Introduction
Game of Thrones airs its final season this year, and I am really looking forward to it: after all that fighting over the throne, they finally get to fight the White Walkers.
Good luck, the old gods and the new will protect you!
Download URL: https://www.vulnhub.com/entry/game-of-thrones-ctf-1,201/
Target VM: VirtualBox
Attacking machine: Kali Linux
0x001 Information gathering
Kali Linux runs on a physical machine, which makes things slightly more work; the VM uses VirtualBox's bridged network adapter mode.
Scan the network to find the target's IP
nmap -sn 192.168.1.1-254
Nmap scan report for 192.168.1.104
Host is up (0.039s latency).
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Target found; run a detailed TCP scan of all ports
nmap -A -T4 -Pn -p- 192.168.1.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-21 17:22 CST
Nmap scan report for 192.168.1.104
Host is up (0.0088s latency).
Not shown: 65526 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh Linksys WRT45G modified dropbear sshd (protocol 2.0)
| ssh-hostkey:
| 2048 e6:5b:d7:78:6b:86:4f:9b:35:40:9f:c7:1f:dd:0d:9f (RSA)
| 256 b8:e3:30:88:2e:ba:56:f2:49:b0:cc:35:c7:cc:48:06 (ECDSA)
|_ 256 a9:f2:d8:ee:f0:93:49:d8:19:04:ff:ad:89:ee:df:7d (ED25519)
53/tcp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
| bind
|_ Bind
80/tcp open http Apache httpd
| http-robots.txt: 2 disallowed entries
|_/secret-island/ /direct-access-to-kings-landing/
|_http-server-header: Apache
|_http-title: Game of Thrones CTF
143/tcp filtered imap
1337/tcp open http nginx
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=Welcome to Casterly Rock
|_http-server-header: nginx
|_http-title: 401 Authorization Required
3306/tcp filtered mysql
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6
10000/tcp open http MiniServ 1.590 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Login to Stormlands
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.70%I=7%D=1/21%Time=5C458F83%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,3F,"\0=\0\x06\x85\0\0\x01\0\x01\0\x01\0\0\x07version\x
SF:04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x05\x04Bind\xc0\x0c\
SF:0\x02\0\x03\0\0\0\0\0\x02\xc0\x0c");
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Device: router
UDP scan
nmap -n -A -sU 192.168.1.104
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-21 17:25 CST
Nmap scan report for 192.168.1.104
Host is up (0.0042s latency).
Not shown: 955 closed ports, 44 open|filtered ports
PORT STATE SERVICE VERSION
53/udp open domain (unknown banner: Bind)
| dns-nsid:
|_ bind.version: Bind
|_dns-recursion: Recursion appears to be enabled
| fingerprint-strings:
| DNSVersionBindReq:
| version
| bind
| Bind
| NBTStat:
| CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|_ ROOT-SERVERS
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: E0:94:67:A1:C9:FD (Intel Corporate)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
0x002 Reconnaissance
Visit port 80 to see whether there is anything to gain
http://192.168.1.104/
The page shows a single image and plays familiar music.
Viewing the source tells us what we need to do
This is the Game of Thrones CTF v1.0 (September 2017)
Designed by Oscar Alfonso (OscarAkaElvis or v1s1t0r)
Contact: v1s1t0r.1s.h3r3@gmail.com
https://github.com/OscarAkaElvis/game-of-thrones-hacking-ctf
Thanks to the beta testers, specially to j0n3, Kal3l and masAcre
--------------------------------------
[ASCII-art banner]
--------------------------------------
Goal:
-Get the 7 kingdom flags and the 4 extra content flags (3 secret flags + final battle flag). There are 11 in total.
Rules/guidelines to play:
- Start your conquer of the seven kingdoms
- You'll need hacking skills, no Game of Thrones knowledge is required. But if you play, it may contains spoilers of the TV series
- Difficulty of the CTF: Medium-High
- This is the start point, the base camp
- You must travel to westeros. First stop: Dorne. Last stop: King's Landing
- Don't forget to take your map (try to find it). It will guide you about the natural flag order to follow over the kingdoms
- Listen CAREFULLY to the hints. If you are stuck, read the hints again!
- Powerful fail2ban spells were cast everywhere. Bruteforce is not an option for this CTF (2 minutes ban penalty)
- The flags are 32 chars strings. Keep'em all! you'll need them
Good luck, the old gods and the new will protect you!
The game already started!! A couple of hints as a present.
"Everything can be TAGGED in this world, even the magic or the music" - Bronn of the Blackwater
"To enter in Dorne you'll need to be a kind face" - Ellaria Sand
Check whether robots.txt gives away any useful information
http://192.168.1.104/robots.txt
User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/
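As an added illustration (not part of the original write-up), the robots.txt above evaluated with a small parser that groups rules by User-agent, resolves which paths each agent may fetch, and lists every Disallow entry, which is exactly what a scanner learns from the file regardless of the agent string. Matching follows the longest-prefix rule; the robots.txt content is copied from the page.

```python
# Added example, not from the original write-up: evaluate the target's robots.txt
# the way a crawler (or a recon script) would, and show what it leaks.

# robots.txt exactly as served by the target (copied from the write-up above)
ROBOTS_TXT = """\
User-agent: Three-eyed-raven
Allow: /the-tree/
User-agent: *
Disallow: /secret-island/
Disallow: /direct-access-to-kings-landing/
"""


def parse_robots(text):
    """Return {agent (lower-case): [(rule, path), ...]} grouped under User-agent lines."""
    groups, current = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            current = groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and value:
            current.append((field, value))            # rules before any User-agent are ignored
    return groups


def can_fetch(groups, agent, path):
    """Pick the agent's own group (falling back to '*'); the longest matching
    path prefix wins, and Allow beats Disallow on equal length. No match = allowed."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    best = None
    for rule, prefix in rules:
        if not path.startswith(prefix):
            continue
        if best is None or len(prefix) > len(best[1]) or (
            len(prefix) == len(best[1]) and rule == "allow"
        ):
            best = (rule, prefix)
    return best is None or best[0] == "allow"


def leaked_paths(groups):
    """Every Disallow target across all groups: hidden paths handed to anyone who reads the file."""
    return sorted({p for rules in groups.values() for r, p in rules if r == "disallow"})


if __name__ == "__main__":
    g = parse_robots(ROBOTS_TXT)
    print("Three-eyed-raven may fetch /the-tree/:", can_fetch(g, "Three-eyed-raven", "/the-tree/"))
    print("Paths disclosed by Disallow lines:", leaked_paths(g))
```

Note that a `Disallow` line does not restrict access in any way: the web server still serves `/secret-island/` to anyone who asks for it, so keeping a path out of search engines and keeping it private are different problems.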
Visit http://192.168.1.104/the-tree/
Viewing the source, we find a hint in a comment: find the three-eyed raven. What is odd about this sentence is its capital letters, which spell out USERAGENT; together with the robots.txt hint, this points at the User-Agent field of the request header.
<!--
"You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed raven" - Written on the tree by somebody
-->
Intercept the request with Burp and change the header to User-Agent: Three-eyed-raven
GET /the-tree/ HTTP/1.1
Host: 192.168.1.104
User-Agent: Three-eyed-raven
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
This yields new hints.
View the source
<!--
"I will give you three hints, I can see the future so listen carefully" - The three-eyed raven Bran Stark
"To enter in Dorne you must identify as oberynmartell. You still should find the password"
"3487 64535 12345 . Remember these numbers, you'll need to use them with POLITE people you'll know when to use them"
"The savages never crossed the wall. So you must look for them before crossing it"
-->
Next, visit http://192.168.1.104/secret-island/
The source contains this hint:
<!--
"Take this map and use it wisely. I want to be your friend" - Petyr (Littlefinger) Baelish
-->
The page also provides the map image.
Visit http://192.168.1.104/direct-access-to-kings-landing/
The source hint says that the music being played contains something we want; leave that for now.
<!--
"I've heard the savages usually play music. They are not as wild as one can expect, are they?" - Sansa Stark
-->
Continue reconnaissance by looking for useful information in the CSS