7MS #180: Vulnhub Walkthrough - Skydog CTF
The following is a semi-spoilerish walkthrough of the Skydog CTF VM from Vulnhub by James Bower. It contains 5 flags, all of which have to be captured sequentially (I'm pretty sure) so I don't think you can accidentally ruin anything for yourself by reading this sequentially. Oh, and be sure to listen to the corresponding podcast episode (#180) for this post, as the two complement each other!
I'm intentionally not posting full details of all steps to own this VM for a few reasons:
-
Full (and better) walkthroughs already exist online.
-
By not posting the full details of each flag capture, ideally it will allow you the chance to get just a little push in the right direction without ruining the entire challenge.
-
I like to be transparent and show my full thought process. As you will see, I do a whole lot of stuff wrong before I start making good progress. We can both likely learn something from that :-)
Flag 1
As I set out to capture the first flag, I ran an NMAP scan. Alternatively, more and more I've been using Sparta as it has a nice GUI and give a comprehensive NMAP scan + automatically runs other helpful tools like Nikto.
The NMAP scan revealed only ports 22 and 80 open. I opened a Web browser to the site and a pic of a dog/logo was the only content. I did a "View Source" and that was literally the only content within the site. I saved the pic to the desktop and did some further analysis on it (think "data about the data") and that revealed the first flag. I submitted it to a cracking site to reveal the deciphered text. Recommendation on any of these vulnhub.com VMs: crack hashes as you go...one might be a key to the next flag.
Flag 2
From here I did a thorough dirb on the site looking for more content to explore. A file from these results brought me both my second flag as well as a clear direction of what folder to explore next.
Flag 3
By exploring the "view source" of the file in the new directory I discovered with dirb, there was a hint of a particular Hollywood actor and a specific role he played in a hacker-themed movie. This page also linked to a second page, and that page linked to an encrypted zip file. By using a zip-cracking utility built into Kali, I was able to crack it open. Its contents contained:
- Flag #3
- A hint that discovering flag #4 would take some serious OSINT.
Flag 4
For this one, I took all the Google information I could find about the actor in question, as well as his role in the hacker-themed movie, and threw it into a large text file. I then used a unix.com post to analyze my text file and strip out all unique words. I loaded up this new trimmed down word list into dirb and sifted the site through it. I discovered a new directory which revealed flag #4!
Flag 5
The new directory discovered with dirb has a page which, when you "view source," links to a pcap file. I pulled it down and ran it through net-creds just to see if any juicy bits would fall out. None did, but I did get a lead on what looked to be an audio stream that needed extracting. I tried using Wireshark and videos like this one to extract the audio conversation, but failed. I eventually went a different route and found this article which uses tcpflow and a couple other tricks to pull the MP3 out.
The MP3 itself, in combination with cracking the MD5 hashes gathered thus far, pointed to more OSINT using the aforementioned Hollywood star. When completed, the SSH username and password is revealed. Using the creds to login, the 5th flag is attained!
Rooting the box
The SSH access needs escalation. I used the privesc-check and g0tm1lk articles which helped identify a script with inappropriate permissions.
I tried to modify this script to add a new root user or add my existing user to the sudo group, but to no avail. I had to cheat and look at another walkthrough online to figure out which file to tamper with. Once I did, root access was attained shortly thereafter.
Need help?
I think the best way to do these exercises is in the "try harder" motto of the OSCP. If you want a gentle nudge in the right direction, I'm sure the James would give just the right amount of help. You could contact me as well. Have fun!