Today I’m going to provide a walkthrough on the Necromancer CTF challenge (from vulnhub) that I recently completed. It was LOTS of fun! Fairly easy but with a few twists and turns along the way. This walkthrough will be split into 2 parts.
So after setting up the machine I started with a basic nmap scan – first to find the machine's IP and then to find open ports and running services. I tried a basic -sS with no result, then an -sV scan…nothing…all ports filtered. I was a bit confused, then remembered these scans only cover TCP ports. So I tried a UDP port scan with -sU and a defined port range.
Voilà! We have an open port on UDP 666 with a service called doom! My next logical step was to use netcat.
Connecting with nc just gives us a message “You gasp for air! time is running out!”. At this point I was a little stumped with where to go but eventually I decided to check the network traffic to see if anything was coming from the necromancer.
Using tshark I saw a LOT of ARP traffic coming from the necromancer and going to port 4444. Interesting! With handy dandy netcat I listened on port 4444 to see what the necromancer had to say.
Looking at this string I immediately thought base64…so…time to decode…
I was then given flag 1 with a hint to chant it to U666. I tried doing this with netcat but the reply was “try chanting in an different tongue”. Duh! It was an MD5 hash. Hashcat was playing up so I turned to crackstation.net.
So now let's try chanting “opensesame” at U666, with handy dandy netcat again! And we get the following…
Yay! Now with this message the thing that stuck out was the “formation looks like the numeral 80”. I immediately thought HTTP and decided to open a browser.
It worked! And what's more, there's a picture, which had me thinking (or hoping!) there'd be some forensics!!! I downloaded the picture and opened it in a hex editor – this is always my first move with CTF images.
Anything stand out?? What is that suspicious looking feathers.txt about?? Did someone say file carving….?….
Foremost for the win!!
feathers.txt was another base64 encoded message…so let's decode.
This hint was pretty simple…let's take this back to Iceweasel…
Now this part was by far the most difficult part, albeit the BEST, most rewarding part! I'll admit after trying many different things it took me a couple of weeks just thinking about this (and I was pretty busy with other stuff…like life, as well!). Suddenly I had an epiphany, randomly, while driving…There's been a lot of URL file/directory stuff…and I need a “magical item” to protect me. What if there's another directory whose name has something to do with a magical item?
So I rushed home and googled “Magical items”, found a wiki page that looked good….
and then started CeWL! Time to generate a wordlist from the wiki page. I made sure I set the depth to 0 so it only pulled words from that page, and also only words of 4 characters or more so I wasn't getting ‘and’ or ‘the’.
Here’s a little snippet of my awesome wordlist…
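The CeWL step above boils down to: fetch one page (depth 0), keep only the visible text, split it into alphabetic words, drop anything shorter than four characters and dedupe. Here is that filter as an added Python example; it is my code, not CeWL's and not part of the original post, and the HTML is a constructed stand-in for the wiki page, not the real one.

```python
import re
from html.parser import HTMLParser

# Constructed stand-in for the "magical items" wiki page; not the real page.
SAMPLE_HTML = """<html><head><title>Magical items</title>
<style>.box { color: red }</style>
<script>alert("hello from the page script");</script></head>
<body><h1>Magical items</h1>
<p>The talisman and the amulet are worn; a wand or orb is carried.</p>
<p>A Talisman protects the wearer and a ring binds the curse.</p>
</body></html>"""


class VisibleText(HTMLParser):
    """Collect the text a browser would show; skip <script> and <style> bodies."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def build_wordlist(html, min_length=4):
    """Unique lower-cased alphabetic words of at least min_length chars, first-seen order."""
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.parts)):
        word = word.lower()
        if len(word) >= min_length and word not in seen:
            seen.add(word)
            words.append(word)
    return words
```

Words inside script and style blocks never reach the list, which is why they are skipped rather than just filtered by length.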
Ok, so I had the wordlist and now I was pretty excited because I got to use one of my favourite tools – DirBuster to the rescue!!
Wordlist set. Starting directory set. Blank file extension anddddddd start!
Here’s the results!
It probably only took about 3 minutes maximum to find ‘talisman’. If we go there we get the ‘talisman’ file to download.
Which just so happens to be an ELF file – using the file command we can get some more information.
Well, I guessed the first thing to do would be to try and execute the file – permission denied. But that's an easy fix. And when we run it we get this message…
But when we say ‘yes’, nothing happens. Hmm. From here I thought, well, I have an executable that takes input, so the most likely scenario here is a buffer overflow. So how do we test if this is the case…we attempt to induce a segfault!
I input a heap of letters just to see what would happen. There's our segmentation fault. Ladies and gentlemen, it looks like we have a buffer overflow. Now obviously we can't point to our own script for code execution; however, there might be a function within the program that we would like to jump to.
Using edb and the --symbols flag we find two that stand out: “chantToBreakSpell” and “wearTalisman”. Running both, it turns out “wearTalisman” is just the function we ran earlier.
No dice. So let's try “chantToBreakSpell”. I used gdb to set a breakpoint at the main function (b main), and then jumped directly to “chantToBreakSpell”. You could also use PEDA for this to give a more in-depth analysis of the program.
And hooray another flag! And a hint to chant words at u31337. This looks like another chanting the flag using netcat scenario. Cracking the hash gives us the phrase “blackmagic”…
And let's chant it at UDP port 31337 with nc.
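The decode-and-crack loop this post repeats (a base64 blob on UDP 4444, an MD5 hash inside the flag, crack it, chant the phrase at U666 and later at u31337) as one added Python example. This is my code, not the CTF's or the post's; the sample chants and the wordlist are constructed stand-ins, and the real hashes are not reproduced.

```python
import base64
import binascii
import hashlib
import re
import socket

# Constructed stand-ins for the two base64 "chants": a flag line carrying an MD5 hex
# digest plus a hint. Digests are computed from the known phrases so this runs offline.
def _sample(flag: str, phrase: str, hint: str) -> str:
    line = f"{flag}{{{hashlib.md5(phrase.encode()).hexdigest()}}} {hint}"
    return base64.b64encode(line.encode()).decode()

SAMPLE_CHANTS = {
    "flag1": _sample("flag1", "opensesame", "chant it to U666"),
    "flag3": _sample("flag3", "blackmagic", "chant words at u31337"),
}
WORDLIST = ["password", "necromancer", "opensesame", "blackmagic", "death2all"]  # constructed
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")

def decode_chant(text: str) -> str:
    """Base64-decode a received message; ValueError tells a raw hint from an encoded one."""
    try:
        return base64.b64decode(text.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError) as exc:
        raise ValueError("payload is not base64") from exc

def find_md5(text: str):
    """Pull the first 32-hex-digit token out of the decoded text, if any."""
    m = MD5_RE.search(text.lower())
    return m.group(0) if m else None

def crack_md5(digest: str, wordlist):
    """Dictionary attack: MD5 each candidate and compare with the target digest."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None

def solve_chant(encoded: str, wordlist=WORDLIST):
    """Whole chain: decode -> extract hash -> crack. None if no hash or no match."""
    digest = find_md5(decode_chant(encoded))
    return crack_md5(digest, wordlist) if digest else None

def chant(host: str, port: int, phrase: str, timeout: float = 5.0) -> bytes:
    """Send the phrase as one UDP datagram and return the reply, as nc -u did."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(phrase.encode() + b"\n", (host, port))
        reply, _ = s.recvfrom(4096)
    return reply
```

chant() is the only piece that touches the network; solve_chant() runs entirely offline, and a wordlist hit against an unsalted MD5 is exactly why crackstation answered instantly.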
I felt like that part was a little too easy to be given another flag but hey I’ll take it. And we also get another directory.
Furthermore, we get a file to download. Again with the ‘file’ command we can see what it is.
After decompressing and untarring (based on the file information) we are left with a cap file. I had a look at it in tshark and a few things caught my eye. 1 – The deauthentication/authentication traffic made me think WPA…perhaps a pre-shared key? 2 – The word “Community” kept coming up. Why?
So I went with the pre-shared key idea. I had never tried to crack a key from a cap file, so with a bit of googling I came up with a solution: Aircrack-ng.
And after a few minutes we get the key death2all!!
Now from here I was quite confused until I went back over each step and realised I didn’t scroll all the way down on the /thenecromancerwillabsorbyoursoul page. Silly me! I missed this big wall of text with a hint U161.
UDP port 161…SNMP. From here came a whole lot of googling because I hadn't done much with SNMP before. I started with a Metasploit SNMP enumeration module as shown below.
So I needed to unlock the door. Hmm. Was there a way to alter variables? I did some research and found I needed to find the paths to change the variable. To do this I used snmpwalk, snmpset and snmpget.
With the paths found with snmpwalk I could now ‘set’ variables. I used the string “unlocked” because the door was locked and we needed it unlocked.
Now with snmpget….
We get another flag AND another hint t22….TCP port 22…..SSH!
My first thought was ok, I need a username, and sure enough the flag ended up being “demonslayer”. What an appropriate username. Let's give SSH a try.
And we need a password.
Here's where we can use Medusa…or Hydra…whatever takes your fancy.
And here’s the password “12345678”. Clearly this Necromancer wizard guy isn’t too fussed about his own security. tsk tsk, Necromancer.
Anddd we're in! The ASCII art is pretty awesome (especially when it's pink!).
After some quick fiddling flag8 was just sitting out in the open.
u777…ok…This was again a little tricky and took some thinking outside of the box (I mean figuratively, not literally, because thinking outside of the actual box got me nowhere!). After a lot of stuffing around trying to netcat (yes, our beloved netcat again!) in externally, I tried netcat internally to UDP port 777 on localhost.
Inside the lair it was time to battle the necromancer with some random questions. The googles helped here, although it was important to read each page properly and not just go with the seemingly correct answer from the Google search results.
OK, next step. Where is this small vial? I thought maybe it was hidden, and eventually found the following command.
And then after drinking it we have great power!!!! So su root is worth a try, right?
Sadly that didn't work. So what can we do? Let's find out…
It turns out flag 11, our last flag is here! And demonslayer has access!
Done! This CTF was lots of fun, and quite different from the usual “find the vulns, exploit the vulns” kind of challenges I'm used to.
Thanks for the awesome CTF Xerubus!