Tags: vulnhub

SkyDog 1 VM Walkthrough

for the SkyDog 1 VM hosted on Vulnhub from James Bower.

I liked the 2016 Skydog which I did a walkthrough for already, and here I’d found that the author of that had also done another; Skydog 1, so I thought I’d give it a shot.

Skydog 1logo image

First off, nmap found the following ports open:

nmap finds ports 22 and 80 open

Running nikto on port 80 finds some useful directories and the presence of robots.txt

nikto finds some directories to look at later

I visit the http content through the browser which is a static page with the logo shown at the top of this post.

Flag #1 Home Sweet Home or (A Picture is Worth a Thousand Words)

Since the home page pretty much only contains that image, I ran it through exiftool to find the first flag

picture exif info contains the first flag

this decrypts to “Welcome Home”

Flag #2 When do Androids Learn to Walk?

This was a great pun I liked, referring to robots.txt for crawling :) Nikto had already put this on our radar earlier, so time to take a look:

robots.txt contains the second flag

Flag #3 Who Can You Trust?

Another thing nikto showed us earlier was that although most of the entries in robot.txt don’t exist on the server, the Setec directory does, so we navigate there. It contains an image but no exif data this time, but it’s stored on an Astronomy subdirectory, so I navigate there too and find a directory listing:

a directory listing showing the presence of a zip file

We can see there is a zip file here, so we download that but it is password-protected. Running it through patator with the rockyou.txt password list we find that the password is yourmother.

cracking whistler.zip

This contains another flag.

Flag #4 Who Doesn’t Love a Good Cocktail Party?

The other file in the zip is Questttofindcosmo.txt:

Time to break out those binoculars and start doing some OSINT

We find out the images, Cosmo etc is a reference to a 1992 film “sneakers”, so I use the imdb page as an input to cewl to create a wordlist, which we feed into dirbuster.

dirbuster finds another subdirectory

Dirbuster has found another subdiretory. This finds another flag which decrypts to leroybrown.

Flag #5 Another Day at the Office

Another file in that subdirectory was companytraffic.pcap, which looks exactly what the clue alludes to, so we open it up in wireshark to view. Ther’s a lot of content but eventually we find an audio file, which when we export is a voiceprint file for Werner Brandes. We use this and the leroybrown flag from earlier as the password and ssh in.

logging in through ssh

Flag #6 Little Black Box

When I navigate to the /var/www/html directory to see if there was anything else useful in the web content I find a congratulations message:

a congratulations file

I suspect I’ve found this out of sequence though so continue to try and get root. One of the usual things I try at this stage is to search for world writeable files which shows an interesting python file:

a congratulations file

so we view the contents of this:

contents of python file which cleans up some files

I change the contents to give me root access:

changing root password

and then go and make a cup of tea, when I come back the cron job that calls it has run and i can view the last flag in the root directory:

root users directory with last flag

So I did find that congratulations flag out of sequence, but it was still worth it to find root anyway!

Written on November 20, 2016