Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

The Necromancer: 1

Location

https://download.vulnhub.com/necromancer/necromancer.ova

Description

The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition.
There are 11 flags to collect on your way to solving the challenge, and the difficulty level is considered beginner.
The end goal is simple… destroy The Necromancer!

Enumeration

I started out with a simple nmap scan, but it came back empty: every port was reported filtered. An intensive scan gave the same result. Since both scans only covered TCP, I ran a third scan, this time against UDP ports.

[image: doom.gif]
I got one hit, and that port was closed, but it was more information than before. According to the scan, the service on that port was a Cisco VoIP phone. I ran another UDP scan aimed only at port 666, and this time it came back open. That flip is normal for UDP: a closed port only reveals itself through an ICMP unreachable reply, which many hosts rate-limit, so a port can show as closed, open|filtered or open between runs, and a scan of a single port is the reliable way to confirm it.

The nmap output also contained a banner: “You gasp for air! Time is running out!”. Connecting to the port with netcat timed out, and every other approach behaved the same way; no further connection would happen. Since this looked like a hopeless case and I needed to know what was happening on the wire, I fired up Wireshark.

Wireshark

After capturing some packets I could see that the VM was sending ARP requests to every IP address in the subnet. After a while a TCP SYN went from the VM to one of those addresses on port 4444, and this repeated against different addresses. So the VM is the client here: the thing to do is listen on port 4444 and wait for it to connect to me.
[image: wireshark]

Secret message

After some waiting I got a connection and received a block of text that looked like base64 to me, so I decoded it.

Welcome!
You find yourself staring towards the horizon, with nothing but silence surrounding you. You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest. You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”

Nice. The first flag is in. The string between the braces is 32 hex characters, which looks like an MD5 digest.

Open sesame

Time to follow the instructions: “Chant the string of flag1”. Now that I know the string, I can chant it at UDP port 666 (the u666 in the hint).

A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.
666 is closed.

Alright. I got flag number 2 and a hint that port 80 might be open. First, though, I wanted to find out which original string produces the hash inside the flag.
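The two steps above (decoding the base64 that arrived on my TCP 4444 listener, then chanting flag1 at UDP 666) as an added Python example. This is not code from the original write-up or from the box; it runs entirely offline against a constructed stand-in for the UDP 666 service, and the stand-in assumes the chant the service expects is the complete flag1 string, which the page does not spell out. The netcat equivalents are a TCP listener on 4444 and a UDP send to port 666.

```python
import base64
import re
import socket
import threading

# Constructed stand-in for the box's UDP 666 service (not the real VM): it answers the
# correct chant with the next message and anything else with the banner nmap showed.
FLAG1 = "flag1{e6078b9b1aac915d11b9fd59791030bf}"
REPLY_OK = "You are free!\nflag2{c39cd4df8f2e35d20d92c2e44de5f7c6}\n"
REPLY_BAD = "You gasp for air! Time is running out!\n"

FLAG_RE = re.compile(r"flag(\d+)\{([0-9a-f]{32})\}")


def decode_message(blob: str) -> str:
    """Decode the base64 text pushed to our listener on TCP 4444 (whitespace tolerated)."""
    return base64.b64decode("".join(blob.split())).decode()


def find_flags(text: str) -> dict:
    """Map flag number -> 32-hex digest for every flagN{...} in the text."""
    return {int(n): h for n, h in FLAG_RE.findall(text)}


def chant(flag: str, host: str, port: int, timeout: float = 2.0) -> str:
    """Send the flag string as one UDP datagram and return the reply text."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(flag.encode(), (host, port))
        data, _ = s.recvfrom(4096)
    return data.decode()


def start_fake_u666(host: str = "127.0.0.1") -> tuple:
    """Run the constructed mock service in a background thread; returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, peer = srv.recvfrom(4096)
            except socket.timeout:
                continue
            ok = data.decode(errors="replace").strip() == FLAG1
            srv.sendto((REPLY_OK if ok else REPLY_BAD).encode(), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def demo() -> dict:
    """Decode a constructed base64 message, chant flag1 at the mock port, collect flag2."""
    story = "You dig further and discover a small wooden box.\n" + FLAG1 + " is engraved on the lid.\n"
    blob = base64.b64encode(story.encode()).decode()   # constructed: what the VM would push
    flags = find_flags(decode_message(blob))
    port, stop = start_fake_u666()
    try:
        wrong = chant("flag1{not-the-string}", "127.0.0.1", port)
        right = chant(f"flag1{{{flags[1]}}}", "127.0.0.1", port)
    finally:
        stop.set()
    flags.update(find_flags(right))
    return {"wrong_reply": wrong, "flags": flags}


if __name__ == "__main__":
    print(demo())
```

Against the real box you would replace the mock port with 666 on the VM's address; the point of the wrong chant in the demo is to show that the service simply repeats its banner rather than erroring, which is why the plain netcat connection looked like a timeout.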

Port 80

Hours have passed since you first started to follow the crows.
Silence continues to engulf you as you treck towards a mountain range on the horizon.
More times passes and you are now standing in front of a great chasm.
Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.
As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.
The necromancer looks towards you with hollow eyes which can only be described as death.
He smirks in your direction, and suddenly a bright light momentarily blinds you.
The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!
The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.
The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

[image: pileoffeathers]
After a few attempts that went nowhere (brute forcing possible pages and files with dirb, building a wordlist from the site with cewl), I turned to the picture. The EXIF data held nothing useful, but a hexdump gave another clue.
[image: hexdump]
It looked like a text file had been embedded inside the picture.

The text file contained another base64-encoded string.

Alright: flag 3 and a way to move forward.
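The carving step above, as an added Python example that is not the write-up's own code or tooling. It finds where the JPEG ends and the hidden payload begins, unpacks the payload and base64-decodes the text inside. Two assumptions: the hidden data sits after the image data (the usual way a file ends up "inside" a picture), and the container is a ZIP archive, which is what a hexdump would show in the clear as a `PK` header followed by a file name; if the text were appended bare, the fallback branch returns it as-is. The sample image is constructed here, not the box's picture.

```python
import base64
import io
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LFH = b"PK\x03\x04"     # ZIP local file header, the signature binwalk would flag


def carve_trailer(data: bytes) -> tuple:
    """Split (image_bytes, hidden_bytes).

    Prefer a ZIP signature as the cut point; if none, cut after the first EOI marker.
    Caveat: an EXIF thumbnail is itself a JPEG with its own EOI, so a signature hit is
    the more reliable cut and the EOI fallback can land too early on such files.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    cut = data.find(ZIP_LFH)
    if cut == -1:
        eoi = data.find(JPEG_EOI)
        if eoi == -1:
            raise ValueError("no EOI marker found")
        cut = eoi + 2
    return data[:cut], data[cut:]


def extract_hidden(data: bytes) -> dict:
    """Return {name: text}: ZIP members if the trailer is a ZIP, else the raw trailer."""
    _, trailer = carve_trailer(data)
    if not trailer:
        return {}
    if trailer.startswith(ZIP_LFH):
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            return {n: zf.read(n).decode(errors="replace") for n in zf.namelist()}
    return {"trailer": trailer.decode(errors="replace")}


def decode_if_base64(text: str) -> str:
    """Decode base64 text; return it unchanged if it is not valid base64 or not text."""
    try:
        return base64.b64decode("".join(text.split()), validate=True).decode()
    except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
        return text


def build_sample() -> bytes:
    """Constructed test image: a minimal JPEG (SOI + JFIF APP0 + EOI) with a ZIP appended."""
    secret = "Across the chasm the path continues.\nflag3{9ad3f62db7b91c28b68137000394639f}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hint.txt", base64.b64encode(secret.encode()).decode())
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return JPEG_SOI + app0 + JPEG_EOI + buf.getvalue()


def demo() -> str:
    """Carve the constructed sample, unzip it and decode the base64 hint text."""
    files = extract_hidden(build_sample())
    return decode_if_base64(files["hint.txt"])


if __name__ == "__main__":
    print(demo())
```

On a real file, compare the cut offset with what the hexdump shows: the `PK` bytes and the member file name should start exactly at the offset `carve_trailer` reports.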

Across the chasm

[image: chasm]

You cautiously make your way across chasm.
You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.
The cave before you is protected by some sort of spell cast by the necromancer.
You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.
Hastily you take a few steps back away from the cave entrance.
There must be a magical item that could protect you from the necromancer’s spell.

Magical item

I racked my brain on this one. Checked the picture: nothing. Checked the source code and the HTML head: nothing. Tried to brute force possible pages or files with dirb: nothing. So the answer had to be inside the text, and there was something there that could help me with the next piece of the puzzle. After a while I found a sentence with an ambiguous choice of words: “There must be a magical item that could protect you from the necromancer’s spell.” When I searched Google for alternative words for “magical item”, I got a long list of possibilities, so there was logic in my thinking. Too bad none of them was a page on its own, but it gave me the idea to put these words into a wordlist and give dirb another chance.

Requesting that page returned an executable.

Some of the functions in the binary have names that look interesting.

Nice. Another flag and a way to move forward.

Blackmagic

As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until…. silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.
/thenecromancerwillabsorbyoursoul
flag5{0766c36577af58e15545f099a3b15e60}

The necromancer

flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
You continue to make your way through the cave.
In the distance you can see a familiar flicker of light moving in and out of the shadows.
As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.
You move closer, and then stop frozen with fear.
It’s the necromancer!

[image: necromancer]

Again he stares at you with deathly hollow eyes.
He is standing in a doorway; a staff in one hand, and an object in the other.
Smirking, the necromancer holds the staff and the object in the air.
He points his staff in your direction, and the stench of death and decay begins to fill the air.
You stare into his eyes and then…….
…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.
The amulet must have saved you from whatever spell the necromancer had cast.
You stand to your feet. Behind you, only darkness.
Before you, a large door with the symbol of a skull engraved into the surface.
Looking closer at the skull, you can see u161 engraved into the forehead.

The page links to another file. I downloaded it and thought about what u161 could mean. The previous hints pointed at ports I had to connect to, so in this case I think I also need to connect to UDP port 161, but I think I need another ‘magic’ word to chant. The hash of flag 5 cracks to ‘809472671’; the hash from flag 6 I couldn’t crack.

802.11

The file was compressed; after decompressing it I had a tcpdump capture, which I opened in Wireshark. The traffic consisted only of 802.11 (WiFi) frames, and the data frames were all encrypted. In this case I relied on aircrack-ng to run a dictionary attack against the captured WPA handshake; this only works when the capture contains the four-way handshake (EAPOL frames), which it did.
[image: aircrack-ng]

Now that I have the passphrase I can decrypt the traffic in Wireshark, by adding it as a wpa-pwd decryption key in the IEEE 802.11 protocol preferences.
[image: wpa]
Going through the decrypted capture there was nothing that really looked interesting, except one thing that stood out among the rest: the communication between a Samsung device and a D-Link router.

[image: wireshark2]
The only thing that was remotely name-like was the SSID the router was broadcasting: ‘community’. OK. So I have a hint to connect to UDP port 161, which is the SNMP port, and a password that decrypts WiFi traffic only to show an SSID called ‘community’. SNMP v1 and v2c authenticate with a community string that works like a password (sent in clear text), so the WiFi passphrase is probably the SNMP read-only community string.
[image: snmp]
The door is ‘Locked’, and to defeat the necromancer I must ‘Unlock’ it, still through SNMP. Let’s try to change the location value from ‘Locked’ to ‘Unlocked’. The problem is that I don’t have the right OID, so I need another tool. I didn’t have it installed, but snmpwalk (which means installing the snmp package) will enumerate the OIDs for me. One caveat for the set: the agent only accepts a write when the community string has write access, so a read-only community gets an error and a separate read-write community may have to be found first.
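What snmpwalk and snmpset put on the wire for the step above, as an added Python example that is not the write-up's own code. It builds SNMPv2c GetRequest and SetRequest packets by hand with a minimal BER encoder, and decodes them (or an agent's reply) back into their parts, so you can see that the community string travels as a plain OCTET STRING. The OID for sysLocation.0 is the standard one; the community value "public" and the "Unlocked" string are placeholders for the values found on the box, and the `send` helper is the only part that talks to a real agent and is not exercised offline.

```python
import socket

SYS_LOCATION = "1.3.6.1.2.1.1.6.0"   # sysLocation.0, the value that reads "Locked"

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, else 0x80|N followed by N length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body

def ber_int(n: int) -> bytes:
    """Non-negative INTEGER in minimal two's-complement form."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(0x02, body)

def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def snmp_v2c(community: str, pdu_tag: int, request_id: int, varbinds: bytes) -> bytes:
    """Message ::= SEQUENCE { version INTEGER 1 (v2c), community OCTET STRING, PDU }."""
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbinds)
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))

def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest-PDU (tag 0xA0); the value slot carries NULL (05 00)."""
    return snmp_v2c(community, 0xA0, request_id, tlv(0x30, ber_oid(oid) + b"\x05\x00"))

def set_request(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    """SetRequest-PDU (tag 0xA3) with an OCTET STRING value; needs a write community."""
    return snmp_v2c(community, 0xA3, request_id, tlv(0x30, ber_oid(oid) + tlv(0x04, value.encode())))

def _tlv_at(buf: bytes, i: int) -> tuple:
    """Parse one TLV at offset i -> (tag, body, offset after it); handles long-form lengths."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def _children(body: bytes) -> list:
    out, i = [], 0
    while i < len(body):
        tag, inner, i = _tlv_at(body, i)
        out.append((tag, inner))
    return out

def oid_str(body: bytes) -> str:
    arcs, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def decode(packet: bytes) -> dict:
    """Decode a v2c message (request or response) into community, PDU tag, id and varbinds."""
    _, msg, _ = _tlv_at(packet, 0)
    (_, ver), (_, comm), (pdu_tag, pdu) = _children(msg)
    (_, rid), _err, _idx, (_, vbl) = _children(pdu)
    varbinds = []
    for _, vb in _children(vbl):
        (_, oid), (vtag, val) = _children(vb)
        varbinds.append((oid_str(oid), val.decode(errors="replace") if vtag == 0x04 else val))
    return {"version": int.from_bytes(ver, "big"), "community": comm.decode(),
            "pdu_tag": pdu_tag, "request_id": int.from_bytes(rid, "big"), "varbinds": varbinds}

def send(packet: bytes, host: str, port: int = 161, timeout: float = 3.0) -> dict:
    """Send a request to a real agent on UDP 161 and decode its reply (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        return decode(s.recvfrom(65535)[0])

if __name__ == "__main__":
    print(get_request("public", SYS_LOCATION).hex())
    print(decode(set_request("public", SYS_LOCATION, "Unlocked", 7)))
```

Decoding the agent's reply with the same `decode` shows the error-status field (the second INTEGER of the PDU, skipped as `_err` above) when a read-only community is used for the set; a non-zero value there is the "wrong community" answer snmpset reports.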

Entering the lair of the beast

After this I finally got my 7th flag, whose hash cracked to ‘demonslayer’, and a clue about where to look next: I may enter the necromancer’s lair on port 22. So the username would probably be ‘necromancer’ and the password the cracked hash from flag 7. But that wasn’t the case. I tried different combinations, but was getting nowhere.

[image: demon.JPG]
Once I had entered the lair of the beast, I looked around for something to hold on to.

You enter the Necromancer’s Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
“You are a fool to follow me here! Do you not know who I am!”
The necromancer turns to face you. Dark words fill the air!
“You are damned already my friend. Now prepare for your own death!”
Defend yourself! Counter attack the Necromancer’s spells at u777!

Fighting the beast!

Here in the lair of the beast I need to fight him at the given port, UDP 777.

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 2 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 1 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 0 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
!!!!!!! You have been defeated by The Necromancer! (*_*) !!!!!!!

Without getting the opportunity to give a proper answer, the connection is closed and I’m knocked out of the lair. I guess the knock-down was so hard that I had to start over from scratch: after trying to get back on my feet, it turned out the whole VM had gone back to its initial state!!!! This isn’t just a troll…..it’s a mental breakdown.
After repeating the whole process I’m back in the lair to face the necromancer. Checking my notes I see the error of my ways: when using netcat I had also used the -nv options, which ran through the script giving empty answers.
 

A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.

I hoped to get some information from the cracked hashes, but that wasn’t the case.
flag 8: Kelewan
flag 9: Mephistopheles
flag 10: Hedge
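
The hash cracking the write-up repeats for flags 5 through 10, as an added Python example (not the author's tool, which the page does not name). It pulls every flagN{…} out of the flag list, hashes a candidate list with MD5 and matches digests; the candidate list is constructed from the plaintexts the write-up reports plus a few filler words, and the demo flag flag0 is constructed for the self-check. Case variants are tried because md5("Hedge") and md5("hedge") are different digests, a detail that decides whether a cracked word is usable as an answer.

```python
import hashlib
import re

FLAG_RE = re.compile(r"(flag\d+)\{([0-9a-f]{32})\}")

# The eleven flags as listed at the end of the write-up.
FLAG_TEXT = """
flag1{e6078b9b1aac915d11b9fd59791030bf} flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
flag3{9ad3f62db7b91c28b68137000394639f} flag4{ea50536158db50247e110a6c89fcf3d3}
flag5{0766c36577af58e15545f099a3b15e60} flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
flag7{9e5494108d10bbd5f9e7ae52239546c4} flag8{55a6af2ca3fee9f2fef81d20743bda2c}
flag9{713587e17e796209d1df4c9c2c2d2966} flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
flag11{42c35828545b926e79a36493938ab1b1}
"""

# Constructed candidate list: plaintexts the write-up reports plus filler words.
CANDIDATES = ["demonslayer", "Kelewan", "Mephistopheles", "Hedge", "809472671",
              "necromancer", "blackmagic", "community", "amulet"]


def parse_flags(text: str) -> dict:
    """Map flag name -> hex digest for every flagN{32 hex} in the text."""
    return {name: digest for name, digest in FLAG_RE.findall(text)}


def variants(word: str):
    """Yield distinct case variants of a word (as-is, lower, Capitalized, UPPER)."""
    seen = set()
    for v in (word, word.lower(), word.capitalize(), word.upper()):
        if v not in seen:
            seen.add(v)
            yield v


def crack_md5(flags: dict, candidates) -> dict:
    """Return {flag_name: plaintext} for every digest that a candidate variant hashes to."""
    table = {}
    for w in candidates:
        for v in variants(w):
            table.setdefault(hashlib.md5(v.encode()).hexdigest(), v)
    return {name: table[d] for name, d in flags.items() if d in table}


def demo() -> dict:
    """Crack what the constructed candidate list can; unmatched flags are simply absent."""
    return crack_md5(parse_flags(FLAG_TEXT), CANDIDATES)


if __name__ == "__main__":
    print(demo())
```

For anything the candidate list misses, the same loop runs over a real wordlist such as rockyou; the table is built once per wordlist, so checking all eleven digests costs no more than checking one.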

Looking at my notes I saw a small change compared to before: there was a hidden file that hadn’t been there before the battle. It was the small vile on the ground.

You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!

With great power comes great responsibility

To see what great power is bestowed upon me, I run sudo -l, which lists the commands this user may run through sudo and with which privileges.

[image: demon]

Conclusion

As far as themed boot2roots go, this was one of the most awesome I have ever done!
This b2r was filled with a good deal of different challenges across a wide range of skills.
Excellent work by the people who created this masterpiece.

Flags

flag1{e6078b9b1aac915d11b9fd59791030bf}
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
flag3{9ad3f62db7b91c28b68137000394639f}
flag4{ea50536158db50247e110a6c89fcf3d3}
flag5{0766c36577af58e15545f099a3b15e60}
flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
flag7{9e5494108d10bbd5f9e7ae52239546c4}
flag8{55a6af2ca3fee9f2fef81d20743bda2c}
flag9{713587e17e796209d1df4c9c2c2d2966}
flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
flag11{42c35828545b926e79a36493938ab1b1}