The Vulnerable VM can be found at:
This VM has a specific objective instead of the typical boot2root.
It consists of 11 flags to be discovered.
BEFORE YOU CONTINUE ANY FURTHER, PLEASE NOTE THAT I DID NOT MASK OUT POTENTIAL SPOILERS AND THE FLAG VALUES.
You’ll get spoiled if you continue.
— [ Flag 1 ] —
— [ Wireshark ] —
After running nmap with both TCP and UDP scans, only UDP port 666 seems to be opened and nothing can be enumerated from it.
I decided to fire up Wireshark to have a look behind the scenes.
It can be seen that our target is trying to connect to us on port 4444. Let’s make it happen.
After a colleague told me that the string value “V2VsY29..” typically refers to openssl encryption, I went Google-Fu on it.
— [ Flag 2 ] —
— [ Chanting the Flag ] —
Following the instructions of the decoded message,
Oh no, perhaps the string value of flag1 can be decoded further?
“opensesame” it seems…
Getting the text out nice and neat…
New attack vector opens up on port 80!
— [ Flag 3 ] —
— [ Foremost in and out ] —
I spent quite a while here, running my nikto and dirbuster with various directory files.
After everything turned up negative, I’m pretty sure that something is hiding in the image on the Web Server! (Absolutely no other possible route, did 101% enumeration)
Running strings on the pileoffeathers.jpg displayed feathers.txt. Interesting.
I continued to dig further.
Hidden zip file extracted out.
Our flag, and a new directory it seems.
— [ Flag 4 ] —
— [ GDB, eh? ] —
I got served here pretty badly…
Nikto nothing, dirbuster with various directory lists, NOTHING!
Until I blindly followed the hints provided and not over-complicated stuff. Success!
Next, I used CEWL to generate a word-list off the magical items wiki page.
The -m 4 flag only takes into account words that contain 4 or more characters.
The -d 0 flag does not follow the links on the Wikipedia page (depth 0).
Dirbuster with our magical-brute.txt created by CEWL.
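The CEWL step above (minimum word length 4, depth 0 so only the one page is processed) is small enough to reimplement, which shows how little it takes to turn a page's content into a word-list. This is an added example, not CEWL's code or the write-up's; the HTML below is constructed, not the real wiki page.

```python
import re
from html.parser import HTMLParser

# Constructed sample page standing in for the "magical items" wiki page the
# write-up fed to CEWL; it is not the real page's content.
SAMPLE_HTML = """<html><head><title>Magical items</title>
<script>var x = 'scriptnoise';</script></head>
<body><h1>List of magical items</h1>
<p>A <b>talisman</b> or an amulet is worn for protection. The Necromancer
guards a small vial of black magic.</p>
<a href="/wiki/Talisman">talisman</a> <a href="/wiki/Amulet">Amulet</a>
<p>See also: wand, orb, ring, grimoire.</p></body></html>"""


class TextExtractor(HTMLParser):
    """Collect visible text only, skipping <script>/<style> bodies and tags."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_wordlist(html, min_len=4, lowercase=True):
    """Return unique words of at least min_len characters, in first-seen order.

    min_len mirrors CEWL's -m <n>. Depth 0 (-d 0) means links are never
    followed, so exactly one document is processed, as here."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z][A-Za-z'-]*", text):
        w = w.lower() if lowercase else w
        if len(w) >= min_len and w not in seen:
            seen.add(w)
            words.append(w)
    return words
```

Feed the result to a directory brute-forcer as the write-up does, or, from the defending side, run it against your own site to see which directory names and passwords a visitor can derive from page text alone.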
The talisman is a binary file and upon execution, no matter what the input I gave, it always returns nothing.
Running strings on it displayed 2 interesting outputs: chantToBreakSpell and wearTalisman.
I was quite confident that these are function names.
Although my GDB skills are near to non-existent, I know the basics of using it from http://overthewire.org/wargames/ which I’ve done months ago. Heh.
My strategy is extremely basic and simple. We will set a breakpoint on it and attempt to jump to these 2 functions.
Jumping to wearTalisman doesn’t display anything interesting. Next up,
Boom! Flag4 discovered!
Chanting again, eh?
— [ Flag 5 ] —
— [ Here we Chant again ] —
After chanting “blackmagic” to the UDP port 31337…
Getting it out nice and neat from Wireshark, again.
Boom flag 5! Aaaaaand a new directory.
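The “chanting” in Flag 2 and Flag 5 is the same exchange each time: one word sent to a UDP port, a base64-wrapped reply back (as with the port 4444 message in Flag 1), silence for anything else. Below is an added example of both sides of that exchange on localhost; it is not the VM's code, the chant word and reply text are constructed, and the listener binds an ephemeral port rather than 666 or 31337.

```python
import base64
import socket
import threading

# Constructed stand-in for the VM's UDP listener. Only the expected chant
# gets an answer, and the answer is base64-wrapped like the write-up's.
CHANTS = {b"opensesame": b"You chant the word and a door creaks open. hint{constructed}"}


def run_mock_listener(sock, stop):
    """Serve datagrams until stop is set; unknown chants get no reply."""
    sock.settimeout(0.2)
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(1024)
        except socket.timeout:
            continue
        reply = CHANTS.get(data.strip())
        if reply is not None:
            sock.sendto(base64.b64encode(reply), peer)


def chant(host, port, word, timeout=1.0):
    """Send one word, wait for a reply, base64-decode it when it is base64.

    Returns the decoded text, or None when the port stays silent (the
    normal outcome for a wrong chant, so a timeout is not an error)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(word.encode(), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    try:
        return base64.b64decode(data, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return data.decode(errors="replace")   # reply was not base64


def demo():
    """Run the mock listener on localhost and chant a right and a wrong word."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                # ephemeral port, not 666/31337
    port = srv.getsockname()[1]
    stop = threading.Event()
    t = threading.Thread(target=run_mock_listener, args=(srv, stop), daemon=True)
    t.start()
    try:
        return chant("127.0.0.1", port, "opensesame"), chant("127.0.0.1", port, "wrongword", 0.3)
    finally:
        stop.set(); t.join(); srv.close()
```

From the defending side, a listener like this is effectively a port-knock service; the Wireshark captures the write-up relies on are exactly what a network sensor would see of it.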
— [ Flag 6 ] —
— [ Free Flag! ] —
Upon visiting the new directory discovered, the flag is shown on the web page itself.
The necromancer is a cap file which contains some wireless traffic upon opening it up in Wireshark.
— [ Flag 7 ] —
— [ UDP 161 && .cap ] —
So now we have an open UDP port 161 running SNMP and a .cap file containing wireless traffic.
The .cap file seems to contain quite a handful of captures. Let’s ask Google what to do with a .cap file. Heh
Crack it, it said.
Ok. We have a key “death2all” now.
Moving on to SNMP on UDP port 161…
I know a fair bit about SNMP enumeration as it was taught in my OSCP PWK course… One of the tools taught for SNMP was snmpwalk.
I tried various community strings here, “public”, “private”, etc… to no avail.
I then decided to try “death2all” instead.
The output displayed shows that some string manipulation might be required. Now, that’s something new for me!
Google-Fu’d it and found this wonderfully perfecto reference.
Quoting from part of the guide…
“The following example shows how to use the snmpget and snmpset commands together. The sequence of steps is as follows:
1. Use the snmpget command to check the current value of the MIB object.
2. Use the snmpset command to change the value of the MIB object.
3. Use the snmpget command to verify that the MIB object was in fact changed to the requested value.”
Flag 7 and t22 == TCP Port 22 == SSH??
— [ Flag 8, 9, 10 ] —
— [ Google-Fu x 3 ] —
Cracking flag 7…
demonslayer, so much swag in it.
Initially I wanted to let Medusa run while I try other shit to enumerate, but it literally took 5 seconds to get the password, 12345678. GG.
I R demonslayer???
YAY Flag 8! Eh, no wait.
Not opened from the outside, what about local?
Ok! Let’s connect to it.
Upon connecting to localhost on UDP Port 777, I was presented with several questions.
The answers can be easily found using Google-Fu. Yes, all 3 of the questions.
Heh. Small vile, Eh?
— [ Flag 11 ] —
— [ CATing everything like a god ] —
As it says, I felt a great power within my veins! Obviously the first thing I would do is sudo su to root, but Nay.
Checking on what sudo commands I am capable of running…
Pretty nice ASCII art. I’m not gonna snip off the credits~
This VM was really fun. Learned quite a few new stuff as well. Heh.
That’s all, people!