We covered the first part solution of the Game of Thrones CTF on Vulnhub, where we gathered the challenge flags using various active information gathering techniques such as nmap scanning, anonymous FTP login, and metadata extraction with exiftool.
We also covered the second part solution of the Game of Thrones Vulnhub walkthrough, where we demonstrated interacting with PostgreSQL using psql to extract flags and information.
Initial Setup & Reconnaissance
I started by getting the vulnerable machine set up. After that, I performed an nmap scan (I didn’t show the command itself, but the results were discussed), which revealed several open ports, including FTP (21), SSH (22), HTTP, and MySQL. Then, I navigated to the web server hosted on the vulnerable machine.
Exploring the Website & User Agent
I tried robots.txt in the URL to find accessible directories, and it told me that a specific user agent was required: “three-eyed Raven.” To see the directories correctly, I used a browser plugin to change my user agent to “three-eyed Raven.” One of the directories, /secretisland/, displayed a map outlining the challenge’s progression: FTP server first, then HTTP, and so on.
Finding the First Hint (Music File)
Another directory contained a hint in its source code about a music/MP3 file. I downloaded an MP3 file from the main webpage. To analyze its metadata, I used exiftool. The command I would use is similar to: exiftool [filename.mp3]. This process revealed the first secret flag: “gold savages.”
Accessing the FTP Server
Navigating to another directory, the page source provided a hint for an FTP username: “over inmortal.” I then used dirb (or a similar tool) with the common.txt wordlist to find more directories. The command would be something like: dirb http://[target_ip]/ [path_to_wordlist]/common.txt. This scan unveiled a hidden directory named /hidden/. The source code of the /hidden/ page revealed the password for the FTP server (for the user “Dorney,” although I used the previously found username “over inmortal”).
I then connected to the FTP server using the command: ftp [target_ip]. I logged in with the username over inmortal and the password I had just found. Inside the FTP server, I used the ls command (which I typed as “list command”) to see two files. I then used get [filename] to download both of them.
Decrypting FTP Files & Getting the Second Flag
One of the downloaded files, “problems in the north,” contained a hint about an MD5 hash with a salt. I knew I needed to use hashcat with the rockyou.txt wordlist to crack this hash. The command would look something like: hashcat -m [mode] [hash_file] rockyou.txt. The cracked password turned out to be “stork.”
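To show what the hashcat step above actually does to a salted MD5 line, here is an added example (not code from the original walkthrough or from hashcat): it rebuilds the "hash:salt" input format for hashcat's md5($pass.$salt) and md5($salt.$pass) modes and runs a tiny dictionary attack over it. The hash, the salt "winter" and the five-word list standing in for rockyou.txt are all constructed here; only the recovered word "stork" comes from the page.

```python
import hashlib

# Constructed sample line in the "hash:salt" shape hashcat reads for its
# salted-MD5 modes (10 = md5($pass.$salt), 20 = md5($salt.$pass)).
# Salt "winter" is made up; it is NOT the CTF's real hash or salt.
SALT = "winter"
SAMPLE_LINE = hashlib.md5(("stork" + SALT).encode()).hexdigest() + ":" + SALT

# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "dragon", "winterfell", "stork", "jon"]


def salted_md5_candidates(word, salt):
    """Yield (mode label, hex digest) for the two usual salt placements."""
    yield "md5($pass.$salt)", hashlib.md5((word + salt).encode()).hexdigest()
    yield "md5($salt.$pass)", hashlib.md5((salt + word).encode()).hexdigest()


def crack_salted_md5(line, wordlist):
    """Dictionary attack on one 'hash:salt' line.

    Returns (word, mode_label) on a hit, or None if no word in the list
    matches under either salt placement. Raises ValueError on a line that
    lacks the ':' separator, so a malformed hash file fails loudly.
    """
    if ":" not in line:
        raise ValueError("expected 'hash:salt', got: %r" % line)
    digest, salt = line.strip().split(":", 1)
    digest = digest.lower()          # hash files may carry uppercase hex
    for word in wordlist:
        for label, candidate in salted_md5_candidates(word, salt):
            if candidate == digest:
                return word, label
    return None


if __name__ == "__main__":
    # Salting defeats precomputed tables but not a wordlist run: MD5 is fast
    # and "stork" is in the list, so this returns almost instantly.
    print(crack_salted_md5(SAMPLE_LINE, WORDLIST))
```

The same loop run with a slow password hash (bcrypt, scrypt, Argon2) instead of MD5 would be the defender's fix: the salt only stops table lookups, while the per-guess cost is what limits wordlist attacks.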
This password “stork” was then used to decrypt the other downloaded FTP file, named “the world.txt.nc.” I used mcrypt for the decryption. After navigating to the file’s directory, the command would be: mcrypt [encrypted_file_name]. I entered the passphrase “stork.” After decryption, I viewed the file using the command: cat [decrypted_file_name] (the file was renamed “the world.txt” after decryption). The decrypted file provided a URL and credentials to access the next part of the challenge, which was supposed to yield the second flag.
Accessing the Second Flag’s Location
The URL from the decrypted file wasn’t directly resolvable, so I edited my /etc/hosts file to map the vulnerable machine’s IP address to this new hostname. I’d typically use a command like sudo nano /etc/hosts for this. Navigating to this new URL in the browser and viewing its page source revealed the second flag: “you have conquered the kingdom of the north which is the HTTP is your second flag.” The page also hinted that the next step involved the “Iron Islands,” a DNS server.
That’s where the video concluded, with the promise of a follow-up for the remaining flags.