SkyDog 1 – CTF

This is my walk-through of the SkyDog 1 challenge posted on vulnhub.com.

Full NMAP scan of host:

root@kali:~# nmap -p- -A 192.168.1.215

skydog-nmap

I begin with enumerating web services:

skydog-homepageimage

I download the image and use EXIF to see if I can find any useful data. I found the 1st flag!

root@kali:~/Downloads# exif SkyDogCon_CTF.jpg

skydog-1stflag

skydog-1stflag-decrypt

Additional enumeration of the web services reveals the 2nd flag:

root@kali:~# curl -i -k http://192.168.1.215/robots.txt

skydog-2ndflag

skydog-2ndflag-decrypt

There are many entries in the robots.txt file.  I spend some time reviewing these and find a clue in /Setec:

skydog-setecpic

Further enumeration of /Setec using cURL reveals another directory to explore:

root@kali:~# curl -i -L http://192.168.1.215/Setec

skydog-curlsetec

Taking a look into the /Astronomy/ folder we just found:

skydog-astronomyfolder

I downloaded Whistler.zip and tried to unzip it, but it is password protected. I used fcrackzip and a dictionary file to crack the password:

root@kali:~/Downloads/skyctf# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u Whistler.zip

skydog-fcrackwhis

Unzipping the Whistler.zip file reveals our 3rd flag:

skydog-unzipwhis

skydog-3rdflag

skydog-3rdflag-decrypt

And another clue:

Skydog-cosmoclue

I realized early on that the theme of this challenge was based on the movie Sneakers. I followed the clue and used some open source intel to create a wordlist using CeWL:

root@kali:~# cewl -m 4 -d 1 -w sneakers.txt http://www.imdb.com/title/tt0105435/keywords?ref_=ttpl_sa_3

skydog-cewlwordlist

Used the new wordlist with Dirb and found a new directory to explore:

root@kali:~# dirb http://192.168.1.215 /root/sneakers.txt

skydog-dirbwordlist

Looking into the /PlayTronics directory I find the 4th flag and a pcap file:

skydog-playtronicsdir

skydog-4thflag

skydog-4thflag-decrypt

I open the .pcap file in Wireshark and find an audio file download:

skydog-mp3download

I was able to download and play the audio file.  The file says Werner Brandes, who is a character from the movie Sneakers.  Getting past this took some time on my part.  I was finally able to SSH to the host using the credentials user:wernerbrandes pw:leroybrown.

skydog-ssh

An ls in wernerbrandes’s home dir reveals the 5th flag:

skydog-5thflag

skydog-5thflag-decrypt

After some time looking around, I was able to find a world-writable file I could use to escalate my privs, sanitizer.py:

wernerbrandes@skydogctf:~$ find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l {} \; 2>/dev/null

skydog-linuxenum-worldwritable
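
Seen from the defender's side, the same `-perm -0002` test works as a hardening audit. The script below is an added example, not part of the original walk-through; its function names and the temporary demo tree (including the location of the constructed `sanitizer.py`) are assumptions made up for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit and remediate
# world-writable regular files under a directory tree.

# List world-writable regular files under $1, one `ls -ld` line each.
audit_world_writable() {
    # -xdev        stay on one filesystem (skips /proc and /sys under /)
    # -type f      regular files only; symlinks always show mode 777
    # -perm -0002  the "other" write bit is set
    find "$1" -xdev -type f -perm -0002 -exec ls -ld {} + 2>/dev/null
}

# Count the findings under $1.
count_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# Remove the "other" write bit from every finding under $1.
fix_world_writable() {
    find "$1" -xdev -type f -perm -0002 -exec chmod o-w {} + 2>/dev/null
}

# Constructed demo tree: one script left at mode 0666, one file at 0644.
demo_tree() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/scripts"
    printf '#!/usr/bin/env python\n' > "$d/scripts/sanitizer.py"
    printf 'ok\n' > "$d/scripts/readme.txt"
    chmod 0666 "$d/scripts/sanitizer.py"
    chmod 0644 "$d/scripts/readme.txt"
    printf '%s\n' "$d"
}

tree=$(demo_tree)
echo "before: $(count_world_writable "$tree") finding(s)"
audit_world_writable "$tree"
fix_world_writable "$tree"
echo "after:  $(count_world_writable "$tree") finding(s)"
rm -rf "$tree"
```

On a real host, review the audit output before running the fix, since some files (for example under a shared scratch directory) may be world-writable on purpose.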

I open the sanitizer.py file and make a modification:

skydogsanitizer

And to escalate my privileges:

skydog-changepermissions

Finding our final flag:

skydog-final