22. Penetration Testing Case Study (15)

Target description:

Game of Thrones Hacking CTF

This is a challenge-game to measure your hacking skills. Set in Game of Thrones fantasy world.


Goal:

Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.

Rules/guidelines to play:

  • Start your conquer of the seven kingdoms
  • You'll need hacking skills, no Game of Thrones knowledge is required. But if you play, it may contain spoilers of the TV series
  • Difficulty of the CTF: Medium-High
  • Don't forget to take your map (try to find it). It will guide you about the natural flag order to follow over the kingdoms
  • Listen CAREFULLY to the hints. If you are stuck, read the hints again!
  • Powerful fail2ban spells were cast everywhere. Bruteforce is not an option for this CTF (2 minutes ban penalty)
  • The flags are 32 chars strings. Keep 'em all! You'll need them

Requirements/starting guide:

  • Import the Linux based CTF challenge virtual machine (OVA file)
  • OVA file is compatible with Oracle Virtualbox and Vmware
  • The challenge vm needs 1 cpu and 1512mb RAM to work properly
  • The challenge vm has its network configured by default as bridge. It will take an IP from the DHCP of your network

Downloading challenge CTF vm:

Troubleshooting

  • Vmware:
    • If you get a warning/error importing machine, press "Retry" and it will be imported flawlessly
  • Oracle Virtualbox:
    • It's recommended to use "Import Appliance" menu option instead of double click on OVA file
    • If you get an error regarding network, just select your network interface

Good luck, the old gods and the new will protect you!


 _____                      ___    _____ _                       
|   __|___ _____ ___    ___|  _|  |_   _| |_ ___ ___ ___ ___ ___ 
|  |  | .'|     | -_|  | . |  _|    | | |   |  _| . |   | -_|_ -|
|_____|__,|_|_|_|___|  |___|_|      |_| |_|_|_| |___|_|_|___|___|

Pentesting the target:

This time the attack machine is Parrot Linux plus Windows 10; the attacker's IP address is 192.168.0.112

The target and the attacker are on the same subnet, so we first use nmap to find the target's IP address:

Since I opened the target in VMware, the target IP turns out to be 192.168.0.161

Then we run a deep nmap scan against this IP:

The target has many ports open: 21, 22, 53, 80, 143, 3306, 5432, 10000

Let's try visiting the target's main page:

First we view the source:

...there's a pile of stuff that looks valuable... after Baidu Translate... shit.. let's keep looking:

We try dirb from Kali to brute-force the target's directories:

It finds many directories:

  • http://192.168.0.161/css/
  • http://192.168.0.161/favicon.ico
  • http://192.168.0.161/imgs/
  • http://192.168.0.161/index.php
  • http://192.168.0.161/robots.txt
  • http://192.168.0.161/sitemap.xml

Plus one rather odd directory:

  • http://192.168.0.161/h/i/d/d/e/n/index.php

Let's first look at the sensitive robots.txt

It lists three directories: /the-tree/, /secret-island/, /direct-access-to-kings-landing/

It also names a User-agent: Three-eyed-raven

We visit the three directories in turn:

We click Map:

Let's study this map carefully:

It records the key points and goals of this game: besides the 7 regular flags we need, there are 3 secret flags, and the final battle is fought over SSH...

We visit the next directory:

We view the source to see whether there is anything useful:

There is this sentence:

"You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody

Translation: you must change your own shape and form if you want the right answer from the Three-eyed raven, written on the tree by somebody

Seeing Three-eyed-raven, I immediately thought of the User-agent in robots.txt, and the hint says we need to change ourselves.

Could it be that we should capture the request in Burp and replace the User-Agent header? Let's try:

The response contains:

<!--
    "I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark
    "To enter in Dorne you must identify as oberynmartell. You still should find the password"
    "3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
    "The savages never crossed the wall. So you must look for them before crossing it"
-->

Translation:

"I will give you three hints, I can see the future, so listen carefully" - The three-eyed raven Bran Stark
"To enter Dorne you must identify as oberynmartell. You still have to find the password"
"3487 64535 12345. Remember these numbers, you'll need to use them with POLITE people; you'll know when to use them"
"The savages never crossed the wall. So you must look for them before crossing it"
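As an added example (not code from the original writeup or the CTF), here is the robots.txt and User-Agent step scripted in Python; note that the out-of-place capitals in the tree hint spell USERAGENT, which is the real clue. The stand_in_server function is a hypothetical model of how the target gates content, not the VM's code, and the robots.txt and page bodies are constructed samples; the point for a defender is that User-Agent is entirely client-controlled, so gating content on it conceals nothing from anyone who has read robots.txt.

```python
import re
import urllib.request

# --- Constructed sample data (not captured from the real target) ---
ROBOTS_TXT = """User-agent: *
Disallow: /the-tree/
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/

User-agent: Three-eyed-raven
"""
PUBLIC_PAGE = ('<html><body>A lonely tree.'
               '<!-- "You mUSt changE your own shape" --></body></html>')
RAVEN_PAGE = """<html><body>The raven speaks.<!--
    "To enter in Dorne you must identify as oberynmartell"
    "3487 64535 12345 . Remember these numbers"
--></body></html>"""

def parse_robots(text):
    """Return (user_agents, disallowed_paths) named in a robots.txt body."""
    agents = re.findall(r'^User-agent:\s*(\S+)', text, re.M | re.I)
    paths = re.findall(r'^Disallow:\s*(\S+)', text, re.M | re.I)
    return agents, paths

def html_comments(html):
    """Extract every <!-- ... --> block from a response body, stripped."""
    return [c.strip() for c in re.findall(r'<!--(.*?)-->', html, re.S)]

def build_request(url, user_agent):
    """A urllib request carrying the chosen User-Agent; nothing is sent."""
    return urllib.request.Request(url, headers={'User-Agent': user_agent})

def stand_in_server(request):
    """Hypothetical model of the target: content is gated on the User-Agent
    header alone. The client sets that header, so this is no access control."""
    # urllib stores header names capitalised, hence 'User-agent'.
    if request.get_header('User-agent') == 'Three-eyed-raven':
        return RAVEN_PAGE
    return PUBLIC_PAGE

def probe(user_agent):
    """Run a request with the given User-Agent through the stand-in server
    and return the HTML comments hidden in the reply."""
    req = build_request('http://192.168.0.161/the-tree/', user_agent)
    return html_comments(stand_in_server(req))
```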

...Suddenly I'm out of ideas. We brute-forced so many directories, so let's visit a few of the more sensitive ones:

We notice there is also a raven.php; let's try it:

Once again we check the source:

Translation: cross the wall, the mcrypt spell will help you. No matter who you are, only the key can open the secret door

...We carry on with the directories:

View the source:

Contents:

<!--
    "My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys

    "Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light has shown me" - The Red Woman Melisandre
-->

Translation: My little birds are everywhere. To enter Dorne you must say: "A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys

"Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light has shown me" - The Red Woman Melisandre

We have obtained a password: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me, and with it we can enter Dorne. I remember the hint said:

To enter Dorne you must identify as oberynmartell. You still should find the password. So this oberynmartell is the password, and the map also gives a hint:

I think we can try logging in to FTP as Dorne with the password oberynmartell


Reposted from www.cnblogs.com/bmjoker/p/9393434.html