SkyDog Con 2016 CTF – Walk Through Guide


Download Link
The VM is now available for download on Vulnhub at the link below.

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

Instructions
The CTF is a virtual machine and works best in VirtualBox. Download the OVA file, open up VirtualBox and then select File -> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file it is best to make sure that USB 2.0 is disabled before booting up the VM. Networking is set up as a Host-Only Adapter, but you can change this before booting up depending on your networking setup. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF
The purpose of this CTF is to find all eight flags hidden throughout the server by hacking network/system services and applications. This can be achieved without hacking the VM file itself.

Flags
The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Walk Through

Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”

I begin by running a minimal port scan and find that only ports 80 (HTTP) and 443 (HTTPS) appear to be open.

Image 1 - Default NMap Scan

Next I check out the web pages and see that they’re both the same page: the CTF homepage with details and instructions but no obvious flag.

SkyDog Con CTF 2016 - Catch Me If You Can

Let’s see what my favorite old timer web scanner Nikto comes back with.

Nikto

Nikto doesn’t provide me anything of real interest so I continue moving forward. I kick off Dirb to look for potentially sensitive directories but again I’m disappointed.

dirb

I use Burp Suite to spider the site and then do an active scan to look for some way of compromising either the site or the web server itself.

Burp Suite Scan

Burp comes back showing the site has an LFI vulnerability, but further analysis shows this is a false positive so no luck there. Out of habit I always love checking out a website’s source code to see if anything interesting jumps out at me. Looking at the source code I notice a potentially interesting file at /oldIE/html5.js.

viewsource

When I look at the file I see an interesting sequence of numbers at the top.

oldieviewsource

These numbers look like hex! This has to be part of the flag just based on our clue. Now I convert the hex to text using the following xxd command.

root@kali# echo 666c61677b37633031333230373061306566373164353432363633653964633166356465657d | xxd -r -p

hex

And we’ve got our first flag.
flag{7c0132070a0ef71d542663e9dc1f5dee}

Since I know the flags are all MD5 hashes I decided to Google the hash just for the heck of it. So 7c0132070a0ef71d542663e9dc1f5dee = “nmap”. Hmm..

Flag#2 – “Obscurity or Security? That is the Question”

Ok so when I look at the clue I think of “Security Through Obscurity”, which for me translates into security in plain sight. That along with the “nmap” MD5 hash from the last flag makes me think I need to look deeper into my nmap scans.

Ok, after running a more complete scan of all 65535 ports I see that the server is running an SSH server on port 22222. That must be my way into the server.

Full NMap Scan

I try logging into the SSH server with a basic test/test account just for the lulz.

SSH

Awesome! We’ve got our second flag.

Flag{53c82eba31f6d416f331de9162ebe997}

Ok so now I know the importance of looking up the MD5 hashes for additional clues. So 53c82eba31f6d416f331de9162ebe997 = “encrypt”.

Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”

Alright so our hero Frank has “intercepted traffic” in the past and our additional clue is “encrypt”. The only thing that I’ve come across so far having anything to do with intercepting traffic and encryption would be the SSL in use for the default site. So I take a closer look at the SSL cert and BOOM. There’s the third flag: flag{f82366a9ddc064585d54e3f78bde3221}.

SSL Certification Details

And f82366a9ddc064585d54e3f78bde3221 = “personnel”

Flag#4 – “A Good Agent is Hard to Find”

So I’m not really sure what this clue is referencing. Looks like the only thing I have to go on is the previous clue word of “personnel”. Possibly a password or maybe a directory? Let’s find out.

Personnel

Hmm. Ok so we know that /personnel is a directory but we don’t appear to have access, judging from the message we get: “ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation.” FBI Workstation huh? How does the webserver know I’m not coming from a FED machine? IP address or referrer or maybe my user agent string? Too many assumptions. Let’s look at what I know so far. So far my only real artifacts have been the html5.js file and the SSL cert. I don’t see anything else out of the ordinary in the SSL cert so I go back and continue looking through the html5.js file for clues. There is a bunch of junk in this file so I decide to just look at the comments first. And sure enough about half way through the file we come across some really interesting comments.

Source Code Comments

Turns out as of May 2016 the FBI still uses IE4 on all workstations per “doug.perterson@fbi.gov”. Can’t say this is too surprising but hey whatever floats your boat I guess. Ok so now I refresh the page with an IE4 user agent and we’re greeted with what looks to be an FBI Portal welcoming Agent Hanratty.

FBI Portal

At the bottom of the portal we find our fourth flag, flag{14e10d570047667f904261e6d08f520f}, and a new clue “Clue = new+flag”.

And 14e10d570047667f904261e6d08f520f = “evidence”

Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”

With the information we just got from Flag#4 I’m going to guess that I should see if /newevidence is a directory. Yep, but it looks like I need a username/password in order to log in along with still using an IE4 user agent.

Username and Password

Ok so let me think about this. When I logged into the Portal I was greeted as Agent Hanratty. It’s a good bet that Agent Hanratty is the user I need to be in order to log in but what’s his username? First thing I need to do is figure out what naming scheme the FBI uses when creating new users. Well if I look back at my notes I can see that the FBI creates accounts using the scheme “firstname.lastname” which I saw from the “doug.perterson@fbi.gov” comment in the source code.

Since I’ve watched the movie already I know that Agent Hanratty’s first name is Carl so his username should be carl.hanratty if my naming scheme guess is correct. Now for his password. The clue for Flag#5 talks about dialogue and “Best Practices”. I’m pretty sure that “Simple, Guessable, Personal and Goes Against Best Practices” is referring to passwords. Now I’m thinking about movie dialog with Carl Hanratty. I’ve got two choices here really. Watch the movie again or download a transcript of the movie. I decide that watching the movie again with some popcorn and two Czech gymnasts is the better call.

You Have Chosen Wisely

Thanks old man, who ironically can barely hold up his sword, so how is he supposed to protect the cup? But I digress. I have chosen wisely but I’m also all business so I paid special attention to anything Tom Hanks’ character said that might be personal and something that might be used as a password. Bingo, in one of the scenes Agent Hanratty mentions that he has a daughter named “Grace”. I kick out my libidinous and limber business associates. Time for James to get paid. Let’s see if that works.

FBI New Evidence

Yep, I’ve now got access to the /newevidence directory and it looks like there are a few things in here. Ok cool, so Evidence.txt contains our flag. flag{117c240d49f54096413dd64280399ea9}

And 117c240d49f54096413dd64280399ea9 = “panam”

Ok so PanAm is the major airline that Frank defrauds in the movie. I add this to my notes just in case it’s needed later.

Flag#6 – “Where in the World is Frank?”

Ok so where is Frank? I’ve still got the two files “image.jpg” and “Invoice.pdf”. I download both files to my Kali box and now it’s time to take a deeper look. I’m going to see if the PDF file is hiding anything that might interest me.

root@kali# pdf-parser Invoice.pdf

Nothing of value hiding inside the PDF except for where it was created, but that’s a dead end. Now to look at the metadata for image.jpg. The only thing that pops out is the size. 4.1 MB for a JPEG seems rather large but not crazy large so this seems like another dead end.

Image Metadata with Exiftool

Maybe I’m over thinking this. Let me look at the Invoice.pdf a little closer. So the invoice is for an “Encryption Consultation Project” from someone named Stefan Hetzl. A Google search for “stefan hetzl encryption” reveals that Stefan Hetzl is the author of Steghide. Steghide is a pretty awesome tool for steganography and is built into Kali so that’s a pretty big clue. Then there is also the image itself. When I looked closely at it I could see a sign on a building that said “le bellevue”. I Googled this and the results showed that it’s a place in France which is exactly where Frank ends up in the movie. But I still haven’t found the flag yet so deeper into the rabbit hole I go. I’m assuming that Steghide and image.jpg are linked now considering the size of the JPEG. Seems like a passphrase is needed to get pretty much any information out of Steghide. There’s a good chance that the passphrase is “panam” from our last MD5 hash. Ok very cool so the passphrase is “panam”.

Steghide Tool in Use

Awesome so Steghide shows that there’s a file flag.txt embedded in the image. So now it’s time to extract it.

root@kali# steghide extract -sf image.jpg

I’ve now got the flag.txt file in my current directory. And sure enough it contains our flag and a clue for Flag#7 “clue=iheartbrenda”. Onward and upward.

And d1e5146b171928731385eb7ea38c37b8 = “ILoveFrance”

Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”

Ok so this is a weird clue. Why is Frank yelling “I’m the fastest man alive!”? That just sounds strange to me but at the same time also kind of familiar. I Google the phrase and sure enough it’s from superhero Barry Allen, aka The Flash. Now this is interesting because in the movie when Agent Hanratty realizes that Frank is actually a kid it’s because one of Frank’s aliases is Barry Allen, which is one of the names he used when cashing checks, so that makes sense. Now I make a bunch of different combinations of “barry allen” and “the flash” and see if they correspond with any directories, which is a big no. Ok so the only place left to use any credentials that I’ve found is SSH. So I try “barry.allen” with a password of “iheartbrenda” but that doesn’t work. Next I try “barryallen” and “iheartbrenda” as the password and I’m in.

Key SSH Version Information

Ok nice. In Barry’s home directory I’ve got the seventh flag which is flag{bd2f6a1d5242c962a05619c56fa47ba6} and I’ve got a pretty large file called “security-system.data”.

And bd2f6a1d5242c962a05619c56fa47ba6 = “theflash”

Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

Now that I have SSH access to the Barry Allen account I begin looking closer at the security-system.data file in the home directory. I download the file to Kali to see what type of file it is. The file command shows it’s a zip file so I run the following.

root@kali# mv security-system.data security-system.data.zip
root@kali# unzip security-system.data.zip

Now security-system.data shows as simply data. Running strings on the file I see a lot of mentions of memory so I’m thinking it’s a memory image of a machine. The next step is to look at the file using volatility.

root@kali# volatility -f security-system.data imageinfo

Volatility Memory Forensics Tool

And sure enough volatility is able to show some interesting information. I continue to dig further using volatility.

root@kali# volatility -f security-system.data --profile=WinXPSP2x86 iehistory

This is pretty interesting. I can see a reference for a file called code.txt on the Desktop which is a direct reference to our clue.

Volatility Memory Forensics Tool Console

I’m interested in seeing if I can view any screen shots from the image.

root@kali# volatility -f security-system.data --profile=WinXPSP2x86 screenshot --dump-dir /root/Downloads/dump/

I was able to grab a few images but only one had anything visible, which showed an empty code.txt but nothing else. My next step is to see if anything was typed into the console.

root@kali# volatility -f security-system.data --profile=WinXPSP2x86 consoles

Awesome! I can see that code.txt was created on the Desktop by echoing hex into the file. Time to see what the hex says so I run the xxd command again.

root@kali# echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d | xxd -r -p

And we get our final flag.

flag{841dd3db29b0fbbd89c7b5be768cdc81}

And 841dd3db29b0fbbd89c7b5be768cdc81 = “Twolittlemice”
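The two xxd one-liners above (the contiguous hex string in html5.js for Flag#1 and the spaced hex from the volatility consoles output for Flag#8) do the same job by hand. As an added example that is not part of the original walkthrough, here is a small Python scanner that pulls every hex run out of a text dump, decodes it and keeps only strings in the flag{md5} form; the sample lines are constructed here to mirror those two artifacts.

```python
import re

# Constructed sample input (not captured from the VM): line 1 mirrors the
# html5.js comment, line 2 the echo seen in the volatility consoles output,
# line 3 is an ordinary short hex literal that must be ignored.
SAMPLE_LINES = [
    "// 666c61677b37633031333230373061306566373164353432363633653964633166356465657d",
    "C:\\>echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt",
    "var mask = 0xdeadbeef; // short hex literal, not a flag",
]

# A run of at least eight hex byte pairs, either contiguous or separated by
# single spaces; the lookbehind stops a match starting mid-token.
HEX_RUN = re.compile(r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{2} ?){8,}")
FLAG_FORMAT = re.compile(r"flag\{[0-9a-f]{32}\}", re.IGNORECASE)


def decode_hex_run(run):
    """Decode a (possibly space-separated) hex run to printable ASCII, else None."""
    raw = bytes.fromhex(run.replace(" ", ""))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # e.g. an MD5 hash quoted in plain text decodes to junk
    return text if text.isprintable() else None


def extract_flags(lines):
    """Return (line_number, flag) pairs for every hex run that decodes to a flag."""
    found = []
    for lineno, line in enumerate(lines, start=1):
        for match in HEX_RUN.finditer(line):
            text = decode_hex_run(match.group(0).strip())
            if text is None:
                continue
            for flag in FLAG_FORMAT.findall(text):
                found.append((lineno, flag))
    return found


if __name__ == "__main__":
    for lineno, flag in extract_flags(SAMPLE_LINES):
        print(f"line {lineno}: {flag}")
```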