Penetration Testing Project Game of Thrones CTF: 1

System and Enterprise Security
Master Degree in Engineering in Computer Science
Penetration Testing Project
Game of Thrones CTF: 1
Tanasache Florin
1524243
1

Contents
1 Summary 3
2 Attack Narrative 4
2.1 Dorne . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2 The Wall & The North . . . . . . . . . . . . . . . . 20
2.3 Iron Islands . . . . . . . . . . . . . . . . . . . . . . 25
2.4 Stormlands . . . . . . . . . . . . . . . . . . . . . . 27
2.5 Mountain and The Vale . . . . . . . . . . . . . . . . 30
2.6 The Reach . . . . . . . . . . . . . . . . . . . . . . . 35
2.7 The Rock and King’s Landing . . . . . . . . . . . . 38
2.8 The Dragonglass Mine . . . . . . . . . . . . . . . . 43
2.9 The Final Battle . . . . . . . . . . . . . . . . . . . . 46
3 Recommendations 51
4 Vulnerability List 52
4.1 Weak Credentials . . . . . . . . . . . . . . . . . . . 52
4.2 Web Server Files . . . . . . . . . . . . . . . . . . . 52
4.3 Insecure FTP service . . . . . . . . . . . . . . . . . 52
4.4 Insecure HTTP service . . . . . . . . . . . . . . . . 52
4.5 Insecure DNS service . . . . . . . . . . . . . . . . . 53
4.6 Sitemap.xml . . . . . . . . . . . . . . . . . . . . . 53
4.7 Weak Hashing Function - MD5 . . . . . . . . . . . . 53
4.8 Hosts File . . . . . . . . . . . . . . . . . . . . . . . 53
4.9 SQL Injection . . . . . . . . . . . . . . . . . . . . . 54
4.10 Port Knocking . . . . . . . . . . . . . . . . . . . . . 54
4.11 GitList . . . . . . . . . . . . . . . . . . . . . . . . 54
4.12 Docker Daemon Privilege Escalation . . . . . . . . . 55
2

Abstract
This document provides a complete report on a penetration test using Kali Linux with a vulnera-
ble machine available on Vulnhub.com. The Game of Thrones CTF: 1 (Capture The Flag) contains 11
flags in total (7 kingdom flags, 3 secret flags and one battle flag). The first chapter introduces a short
description about cyber-risks and general IT security nowadays. The second chapter contains the set-
ting for the laboratory in Oracle Virtual Box software to virtualize the attacker machine and the target
machine. Furthermore, the subchapters are about the attack narrative, each one according to a specific
step-by-step location. Please notice that this walkthrough might contain spoilers to the actual TV series.
Ultimately, a comment about the vulnerabilities found in this challenge, some recommendations and the
major consulted resources and used tools.
1 Summary
We live in an increasingly networked world, from personal banking to government infrastructure. Protecting
those networks is no longer optional. Cyber risk is now firmly at the top of the international agenda as high
profile breaches raise fears that hack attacks and other security failures could endanger the global economy.
Penetration testing, or pentesting, involves simulating real attacks to assess the risk associated with poten-
tial security breaches. On a pentest (as opposed to a vulnerability assessment), the testers not only discover
vulnerabilities that could be used by attackers but also exploit vulnerabilities, where possible, to assess what
attackers might gain after a successful exploitation.
A penetration test (PT) is a proof-of-concept approach to actually explore and exploit vulnerabilities. This
process confirms whether the vulnerability really exists and further proves that exploiting it can result in
damage to the application or network. The PT process is mostly intrusive and can actually cause damage to
the systems; hence, a lot of precautions need to be taken before planning such a test. The outcome of a PT
is, typically, evidence in the form of a screenshot or log, which substantiates the finding and can be a useful
aid towards remediation.[1]
Generally, a pentest methodology has the following phases:
• Preparation : Defining the parameters of the test such as objectives, external vs internal pentesting,
scope, roles and responsibilities, limitations.
• Reconnaissance : Collecting information on the target. There are two modes: Passive with no inter-
action with the target, and Active where direct interactions are required.
• Scanning : Gathering basic infos on the target and trying to determine an attack surface. Two main
approaches: Port/network scanning and Vulnerability scanning.
• Explotation : There are a huge amount of tools available. In this phase the right tool for the job
depends on the kind of exploit you need to perform. Kali Linux distribution contains a large number
of potential candidates.
• Maintaining Access : Maintaining access requires taking the steps involved in being able to be
persistently within the target environment in order to gather as much data as possible.
• Covering Tracks : The final phase of covering tracks simply means that the attacker must take the
steps necessary to remove all semblance of detection. Any changes that were made, authorizations that
were escalated etc. all must return to a state of non-recognition by the host networks administrators.
3

2 Attack Narrative
For this challenge we are going to test the Game of Thrones CTF: 1 provided by Vulnhub[2]. Once down-
loaded the OVA file, we have imported it into the open-source hypervisor Oracle VM VirtualBox Version
5.1.30 [3]. The name of the CTF machine is Game of Thrones. In order to perform the penetration test
we have also installed Kali Linux OS, set as another VM. The next step is the proper configuration of the
network settings for the two working machines.
As specified in the note on the sites (Vulnhub), the Game of Thrones VM must be on the same subnet
as the attacking machine. Consequently, we have set the network interface as Host-Only mode on a network
called VirtualBox Host-Only Ethernet Adapter and subsequently configured correctly the DHCP server. Af-
ter that, we start the both VMs, especially Kali which we are going to use for all operations.
The VM Game of Thrones is booted up in command line mode with a request for login data. Obviously we
do not have the credentials for the login. Then, with both VMs in running mode we are going to use only
the Kali Linux for this challenge.
Usually in the penetration test its not possible to access directly to the machine we want to attack. In-
deed, we run operations only on the Kali Linux VM, and in the vulnerable VM we have only the main login
screen.
The first step is to discover to which subnetwork the machine is connected and then discover the IP address
assigned by the DHCP server. As we remember from previously, we have already set the subnetwork , so
now we only have to discover the IP address.
We start with discovering the host. For this we usually use the netdiscover, an active/passive reconnaissance
tool, mainly developed for those wirelles networks[4].
root@kali:~# netdiscover -r 192.168.231.0/24
• -r: range, scan a given range instead of auto-scan /24 /16 /8.
Figure 1: Netdiscover Output
4

In the Figure 1 we can see the three addresses found by the tool. The addresses 192.168.231.1 and
192.168.231.100 are related correspondingly to the Apache server of VirtualBox and the DHCP server set
by VirtualBox.
Therefore, 192.168.231.103 is the IP address assigned by the DHCP to the Game of Thrones CTF machine.
Next we need to find out what open ports there are, so let’s begin with a port scanning using the popu-
lar tool nmap[5]. Nmap is a security scanner, used to discover hosts and services in a computer network,
thus building a ”map” of the network. To achieve its goal, Nmap sends special packets to the target hosts
and then analyzes the responses.
root@kali:~# nmap -Pn -A -v 192.168.231.103
• -Pn : treat all hosts as online skip host directory.
• -A : enable OS detection, version detection, script scanning and traceroute.
• -v : increase verbosity level.
Figure 2: Nmap Output
There are quite many open ports (Figure 2). We are going to analyze them later. Now, we usually start with
the http service (port 80).
Before we analyze the webpage, we use another tool given by Kali. Nikto is a web application vulnerability
scanner that looks for issues such as dangerous files, outdated versions and misconfigurations[6].
5

Figure 3: Nikto Output
Also, in this case (Figure 3) we have a lot of useful informations to complete the challenge, particularly
those highlighted in yellow. We will use them just ahead.
2.1 Dorne
Figure 4: Main page Game of Thrones CTF
Let’s begin our conquest to the throne with the main webpage, by entering the IP address of the VM in your
browser (Figure 4). Here it only shows a Game of Thrones background and plays the amazing intro song.
Having a look at the source code however, reveals useful hints.
6

Figure 5: Source code of the main page
We have multiple hints in this source code. The two main are:
• ”Everything can be TAGGED in this world, even the magic or the music” - Bronn of the Blackwater
• ”To enter in Dorne you’ll need to be a kind face” - Ellaria Sand
The first stop suggests to be a kind face, referencing that brute force techniques are not to be used. The
second proposes that even the music can be tagged in this world, and this probably means that we need to
analyze the music files when we find them. How we have already probably seen, there is the .wav and the
.mp3 file in the source code. Then we download both of them and look at their properties.
In the .wav file there was nothing special, whereas in the other one’s audio properties (Figure 6) we got
our first flag. This is not the flag of Dorne, but the first of three secret flags.
Savages secret flag: 8bf8854bebe108183caeb845c7676ae4
7

Figure 6: Audio properties of the .mp3 file
Now, let’s see the source code of the JavaScript (Figure 7) and CSS referenced in the welcome page.
They contain three more hints:
• ”Music reaches where words can’t. It’s known even for the animals” - Catelyn Stark
• ”You’ll never enter into King’s Landing through the main gates. The queen ordered to close them
permanently until the end of the war” - Tywin Lannister
• ”If you put a city under siege, after five attacks you’ll be banned two minutes” - Aegon the Conqueror
and His Conquest of Westeros Book
Figure 7: Source code of the JavaScript file
8

The hints tell us that we cannot enter directly into king’s landing and we cannot use brute force services or
we will get banned for 2 minutes. Since this has been all we found in the source code we remember that
the Nikto tool reported that we have three http directories in the robots.txt file that we can visit (Figure 8).
These are: /the-tree/,/secret-island/ and /direct-access-to-kings-landing/.
Figure 8: Content of the robots.txt file
So, let’s visit them. The /the-tree/ shows an image of Jon Snow when he was stabbed (Figure 9). Oh
well. But we are pretty sure that we are not dead yet. John Snow never dies!
Figure 9: The /the-tree page
Having a look at the source-code of the page revealed another hint (Figure 10):
• ”You mUSt changE your own shape and foRm if you wAnt to GEt the right aNswer from the Three-eyed
raven” - Written on the tree by somebody
We notice that it is very suspicious that there are some capital characters in the hint. Taking only those we
have the word ”USERAGENT”. This and the content of the robots.txt about the specified useragent lead
us to change the User-Agent to ”Three-eyed-raven”.
9

Figure 10: Source code of the /the-tree page
In order to change this we can use the BurpSuite tool provided by Kali. Burp Suite is a graphical tool
for testing Web application security. The tool is written in Java and developed by PortSwigger Security [7].
Then, we run it. However, by default, Burp’s proxy service listens on the local ip (127.0.0.1) on TCP port
8080.
Therefore, we have to go in our Web Browser (for instance Mozilla which is bundled in Kali Linux) and go
to: Preferences/Advanced/Network tab/Settings. like shown in the Figure 11.
Figure 11: Settings Mozilla Firefox
Now, when we open a new tab and we go to http://192.168.1.90/the-tree/ burp will intercept the request.
Note that our web page in our browser will be blanc but if we go to burp we can see your HTTP request. In
the Figure 12 the HTTP request show us the User-Agent used by Mozilla Firefox. So, we have to change it,
that is, replace it with Three-eyed-raven and click the Forward button.
10

Figure 12: HTTP request on Burp
N.B: After that we can reconﬁgure the browser to stop using Burp for now, or we can turn off Intercept
in Burp under the Proxy tab.
Let’s see what happens if we go back to our browser. We should see Bran that wants to help us (Figure 13 ).
Figure 13: Previous page with an another User-Agent
Since Bran said that he wants to help us, let’s check the source code of the page (Figure 14).
11

Figure 14: Source code of the Bran page
Bran gave us three hints :
• ”To enter in Dorne you must identify as oberynmartell. You still should find the password”
• ”3487 64535 12345 . Remember these numbers, you’ll need to use them with POLITE people you’ll
know when to use them”
• ”The savages never crossed the wall. So you must look for them before crossing it”
We now have something that looks like a username for Dorne (oberynmartell) and also something that looks
like a set of port numbers, maybe useful further. Furthermore, we also have a hint that the flag of the Savages
is at the beginning of the challenge but we already found it.
Despite having the username for Dorne we still need to find out the password and where to access it.
Continuing with the list of the directories of the robots.txt let’s go to the /secret-island/ (Figure 15).
12

Figure 15: The /secret-island/ page
Not bad, Lord Baelish gave us The Map of Westeros. Also, in this case, we should see the source (Figure
16). Unfortunately, in this case there is not much. So, let’s analyze The Map of Westeros.
Figure 16: Source code of the /secret-island/ page
In the Figure 17 we can see the path we have to walk in order to conquer the Seven Kingdoms. Luckily,
this map tells us where to access every kingdom, especially that Dorne is on the FTP port. We have a total
of 11 Flags (we already have 1, the Savage’s Secret ﬂag, 10 more to go).
13

Figure 17: The The Map of Westeros
So, going back to the nmap scan (figure 2) we note the open ports. The order to tackle this challenge is:
1. Dorne (FTP) −→ TCP port 21
2. The Wall & The North (HTTP) −→ TCP port 80
3. Iron Islands (DNS) −→ TCP port 53
4. Stormlands (WEBMIN) −→ TCP port 10000
5. Mountain and The Vale (PostgreSQL) −→ TCP port 5432
6. The Reach (IMAP) −→ TCP port 143 (filtered)
7. The Rock and King’s Landing (GitList & mySQL) −→ TCP port 3306
8. Final Battle(SSH) −→ TCP port 22
In order to attack the FTP service, we still need the password though. So, let’s try the last http page from
the robots.txt file, the /direct-access-to-kings-landing/ (Figure 18).
14

Figure 18: The /direct-access-to-kings-landing/ page
Oh, King Joffrey. Let’s check the source code (Figure 19).
Figure 19: Source code of the /direct-access-to-kings-landing/ page
In the source page we notice another reference to the Savages. We have that flag so let’s continue.
However, something is missing so we probably need to investigate more. Next, let’s try using the tool called
uniscan [8]. Uniscan is a powerful vulnerability scanner which includes web and server fingerprinting. This
scanner works better than any vulnerability scanners such as Nikto.
root@kali:~# uniscan -u 192.168.231.103 -qwdes
• -u : ¡URL¿Ł- i.e. website address to scan for vulnerabilities.
• -q : enable directory checks.
• -w : enable file checks.
• -d : enable dynamic checks.
15

• -e : enable robots.txt and sitemap.xml check.
• -s : enable static checks.
Uniscan gives us two checks: robots.txt that we have already examined and the file /sitemap.xml. Checking
the sitemap.xml file (Figure 20) we can note the PHP script raven.php.
Figure 20: The /sitemap.xml/ file
Then, let’s check it out (Figure 21):
Figure 21: The /raven.php file
Ah, a crow. Probably he has a message for us. Let’s see the source as shown in the Figure 22:
Figure 22: Source code of the /raven.php file
16

As we predicted on raven.php we have another useful hint:
• ”To pass through the wall, mcrypt spell will help you. It doesn’t matter who you are, only the key is
needed to open the secret door” - Anonymous
This hint means that when we are at the Wall we will need to use the mcrypt tool with a key to decrypt
something. Well, it can be very useful.
However, we have not the password to Dorne yet. This means that we need to investigate more and more,
undoubtedly we have missed something. Then, let’s use the dirb tool, another useful tool provided by Kali.
DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by
launching a dictionary based attack against a web server and analyzing the response.
root@kali:~# dirb http://192.168.231.103/
Figure 23: DIRB output
After an intense scanning, in the Figure 23 we can note that there is another interesting hidden directory
(yellow).
This directory is http://192.168.231.103/h/i/d/d/e/n/. Let’s check it (Figure 24) :
17

Figure 24: The /h/i//d/d/e/n/ page
Hi Ser Jorah. Well, we are on the right path. Let’s check the source (Figure 25).
Figure 25: Source code of the /h/i//d/d/e/n/ page
The page source reveals again two hints:
• ”My little birds are everywhere. To enter in Dorne you must say: A verySmallManCanCastAVeryLargeShad0w
. Now, you owe me - Lord (The Spider) Varys”
• ”Powerful docker spells were cast over all kingdoms. We must be careful! You can’t travel directly
from one to another usually. That’s what the Lord of Light has shown me” - The Red Woman Melisan-
dre”
Just perfect! Varys gave us our FTP password. So our credentials for Dorne should be :
Username: oberynmartell
Password: A verySmallManCanCastAVeryLargeShad0w
18

N.B. In this challenge it is really important to pay attention to the hints. Hence, do not forget the hint from
Melissandre. She is talking about dockers and how we may be able in the future to get from one docker
container to another.
Having the right credentials, let’s log into the FTP server and find the flag.
root@kali:~# ftp 192.168.231.103
We are in Dorne. Here is the our first kingdom flag (Figure 26).
Figure 26: Dorne
Kingdom Flags 1/7
Dorne : fb8d98be1265dd88bac522e1b2182140
Secret Flags 1/3
Savages : 8bf8854bebe108183caeb845c7676ae4
19

2.2 The Wall & The North
Once reached Dorne we have to continue the adventure until the final battle against the White Walkers. As
we can see in the Figure 26, the command dir allows us to see the available files and directories in the
current directory. There are two files. We can proceed to download them: problems in the north.txt and
the wall.txt.nc.
The file file the wall.txt.nc is an encrypted file so let’s see what we have in problems in the north.txt.
root@kali:~# cat problems in the north.txt
• ”There are problems in the north. We must travel quickly. Once there we must defend the wall” - Jon
Snow
• ”What kind of magic is this?!? I never saw before this kind of papirus. Let’s check it carefully” -
Maester Aemon Targaryen
• md5(md5($s).$p)
• nobody:6000e084bf18c302eae4559d48cb520c$2hY68a
We remember when the raven told us to use the mcrypt tool when we arrived at the Wall and we are almost
there. However, at first we will have to decrypt the hash we have in the problems in the north.txt file. Mas-
ter Aemon gave us a good hint, i.e. md5(md5($s).$p) which basically means md5(md5($salt).$password).
After some , I found out that this is a hash mode in the tool called hashcat. Hashcat is the world’s fastest
and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-
optimized hashing algorithms. It currently supports CPUs, GPUs, and other hardware accelerators on Linux,
Windows, and macOS, and has facilities to help enable distributed password cracking. Usually, it is used to
bruteforce hashes [10].
Unfortunately, this hash-mode is not supported anymore with the current version of hashcat. But after a
little deep search in the wiki section, specifically in the hash-examples, I found out, that it is still supported
with the hashcat-legacy (3610). So, we have to download this version for our purpose.
Figure 27: Legacy Hash types
In the Figure 27 we can note that the hash in the .txt file ”6000e084bf18c302eae4559d48cb520c$2hY68a”
has the $ sign as a separator from the salt and in hashcat 2.00 (3610) the separator had to be a : sign.
20

So, the valid hash is ”6000e084bf18c302eae4559d48cb520c:2hY68a”. Then, let’s decode the it:
root@kali:~# ./hashcat-2.00/hashcat-cli64.bin -m 3610 -a 0 pass.txt rockyou.txt
• -m : number, Hash-type, in our case 3610.
• -a : attack mode, 0 = Straight.
• -pass.txt : the password founded in the .txt file.
• -rockyou.txt : a password dictionary file that come with Kali, designed for cracking passwords.
Figure 28: Output hashcat
In the Figure 28 we can see that the password recovered by the hash is stark. Using this we can decrypt the
encrypted file the wall.txt.nc with mcrpyt tool. Mcrypt is a simple crypting program, a replacement for the
old unix crypt. When encrypting or decrypting a file, a new file is created with the extension .nc and mode
0600 [11].
root@kali:~# mcrypt -d the wall.txt.nc
• -d : decrypt mode.
Now, let’s look inside the decrypted file:
Figure 29: The the wall.txt file
Well, Samwell gave us a hood hint, that is an URL and some credentials (Figure 29) in order to get faster
to Winterfell and enter in:
Username: jonsnow
21

Password: Ha1lt0th3k1ng1nth3n0rth!!! Since now we are at The Wall, the next stop is, according to
the map, The North which is the HTTP server. Trying to connect to http://winterfell.7kingdoms.ctf/——
W1nt3rf3ll—— gives a nice surprise (Figure30).
Figure 30: The http://winterfell.7kingdoms.ctf/——W1nt3rf3ll—— page
Let’s check what Sandor Clegane hides in the source page:
Figure 31: Source code of the http://winterfell.7kingdoms.ctf/——W1nt3rf3ll—— page
As we expected (Figure 31) we have some hints. Not all is lost. The fist hint is not so positive, however,
the second hint in this file put us on the right path. Indeed, it says something about VirtualHost. We know
that Virtual hosting is a method for hosting multiple domain names (with separate handling of each name)
on a single server (or pool of servers). This allows one server to share its resources, such as memory and
processor cycles, without requiring all services provided to use the same host name.
Therefore, one thing we can do is to edit our hosts file on our Kali VM and assign winterfell.7kingdoms.ctf
to the IP of the GoT VM (Figure 32). The computer file hosts is an operating system file that maps host-
names to IP addresses and it is a plain text file.
22

Figure 32: Hosts file
By changing the hosts file, now let’s let’s use again our browser to go to http://winterfell.7kingdoms.ctf/—
—W1nt3rf3ll——.
Figure 33: The http://winterfell.7kingdoms.ctf/——W1nt3rf3ll—— login form
How we can see in the Figure 33 the browser opens a login form where we could login with the provided
credentials in the wall.txt file.
Figure 34: The ”new” http://winterfell.7kingdoms.ctf/——W1nt3rf3ll—— page
23

Good point Jon Snow. We recovered Winterfell (Figure 34).
Let’s check the source code, maybe Jon Snow knows something else (Figure 35).
Figure 35: Source code of the http://winterfell.7kingdoms.ctf/——W1nt3rf3ll—— page
We have our second kingdom ﬂag.
Kingdom Flags 2/7
Winterfell : 639bae9ac6b3e1a84cebb7b403297b79
Secret Flags 1/3
24

2.3 Iron Islands
The next stop are the Iron Islands. According to the map we have found in the first part, they can be found
on the DNS service. Firstly, we notice that in the Figure 35 there are two hints:
• ”We must do something here before travelling to the Iron Islands, my lady” - Podrick Payne
• ”Yeah, I can feel the magic on that shield. Swords are no more use here” - Brienne Tarth
From the first hint we know that we have to do something else in Winterfell before going to Iron Islands
and Brienne tell us that there’s magic on a shield. On the webpage of Winterfell there was another image
showing a shield, like in the Figures 34 and 36.
Figure 36: Shield image
Sometimes in the CTF we have to subject the image to a deeper analysis, that is pass the image files
through tools like strings to see if there are hidden messages. The strings tool or command returns each
string of printable characters in files. Its main uses are to determine the contents of and to extract text from
binary files [12].
After I downloaded the insignia picture that resembles a wolf (the one under the picture of John Snow) let’s
run the strings command on the file.
root@kali:~# strings shield.jpeg
The last line of the output of the strings command will give us a hint:
• ”Timef0rconqu3rs TeXT should be asked to enter into the Iron Islands fortress” - Theon Greyjoy
The first part of the hint is the key to move forward. Indeed, Theon tells us to request ”Timef0rconqu3rs
TeXT” to enter into the Iron Islands fortress. Furthermore, our Westeros map tells us that the Iron Islands
are a DNS server and after our FTP and web battles we have arrived to the Iron Islands. Therefore, since we
are talking about DNS we should probably ask for ”Timef0rconqu3rs after the TXT entry.
In order to achieve this we will use the nslookup tool [13]. Nslookup (which stands for name server lookup)
is a network utility program used to obtain information about internet servers. As its name suggests, it finds
name server information for domains by querying the Domain Name System (DNS).
25

root@kali:~# nslookup -q=TXT Timef0rconqu3rs.7kingdoms.ctf 192.168.231.103
• -q : the type of the information query, in our case TXT.
Figure 37: Nslookup output
N.B. Only asking after Timef0rconqu3rs don’t work, because we have to add the 7kingdoms.ctf domain at
the end of the Timef0rconqu3rs request.
In the Figure 37 we can see the result of the request. We have found the our third ﬂag and some cre-
dentials for the next step.
Username: aryastark
Password: /N3ddl3 1s a g00d sword#!
Kingdom Flags 3/7
Iron Islands : 5e93de3efa544e85dcd6311732d28f95
Secret Flags 1/3
26

2.4 Stormlands
Luckily, the next step is already given. SO, we go to http://stormlands.7kingdoms.ctf:10000 where 10000
is the port and log in with the credentials founded before (Figure 38).
Figure 38: Login to Stormlands
Once connected on the webpage we have a list of information about our machine (Figure 39). SInce
there is a search function, I first tried to look for some files using it, but there was nothing, so I started trying
to check for a SQL injection.
Figure 39: Stormlands page
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious
SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the
attacker). SQL injection must exploit a security vulnerability in an application’s software, for example,
when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements
27

or user input is not strongly typed and unexpectedly executed [14]. Therefore I tried to search for some
characters that are actually capable of causing SQL injection.
And indeed, searching for ’ resulted in a link for a File Manager (Figure 40).
Figure 40: File Manager
Then, we click on the File Manager Module Link, we have to activate Java and allow the app to launch.
Unfortunately, even though I have activated Java on Mozilla browser installed on Kali Linux there was a
problem. Specifically, I could see a file structure, but I could not browse through it. After a lot of attempts
with other solutions, I used Firefox, version 50 32 bit on Windows machine where it worked.
Figure 41: Arya Stark folder
After some searches throw the folders we browsed to /home/aryastark/ where we found the file flag.txt
(Figure 41). We save this file to our box and see what it contains:
28

Figure 42: File ﬂag.text from aryastark folder
We conquered Stromlands! In the Figure 42 we can see also other useful information. We have found
our fourth ﬂag and some credentials for the next step.
Username: robinarryn
Password: cr0wn f0r a King-
db: mountainandthevale
Kingdom Flags 4/7
Stormlands : 8fc42c6ddf9966db3b09e84365034357
Secret Flags 1/3
29

2.5 Mountain and The Vale
According to the map, we have arrived to the Mountain and the Vale, which is the postgresql server.
From the last step we just got the credentials (robinarryn/cr0wn f0r a King- ) and the database name
(mountainandthevale). Therefore, we will have to play with the Postgresql service [15]. PostgreSQL, of-
ten simply Postgres, is an object-relational database management system (ORDBMS) with an emphasis on
extensibility and standards compliance. As a database server, its primary functions are to store data securely
and return that data in response to requests from other software applications. Let’s connect to it and see
what’s there:
root@kali:~# psql -h 192.168.231.103 mountainandthevale robinarryn
• -h : host, and mountainandthevale is the database and robinarryn is the username
In the Figure 43 we can see the list of the tables in the database:
Figure 43: The tables of the database
Undoubtedly, in these tables there are a lot of hints that can help us proceed. So, let’s check the content
of each table.
In the ﬁrst table (Figure 44) we note the famous kill list of Arya Stark, with the name and the reason for
each one.
Figure 44: The arya kill list table
30

We have to read very carefully the content of these tables. Furthermore, they are also interesting for a
fan of the TV series or the books. The second table is the braavos book and contains a list of pages with
some sentences. However, we can note (Figure 45) that there is no entry for ”page 5” and the last table entry
number 9 looks like some encoded gibberish.
Figure 45: The braavos book table
Therefore, I tried to use some important cipher like ATBASH cipher, Caesar cipher and VIGENERE
cipher. Fortunately, among them I have found the deciphered text with the Vigenere cipher.
Figure 46: The Vigenere cipher
In the Figure 46 we can see the deciphered text.
It says: The Many Faced God Wants you to change your face. He wants you to identify as one of your
kill list. Select it based on this book lost page number. The database to connect will be braavos and your
password will be valarmorghulis.
31

Well, in a few words it means that we have to connect to the database braavos having the password but
not the username. However, as we remember from above there is no entry for ”page 5” in the braavos book
table. This means that the username will be the fifth entry on the arya kill list table, which is TheRed-
WomanMelisandre. Since with the normal password (valarmorghulis) we can’t connect to the database,
after some tries we can deduct from the username that the first letter of each word is uppercase, so the
password we have to use is: ValarMorghulis.
root@kali:~# psql -h 192.168.231.103 braavos TheRedWomanMelisandre
Figure 47: The database braavos
From the Figure 47 we can see that there is a table. Let’s query it.
Figure 48: The second secret flag
Well done. We have the secret flag for Braavos : 3f82c41a70a8b0cfec9052252d9fd721 (Figure 48).
Now, let’s continue with the other tables of the database mountainandthevale. The third table is the eyrie.
32

Figure 49: The eyrie table
In the eyrie table we can note some useful hints. With the first hint we know that the flag is hidden
somewhere in this database and also with the word OWN Littlefinger tell us something about ownership.
We haven’t done much/any rights administration for databases before so maybe we have to modify them.
Let’s see also into the last table, popular wisdom book (Figure 50:
Figure 50: The popular wisdom book table
A lot of clues here that are useful. Especially the one about High Garden when paired with the informa-
tion we received from Bran early on in regard to certain numbers. Clearly, we have to do something with
them.
Using the hint from the eyrie table and looking at the ”GRANT” usage examples on the web I found a com-
mand with which we can give access to the user we are currently on (robinarryn), that is, can grant access
to all tables in the schema.
Figure 51: GRANT command
33

Then, now we can try to query for the flag (Figure 51. The query yield this:
Figure 52: base64 encoded message
Looking at the end (==) we can instantly recognize that this is base64. Then, we can copy this text and
decode it:
Figure 53: base64 deciphered message
As expected, we conquered the Kingdom of the Mountain and the Vale and we now have our flag for the
Vale (5/7 kingdom flags). We also have credentials for the Kingdom of the Reach as known as High Garden.
Username: olennatyrell@7kingdoms.ctf
Password: H1gh.Gard3n.powah
Kingdom Flags 5/7
Mountain and the Vale: bb3aec0fdcdbc2974890f805c585d432
Secret Flags 2/3
Braavos : 3f82c41a70a8b0cfec9052252d9fd721
34

2.6 The Reach
After the quick trip to Braavos, now we are back on track to High Garden. As the map indicates, High
Garden is IMAP, which is port 143. In computing, the Internet Message Access Protocol (IMAP) is an
Internet standard protocol used by e-mail clients to retrieve e-mail messages from a mail server over a
TCP/IP connection. However, looking at our nmap scan of the beginning, the port isn’t really open. It’s in a
filtered state. But how we can see from the last hint received, first we have to open the gates. Furthermore,
we have a couple of numbers and there is the clue about knocking (a lot of mention about being polite as
well, and knocking is definitely considered polite or we can say that polite can be synonym for order. This
can only mean one thing: we have to do some port knocking in order for High Garden to open up their
doors.
Since we have the passcode ”3487 64535 12345” given by Bran, let’s try to knock (Figure 54).
Figure 54: Port knocking
Great! The port is open now. There are a couple of different ways to go about accessing this port. The
first way is by telnet using the corresponding username and password.
root@kali:~# telnet 192.168.231.103 143
Now, after a look at the IMAP specific commands [16], I tried some of them:
• LIST ”< mailboxpath > ” ” < searchargument > ”: if ” < mailboxpath > ” empty list shows
all content from root, ”” is case-sensitive mailbox name with possible wildcards and * is a wildcard,
and matches zero or more characters at this position.
• SELECT < mailboxpath > : allows to pass from Authenticated to Selected status.
• FETCH < sequenceset > < dataitemsname >: reads content/parts of an email. In this case I
have used 1 to select the inbox list and all to fetch all the items.
However, with telnet we are not able to show the body of the message (Figure 55). So, instead of telnet, we
can use curl to query the system so that it gives us the entire email and in much better formatting. Curl is a
35

tool to transfer data from or to a server, using one of the supported protocols (DICT, FTP, IMAP, IMAPS,
POP3, RTSP,TELNET etc). The command is designed to work without user interaction [17].
Basically, we can use curl to download content from the internet.
Figure 55: IMAP commands
root@kali:~# curl –insecure
• –insecure : (SSL) This option explicitly allows curl to perform ”insecure” SSL connections and trans-
fers.
We conquered also the Kingdom of the Reach! We have a kingdom ﬂag (6/7) and more credentials for the
next destination: Casterly Rock (Figure 56).
Username: TywinLannister
Password: LannisterN3verDie!
36

Figure 56: Kingdom of the Reach
Kingdom Flags 6/7
The Reach : bb3aec0fdcdbc2974890f805c585d432
Secret Flags 2/3
37

2.7 The Rock and King’s Landing
The map shows The Rock & Kings Landing as gitlist/mysql and nmap shows port 1337 as http. Since we
have also the credentials for the service let’s open the our browser to port 1337 (Figure 57):
Figure 57: Login to the Rock
Upon accessing the site we can see it is a GitList site [18]. GitList is an elegant and modern web
interface for interacting with multiple git repositories. It allows you to browse repositories using your
favorite browser, viewing ﬁles under different revisions, commit history, diffs.
Figure 58: GitList site
How we can see in the Figure 58 there are 3 folders. I have skipped the second and the third because their
contents are only about some not relevant information. Let’s see what we have in the ﬁrst one, casterly-rock:
38

Figure 59: Casterly-rock folder
There is a string of what looks like hex characters (Figure 59). Using the xxd tool we can decode it.
The tool xxd creates a hex dump of a given file or standard input. It can also convert a hex dump back to its
original binary form [19].
Figure 60: Deciphered Hexadecimal text
So, we get the following message: /home/tyrionlannister/checkpoint.txt (Figure 60). Well, that’d be
useful if we were logged into a shell. The only other hint we have is that the map said gitlist AND mysql.
There’s a search box so let’s try some injection tests. After a lot of searches to the Google, it becomes clear
that there is a remote code execution vulnerability present in GitList, which we can use to check out this
directory/file. On this site [20] I have found a lot of useful information.
In short, we can use the following path to execute commands:
http://7kingdoms.ctf:1337/casterly-rock/blob/master/””’CMDHERE’
where CMDHERE is the command that we can inject in the URL.
Now, using the list of character encoding [21] we can finally make use of the path that we already have and
cat it out to the screen.
39

Figure 61: Result of /home/tyrionlannister/checkpoint.txt path
How we can see in Figure 61 there are clues and credentials. Just as all the previous clues have insin-
uated, it wasn’t possible to remote into the King’s Landing MYSQL database directly, so instead, it looks
like we will have to continue using Casterly Rock’s RCE vulnerability to access it. Therefore, we can use a
MySQL command in order to make a request for all tables [22].
mysql -h 192.168.231.103 -u cerseilannister -p g0dsHaveNoMercy -D kingslanding execute=”show tables;”
where -u is teh user, -p the password, -D the database and -execute is the MySQL command.
Using the MySQL command with the right formatted URL, we get an error but also a clue: there is a table
named iron throne (Figure 62).
Figure 62: MySQL command show tables;
So having the table name let’s follow up with the command:
mysql -h 192.168.231.103 -u cerseilannister -p g0dsHaveNoMercy -D kingslanding execute=”select*from iron throne;”
We get the following (Figure 63):
Figure 63: MySQL command select * from iron throne;
40

Line 1 is morse code. Let’s decode it and see what it says.
Figure 64: Morse code
The result is a path /ETC/MYSQL/FLAG, probably is the location of the next flag 64. But trying to
traverse here doesn’t work, so we need a another solution. Ser Davos told us that we have some privileges
in the kingdom, so perhaps we can use that power to copy the contents of the flag into a new table that we
can then read.
First, let’s check what permissions we have:
mysql -h 192.168.231.103 -u cerseilannister -p g0dsHaveNoMercy -D kingslanding
execute=”show grants for current user;”
Figure 65: MySQL command show grants for current user;
We have FILE grants on all files so we can use the LOAD command to input the data from a file into a
table. The first step is creating a table called mytable and ensuring it was blocked out with a large enough
41

space to store whatever might be in the ”flag” file. The command is as follows:
execute=”create table mytable (toto VARCHAR(500));”
We don’t see any confirmation output on screen, but the table is created. Indeed, if we try again this
command we will get confirmation back that it was successful (already created). The second step is loading
the file content into the table using the following command:
execute=”load data infile ’/etc/mysql/flag’ into table mytable;”
Also in this case we don’t have any confirmation about the command execution but we are sure that the our
table contains the flag. So, let’s access the table to view the contents:
execute=”select * from mytable;”
Figure 66: The content of the Kingdom flag
There is our final kingdom flag and the user and password for SSH:
Username: daenerystargaryen
Password: .Dracarys4thewin.
Kingdom Flags 7/7
The Kingdom : c8d46d341bea4fd5bff866a65ff8aea9
Secret Flags 2/3
42

2.8 The Dragonglass Mine
We have all the Kingdom flags but we need another secret flag for the final battle against the White Walkers.
According to the map the next secret flag is connected to the Dragonglass Mine. So, we have to login with
the the received credentials and forge some dragonglass weapons.
Figure 67: Looking for Dragonglass Mine
As we expected, it will not be so easy to find the dragonglass. Here we have two interesting files:
digger.txt and checkpoint.txt. Let’s see what is in the second one. Based on the hints that the file included
(Figure 67), we are going to have to create an SSH tunnel over to the dragonglass mines. It also mentions
that the fail2ban magic is not present. Fail2Ban is an intrusion prevention software framework that protects
computer servers from brute-force attacks. So, this means bruteforcing with Hydra or some other tool is
an option. Furthermore, digger.txt probably is a wordlist, so let’s grab that with SCP (SecureCopy). SCP
allows files to be copied to, from, or between different hosts. It uses ssh for data transfer and provides the
same authentication and same level of security as ssh [23].
root@kali:~# scp daenerystargaryen@192.168.231.103:/home/daenerystargaryen/digger.txt /root/digger.txt
After that we will need to create our ssh tunnel. I setup the SSH tunnel using port 6969 on localhost, but it
can be used any port.
root@kali:~# ssh daenerystargaryen@192.168.231.103 -L 6969:172.25.0.2:22 -N
• -L : port: host: hostport, that is specifies that the given port on the local (client) host is to be forwarded
to the given host and port on the remote side.
43

• -N : do not execute a remote command. This is useful for just forwarding ports.
After this is up and running, it’s time to load up Hydra and point it to port 6969 on the localhost utilizing the
digger.txt as the wordlist. Just as the clue mentioned, we want to be the user ’root’. Hydra is a parallelized
login cracker which supports numerous protocols to attack. It is very fast and ﬂexible, and new modules are
easy to add [24].
root@kali:~# hydra -l root -P digger.txt ssh://localhost:6969
• -l : login name
• -P : load several passwords from ﬁle (digger.txt)
• -[service://server[:PORT][/OPT] : ssh://localhost:6969
Figure 68: Bruteforce with Hydra tool
We have the password (Dr4g0nGl4ss!). Now that we have the it (Figure 68), lets use our ssh tunnel to
connect to the dragonglass mine.
44

Figure 69: Dragongrall Mine and last secret ﬂag
Well done! Now we have our last secret ﬂag (Figure 69). Furthermore, we also received new useful
credentials:
Username: branstark
Password: Th3 Thr33 Ey3d Raven.
Kingdom Flags 7/7
The Kingdom : c8d46d341bea4fd5bff866a65ff8aea9
Secret Flags 3/3
Dragonglass : a8db1d82db78ed452ba0882fb9554fc9
45

2.9 The Final Battle
We are almost at the end. Now it’s finally time for final showdown with the white walkers. Firstly, from the
previous hint we have to go back to the host’s ssh and login as Bran instead of Daenerys.
root@kali:~# ssh branstark@192.168.231.103
Figure 70: The Final Battle
How we can see from the Figure 70 we have a file called checkpoint.txt. It is a hint about the final battle,
telling us that we have to escalate the root.
The whole system is docker based, and as we got some hints that the services were docked contained we
can try and find some docker exploits to elevate to root. Usually, in order to exploit we have to use tools like
Metasploit. Metasploit is a tool for developing and executing exploit code against a remote target machine
[25].
Therefore, what we have to do is establish an SSH connection through the console and then deploy our
exploit to become root [26]. First we have to use Metasploit’s ssh login module to connect via ssh setting
the right username, password and host (Figure 71).
46

Figure 71: Metasploit ssh login
Having the session open we look after locating docker daemon privilege escalation and set the right
session and LHOST ﬁrst before to run the exploit (Figure 72).
Figure 72: The docker daemon privilege escalation exploit
Then, after running the exploit we have a meterpreter session. Now since we are root, we can explore
the root directory.
47

Figure 73: Content of the root directory
In the directory we have two files (Figure 73): checkpoint.txt and final battle. Save them on our own
box and we can note that it’s clear that the final battle is a zipped file that is password protected. Let’s see
the other one:
Figure 74: Content of checkpoint.txt file
The content of the checkpoint.txt file (Figure 74) is guiding us on how to create the password to unlock
the final battle file. In order to achieve this we can choose whatever language we want. I preferred Python.
It is a pseudo-code, so we need to combine indexed portions of each secret flag string that we found.
48

Figure 75: Python code and result of the programming part
In Figure 75 we can see the python code that we have used to choose the right part of each secret flag
and the final result.
Then, using the password to open the final battle archive, we receive the final flag!
Figure 76: The final flag
49

Yeah! We finally won the battle against White Walkers. And as a gift for this CTF we have a last step.
Using an MD5 [27] decoder and all of the flags in order, we get a small message:
Figure 77: The gift message
Overall, this was an awesome CTF VM and this challenge is my first experience with anything like it.
The challenges were interesting and I learned a lot through the research done to complete the tasks.
50

3 Recommendations
Penetration testing can be conducted by way of a cyberattack or by exploiting a physical vulnerability of
an organization. It is designed to actually exploit weaknesses in the architecture of the systems. In order
to be more prepared for cybersecurity breaches, agencies should consider a comprehensive penetration test
ethical hacking with the goal of attacking or bypassing the established security mechanisms of an agency’s
systems, and using the same tactics as a malicious intruder.
The main point of the high number of vulnerabilities comes from the fact that multiple issues could com-
promise the system if the attacker knows how to use them together.
• Passwords : Passwords are used to prevent unauthorized access. They should be strong enough
that no one can guess your password. Passwords should not be shared with anyone at any cost and
passwords should be changed periodically. However, most of the time people reveal their passwords
to others, write them down somewhere and keep easy passwords that can be guessed.
• Running Services : The open ports of a running service allow the attacker to exploit previous ver-
sions of unused software or gain better information on the network. If the system is connected to an
unsecured network (open connections) then it comes in the reach of hackers. Running services secure
or to close unused port is an important step in order to reduce the attack surface.
• Patch Management : Cyber criminals commonly exploit known weaknesses for which patches have
already been released. IT managers who have not kept their patches up to date, particularly with the
updating of third-party applications like Java and Adobe, have opened themselves up to this kind of
attack. If a software is not updated frequently by companies after the release of an update, attackers
can easily attack the system and compromise it.
• Insecure in-house developed applications : Internally developed applications are not generally as
rigorously tested as popular third-party programs. One major category of vulnerability is the input
validation ﬂaw, where an outside or client-facing input overrides the legitimate functioning of a sub-
system. These include crosssite scripting for websites and SQL injection for applications.
• User Awareness : One of the simplest methods for cyber criminals to exploit is the phishing scheme,
whereby an attacker tricks the user into revealing personal information. One of the more basic ap-
proaches is to pose as a systems administrator and then demand a users password for ”validation.”
• Regular Vulnerability Assessments : A vulnerability assessment is the process of identifying and
quantifying security vulnerabilities in an environment. It is an in-depth evaluation of your information
security posture, indicating weaknesses as well as providing the appropriate mitigation procedures
required to either eliminate those weaknesses or reduce them to an acceptable level of risk. It ensures
that security systems are correctly installed and operating in the correct way.
Risk Rating : The overall risk identiﬁed in the VM Game of Thrones CTF is High because an adversary
is highly likely to exploit the vulnerability and start the threat event. Since a direct path from an external
attacker to a compromised system was discovered it’s reasonable to believe that a malicious entity will be
successful in attacking and penetrating the system. It’s important to notice that the goal attack can be reached
using other ways and not the only one path.
51

4 Vulnerability List
Below there is represented a list of the vulnerabilities, with the the following fields for each of them : Name,
Description, Risk, Recommendation.
4.1 Weak Credentials
• Description : Most of the passwords are given by the hints but in the case of the SSH tunnel the hydra
tool can simply crack it as user ”root” and found the password using an wordlist.
• Risk : High
• Recommendation : Ensure that the system is protected by complex passwords or passphrase, avoid-
ing the use of theme correlated word that can be easily find with a dictionary.
4.2 Web Server Files
• Description : The robots.txt
file shows multiple informations about the structure of the website and where to access to sensitive
areas. Moreover a website page allows to run some commands through a web shell, using HTTP
protocol and methods GET, HEAD, POST, OPTIONS.
• Risk : High
• Recommendation : File robot.txt should contain only directories they don’t want to be crawled, web
page administration access should not be so easy to be found and should be forbidden to implement a
web shell without proper security mechanisms.
4.3 Insecure FTP service
• Description : FTP is a service that is commonly used in Web Servers from Webmasters for accessing
the files remotely. FTP servers carry numerous vulnerabilities such as anonymous authentication ca-
pabilities, directory traversals, and cross-site scripting, making port 21 an ideal target. Legacy services
such as Telnet on TCP port 23 were fundamentally unsafe from the start. Though its bandwidth is
tiny at a few bytes at a time, Telnet sends data completely unmasked in clear text. Attackers can listen
in, watch for credentials, inject commands via [man-in-the-middle] attacks, and ultimately perform
Remote Code Executions (RCE).
• Risk : Very High
• Recommendation : FTP is a security risk because it transmits login information (including pass-
words) in plain/text, so it need to wrap it up in encryption. One of the simple easier solution is to just
use one of the more secure versions of FTP known as SFTP or FTPS since many FTP clients have
built-in support for this.
4.4 Insecure HTTP service
• Description : TCP port 80 for HTTP supports the web traffic that web browsers receive. Usually,
attacks on web clients that travel over port 80 include SQL injections, cross-site request forgeries,
cross-site scripting, and buffer overruns.
52

• Risk : High
• Recommendation : Acquire a certificate and implement HTTPS on all the server areas where au-
thentication is needed or sensitive data are exchanged.
4.5 Insecure DNS service
• Description : While some network ports make good entry points for attackers, others make good
escape routes. TCP/UDP port 53 for DNS offers an exit strategy. Once criminal hackers inside the
network have their prize, all they need to do to get it out the door is use readily available software that
turns data into DNS traffic. DNS is rarely monitored and even more rarely filtered.
• Risk : High
• Recommendation : Normally it is a good point to limit the IP ranges which are allowed to query the
DNS server. The reason being that if you allow any IP to query your DNS server using UDP, it might
be abused for performing DNS amplification attacks if you are an open resolver.
4.6 Sitemap.xml
• Description : Sitemap is a list of pages on a website that is accessible to all users. An XML sitemap is
a way for website owners to tell search engines about all the pages that exist on their website. Sitemap
is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code
and execute it in the context of the webserver process. This may facilitate a compromise of the
application and the underlying system. Analyzing this file we have found the raven.php file.
• Risk : High
• Recommendation : File sitemap.xml should contain only files that are secure. This vulnerability
is mitigated in some cases if the setting for ”Include a stylesheet in the sitemaps for humans.” on
the module’s administration settings page is not enabled (the default is enabled). Usually for both
sitemap.xml and robots.txt or other files that can be found with a web scanner tool it’s recommended
to to block automated scanners from scanning the site.
4.7 Weak Hashing Function - MD5
• Description : MD5 is a cryptographic hash function that is considered unreliable becuase it can be
cracked by brute-force attack and suffers from extensive vulnerabilities. In this case using the hashcat
tool and a password dictionary file rockyou.txt it was possible to crack a hash type.
• Risk : High
• Recommendation : Use reliable cryptographic functions like SHA-256, SHA-512.
4.8 Hosts File
• Description : This is an unformatted text file containing the domain names and their IP addresses
next to each other. When you want to address a particular computer, the operating system ”looks”
first in the Hosts file, obtains the relevant IP address, and then uses this to contact the computer/server
at this address. The main reasons that /etc/hosts (in Linux) are used by attackers is to redirect user
53

traffic to sites under their control. It’s important to note that hosts files are used in preference to
DNS servers, so even if the user has a good entry in DNS for a specific system, hosts will still take
precedence. In terms of where this has been used, banking trojans have made use of attacks on hosts
files to effectively send customers to fake banking sites, which appear to use the correct host name. In
this CTF has been possible to modify it.
• Risk :High
• Recommendation : The easiest way to protect this file is to make it read only. This isn’t a great level
of protection, as it’s easily disabled by malware on your machine. A better way to protect it is to use
an antivirus/antimalware. Many of these products include hosts protection as standard.
4.9 SQL Injection
• Description : The character ’ is used because this is the character limiter in SQL. This vulnerability
has been used for the fourth flag. With ’ you delimit strings and therefore you can test whether the
strings are properly escaped in the targeted application or not. If they are not escaped directly you can
end any string supplied to the application and add other SQL code after that.
• Risk :
• Recommendation : To prevent SQL injections, is necessary to validate all untrusted input by verify-
ing that it belongs to a white-listed domain of accepted inputs (or typically escape special characters).
4.10 Port Knocking
• Description : The basic port knocking method uses a fixed sequence of ports. This method is not
protected cryptographically so there are the following attacks possible: brute-force where you use the
full range of possible ports 165535 then even very short knocking sequences give impressive number
of combinations to test, sniffing if the port knocking sequence is not protected cryptographically so
an attacker can sniff the successful port knocking sequence and man in the middle where captured
one-time knocking sequences cannot be reused but a port-knocking access can be exploited by a
man-in-the-middle attack.
• Risk : High
• Recommendation : Port knocking should only be viewed as part of an overall network defense
strategy providing protection against random and targeted attacks, not as complete standalone solu-
tion. Modern port knock systems incorporate features such as secure cryptographic hashes, blacklists,
whitelists and dynamic attack responses to further increase system capability.
4.11 GitList
• Description : The main vulnerability in GitList I discovered was a trivial RCE (Remote Code Exe-
cution), exploitable by anonymous users without any access. Knowing how often they shell out, and
the complete lack of input sanitization, I attempted to pop this by trivially evading the double quotes
and injecting grave accents. This type of vulnerabilities can provide an attacker with the ability to
execute malicious code and take complete control of an affected system with the privileges of the user
running the application. After gaining access to the system, attackers will often attempt to elevate
their privileges.
54

• Risk : Very High
• Recommendation : The best way to protect a computer from a remote code execution vulnerability
is to fix holes that allow an attacker to gain access. For instance, to avoid SQL injection hence RCE
vulnerability, all input that are to be concatenated in dynamic SQL must be correctly filtered and
sanitized.
4.12 Docker Daemon Privilege Escalation
• Description : This module obtains root privileges from any host account with access to the Docker
daemon. Usually this includes accounts in the ”docker” group. It is used by Metasploit to escalate to
root in the last step. A user on a Docker host who has access to the docker group or privileges to sudo
docker commands is effectively root, which is why it’s very important to control that right.
• Risk : High
• Recommendation : It’s hard to fix this. Two possible ”solutions”: allow the docker daemon to run as
non-root on the host system and having non-root privileges on the host and root inside the container.
References
[1] Penetration Testing. A Hands-On Introduction to Hacking. Georgia Weidman, 2014
[2] Game of Thrones CTF: 1, Vulnhub.com, released 8 september 2017.
URL: https://www.vulnhub.com/entry/game-of-thrones-ctf-1,201/
[3] Oracle VM VirtualBox
URL: https://www.virtualbox.org/
[4] NetDiscover Tool
URL: https://github.com/alexxy/netdiscover
[5] Nmap Tool
URL: https://nmap.org/
[6] Nikto Tool
URL: https://cirt.net/nikto2-docs/
[7] BurpSuite Tool
URL: https://portswigger.net/burp
[8] Uniscan Tool
URL: https://tools.kali.org/web-applications/uniscan
[9] DIRB Tool
URL: https://tools.kali.org/web-applications/dirb
[10] Hashcat Tool
URL: https://hashcat.net/wiki/doku.php?id=hashcat
[11] Mcrypt Tool
URL: https://linux.die.net/man/1/mcrypt
55

[12] Strings Tool
URL: https://linux.die.net/man/1/strings
[13] Nslookup Tool
URL: https://linux.die.net/man/1/nslookup
[14] SQL Injection, Wikipedia page
URL: https://en.wikipedia.org/wiki/SQL_injection
[15] PostgreSQL, Ofﬁcial page
URL: https://www.postgresql.org/
[16] IMAP, List of commands
URL: http://busylog.net/telnet-imap-commands-note/#23/
[17] Curl Tool
URL: https://linux.die.net/man/1/curl
[18] GitList, Github page
URL: https://github.com/klaussilveira/gitlist
[19] XXD Tool
URL: http://www.tutorialspoint.com/unix_commands/xxd.htm
[20] GitList vulnerabilities
URL: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/
[21] Character Encoding (ascii chart)
URL: https://grox.net/utils/encoding.html
[22] MySQL Commands
URL: https://www.pantz.org/software/mysql/mysqlcommands.html
[23] Secure Copy
URL: http://www.hypexr.org/linux_scp_help.php
[24] Hydra Tool
URL: https://tools.kali.org/password-attacks/hydra
[25] Metasploit Project
URL: https://www.metasploit.com/
[26] Using Exploits in Metasploit
URL: https://www.offensive-security.com/metasploit-unleashed/
using-exploits/
[27] MD5 Encrypter
URL: http://www.md5online.org/md5-encrypt.html
56

Penetration Testing Project Game of Thrones CTF: 1

More Related Content

What's hot (20)

Similar to Penetration Testing Project Game of Thrones CTF: 1 (20)

Recently uploaded (20)

Penetration Testing Project Game of Thrones CTF: 1