SkyDog Con CTF – The Legend Begins

Sky Dog Con CTF – Over but not forgotten.

Download Link
https://download.vulnhub.com/skydog/SkyDogCTF.ova

Instructions
The CTF is a virtual machine and works best in VirtualBox. This OVA was created using VirtualBox 4.3.32. Download the OVA file, open VirtualBox, and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file, it is best to disable the USB 2.0 setting before booting up the VM. The networking is set up for a NAT Network, but you can change this before booting up depending on your networking setup. If you have any questions, please send me a message on Twitter @jamesbower and I’ll be happy to help.

Goal of Sky Dog Con CTF
The purpose of this CTF is to find all six flags hidden throughout the server by hacking network and system services. This can be achieved without hacking the VM file itself.

Flags
The six flags are in the form of flag{MD5 Hash} such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

Flag #2 When do Androids Learn to Walk?

Flag #3 Who Can You Trust?

Flag #4 Who Doesn’t Love a Good Cocktail Party?

Flag #5 Another Day at the Office

Flag #6 Little Black Box

Walkthrough

Flag #1 Home Sweet Home

Starting off, we need to find the IP address of our booted VM. We can generally do this either by running an nmap ping scan or by running a nifty tool called “netdiscover”.

netdiscover -r 10.0.2.0/24

[Screenshot: Using Netdiscover for Host Discovery – Sky Dog Con CTF]

Comparing the MAC address with the one given in our VirtualBox settings, we now know that the VM has an IP of 10.0.2.4.

Let’s find out what kind of services are running on it.

nmap -sV -P0 10.0.2.4

Ok so I’ve got a web server running Apache on Ubuntu along with an SSH server.

[Screenshot: Nmap]

I’m going to dig a little deeper into the SSH server.

[Screenshot: SSH Server]

Nothing too revealing at the moment.  Time to look into the webserver.

#PenTestProTip – Always make sure to keep notes while pentesting. The more detailed the better. Whether it’s an application, network, or even a mobile app, I’m constantly creating “digital breadcrumbs”, if you will, in Evernote. This can also include things like screenshots, config files and other assets or whatever.

We already know that the server is running Apache, so let’s take a look.

[Screenshot: Apache]

Ok, so the homepage is basically just this SkyDog picture.

This reminds me that the first clue is “Home Sweet Home”.  Maybe this is a reference to the homepage?  I guess we’ll see.

The image seems pretty legit so let’s check out the source of the page.

[Screenshot: Source]

Alright, the homepage is literally just the image.

#PenTestProTip – At this point most people will conclude that this is a dead end and move on.  This happens in pen testing all the time.  You begin to follow a lead and then give up right before the finish line.  In my mind the image itself “SkyDogCon_CTF.jpg” is still an asset that needs to be analyzed.

I save the image to the desktop and do a quick check to see what’s up with it.

exiftool SkyDogCon_CTF.jpg

[Screenshot: Exiftool]

Great!  We’ve got the first flag!

flag{abc40a2d4e023b42bd1ff04891549ae2}
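The metadata check above can also be done by walking the JPEG segments directly. This is an added example, not code from the original post: it assumes the flag may be stored either as ASCII or as UTF-16LE (which a plain `strings` pass would miss), and the sample JPEG bytes and placeholder flag are constructed for the demonstration.

```python
import re
import struct
# flag{<32 hex chars>}, the format given in the "Flags" section
FLAG_ASCII = re.compile(rb"flag\{[0-9a-f]{32}\}")
# The same text as UTF-16LE (every character followed by a NUL byte),
# which is how the Windows "XP*" EXIF tags store their strings
FLAG_UTF16 = re.compile(rb"f\x00l\x00a\x00g\x00\{\x00(?:[0-9a-f]\x00){32}\}\x00")

def jpeg_segments(data):
    """Yield (marker, payload) for each segment before the compressed scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: image data follows, metadata is over
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_flags(data):
    """Return sorted (marker, flag) pairs found in APPn and COM segments."""
    hits = set()
    for marker, payload in jpeg_segments(data):
        if not (0xE0 <= marker <= 0xEF or marker == 0xFE):
            continue  # skip quantisation/Huffman tables, frame headers
        found = [m.group().decode() for m in FLAG_ASCII.finditer(payload)]
        found += [m.group().decode("utf-16-le") for m in FLAG_UTF16.finditer(payload)]
        hits.update((f"0x{marker:02X}", flag) for flag in found)
    return sorted(hits)

def make_segment(marker, payload):  # helper for the constructed sample only
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: placeholder flag stored as UTF-16LE in an APP1 segment
SAMPLE_FLAG = "flag{" + "0123456789abcdef" * 2 + "}"
SAMPLE = (b"\xff\xd8" + make_segment(0xE1, b"Exif\x00\x00" + SAMPLE_FLAG.encode("utf-16-le"))
          + make_segment(0xFE, b"nothing here") + b"\xff\xda\x00\x02\xff\xd9")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for marker, flag in find_flags(data):
        print(marker, flag)
```

Run it with a file path as the only argument to scan a saved image; with no argument it scans the constructed sample.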

But before moving on I want to know if this hash has any sort of significance or something.  Let’s see what Google has to say.

[Screenshot: Google search]

Welcome Home!  Very interesting.  This goes in the notes.

Time for Flag #2

Flag #2 When do Androids Learn to Walk?
