This segment of my Vulnhub series covers my walkthrough for the “SkyDog Con CTF 2016 – Catch Me If You Can” game. There are eight flags to hunt down. What is interesting with this game is that you are given eight hints upfront, one for each flag.


As said, there are eight flags to hunt down. All in the form of flag{MD5 Hash}. Starting out there are one hint for each flag available from the start:

  • Flag 1: Don’t go Home Frank! There’s a Hex on Your House.
  • Flag 2: Obscurity or Security?
  • Flag 3: Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.
  • Flag 4: A Good Agent is Hard to Find.
  • Flag 5: The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices
  • Flag 6: Where in the World is Frank?
  • Flag 7: Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!
  • Flag 8: Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!

Host discovery

Image is setup to use DHCP. I start out performing a network scan:

$ sudo nmap -sn

Target IP is: (your may vary).

Service San

Moving on detecting live services on target:

sudo nmap -p1-65535 -A -T4 -sS
Service scan

Services found:

Port State Service
22 Closed ssh
80 Open Apache
443 Open Apache
22222 Open OpenSSH

Flag 1

Hint:Don’t go Home Frank! There’s a Hex on Your House.

What could the hint mean? Given I have little information to go by I decide to look at the ports. But which one would Frank call home? As a server guy, my first thought was SSH because of home directories. But then again, a homepage is technically “home” too. Better look at the homepage first.

SDC - Homepage.png
Start page

The homepage is nice looking. Simple and clean. Inspecting the HTML source I found a commented out Javascript reference:

Interesting script

The first line of that script contain a suspicious looking comment:

HEX string hidden in comment

This must be the hex from the hint:


Flag decoded

Hex decoded using “Hex to ASCII text converter“.

What Value
Hex decoded flag{7c0132070a0ef71d542663e9dc1f5dee}
MD5 decoded nmap

Flag 2

Hint:Obscurity or Security?” and “nmap

I’ve already done a service scan which uncovered SSH running on a custom port. Connecting to port 22222 gives me the second flag:

$ ssh frank@ -p 22222
SSH flag

Flag decoded

What Value
Flag Flag{53c82eba31f6d416f331de9162ebe997}
MD5 decoded encrypted

Flag 3

Hint:Be Careful Agent, Frank Has Been Known to Intercept Traffic Our Traffic.” and “encrypted

This smell like a “man in the middle attack”. Heading over to the website looking at the SSL certificate:

SDC - Flag 3.png
SSL flag

The third flag was hidden in the SSL/TLS certificate.

Flag decoded

What Value
Flag flag3{f82366a9ddc064585d54e3f78bde3221}
MD5 decoded personnel

Flag 4

Hint:A Good Agent is Hard to Find.” and “personnel

Looks like a reference to a path on the web server. Visiting “/personnel” path on web server yields:

ACCESS DENIED!!! You Do Not Appear To Be Coming From An FBI Workstation. Preparing Interrogation Room 1. Car Batteries Charging….

Maybe there’s a hint in the Javascript where I found the first flag. Putting it through DirtyMarkup reveals a reference to FBI agents.

Interesting comment

A quick Google search for IE 4 User-Agent brought me to this site where I found the very much usable User-Agent String

Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)

Adding add-on “User Agent Switcher” to Firefox and using the Agent-String, it lead me to this page:

FBI portal

The fourth flag was clearly visible on the landing page:

Flag hidden in plain sight

Flag decoded

What Value
Flag flag{14e10d570047667f904261e6d08f520f}
MD5 decoded evidence

There seems to be an additonal hint: “Clue = new+flag

Flag 5

Hint:The Devil is in the Details – Or is it Dialogue? Either Way, if it’s Simple, Guessable, or Personal it Goes Against Best Practices” and “evidence“.

A quick research of this FBI page didn’t reveal much. At first I though the “new+flag” clue hinted at a Javascript function. So I whipped out the Firefox console and quick faced reality, it wasn’t related to Javascript at all. So, what could it be? Trying path “/newevidence” on webserver brought me a login dialog:


Trying to log on running the request through BurpSuite I find that the logon uses Base64 for authorization:

Authorization header field

Clearly I need to find a usable username. From looking at the comments in “html5.js” I remember that FBI uses this scheme when registering e-mail addresses:


The portal from Flag 4 greeted me as “Hanratty“. “Mr. Hanratty” is a character from the movie “Catch me if you can“. I admit – I’m not much into american movies so I had to Google a bit for this one. Anyway I found a clue that “Mr. Hanratty’s” firstname is Carl. Watching said movie isn’t an option so I’ll retort to brute forcing the login. Somehow I couldn’t get my fuzzers to work for this, so I wrote my own for the kick of it using Ruby:

require "net/http"
require "uri"
require "base64"

target_url = URI.parse(ARGV[0])
username = ARGV[1]
passwordfile = ARGV[2] do | password |
    request =
    fuzz_value = Base64.encode64("#{username}:#{password}".strip)

    request.add_field("User-Agent", "Mozilla/4.0 (compatible; MSIE 4.0; Windows 98)")
    request.add_field("Accept",   "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
    request.add_field("Accept-Language", "en-US,en;q=0.5")
    request.add_field("Accept-Encoding", "gzip, deflate")
    request.add_field("Authorization", "Basic #{fuzz_value}".strip)

    response =, target_url.port).start do |http|

    puts("Trying #{password}")

    if response.code == "200"
        puts("Password is: #{password}")

Ran it using the “rockyou” wordlist:

$ ruby basicfuzzer.rb carl.hanratty /home/reedphish/Hacking/rockyou.txt

After a while it spat out that the password is “Grace“.

Logging in using username “carl.hanratty” and password “Grace” I landed at his page:

SDC - Flag 5.png
New evidence

After looking at the links I found the fifth flag in the “Evidence Summary File” link.

Flag decoded

What Value
Flag flag{117c240d49f54096413dd64280399ea9}
MD5 decoded panam

Flag 6

Hint: “Where in the World is Frank?” and “panam

Looking at the other links on the very same page, I find the following files:

What Name
Image image.jpg
PDF Invoice.pdf

Running Binwalk on image.jpg:

I could Binwalk 500 miles

Maybe this is steganography? Trying Steghide:

$ steghide info image.jpg

By luck I tried “panam” as password and I got this output:

Hidden file detected

Extracting it:

$ steghide extract -sf image.jpg

This left me with a file called “flag.txt” containing the following lines:


Flag decoded

What Value
Flag flag{d1e5146b171928731385eb7ea38c37b8}
MD5 decoded ILoveFrance

Flag 7

Hint:Frank Was Caught on Camera Cashing Checks and Yelling – I’m The Fastest Man Alive!“, “ILoveFrance” and “iheartbrenda

It appears we’re on the movie reference track again:

  • France: Main character was apprehended in France.
  • Brenda: Frank Abagnale fell in love with a girl named Brenda.
  • “I’m The Fastest Man Alive”: Appears to a reference to “The Flash”. Coincidentally “The Flash” real name is Barry Allen, and that name also appears in this movie. Frank Abagnale uses this name … “iheartbrenda” appears to be related to this soup and it may be a password.

Given the small analysis above, there’s one place I haven’t looked much at yet. SSH! Using username “barryallen” and password “iheartbrenda” I am allowed access. A quick “ls” revealed a text file containing the flag.

SDC - Flag 7.png
More SSH

Flag decoded

What Value
Flag flag{bd2f6a1d5242c962a05619c56fa47ba6}
MD5 decoded theflash

Flag 8

Hint:Franks Lost His Mind or Maybe it’s His Memory. He’s Locked Himself Inside the Building. Find the Code to Unlock the Door Before He Gets Himself Killed!” and “theflash

While looking through Barry’s home directory I see there’s a file named ““. I copy it down to my computer.

Determining what kind of file this is:

$ file
It’s a Zip!

So it is a Zip file. Unzipping it yields a 1GB file:

Big file

Running “file” on this file just states it is a “data” file. Given the hints so far, the file looks like it could be a memory dump of some sorts. Just look at these hints

  • Frank lost his mind OR memory.
  • Flash

Kinda leads you on a certain track, doesn’t it? Anyway, it’s time for some memory forensics using the “Volatility Framework“. First, list out processes:

$ volatility -f pslist
Notepad in the house

Looking at the process list there’s not that much interesting going on except one instance of “Notepad.exe” (pid 268). We might be lucky it containing some information.

$ volatility -f cmdline --pid 268
Notepad open file

Looking at the content

$ volatility -f notepad
Content of file open in Notepad

A HEX string? That’s interesting. Decoding it using “Hex to ASCII text converter“:

What Value
Hex 66 6c 61 67 7b 38 34 31 64 64 33 64 62 32 39 62 30 66 62 62 64 38 39 63 37 62 35 62 65 37 36 38 63 64 63 38 31 7d
Flag flag{841dd3db29b0fbbd89c7b5be768cdc81}

Flag decoded

Cracked the MD5 using Hashkiller MD5 Decrypter.

What Value
Flag flag{841dd3db29b0fbbd89c7b5be768cdc81}
MD5 decoded Two[space]little[space]mice


If you enjoyed this walkthrough, please share and contact me on Twitter (@reedphish)!