SkyDog 2016: Catch Me If You Can Vulnhub Walkthrough

A new VM was released on Vulnhub this week. I had some downtime at night while traveling for work so I grabbed the image and got to work.

https://www.vulnhub.com/entry/skydog-2016-catch-me-if-you-can,166/

The challenge is set up with 8 flags as follows:

Flag#1 – “Don’t go Home Frank! There’s a Hex on Your House”
Flag#2 – “Obscurity or Security? That is the Question”
Flag#3 – “During his Travels Frank has Been Known to Intercept Traffic”
Flag#4 – “A Good Agent is Hard to Find”
Flag#5 – “The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices”
Flag#6 – “Where in the World is Frank?”
Flag#7 – “Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!”
Flag#8 – “Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!”

I always enjoy challenges like this with multiple flags as it helps to keep you going/on path.

I started off with an nmap scan to see what we were dealing with:

root@kali:~# nmap -A -p- -Pn --open -T4 172.16.94.136

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-11-11 09:08 EST
Nmap scan report for 172.16.94.136
Host is up (0.00039s latency).
Not shown: 65531 filtered ports, 1 closed port
PORT      STATE SERVICE  VERSION
80/tcp    open  http     Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
443/tcp   open  ssl/http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: SkyDog Con CTF 2016 - Catch Me If You Can
| ssl-cert: Subject: commonName=Network Solutions EV Server CA 2/organizationName=Network Solutions L.L.C./stateOrProvinceName=VA/countryName=US
| Not valid before: 2016-09-21T14:51:57
|_Not valid after:  2017-09-21T14:51:57
|_ssl-date: TLS randomness does not represent time
22222/tcp open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:64:7c:d1:55:46:4e:50:e3:ba:cf:4c:1e:81:f9:db (RSA)
|_  256 ef:17:df:cc:db:2e:c5:24:e3:9e:25:16:3d:25:68:35 (ECDSA)
MAC Address: 00:0C:29:14:57:58 (VMware)
Device type: general purpose|phone|WAP|specialized|storage-misc

A web server listening on port 80 and 443 as well as an SSH service on a non-standard port.

I went a bit out of order with the flags so the clues do not match up exactly. I checked out the SSH service first and the banner gave up a flag.

root@kali:~# ssh 172.16.94.136 -p 22222
The authenticity of host '[172.16.94.136]:22222 ([172.16.94.136]:22222)' can't be established.
ECDSA key fingerprint is SHA256:DeCMZ74o5wesBHFLyaVY7UTCA7mW+bx6WroHm6AgMqU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[172.16.94.136]:22222' (ECDSA) to the list of known hosts.
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
root@172.16.94.136's password:

The flag was the MD5 of the word ‘encrypt’.

I spun my wheels for a while on the next flag. After running Burp and Dirbuster and not coming up with anything new, I decided to go file by file. One of the JavaScript files had an interesting comment, in Hex, which was one of the clues.

root@kali:~# curl -s http://172.16.94.136/oldIE/html5.js
/* 666c61677b37633031333230373061306566373164353432363633653964633166356465657d */
/*! HTML5 Shiv v3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed */
/* Source: https://github.com/aFarkas/html5shiv — No longer maintained */
.......................snip......................

Decoding the Hex with Python gave me the next flag, which was the MD5 of ‘nmap’ which must be the hint for the SSH banner flag.

root@kali:~# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b37633031333230373061306566373164353432363633653964633166356465657d".decode('hex')
'flag{7c0132070a0ef71d542663e9dc1f5dee}'
>>>

Dirbuster turned up a protected page. Browsing to it gave me an error message. My first thought was changing my user-agent. I first attempted with Burp Intruder and a large user-agent list but did not get any hits.

root@kali:~# curl -s http://172.16.94.136/personnel
ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging....

Digging around for quite some time led me back to the same JavaScript file with some more interesting comments. The FBI page was expecting my UA to be IE 4.0. Super secure!

Changing my UA to IE 4.0 in Burp Repeater got me access to the FBI Portal page.

I set up a match/replace rule in Burp to make it easier to browse the site directly.


The FBI Portal page was all static content, but I did get the next flag (which cracked to ‘evidence’) as well as a clue “new+flag”.

Following the hint brought me to a password protected page.

Basic-auth can be brute-forced with Burp Intruder but I first needed a username. The JavaScript file from earlier gave us a user name and the login prompt states “FBI Personnel” so I followed the username format and configured Intruder to attempt a brute-force with the user ‘carl.hanratty’.

I set up Burp like so:

The username in position 1 with a ‘:’ separator and base64 encoding to properly format the payloads for basic-auth.

I used a large wordlist and eventually got a hit, the 301 redirect indicated a successful login.

I checked the string for the valid password.

root@kali:/# echo Y2FybC5oYW5yYXR0eTpHcmFjZQ== | base64 -d
carl.hanratty:Grace
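Basic-auth is only base64 over `user:password`, which is why the Intruder payloads above could be built from a wordlist and why a single `base64 -d` recovers the credential. The flip side for a defender is that this kind of guessing is noisy in the web server log: a burst of 401s on one path from one client, then a 301 or 200 once a guess lands. The script below is an added example, not part of the original write-up, and the log lines and the `/protected-area/` path are constructed placeholders (the walkthrough does not name the protected page). It parses Apache combined-format lines and flags clients that exceed a 401 threshold within a time window, noting whether a non-401 followed.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log (not from the VM): one client producing six 401s on a
# Basic-auth protected path before a 301, and one client with two typos then a 200.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Nov/2016:09:30:00 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:01 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:01 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:02 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:02 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:03 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.5 - - [11/Nov/2016:09:30:04 -0500] "GET /protected-area/ HTTP/1.1" 301 0
10.0.0.9 - - [11/Nov/2016:09:31:00 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.9 - - [11/Nov/2016:09:31:20 -0500] "GET /protected-area/ HTTP/1.1" 401 381
10.0.0.9 - alice [11/Nov/2016:09:31:40 -0500] "GET /protected-area/ HTTP/1.1" 200 1200
"""


def decode_basic_credentials(header_value):
    """Split an 'Authorization: Basic <b64>' value back into (user, password).

    Shows that Basic auth is encoding, not encryption: anything that sees the
    header (proxy logs, captures) sees the credential.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def detect_basic_auth_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per (client, path) with >= threshold 401s inside `window`.

    Each alert records the total 401 count and whether a non-401 response for the
    same client/path came after the first failure of the burst (a likely hit).
    """
    events = defaultdict(list)  # (ip, path) -> [(timestamp, status)]
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash the scan
        ts = datetime.strptime(m["ts"], TS_FMT)
        events[(m["ip"], m["path"])].append((ts, int(m["status"])))

    alerts = []
    for (ip, path), evs in events.items():
        evs.sort()
        fails = [t for t, s in evs if s == 401]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                succeeded = any(s != 401 and t >= fails[i] for t, s in evs)
                alerts.append({
                    "ip": ip,
                    "path": path,
                    "failures": len(fails),
                    "followed_by_success": succeeded,
                })
                break  # one alert per client/path is enough
    return alerts


if __name__ == "__main__":
    # Constructed header value, not the credential from the VM.
    print(decode_basic_credentials("Basic " + base64.b64encode(b"alice:s3cret").decode()))
    for alert in detect_basic_auth_bruteforce(SAMPLE_LOG):
        print(alert)
```

The window and threshold are deliberately loose; tune them to the site's normal 401 rate, and treat `followed_by_success` as the signal that turns a noisy alert into an incident.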

I was greeted with an FBI evidence page which gave me my next flag (which cracked to ‘panam’).

It also contained a PDF document that did not yield anything upon inspection.


As with all CTFs, I have gotten in the habit of checking images for hidden data with strings, exiftool, steghide, binwalk, etc. Running binwalk against this image file indicated the presence of something embedded. I attempted to carve it up for a while and didn’t get anywhere.

root@kali:~/Desktop/skyconCTF# binwalk -e image.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
2214320       0x21C9B0        MySQL MISAM compressed data file Version 10

I took a stab with steghide but did not have the passphrase. I eventually had a facepalm moment when trying ‘panam’. I extracted the flag.txt file and had the next flag as well as what appeared to be 2 passwords. But for what? It had to be the SSH service, as the rest of the web application appeared static, but I did not have a username.

root@kali:~/Desktop/skyconCTF# steghide extract -sf image.jpg -p panam
wrote extracted data to "flag.txt".
root@kali:~/Desktop/skyconCTF# cat flag.txt 
flag{d1e5146b171928731385eb7ea38c37b8}
=ILoveFrance

clue=iheartbrenda

Google showed that the ‘fastest man alive’ clue was potentially talking about the Flash, also known as Barry Allen. Google further turned up that Barry Allen was an alias used by Frank Abagnale in the movie to trick the FBI agent tracking him. I put together a list of potential usernames based on all the aliases I could find from the movie and tried various formats.

frank.conners
frank.abagnale
barry.allen
frankconners
frankabagnale
fconners
ballen
frankconners
frankabagnale
barryallen

Trying each of these usernames combined with ‘ILoveFrance’ and ‘iheartbrenda’ eventually got me a successful login: barryallen:iheartbrenda. Logging in got me the next flag.

root@kali:~/Desktop/skyconCTF# ssh barryallen@172.16.94.136 -p 22222
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

14 packages can be updated.
7 updates are security updates.

/usr/bin/xauth:  file /home/barryallen/.Xauthority does not exist
barryallen@skydogconctf2016:~$ 


barryallen@skydogconctf2016:~$ ls
flag.txt  security-system.data
barryallen@skydogconctf2016:~$ cat flag.txt 
flag{bd2f6a1d5242c962a05619c56fa47ba6}

This MD5 cracked to ‘theflash’.

There was also a large zip file in the user’s home directory which I transferred off using SCP to work on locally.

barryallen@skydogconctf2016:~$ file security-system.data 
security-system.data: Zip archive data, at least v2.0 to extract


root@kali:~/Desktop/skyconCTF# scp -P 22222 barryallen@172.16.94.136:/home/barryallen/security-system.data /root/Desktop/skyconCTF
###############################################################
#                         WARNING                             #
#		FBI - Authorized access only!                 # 
# Disconnect IMMEDIATELY if you are not an authorized user!!! #
#         All actions Will be monitored and recorded          #
#	Flag{53c82eba31f6d416f331de9162ebe997}		      #
###############################################################
barryallen@172.16.94.136's password: 
security-system.data                          100%   71MB  80.0MB/s   00:00

I unzipped the file and ran it through binwalk, which ended up crashing my VM due to the size. Whoops.

root@kali:~/Desktop/skyconCTF# unzip security-system.data.zip 
Archive:  security-system.data.zip
  inflating: security-system.data 

root@kali:~/Desktop/skyconCTF# binwalk -e security-system.data

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
150720        0x24CC0         Microsoft executable, portable (PE)
656418        0xA0422         Copyright string: "Copyright 1985-1998,Phoenix Technologies Ltd.All rights reserved."
819330        0xC8082         Copyright string: "Copyright (C) 2003-2014  VMware, Inc."
819369        0xC80A9         Copyright string: "Copyright (C) 1997-2000  Intel Corporation"
985388        0xF092C         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
996673        0xF3541         Copyright string: "Copyright 2000-2015 VMware, Inc."
1000211       0xF4313         Copyright string: "Copyright 1985-2001 Phoenix Technologies Ltd."
5074944       0x4D7000        Microsoft executable, portable (PE)
5894224       0x59F050        Copyright string: "Copyright (C) Rational Systems, Inc."
6758664       0x672108        CRC32 polynomial table, little endian
7143424       0x6D0000        Microsoft executable, portable (PE)
17394939      0x1096CFB       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
19261011      0x125E653       mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
.......................snip......................

The file appeared to be a memory dump. I haven’t done much forensics so I turned to Google and came up with Volatility on Kali which seems to be a go-to for analyzing memory dumps.

I got started with this guide: http://resources.infosecinstitute.com/memory-forensics-and-analysis-using-volatility/

I first had to check the image info to figure out the operating system the dump came from and set up a profile moving forward.

root@kali:~/Desktop/skyconCTF# volatility imageinfo -f security-system.data 
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/root/Desktop/skyconCTF/security-system.data)
                      PAE type : PAE
                           DTB : 0x33e000L
                          KDBG : 0x80545b60L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2016-10-10 22:00:50 UTC+0000
     Image local date and time : 2016-10-10 18:00:50 -0400

I next used the ‘filescan’ plugin and dumped out all the file names.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data filescan > files
Volatility Foundation Volatility Framework 2.5
root@kali:~/Desktop/skyconCTF# cat files | grep flag.txt 
root@kali:~/Desktop/skyconCTF# cat files | grep flag
root@kali:~/Desktop/skyconCTF# cat files | grep .txt
0x0000000005e612f8      1      0 -W-r-- \Device\HarddiskVolume1\Documents and Settings\test\Desktop\code.txt
0x0000000

I grepped for ‘flag.txt’, ‘flag’ and just ‘.txt’ until I got several hits. Code.txt looked particularly promising. Looking at the plugin list I noticed one for checking command line history. Running it got me another Hex string.

root@kali:~/Desktop/skyconCTF# volatility --profile=WinXPSP2x86 -f security-system.data cmdscan
Volatility Foundation Volatility Framework 2.5
**************************************************
CommandProcess: csrss.exe Pid: 560
CommandHistory: 0x10186f8 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 2 LastAdded: 1 LastDisplayed: 1
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x2d4
Cmd #0 @ 0x1024400: cd Desktop
Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d > code.txt

Once again I was able to use Python to decode the Hex and grab the last flag.

root@kali:~/Desktop/skyconCTF# python
Python 2.7.12+ (default, Sep  1 2016, 20:27:38) 
[GCC 6.2.0 20160822] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "666c61677b38343164643364623239623066626264383963376235626537363863646338317d".decode('hex')
'flag{841dd3db29b0fbbd89c7b5be768cdc81}'
>>> 
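Two of the flags on this box were the same trick in two disguises: a contiguous hex string in a JavaScript comment, and a space-separated byte list typed into `cmd.exe` and recovered by Volatility's `cmdscan`. The Python 2 `.decode('hex')` call above no longer exists in Python 3, so the script below is an added example (not from the original write-up) covering both passages: it finds hex runs in either form, decodes them with `bytes.fromhex`, and reports any that decode to a `flag{<32 hex>}` pattern. The JavaScript and cmdscan samples it runs on are constructed; the flag values in them are dummies, not the real flags.

```python
import re

# Space-separated byte pairs (at least two), as cmd.exe 'echo' history shows them.
_SPACED = re.compile(r"\b[0-9a-fA-F]{2}\b(?:\s+[0-9a-fA-F]{2}\b)+")
# A contiguous even-length hex run of at least 8 bytes, as in a source comment.
_CONTIG = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")
# The flag format used throughout this CTF: flag{ + 32 hex chars + }.
FLAG_RE = re.compile(rb"flag\{[0-9a-f]{32}\}", re.IGNORECASE)

# Constructed samples (not the real files): dummy flag bodies of all '0' / all 'a'.
JS_SAMPLE = "/* " + "666c61677b" + "30" * 32 + "7d" + " */\n/*! HTML5 Shiv v3.6 */"
CMDSCAN_SAMPLE = (
    "Cmd #0 @ 0x1024400: cd Desktop\n"
    "Cmd #1 @ 0x4f2660: echo 66 6c 61 67 7b " + " ".join(["61"] * 32) + " 7d > code.txt"
)


def hex_runs(text):
    """Yield decoded byte strings for every hex run found in text.

    Handles both the contiguous form ('666c6167...') and the spaced form
    ('66 6c 61 67 ...'); the two regexes do not overlap because a spaced run
    has word boundaries between pairs and a contiguous run has none.
    """
    for m in _SPACED.finditer(text):
        yield bytes.fromhex(re.sub(r"\s+", "", m.group(0)))
    for m in _CONTIG.finditer(text):
        yield bytes.fromhex(m.group(0))


def decoded_printable(text):
    """Return every hex run that decodes to printable ASCII (useful for triage)."""
    out = []
    for blob in hex_runs(text):
        try:
            s = blob.decode("ascii")
        except UnicodeDecodeError:
            continue
        if s.isprintable():
            out.append(s)
    return out


def find_flags(text):
    """Return all flag{...} strings hidden as hex anywhere in text."""
    flags = []
    for blob in hex_runs(text):
        for fm in FLAG_RE.finditer(blob):
            flags.append(fm.group(0).decode("ascii"))
    return flags


if __name__ == "__main__":
    for label, sample in (("javascript comment", JS_SAMPLE), ("cmdscan output", CMDSCAN_SAMPLE)):
        print(label, "->", find_flags(sample))
```

Pointed at a whole directory of static assets or a full `cmdscan`/`consoles` dump, `decoded_printable` surfaces every hex blob that decodes to readable text, which is the general version of the file-by-file hunt described earlier.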

Flag 3 kept me stumped. I ran Wireshark and Ettercap for a while since the clue seemed to allude to traffic sniffing, but no luck. I dug around the file system for a while and did not notice any services calling out. Eventually I took a look at the Apache configuration and found flag3 hidden inside the apache.crt file.

I decoded the base64 in Burp which gave me the MD5 of ‘personnel’. Luckily I found that page with Dirbuster or I would have been quite stuck.

This was a fun challenge and I got to play around with forensics tools a bit. I spent quite some time going through the memory dump with Volatility afterwards, really cool stuff.

Thanks to @jamesbower for putting this challenge together as well as @g0tmi1k and the @vulnhub team for continuing to maintain this community.