The Necromancer: 1. Vulnhub’s VM Walkthrough


The Vulnerable VM can be found at:

https://www.vulnhub.com/entry/the-necromancer-1,154/

Let’s go!

This VM has a specific objective instead of the typical boot2root.
It consists of 11 flags to be discovered.

BEFORE YOU CONTINUE ANY FURTHER, PLEASE NOTE THAT I DID NOT MASK OUT POTENTIAL SPOILERS AND THE FLAG VALUES. 

You’ll get spoiled if you continue.

— [ Flag 1 ] —
— [ WireShark ] —

After running nmap with both TCP and UDP scans, only UDP port 666 appears to be open, and nothing could be enumerated from it directly. (Keep in mind that nmap reports most unresponsive UDP ports as open|filtered, so a lone UDP port that does answer is worth a closer look rather than a shrug.)

I decided to fire up WireShark to have a look behind the scenes.

wireshark-packet.png

The capture shows the target repeatedly trying to connect back to our machine on port 4444, so it wants us to be listening there. Let’s make it happen by starting a listener on that port (netcat will do).

sslencrypted.png

A colleague pointed out that a string beginning with “V2VsY29..” is base64 (that prefix decodes to “Welcom”; the same encoding is what openssl enc -base64 emits, which is why people associate it with OpenSSL). I then went to Google-Fu on it and decoded the message.

flag1.png

— [ Flag 2 ] —
— [ Chanting the Flag ] —

Following the instructions in the decoded message:
wire-shark-response.png

Oh no. Perhaps the string value of flag 1 can be decoded further?

hash-ider.png

hash-identifier recognises the flag value as a hash, so off to hashcat it goes. Nice.

hashcat-cracked.png

“opensesame” it seems…

send-opensesame.png

Success!

wireshark-sesame.png

Getting the text out nice and neat…

getting-it-out-of-wireshark.png

New attack vector opens up on port 80!
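
The reverse-connection catch and the “chant” exchange above, written out as an added Python example (this is not the walkthrough’s own tooling, which was netcat and Wireshark). The message text, the chant words and the local stand-in for the VM’s udp/666 service are constructed for the example; only the base64 handling and the socket behaviour are the actual technique.

```python
import base64
import socket
import threading
from typing import Tuple

# Constructed stand-in for the text the VM pushed to TCP/4444: base64 of a
# made-up line. The real message is only in the walkthrough's screenshot.
SAMPLE_PAYLOAD = base64.b64encode(b"Welcome! Chant the word to udp/666.").decode()


def decode_chant_message(payload: str) -> str:
    """base64-decode a message like the 'V2VsY29...' string seen on TCP/4444.
    'V2VsY29t' is simply base64 for 'Welcom'; no key or cipher is involved."""
    return base64.b64decode(payload.strip(), validate=True).decode("utf-8", "replace")


def catch_callback(port: int = 4444, timeout: float = 60.0) -> str:
    """Listen once on TCP/<port> (what `nc -lvp 4444` did) and return what the
    target sends. Needs the target to actually connect, so not run offline."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        srv.settimeout(timeout)
        conn, _ = srv.accept()
        chunks = []
        with conn:
            conn.settimeout(timeout)
            while True:
                try:
                    chunk = conn.recv(4096)
                except socket.timeout:
                    break
                if not chunk:
                    break
                chunks.append(chunk)
    return b"".join(chunks).decode("utf-8", "replace")


def chant(host: str, port: int, word: str, timeout: float = 5.0) -> str:
    """Send one UDP datagram (the 'chant') and return the reply text, or '' if
    nothing comes back. UDP has no handshake: a wrong chant and a dead port
    look identical (silence), which is why a sniffer was needed at all."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(word.encode() + b"\n", (host, port))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return ""
    return data.decode("utf-8", "replace")


def start_fake_necromancer(secret: str, reply_plain: str) -> int:
    """Constructed local stand-in for the VM's udp/666 listener so the flow can
    be run offline: answers the right chant with a base64 message and silently
    drops anything else. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]
    reply = base64.b64encode(reply_plain.encode())

    def serve() -> None:
        with srv:
            for _ in range(2):  # one wrong chant, then the right one
                data, peer = srv.recvfrom(65535)
                if data.strip().decode("utf-8", "replace") == secret:
                    srv.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> Tuple[str, str]:
    """Wrong chant first (silence), then the real one, decoded."""
    port = start_fake_necromancer("opensesame", "The door creaks open. Look at port 80.")
    silence = chant("127.0.0.1", port, "abracadabra", timeout=1.0)
    answer = chant("127.0.0.1", port, "opensesame", timeout=3.0)
    return silence, decode_chant_message(answer)


if __name__ == "__main__":
    print(decode_chant_message(SAMPLE_PAYLOAD))
    print(demo())
```

Against the real VM you would call catch_callback() first, then chant(target_ip, 666, word) with whatever the decoded message (and later the cracked hash) tells you to say; the stand-in server only exists so the two behaviours, silence on a wrong chant and a base64 reply on the right one, can be exercised without the VM.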

— [ Flag 3 ] —
— [ Foremost in and out ] —

I spent quite a while here, running nikto and DirBuster with various directory word lists.
After everything turned up negative, I was pretty sure that something was hiding in the image on the web server! (Absolutely no other possible route; I did 101% enumeration.)

strings-on-image.png

Running strings on pileoffeathers.jpg displayed feathers.txt. Interesting: a JPEG has no business containing a file name, so another file is probably embedded in it.
I continued to dig further.

foremost-success.png

foremost carves the hidden zip file out of the image.

flag3-found.png

Our flag, and a new directory it seems.
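
The strings-then-carve step above, as an added Python example rather than the strings and foremost invocations the walkthrough used. The “image” is constructed (JPEG-looking bytes with a real zip appended), as is the flag text inside feathers.txt; the signature scan and the zip validation are the technique foremost applies.

```python
import io
import zipfile
from typing import Dict, List, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # the signature foremost's zip carver looks for


def build_sample_image() -> bytes:
    """Constructed stand-in for pileoffeathers.jpg: JPEG-looking bytes with a
    real zip archive (holding feathers.txt) appended after the EOI marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", "flag3{constructed-example}\nnext stop: /hidden-dir/\n")
    jpeg_like = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 256 + b"\xff\xd9"
    return jpeg_like + buf.getvalue()


def strings(data: bytes, min_len: int = 4) -> List[str]:
    """What `strings -n 4` prints: runs of printable ASCII of min_len or more.
    A file name showing up inside a JPEG is the tell that something is appended."""
    out, run = [], bytearray()
    for b in data + b"\x00":          # sentinel flushes the final run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def carve_zip(data: bytes) -> Optional[bytes]:
    """Return the bytes from the first local-file-header signature onward if
    they form a parseable zip, else None. Scanning for 'PK\\x03\\x04' is the
    header carving foremost does; zipfile then validates the central directory
    for us, which a signature match alone does not."""
    off = data.find(ZIP_LOCAL_HEADER)
    while off != -1:
        candidate = data[off:]
        if zipfile.is_zipfile(io.BytesIO(candidate)):
            return candidate
        off = data.find(ZIP_LOCAL_HEADER, off + 1)
    return None


def extract_members(zip_bytes: bytes) -> Dict[str, str]:
    """Unpack every member to text (the VM's zip held a single feathers.txt)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {name: zf.read(name).decode("utf-8", "replace") for name in zf.namelist()}


def demo() -> Dict[str, str]:
    image = build_sample_image()
    carved = carve_zip(image)
    assert carved is not None, "no zip inside"
    return extract_members(carved)


if __name__ == "__main__":
    for s in strings(build_sample_image()):
        print(s)
    print(demo())
```

Note that the file name appears in strings output even though the member is deflate-compressed: zip stores names in clear in both the local header and the central directory, which is exactly why strings gave the game away on the real image.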

— [ Flag 4 ] —
— [ GDB, eh? ] —

I got served here pretty badly…
Nikto: nothing. DirBuster with various directory lists: NOTHING!
Until I simply followed the hints provided and stopped over-complicating things. Success!

hint-maybe.png

Google-FUUUUUUUUUUUUUUUUUUUU
Wikipediaaaaaaaaaaaaaaaaaaaaa

building-the-list.png

Next, I used CeWL to generate a word list from the Wikipedia page on magical items:
the -m 4 flag keeps only words of 4 or more characters,
the -d 0 flag stops CeWL from following links off the page (spidering depth 0).

cewl-wordlist.png

DirBuster, fed the magical-brute.txt list generated by CeWL:

dirb-success.png

Niceeeee.
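
The word-list-from-the-theme idea above, as an added Python example (not CeWL or DirBuster themselves): a tiny CeWL-alike that keeps words of at least four characters from a page’s visible text, plus the DirBuster-style candidate paths built from it. The HTML snippet is constructed for the example; the probe function needs a live web server and is not exercised here.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from typing import List

# Constructed snippet standing in for the Wikipedia page; note the word that
# only lives inside <script>, which CeWL would not count either.
SAMPLE_HTML = """<html><head><title>Magical objects</title>
<style>.x{color:red}</style></head><body>
<h1>List of magical objects</h1>
<p>A <b>talisman</b> is an object believed to hold magical powers.
An amulet, a talisman or a ring may be worn. The necromancer's cap is on the list.</p>
<script>var hiddenToken = "scriptonly";</script>
</body></html>"""


class _VisibleText(HTMLParser):
    """Collect the text a reader sees; skip <script>/<style> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def cewl_words(html: str, min_len: int = 4) -> List[str]:
    """Rough equivalent of `cewl -m <min_len> -d 0 <url>`: unique words of the
    page's visible text, at least min_len characters, in first-seen order.
    Case is kept (CeWL's default), since most web servers match paths exactly."""
    parser = _VisibleText()
    parser.feed(html)
    seen, words = set(), []
    for w in re.findall(r"[A-Za-z][A-Za-z'-]*", " ".join(parser.parts)):
        if len(w) >= min_len and w not in seen:
            seen.add(w)
            words.append(w)
    return words


def candidate_paths(words: List[str]) -> List[str]:
    """DirBuster-style candidates: each word as a directory and as a bare
    name, with a lower-cased variant when the word is not already lower-case."""
    out = []
    for w in words:
        variants = [w] + ([w.lower()] if w.lower() != w else [])
        for v in variants:
            out.append(f"/{v}/")
            out.append(f"/{v}")
    return out


def probe(base_url: str, paths: List[str], timeout: float = 5.0) -> List[str]:
    """Request each path and report anything that is not a 404.
    Needs a live host (the VM's web server); not run offline."""
    hits = []
    for path in paths:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                hits.append(f"{resp.status} {path}")
        except urllib.error.HTTPError as e:
            if e.code != 404:
                hits.append(f"{e.code} {path}")
        except urllib.error.URLError:
            pass
    return hits


if __name__ == "__main__":
    words = cewl_words(SAMPLE_HTML)
    print(words)
    print(candidate_paths(words[:3]))
```

Against the real target you would fetch the Wikipedia page, pass its HTML to cewl_words, and hand candidate_paths(words) to probe("http://<target>"); the point the walkthrough makes still applies, which is that a themed list built from the hints finds what generic lists miss.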

talisman-wtf.png
The talisman is a binary, and no matter what input I gave it when running it, it never printed anything useful.
Running strings on it showed two interesting entries, chantToBreakSpell and wearTalisman.
I was quite confident that these are function names (symbol names survive in an unstripped binary).
Although my GDB skills are near to non-existent, I know the basics of using it from http://overthewire.org/wargames/ which I’ve done months ago. Heh.

strings-on-talisman.png

My strategy is extremely basic and simple: set a breakpoint in GDB so the program stops after start-up, then use GDB’s jump command to transfer control to each of the two functions in turn, so that they run even though the normal code path never seems to reach them.

gdb-wearTalisman.png

Jumping to wearTalisman doesn’t display anything interesting. Next up:

gdb-chantToBreakSpell.png

Boom! Flag4 discovered!

Chanting again, eh? The flag is another MD5 hash, so back to hashcat:

hashcat-md5.png

— [ Flag 5 ] —
— [ Here we Chant again ] —

After chanting “blackmagic” to UDP port 31337…

wireshark-response.png

Getting it out nice and neat from WireShark, again.

Capture.PNG

Boom flag 5! Aaaaaand a new directory.

— [ Flag 6 ] —
— [ Free Flag! ] —

Upon visiting the new directory discovered, the flag is shown on the web page itself.

flag6-wtf.png

The necromancer file served there is a .cap capture; opening it in Wireshark shows wireless (802.11) traffic.

udp-161.png

— [ Flag 7 ] —
— [ UDP 161 && .cap ] —

So now we have an open UDP port 161 running SNMP and a .cap file containing wireless traffic.

The .cap file seems to contain quite a few frames. Let’s ask Google what to do with a wireless .cap file. Heh

what-to-do-with-pcap-wireless.png

Crack it, it said. So: aircrack-ng, the capture (which holds a WPA handshake), and rockyou.txt.

aircrack-rockyou.png

Ok. We have the wireless key, “death2all”, now.

Moving on to SNMP on UDP port 161…

I know a fair bit about SNMP enumeration, as it was taught in the OSCP PWK course; one of the tools covered was snmpwalk.

I tried various community strings here, “public”, “private”, etc., to no avail: an SNMPv1/v2c agent simply drops requests with a wrong community string, so every wrong guess just times out.
I then decided to try “death2all” instead, reusing the wireless key.

The output suggests that a string-valued object has to be changed over SNMP (string manipulation with snmpset). Now, that’s something new for me!

Google-Fu found this wonderfully perfect reference:

SNMP SUPER REFERENCE GUIDE

Quoting from part of the guide…

“The following example shows how to use the snmpget and snmpset commands together. The sequence of steps is as follows:

1. Use the snmpget command to check the current value of the MIB object.

2. Use the snmpset command to change the value of the MIB object.

3. Use the snmpget command to verify that the MIB object was in fact changed to the requested value.”

snmp-enum.png

Flag 7, and “t22”: TCP port 22, i.e. SSH? A rescan confirms that port 22 is now open:

nmap-p22-open.png
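
The community-string guessing and the get/set pair described above, as an added Python example built on raw SNMPv1 packets rather than the net-snmp tools the walkthrough used. The candidate list, the “death2all” secret and the local stand-in agent are constructed for the example; the BER encoding, the PDU layout and the drop-on-wrong-community behaviour are how SNMPv1 actually works.

```python
import socket
import threading
from typing import List, Optional

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # the OID snmpwalk starts from


def ber(tag: int, body: bytes) -> bytes:
    """One BER TLV with definite length (short form, or long form past 127)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def ber_int(v: int) -> bytes:
    return ber(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return ber(0x06, bytes(body))


def snmp_message(community: str, pdu_tag: int, varbind: bytes, request_id: int) -> bytes:
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }
    PDU ::= [tag] { request-id, error-status, error-index, VarBindList }"""
    pdu = ber(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode()) + pdu)


def build_get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    """GetRequest (0xA0) with a NULL value, what snmpget -v1 sends."""
    return snmp_message(community, 0xA0, ber(0x30, encode_oid(oid) + b"\x05\x00"), request_id)


def build_set_request(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    """SetRequest (0xA3) writing an OCTET STRING: snmpset -v1 ... <oid> s <value>."""
    vb = ber(0x30, encode_oid(oid) + ber(0x04, value.encode()))
    return snmp_message(community, 0xA3, vb, request_id)


def parse_community(pkt: bytes) -> Optional[str]:
    """Community string of a short-form SNMPv1 packet (30 LL 02 01 00 04 LL ...)."""
    if len(pkt) < 7 or pkt[0] != 0x30 or pkt[2:5] != b"\x02\x01\x00" or pkt[5] != 0x04:
        return None
    return pkt[7:7 + pkt[6]].decode("utf-8", "replace")


def brute_community(host: str, port: int, candidates: List[str], timeout: float = 1.0) -> Optional[str]:
    """Try each community with a GetRequest for sysDescr. A v1/v2c agent drops
    requests carrying a wrong community without any reply, so silence means
    'wrong' (or no agent at all); the only positive signal is a response."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for i, community in enumerate(candidates, start=1):
            s.sendto(build_get_request(community, SYS_DESCR, request_id=i), (host, port))
            try:
                data, _ = s.recvfrom(65535)
            except socket.timeout:
                continue
            if parse_community(data) == community:
                return community
    return None


def start_fake_agent(secret: str) -> int:
    """Constructed local stand-in for the VM's udp/161: replies with a minimal
    GetResponse (0xA2) only when the community matches. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve() -> None:
        with srv:
            while True:
                pkt, peer = srv.recvfrom(65535)
                if parse_community(pkt) == secret:
                    vb = ber(0x30, encode_oid(SYS_DESCR) + ber(0x04, b"The Necromancer (constructed)"))
                    srv.sendto(snmp_message(secret, 0xA2, vb, 1), peer)
                    return

    threading.Thread(target=serve, daemon=True).start()
    return port


def demo() -> Optional[str]:
    port = start_fake_agent("death2all")
    return brute_community("127.0.0.1", port, ["public", "private", "death2all"], timeout=0.5)


if __name__ == "__main__":
    print(build_get_request("public", SYS_DESCR).hex())
    print(demo())
```

The get/set/get sequence the reference guide describes is build_get_request, build_set_request, build_get_request again with the same community, each sent to udp/161 and read back with recvfrom; the example keeps the encoder and the guessing loop, since those are the parts the walkthrough’s screenshots do not show.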

— [ Flag 8, 9, 10] —
— [ Google-Fu x 3 ] —

Cracking flag 7…

cracked-md5.png

demonslayer, so much swag in it.
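
The identify-then-crack routine used for flags 1, 4 and 7 (hash-identifier followed by hashcat with a word list), as an added Python example that is not the walkthrough’s tooling. The target hashes are constructed (MD5/SHA-1 of the plaintexts the walkthrough recovered, since the real values are only in screenshots), the word list is a constructed stand-in for rockyou.txt, and the mutation rules are a handful in the style of hashcat rules, not hashcat’s own.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Optional

# Length and alphabet heuristics in the spirit of hash-identifier: a 32-hex
# string is *probably* MD5 (NTLM/MD4 look identical), never a certainty.
HEX_LENGTHS = {32: ["md5", "md4"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

# Constructed stand-in for a word list (the walkthrough used rockyou.txt).
WORDLIST = ["password", "necromancer", "opensesame", "feathers", "blackmagic",
            "talisman", "demonslayer", "death2all"]

# Constructed targets: hashes of the plaintexts the walkthrough recovered,
# plus one that needs a mutation rule and a non-MD5 algorithm to show the
# fallback paths.
SAMPLE_TARGETS = {
    "flag1": hashlib.md5(b"opensesame").hexdigest(),
    "flag4": hashlib.md5(b"blackmagic").hexdigest(),
    "flag7": hashlib.md5(b"demonslayer").hexdigest(),
    "extra": hashlib.sha1(b"necromancer123").hexdigest(),
}


def guess_algorithms(digest: str) -> List[str]:
    """Candidate algorithms for a hex digest, by length; [] if it is not hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return []
    return HEX_LENGTHS.get(len(digest), [])


def mutate(word: str) -> Iterable[str]:
    """A handful of hashcat-style rules (the real best64 set is far larger)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!"):
        yield word + suffix


def crack(digest: str, wordlist: List[str]) -> Optional[str]:
    """Try every candidate under each plausible algorithm; return the matching
    plaintext or None. Algorithms this OpenSSL build refuses (md4 is disabled
    as a legacy digest in some builds) are skipped rather than crashing."""
    digest = digest.lower()
    for algo in guess_algorithms(digest):
        try:
            hashlib.new(algo)
        except ValueError:
            continue
        for word in wordlist:
            for cand in mutate(word):
                if hashlib.new(algo, cand.encode()).hexdigest() == digest:
                    return cand
    return None


def crack_all(targets: Dict[str, str], wordlist: List[str]) -> Dict[str, Optional[str]]:
    return {name: crack(h, wordlist) for name, h in targets.items()}


if __name__ == "__main__":
    for name, plain in crack_all(SAMPLE_TARGETS, WORDLIST).items():
        print(f"{name}: {plain}")
```

For anything beyond a toy list, hand the same job to hashcat (-m 0 for MD5) as the walkthrough did; the value of the script is in making the two decisions explicit, which algorithm to assume from the digest shape and which rules to apply, both of which hashcat hides behind its mode number and rule files.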

medusa-success.png

Initially I wanted to leave Medusa running against SSH with demonslayer as the username while I enumerated other things, but it took literally five seconds to find the password, 12345678. GG.

ssh-demonslayer.png

I R demonslayer???

flag8-done.png

YAY Flag 8! Eh, no wait.

outside-no-u777.png

UDP 777 is not open from the outside; what about locally?

inside-have-u777.png

Ok! Let’s connect to it.

The service is bound to the loopback interface only, which is why the external scan never saw it. Connecting to localhost on UDP port 777 presented a series of questions, three in all, and the answers were easy to find with a bit of Google-Fu.

flag8-real.png

Flag 8~

question1-google.png

flag9-real.png

Flag 9~

question2-google.png

flag10-real.png

Flag 10~

question3-google.png

Heh. Small vile, Eh?

smallvile.png

— [ Flag 11 ] —
— [ CATing everything like a god ] —

As it says, I felt a great power within my veins! Obviously the first thing I tried was sudo su to root, but nay.

Checking which commands sudo lets me run (sudo -l):

wtf-happened.png

Whoop woot.

flag11.png

Pretty nice ASCII art. I’m not gonna snip off the credits~

credits.png

This VM was really fun. Learned quite a few new things as well. Heh.

hackergod.png

That’s all people!

Stay safe~

-9emin1

 
