Vulnhub – Skydog 2016 Walkthrough

Vulnhub Walkthrough – SkyDog Con – Catch Me If You Can

The Vulnerable machine can be downloaded from here:

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

Let's start by understanding the hints we are given.

SkyDog Con CTF 2016 – Catch Me If You Can

Difficulty: Beginner/Intermediate

Instructions: The CTF is a virtual machine and works best in VirtualBox. Download the OVA file, open up VirtualBox and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above, make sure that USB 2.0 is disabled before booting up the VM. The networking is set up for a Host-Only Adapter by default, but you can change this before booting up depending on your networking setup. The Virtual Machine Server is configured for DHCP. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Flags

The eight flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Don’t go Home Frank! There’s a Hex on Your House.

Flag #2 Obscurity or Security?

Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.

Flag #4 A Good Agent is Hard to Find.

Flag #5 The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

Flag #6 Where in the World is Frank?

Flag #7 Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!

Flag #8 Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

SETUP

The image is an OVA file: use the Import Appliance option in VirtualBox to import it, then set the network adapter to Host-Only. Do the same for your Kali Linux machine.

Let's begin.

Flag #1 Don’t go Home Frank! There’s a Hex on Your House.

Let's start with the HTTP service on port 80, shall we?

By instinct, one always goes through the page source first to find something juicy; it's the basic ritual on visiting a website.

Here a comment leaks important information: a link that was supposed to be removed in the production environment. Don't go home, Frank, just don't.

Let's open that file.

There is a hex string right on the first line, and there's the hint: don't go home, Frank, there's a hex on your house. Decoding the hex gives us the first flag.

Now we have the flag. As stated, the flag content is an MD5 hash, so let's look it up (a hash isn't decrypted; the original is found by hashing candidate words and comparing digests).
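The two steps above (hex decode, then MD5 lookup) as a small added Python example; this is not code from the original walkthrough. The flag value is a constructed sample (the MD5 of "hello"), and the candidate word list is constructed too. It also validates that the decoded text really has the flag{MD5} shape the CTF describes, which catches a mistyped hex dump early.

```python
import hashlib
import re
from typing import Iterable, Optional

# The CTF says every flag has the form flag{<32 hex chars>}; this regex checks it.
FLAG_RE = re.compile(r"^flag\{([0-9a-fA-F]{32})\}$")

# Constructed sample: the hex encoding of flag{<md5 of "hello">}, split across
# "lines" to show that whitespace in a pasted hex dump is tolerated.
SAMPLE_HEX = """
666c61677b 35643431343032616263346232613736
62393731396439313130313763353932 7d
"""

# Constructed candidate list; in practice this is a wordlist or the clue words
# the CTF hands you, hashed and compared against the flag's digest.
CANDIDATES = ["test", "admin", "administrator", "hello", "encrypt"]


def decode_hex_flag(hex_text: str) -> str:
    """Strip whitespace from a hex dump and decode it to text."""
    cleaned = re.sub(r"\s+", "", hex_text)
    return bytes.fromhex(cleaned).decode("ascii")


def extract_md5(flag: str) -> str:
    """Return the digest inside flag{...}; reject anything not in that shape."""
    match = FLAG_RE.match(flag.strip())
    if not match:
        raise ValueError(f"not in flag{{md5}} form: {flag!r}")
    return match.group(1).lower()


def lookup_md5(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """'Decrypting' an MD5 is a dictionary lookup: MD5 is a one-way hash, so
    the only way back is to hash each candidate and compare digests."""
    digest = digest.lower()
    for word in candidates:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == digest:
            return word
    return None


def solve(hex_text: str, candidates: Iterable[str]) -> Optional[str]:
    """Full chain for one flag: hex -> flag{md5} -> original word (or None)."""
    return lookup_md5(extract_md5(decode_hex_flag(hex_text)), candidates)


if __name__ == "__main__":
    print(decode_hex_flag(SAMPLE_HEX))    # flag{5d41402abc4b2a76b9719d911017c592}
    print(solve(SAMPLE_HEX, CANDIDATES))  # hello
```

The online "MD5 decrypt" sites used later in this walkthrough do exactly what lookup_md5 does, only against a precomputed table of billions of words; that is also why a hash of a common word is recovered instantly while a hash of a random string is not.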

Nmap! Hmm, time for nmap.

Flag #2 Obscurity or Security?

Here we go.

Port 22 is closed. Obscurity or security? Time to run nmap on all the ports.

Note: I used nmap -sT -p 1-65535 (IP address).


Obscurity, it seems. Let's connect to the SSH service on port 22222.

There we go with another flag; Flag 2 has been bagged. Looking up its MD5 gives us:

Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.

The last clue was "Encrypt", and the Flag 3 hint talks about intercepting traffic. Encrypted traffic, maybe? The only place on this machine where encrypted traffic can be expected is the HTTPS service, and sniffing it would only be possible through a man-in-the-middle attack, where the site ends up presenting the attacker's certificate.

The assumption turned out to be right; time to check the certificate.

Bingo, there we go with Flag 3. Its MD5 lookup value is:

Flag #4 A Good Agent is Hard to Find.

Pretty much lost here: "Personnel" and "A good agent is hard to find"?

"Agent" here must have something to do with the User-Agent, but what about "personnel"? Could it be a password? Could it be a person from the movie? No clue. So I decided to gather more information on the web application: standard practice, run dirbuster and nikto as the first phase.

And there we go: a directory correlating with the word personnel.

So that's what it was all about. Accessing the directory, though, gave an access denied error.

Of course, the second hint: a good agent is hard to find, so it must have something to do with the User-Agent. I went through the source of all the discovered pages, and html5.js gave us just what we needed.

Internet Explorer 4, for the lulz. Let's change the User-Agent and access the page. Burp is our saviour: its match-and-replace feature rewrites the User-Agent on every request to whatever we want.

And then there goes our request with the new User-Agent.

So what have we here? A classy agent portal welcoming Agent Hanratty.

First, let's grab the flag visible at the bottom left of the screenshot above. Its MD5 lookup is:
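The portal above gates its content on the User-Agent header, which is why a one-line Burp rule gets past it. As an added Python example (not code from the walkthrough or the CTF), here is that weak check next to the server-side decision that should replace it: a server-issued session token bound to an authenticated agent. The "MSIE 4.0" string and the session layout are assumptions for the demo, not details taken from the machine.

```python
from http.cookies import SimpleCookie
import secrets
from typing import Dict, Optional

# Assumption for this example: the portal only serves pages when the browser
# claims to be Internet Explorer 4; the exact string is hypothetical.
REQUIRED_UA_FRAGMENT = "MSIE 4.0"


def weak_gate(headers: Dict[str, str]) -> bool:
    """Access decided by a client-chosen header. The User-Agent is just text
    the client sends; it proves nothing about who is asking."""
    return REQUIRED_UA_FRAGMENT in headers.get("User-Agent", "")


def issue_session(sessions: Dict[str, str], agent: str) -> str:
    """Hardened path: after real authentication the server issues a random
    token and remembers which agent it belongs to."""
    token = secrets.token_urlsafe(32)
    sessions[token] = agent
    return token


def strong_gate(headers: Dict[str, str], sessions: Dict[str, str]) -> Optional[str]:
    """Hardened: only a valid server-issued session token grants access and
    tells us who the caller is. The User-Agent plays no part in the decision."""
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    morsel = jar.get("session")
    if morsel is None:
        return None
    return sessions.get(morsel.value)


def demo():
    """Constructed requests: one with only a spoofed User-Agent, one with a
    real session. Returns (weak, strong_spoofed, strong_real)."""
    sessions: Dict[str, str] = {}
    spoofed = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 4.0; Windows 95)"}
    token = issue_session(sessions, "Hanratty")
    real = {"User-Agent": "Mozilla/5.0", "Cookie": f"session={token}"}
    results = (weak_gate(spoofed), strong_gate(spoofed, sessions),
               strong_gate(real, sessions))
    print("weak gate, spoofed UA:", results[0])     # True
    print("strong gate, spoofed UA:", results[1])   # None
    print("strong gate, real session:", results[2])  # Hanratty
    return results


if __name__ == "__main__":
    demo()
```

The point for a defender: any header the client controls (User-Agent, Referer, X-Forwarded-For) is input, not identity. Logging requests whose User-Agent claims a browser nobody has used in twenty years is a cheap detection for exactly the bypass shown above.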

Flag #5 The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices


"The devil is in the details" and the clue "evidence": neither relates to the other, so there must be two separate hints. The personnel page itself carries a clue that says clue=new+flag, newevidence. By this time I was pretty convinced this had to be a directory, so I tried that.

Well, nope. Believe you me, I wasted almost 3 hours trying to figure out what newevidence was, only to later realise it was a directory on the root path and not under personnel. *facepalm*

Okay, so now we need a username and password. The default instinct is to try the well-known defaults: "test", "admin", "administrator". Deriving the username, though, was easy: "Welcome Agent Hanratty", so if the hint is pointing me at an HTTP basic authentication page, the user must be Agent Hanratty. Now let's come to the flag hint.

FLAG HINT: The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

A dialogue; simple, guessable, personal. This is a straightforward hint in itself: it's something Hanratty said in his dialogue that relates to his personal life. Time for a quick IMDb visit, shall we?

So I went through the dialogue and highlighted the words that sounded simple, guessable and personal. I tried all of them and failed. Something was wrong; being pretty confident the password was one of these, I began to wonder whether the username was correct. Digging deeper, I came back to the page html5.js, which hints that the username is in the firstname{dot}lastname format.

From IMDb I got Hanratty's full name: carl.hanratty. I repeated the attempts with the username carl.hanratty and, bingo, the password was the name of his daughter, "Grace". Simple, guessable and personal; there's the devil in the detail.
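The hint literally lists what a password policy should reject: simple, guessable, personal. As an added Python example (not from the walkthrough), here is a small policy check that turns those three words into tests: minimum length, a constructed list of well-known defaults, a single-word shape, and a list of personal terms (family names, employer) that the password must not contain even after leet-speak substitutions. The personal-term list is constructed from the character names mentioned on this page.

```python
import re
from typing import Iterable, List

# Leet-speak substitutions undone before checking, so "Gr4c3" still reads "grace".
LEET = str.maketrans("013457@$!", "oleastasi")

# Constructed list of well-known default credentials (the ones tried above plus
# a few classics); a real check would use a large breached-password list.
COMMON_DEFAULTS = {"test", "admin", "administrator", "password", "123456", "letmein"}

# Constructed personal terms for the demo: names tied to the account owner.
PERSONAL_TERMS = ["Carl", "Hanratty", "Grace", "Brenda"]


def normalize(password: str) -> str:
    """Lower-case and undo common leet substitutions."""
    return password.lower().translate(LEET)


def password_policy_violations(password: str, personal_terms: Iterable[str],
                               min_len: int = 12) -> List[str]:
    """Return the reasons a password fails a 'not simple, guessable or
    personal' policy; an empty list means it passes."""
    reasons: List[str] = []
    norm = normalize(password)
    letters_only = re.sub(r"[^a-z]", "", norm)

    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if norm in COMMON_DEFAULTS or letters_only in COMMON_DEFAULTS:
        reasons.append("well-known default password")
    if re.fullmatch(r"[a-z]+\d{0,4}", norm):
        reasons.append("a single word, optionally followed by a few digits")
    for term in personal_terms:
        t = term.lower()
        if len(t) >= 3 and t in norm:
            reasons.append(f"contains personal term {term!r}")
    return reasons


if __name__ == "__main__":
    for candidate in ["Grace", "Gr4ce2002!", "Admin", "correct-horse-battery-7"]:
        print(candidate, "->", password_policy_violations(candidate, PERSONAL_TERMS) or "ok")
```

Checks like this belong at password-set time (and in periodic audits of password hashes against the same lists); on the CTF box a five-letter family name got past whatever policy existed, which is the whole lesson of Flag #5.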

Checking out the three hyperlinks below: the evidence summary file gave us a flag, Possible Location gave us an image, and Case Invoices gave us a PDF file.

The MD5 lookup for the above is:

I saved the other two files to my desktop, since the image made no sense on its own and the PDF was an invoice.

And the PDF file:

Flag #6 Where in the World is Frank?


And the flag hint is "panam". Interesting, but it makes no sense at first. Pan Am, as per the movie, is Pan American, the airline where Frank poses as a pilot.

I tried directory listings for the places Frank travelled to in the movie, the place he was caught, the place he was born, and the prison he was going to be sent to, but nothing. Then a question struck me: there is an image file attached, and the invoice charges money for encryption. The person who raised the invoice was Stefan Hetzl, and a little googling for "Stefan Hetzl encryption" showed that he is the developer of steghide. Steganography, possibly?

On checking, steganography had indeed been used. We were asked for a password, which of course had to be the flag "panam". It was accepted, and there we go: a secret message and a flag.

Cross-checking, just to be sure, whether the flag matched the decrypted value he mentioned: it was correct. Now comes another clue, "iheartbrenda".

Flag #7 Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!


The flag hint and "iheartbrenda". Okay, when a comic fan hears "fastest man alive" all he can think of is the Flash, the comic hero. So I tried to see whether there was any relation between Flash and Brenda. Well, no; apparently in the movie Frank did say he was the fastest man alive when he was cashing the checks, and he introduced himself as Barry Allen to Hanratty. So far we can conclude that "iheartbrenda", without spaces, must be a password for something, and "fastest man alive" has to resolve to Barry Allen or Flash. What place on the server could require another password? Initially I tried to see if there were any folders named iheartbrenda, but there were none; then the same with barryallen, flash, theflash etc., and none succeeded.

I was under the impression that the last flag would be the password to the SSH service on the server. However, we are near the end: what if this is the stage where we get a low-privilege user on the server with the obtained credentials, and flag 8 is the final escalation? So I shortlisted possible usernames to go with the password "iheartbrenda", using the naming convention barry.allen, theflash etc. and other combinations, with and without the dots. We hit a bingo on barryallen.

And there we go, another flag. Its MD5 lookup is:


Flag #8 Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!


Okay, so now we are almost there. A hint is made available: there is a file called "system-securityd.data". Checking the file type shows it's a zip file. Let's pull it to our system and check what's inside; scp does the job.

Now we have the file on our system. Unzipping it gives us a file security-system.data, which is huge, probably around a GB.

The hint: Frank's lost his mind, or maybe it's his memory. Has to be a memory dump, eh? Together with the previous flag, theflash: totally flash memory. Time to put on the forensics boots. Without a moment's hesitation, fire up Volatility and begin dissecting the file.

I can see a notepad process that stands out from the default services. Let's see what notepad had open.

Code.txt. Hmm, no hesitation, let's just open that damn file.
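The two Volatility questions above ("which process stands out?" and "what did notepad have open?") are the kind of triage that is worth scripting once you have more than one image. As an added Python example (not from the walkthrough, and not Volatility's own code), here is a parser over constructed text in the shape of Volatility 2 pslist and cmdline output: it diffs the process list against a constructed baseline of a bare Windows install and pulls the document path out of notepad's command line. The sample rows, PIDs, timestamps and the file path are constructed for the demo, not read from the CTF's memory image.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of Volatility 2 "pslist" output (not taken
# from the page's memory image).
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x823c89c8 System                    4      0     55      250 ------      0
0x81f5f020 smss.exe                368      4      3       19 ------      0 2016-08-18 10:01:11 UTC+0000
0x81e8a7c8 csrss.exe               584    368     10      357      0      0 2016-08-18 10:01:12 UTC+0000
0x81f0b020 winlogon.exe            608    368     19      504      0      0 2016-08-18 10:01:12 UTC+0000
0x81e68da0 explorer.exe           1464   1432     12      332      0      0 2016-08-18 10:02:03 UTC+0000
0x81d9a3a8 notepad.exe            1708   1464      1       34      0      0 2016-08-18 10:05:44 UTC+0000
"""

# Constructed sample in the shape of Volatility 2 "cmdline" output.
CMDLINE_SAMPLE = r"""
************************************************************************
explorer.exe pid:   1464
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
notepad.exe pid:   1708
Command line : "C:\WINDOWS\system32\notepad.exe" C:\Users\frank\Desktop\Code.txt
"""

# Constructed baseline of processes expected on a bare Windows install;
# anything outside it is worth a look.
BASELINE = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "svchost.exe", "explorer.exe"}

PS_ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
CMD_HEADER = re.compile(r"^(\S+) pid:\s+(\d+)\s*$")
CMD_LINE = re.compile(r"^Command line : (.*)$")


def parse_pslist(text: str) -> List[Tuple[str, int, int]]:
    """Return (name, pid, ppid) for each process row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows


def unexpected_processes(text: str, baseline=BASELINE) -> List[Tuple[str, int]]:
    """Processes whose name is not in the baseline, as (name, pid)."""
    return [(name, pid) for name, pid, _ in parse_pslist(text)
            if name.lower() not in baseline]


def parse_cmdline(text: str) -> Dict[Tuple[str, int], str]:
    """Map (name, pid) -> full command line from cmdline-style output."""
    result: Dict[Tuple[str, int], str] = {}
    current = None
    for line in text.splitlines():
        m = CMD_HEADER.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = CMD_LINE.match(line)
        if m and current is not None:
            result[current] = m.group(1).strip()
            current = None
    return result


def _args_after_exe(cmdline: str) -> List[str]:
    """Drop the (possibly quoted) executable and return the remaining arguments."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        parts = cmdline.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def notepad_documents(text: str) -> List[str]:
    """Files notepad.exe was launched with, i.e. what was open on screen."""
    docs: List[str] = []
    for (name, _pid), cmdline in parse_cmdline(text).items():
        if name.lower() == "notepad.exe":
            docs.extend(_args_after_exe(cmdline))
    return docs


if __name__ == "__main__":
    print("unexpected:", unexpected_processes(PSLIST_SAMPLE))  # [('notepad.exe', 1708)]
    print("notepad had open:", notepad_documents(CMDLINE_SAMPLE))
```

The argument splitting is deliberately simple (a document path containing spaces would need proper Windows command-line quoting rules); for an incident-response script, feed it the real plugin output and extend the baseline with the services your own build ships.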

Another hex value; let's decode it.

Its MD5 lookup is:

It takes some effort to find a site that has the lookup for this hash. If you are lazy, hashkiller.co.uk has it.

And this concludes our hunt for all the flags on this CTF.

Cheers, and share!