Monday, July 11, 2016

Vulnhub Walkthrough: The Necromancer
First things first, find the IP address. I used netdiscover for this.
netdiscover -r 192.168.0.1/24
 
Seems like 192.168.0.106 is my target. Luckily the vm tells you which IP it's bound to. But you'll see in a moment why one might doubt DHCP is working.

As the first step in the enumeration phase, nmap is the way to go right? Well what happens when the host you're targeting doesn't respond to scans?

I won't pretend like I figured this part out quickly. I scanned it using nmap, nc, and even tried firewalking. Nothing seemed to knock any ports open.
I was, however, running Wireshark in the background to see whether any of these probes elicited a response. After some time I realized the machine was trying to connect back to me on port 4444.

I set a netcat listener to port 4444, and within ~30 seconds, I had my first flag.

It seems to be a base64 string, so I tried decoding it using the skiddypad from irongeek (I know I can do this from the command line).

This seemed to be a hint to connect to UDP port 666.

nc -nvu 192.168.0.106 666

It responded back and seems to want something specific, so I decided to look into the flag a bit more. After enough time in the PWK lab network, I knew that things like this are usually a hash.

Looking the flag up on crackstation shows it's an MD5 hash, which translates to 'opensesame'.

I re-scanned and it seemed this opens up port 80 as a web portal.

I decided to download the picture and take a closer look for clues.

strings pileoffeathers.jpg reveals a hidden file "feathers.txt"
unzip pileoffeathers.jpg reveals feathers.txt

cat feathers.txt
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==

Decoding this using a Base64 decoder translates to:
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
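Why unzip happily opens a JPEG, and how to check an image for a trailing archive without guessing: a ZIP reader locates the archive from its end (the end-of-central-directory record), so anything appended to a valid picture is invisible to image viewers but perfectly readable to unzip. The script below is an added example, not code from the post. It constructs its own sample polyglot (a fake JPEG prefix with a ZIP appended), locates the embedded archive, pulls out feathers.txt, and parses the flagN{md5} - hint format the flags in this VM use; the only real data in it is the base64 string from feathers.txt above, and the assumption that every flag follows that same format.

```python
import base64
import io
import re
import zipfile

# The feathers.txt content from the post (base64 of the flag3 line).
FEATHERS_B64 = "ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ=="

# Flags in this VM look like "flag3{<md5>} - <hint>" (assumption: all follow it).
FLAG_RE = re.compile(r"^(flag\d+)\{([0-9a-f]{32})\}\s*-\s*(.*)$")

JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def find_trailing_zip(data: bytes) -> int:
    """Return the offset of the first ZIP local-file header in a JPEG, or -1.

    Image decoders stop at the JPEG end-of-image marker, while unzip scans
    backwards for the central directory, so an archive glued onto the end of
    a picture is readable by one and ignored by the other.
    """
    if not data.startswith(JPEG_MAGIC):
        return -1
    return data.find(ZIP_LOCAL_HEADER)


def extract_members(data: bytes) -> dict:
    """Open the appended archive and return {member_name: content_bytes}."""
    if find_trailing_zip(data) < 0:
        return {}
    # zipfile tolerates leading junk: it finds the end-of-central-directory
    # record from the end and rebases the member offsets, just as unzip does.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


def parse_flag(b64_text: str) -> dict:
    """Base64-decode a flag blob and split it into name, hash and hint."""
    decoded = base64.b64decode(b64_text.strip()).decode()
    m = FLAG_RE.match(decoded)
    if not m:
        raise ValueError("not in flagN{md5} - hint form: %r" % decoded)
    return {"name": m.group(1), "md5": m.group(2), "hint": m.group(3)}


def build_sample_polyglot() -> bytes:
    """Constructed sample: a minimal JPEG-looking prefix with a ZIP appended."""
    fake_jpeg = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", FEATHERS_B64 + "\n")
    return fake_jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("zip header at offset", find_trailing_zip(sample))
    members = extract_members(sample)
    print(parse_flag(members["feathers.txt"].decode()))
```

To run it against a real download, replace build_sample_polyglot() with open("pileoffeathers.jpg", "rb").read(); a non-negative offset from find_trailing_zip is the quick tell that strings and unzip are worth running on a picture.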

Navigating to http://192.168.0.106/amagicbridgeappearsatthechasm/ reveals a new webpage with a new image:

I ended up getting stuck here for hours trying to figure out what I was missing. I ran dirbuster using the medium sized list and found nothing. I decided to try a different wordlist and got lucky.

I created my own wordlist using cewl against a glossary of pagan related terms. I used dirb to brute force directories on http://192.168.0.106/amagicbridgeappearsatthechasm/ using this wordlist.

http://www.neopagan.net/Pagan_Glossary.html
I then navigated to the page http://192.168.0.106/amagicbridgeappearsatthechasm/talisman and downloaded the binary.

It seems some time in a debugger is in order!

chmod +x talisman
gdb talisman

Running info functions gives a feel for what trickery lies ahead.

After sifting through these functions a bit, I decided to set a breakpoint at wearTalisman and then jump to chantToBreakSpell. That seemed like the way this program was intended to run.
I uploaded the flag to crackstation and it came up with 'blackmagic'

Since there was a reference to another UDP port, 31337, I decided to connect to it and send the command 'blackmagic'.

http://192.168.0.106/thenecromancerwillabsorbyoursoul revealed another flag and another clue.
This gives us the sixth flag, now over the halfway point.

I clicked on the link and I downloaded the necromancer.bz2 from the new web site.

I decompressed it using bunzip2 necromancer

This revealed a .tar file. I confirmed the filetype using exiftool

tar -xf necromancer.out
This revealed necromancer.cap

I opened up the pcap file in wireshark. It seemed to have a lot of wireless traffic so I ran it through aircrack-ng to see if there were any handshakes in there.

aircrack-ng necromancer.cap
This did in fact reveal a handshake; now to brute-force it.

aircrack-ng -w /usr/share/wordlists/rockyou.txt necromancer.cap

death2all seems to be the next magic phrase. Now I need to know how to use it.

Well, at the bottom of the last webpage we visited there was a reference to another UDP port, 161, the standard SNMP port. So I decided to give snmpwalk a whirl using death2all as the community string.
It seems that it's locked and is looking for the string death2allrw. Presumably the 'rw' is a hint that it will become read/writable for us.

snmpwalk -c death2allrw -v1 192.168.0.106

This revealed a ton of text. After some googling, I found that you can set the MIB value to 'unlocked' so we can read/write to it. Neat!

http://docstore.mik.ua/orelly/networking_2ndEd/snmp/ch08_03.htm
Then this reveals flag 7! It also seems to reference what might be another open port!

I plugged the flag into crackstation and found out it was an MD5 hash for 'demonslayer'

I then ran nmap to verify that port 22 was in fact open.
Port 22 opened up! This means that we can probably brute force our way in using 'demonslayer' as the username.

Now to run hydra using our trusty rockyou.txt wordlist.
Our SSH credentials are Username: demonslayer and Password: 12345678
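From the server's side, that hydra run is a burst of "Failed password" lines in auth.log from one source, followed by an "Accepted password" once rockyou hits. The detector below is an added example, not from the post: it parses OpenSSH's syslog lines, keeps a sliding window of failures per source address, raises a finding when the count crosses a threshold, and raises a second, more serious one if a login from a flagged address then succeeds. The log excerpt is constructed sample data in the standard sshd format (hostname, PIDs and addresses are made up for the example).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (sample data, not taken from the VM).
SAMPLE_LOG = """\
Jul 11 20:15:01 necromancer sshd[1201]: Failed password for demonslayer from 192.168.0.105 port 40210 ssh2
Jul 11 20:15:02 necromancer sshd[1203]: Failed password for demonslayer from 192.168.0.105 port 40211 ssh2
Jul 11 20:15:02 necromancer sshd[1205]: Failed password for demonslayer from 192.168.0.105 port 40212 ssh2
Jul 11 20:15:03 necromancer sshd[1207]: Failed password for demonslayer from 192.168.0.105 port 40213 ssh2
Jul 11 20:15:05 necromancer sshd[1209]: Failed password for alice from 192.168.0.50 port 51000 ssh2
Jul 11 20:15:07 necromancer sshd[1211]: Failed password for demonslayer from 192.168.0.105 port 40214 ssh2
Jul 11 20:15:08 necromancer sshd[1213]: Failed password for demonslayer from 192.168.0.105 port 40215 ssh2
Jul 11 20:15:09 necromancer sshd[1215]: Accepted password for demonslayer from 192.168.0.105 port 40216 ssh2
"""

# OpenSSH's password-auth lines; "invalid user" appears when the account does not exist.
LOG_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2"
)


def detect_bruteforce(lines, threshold: int = 5, window: int = 60) -> list:
    """Flag sources with >= threshold failures inside `window` seconds.

    Returns a list of findings in the order they were raised. A success from
    an already-flagged source is reported separately, since that is the
    moment the guessing attack actually worked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    flagged = set()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; relative spacing is all we need here
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        if outcome == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"type": "bruteforce", "ip": ip,
                                 "user": user, "failures": len(q)})
        elif ip in flagged:
            findings.append({"type": "success_after_bruteforce",
                             "ip": ip, "user": user})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(finding)
```

The single failure from 192.168.0.50 never reaches the threshold and is ignored, which is the point of windowing: one mistyped password is noise, six in eight seconds from one address is hydra. The same logic, fed from journalctl or a SIEM, is the cheapest way to catch this on a box where fail2ban or key-only auth is not yet in place.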

Now to ssh in using our new credentials and grab the next flag!
It seems to be another reference to a UDP port. This time, we can't connect to it remotely, so I decided to use a localhost connection.

nc -u localhost 777
It seems we will be answering some riddles. I googled that exact phrase and found https://en.wikipedia.org/wiki/Tsurani which contained the reference to Kelewan.

Alright! That got us our next flag.
I googled the next question and found a reference to it in http://shamankingarchive.wikia.com/wiki/Faust_VIII

It appears Johann made a deal with the Devil, and the Devil's name is Mephistopheles. So I entered that in and BOOM! The ninth flag!
Alright the next question was answered in the same manner. I googled it and found it was Hedge.

https://en.wikipedia.org/wiki/List_of_Old_Kingdom_characters
The hint seems to be for a small vial. So where is it?

I tried sudo su just in case that worked, but nada.

I decided to start hunting around by using the locate function.
It seems I have a new power, interesting. Maybe I can sudo now?
Interesting. Last time I tried to sudo it very specifically said I wasn't in the sudoers list.

Maybe now I can sudo my way to the 11th flag. Presumably it's in the /root directory and uses the same naming convention the rest of the flags had.
OMFG I DID IT! Well, not 100% on my own. I chatted with other guys in the IRC who were progressing at roughly the same rate. Shout out to Adam Antium and Enigma. It was a tough one but really fun working through the problems with you two at various stages.

Thanks to xerbus for this CTF. Really well done. You must have put some serious work into this. It will certainly be one of the few vms I hold on to.

Feel free to tweet me @sp3cT0rr if you have any questions!