This is my walk-through of the SkyDog 1 challenge posted on vulnhub.com.
Full NMAP scan of host:
root@kali:~# nmap -p- -A 192.168.1.215
I begin with enumerating web services:
I download the image and use EXIF to see if I can find any useful data. I found the 1st flag!
root@kali:~/Downloads# exif SkyDogCon_CTF.jpg
Additional enumeration of the web services reveals the 2nd flag:
root@kali:~# curl -i -k http://192.168.1.215/robots.txt
There are many entries in the robots.txt file. I spend some time reviewing these and find a clue in /Setec:
Further enumeration of /Setec using cURL reveals another directory to explore:
root@kali:~# curl -i -L http://192.168.1.215/Setec
Taking a look into the /Astronomy/ folder we just found:
I downloaded Whistler.zip and tried to unzip the file, but it was password protected. I used fcrackzip and a dictionary file to crack the password:
root@kali:~/Downloads/skyctf# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u Whistler.zip
Unzipping the Whistler.zip file reveals our 3rd flag:
And another clue:
I realized early on that the theme of this challenge was based on the movie Sneakers. I followed the clue and used some open source intel to create a wordlist using Cewl:
root@kali:~# cewl -m 4 -d 1 -w sneakers.txt http://www.imdb.com/title/tt0105435/keywords?ref_=ttpl_sa_3
Used the new wordlist with Dirb and found a new directory to explore:
root@kali:~# dirb http://192.168.1.215 /root/sneakers.txt
Looking into the /PlayTronics directory I find the 4th flag and a pcap file:
I open the .pcap file in Wireshark and find an audio file download:
I was able to download and play the audio file. The file says Werner Brandes, who is a character from the movie Sneakers. Getting past this took some time on my part. I was finally able to SSH to the host using the credentials user:wernerbrandes pw:leroybrown.
An ls in wernerbrandes’s home dir reveals the 5th flag:
After some time of looking around I was able to find a world writable file I could use to escalate my privs, sanitizer.py:
wernerbrandes@skydogctf:~$ find / \( -wholename '/home/homedir/*' -prune -o -wholename '/proc/*' -prune \) -o \( -type f -perm -0002 \) -exec ls -l {} \; 2>/dev/null
I open the sanitizer.py file and make a modification:
And to escalate my privileges:
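The weakness used above is a script that a privileged job runs while unprivileged users can rewrite it. As an added example (not the challenge's own sanitizer.py), this is the pre-execution check a defender would put in front of such a job: the file is refused unless it is a regular file owned by the trusted uid and writable by nobody else. The `trusted_uid`/`trusted_gid` defaults and the sample mode values are assumptions for the demonstration.

```python
"""Gate a script before a privileged job (cron, sudo) executes it.

Added example: refuse to run anything that another user could have
modified, which is exactly the world-writable sanitizer.py case above.
"""
import os
import stat
import subprocess
import sys


def insecure_mode_findings(mode, uid, gid, trusted_uid=0, trusted_gid=0):
    """Return a list of reasons a file with this mode/owner is untrusted.

    An empty list means the file passed every check.  Arguments mirror
    os.lstat() fields so the logic can be tested without a filesystem.
    """
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if (mode & stat.S_IWGRP) and gid != trusted_gid:
        findings.append("group-writable by untrusted group")
    if uid != trusted_uid:
        findings.append("owned by uid %d, expected %d" % (uid, trusted_uid))
    return findings


def audit_path(path, trusted_uid=0, trusted_gid=0):
    """lstat() the file (so a symlink is reported as such) and check it."""
    st = os.lstat(path)
    return insecure_mode_findings(st.st_mode, st.st_uid, st.st_gid,
                                  trusted_uid, trusted_gid)


def run_if_trusted(path):
    """Run the script with the current interpreter only if it is trusted."""
    findings = audit_path(path)
    if findings:
        raise PermissionError("refusing to run %s: %s" % (path, ", ".join(findings)))
    return subprocess.run([sys.executable, path], check=True).returncode


if __name__ == "__main__":
    # Constructed sample: a root-owned script with mode 0666, as in the
    # challenge, versus the same script with mode 0644.
    print(insecure_mode_findings(0o100666, 0, 0))  # ['world-writable']
    print(insecure_mode_findings(0o100644, 0, 0))  # []
```

Wiring `run_if_trusted` into the cron entry that invokes the script turns the finding from the `find -perm -0002` sweep above into a hard stop rather than a missed audit.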
Finding our final flag: