NECROMANCER CTF SOLUTION
VulnHub CTF: https://vulnhub.com/entry/the-necromancer-1,154/
Hello everyone! In this post I am going to show you how to solve the Necromancer CTF box step by step. It was an amusing box for me; it takes time, but the box is worth it. To solve it I used port scanning, sniffing, steganography, wireless password cracking, web pentesting, hash cracking, message decoding, reverse engineering and SNMP attack methods. Before we start, I want to mention my Udemy trainings; if you want to learn these topics more deeply, you can benefit from them.
Let’s go;
First of all I performed passive information gathering with the netdiscover tool to find the IP addresses on the network;
After that I performed a port scan with Nmap but found nothing; as you can see, all ports are filtered. By default, if you don’t specify the necessary parameters on the Nmap command line, it only scans well-known ports.
I repeated the scan with the -p- parameter for all ports and discovered two open UDP ports, 161 and 666. Under normal conditions we would check the services on the ports and search for exploit code if the services had vulnerabilities, but the situation is different for this box.
I had detected two UDP ports, and I decided to enumerate SNMP but found nothing. Then I opened a socket connection to perform banner grabbing against UDP 666. When I connected to the port via Nmap, the CTF box suddenly sent a message: “You Gasp For Air”. Hmmm… It’s time for sniffing; it could be a clue for me, so I started Wireshark to analyse the network packets;
It’s cool. The CTF box sends SYN packets to my TCP 4444, but the TCP 4444 socket is closed, so my box replies with an RST packet to the CTF box. Interestingly, the UDP 666 connection triggers a new reverse connection from the CTF box to the Kali machine. OK, cool, let’s open a socket and bind TCP 4444 locally with the nc tool. Wow, it’s cool. We received a base64-encoded message;
The decoding part is a piece of cake. I used the base64 tool to decode this message as shown below:
I got the first flag from the decoded message. But the flag looks like a hash. Look at the flag:
I used hash-identifier to detect the hash algorithm before implementing a rainbow attack. The Hash Identifier tool detected the algorithm as MD5. I started a rainbow attack with john and waited for the cracking process.
I didn’t want to lose time, so I decided to benefit from online hash crackers. The hash was cracked successfully:
The message is “opensesame”. It reminds me of Ali Baba and the Forty Thieves: Ali Baba says “Open sesame, open!” and the cave’s door opens. Hmmm…. I decided to send this message over UDP port 666.
Hey! Good, I captured the second flag. I noticed a string in the flag message: “looks like numeral 80” tells us that we can now find an open HTTP port 80. Good news, we can browse the web pages. I quickly used Nikto for a quick vulnerability scan and dirb for directory brute forcing:
The web page is shown above.
I decided to use curl to extract the HTML source code:
I saw a file in jpg format and downloaded it with wget for analysis:
I used the strings tool to view the strings located in the file, and I caught a txt file extension in the string list. Another txt file might be hidden in this picture. Keep on analysing:
I analysed the picture with exiftool:
I used the Binwalk tool to extract the hidden file from the jpg file. I was able to extract the hidden file fathers.txt and displayed the content of the file. I saw a base64-encoded message again; the CTF creator must like the base64 algorithm :) OK, I decoded the message and extracted a URL from the decoded message.
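A way to check a picture for appended data yourself, as an added example (not the author’s steps and not binwalk’s code): it walks the JPEG marker structure to the real end-of-image marker and reports whatever was stored after it, base64-decoding it when it can. It assumes the hidden text was simply appended after the image, which is the common layout binwalk flags; the image bytes and the hidden message are constructed.

```python
import base64
import binascii

def jpeg_end(jpeg: bytes) -> int:
    """Offset just past the real EOI marker; anything after it is not the picture."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    i = 2
    while True:
        if i + 2 > len(jpeg) or jpeg[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = jpeg[i + 1]
        if marker == 0xD9:                            # EOI: the image ends here
            return i + 2
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD8:
            i += 1 if marker == 0xFF else 2           # fill byte / stand-alone marker
            continue
        i += 2 + int.from_bytes(jpeg[i + 2:i + 4], "big")   # skip the segment
        if marker == 0xDA:            # SOS: entropy-coded data follows; inside it
            while True:               # 0xFF is always followed by 0x00 or RSTn
                j = jpeg.find(b"\xff", i)
                if j == -1 or j + 1 >= len(jpeg):
                    raise ValueError("truncated scan data")
                if jpeg[j + 1] == 0x00 or 0xD0 <= jpeg[j + 1] <= 0xD7:
                    i = j + 2
                else:
                    i = j                             # a real marker starts here
                    break

def appended_payload(jpeg: bytes):
    """What follows the image: base64-decoded if it decodes, else raw; None if nothing."""
    tail = jpeg[jpeg_end(jpeg):].strip()
    if not tail:
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except (binascii.Error, ValueError):
        return tail

CLEAN_JPEG = (   # constructed sample: a minimal marker skeleton, not a real picture
    b"\xff\xd8"                                            # SOI
    + b"\xff\xe0" + (7).to_bytes(2, "big") + b"JFIF\x00"  # APP0 segment
    + b"\xff\xda" + (4).to_bytes(2, "big") + b"\x01\x00"  # SOS header
    + b"\x12\xff\x00\x34\xff\xd0\x56"                      # scan data: stuffing, RST0
    + b"\xff\xd9"                                          # EOI
)
HIDDEN_MESSAGE = b"constructed: http://example.invalid/hidden/"
TAMPERED_JPEG = CLEAN_JPEG + base64.b64encode(HIDDEN_MESSAGE) + b"\n"
```

A clean file returns None; a file with an appended archive returns the raw bytes so you can hand them to binwalk or file.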
I browsed our new URL and implemented a directory brute-forcing attack to find new subdirectories located under the subdirectory we had just discovered.
I found a file named talisman. I downloaded it to analyse the file:
I used the file command to learn the file type of talisman, but I got a Linux error because I hadn’t added the i386 architecture to my 64-bit Kali operating system. Finally I saw that the file format is ELF. I decided to run and execute the file. When I executed the ELF it asked me “Do you want to wear talisman?” If I give it a wrong answer the program exits. Cool! It’s reverse time:)
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install libc6:i386 libncurses5:i386 libstdc++6:i386
Do you want to wear talisman? Let’s use GDB to reverse this ELF file. First, list the functions to learn which function triggers our question; use the info functions command for this. I saw the weartalisman function and I put a breakpoint at this point (the address where the function resides in memory).
Create a pattern for the input area with pattern_create. My aim is to check whether the ELF is vulnerable to a buffer overflow. I wrote the pattern into the message field and observed the EIP value with info registers eip. I saved the EIP value to query it with the pattern_offset tool.
OK! The ELF is vulnerable to a buffer overflow and our offset value is 32. That means we control the EIP value. If I am able to overwrite EIP with the address of the chanttobreakspell function, I can redirect program execution to chanttobreakspell and bypass the answer check. Because the OS the binary was compiled for is little endian, we write the address reversed. Let’s write our magic input into a file and save it. Open talisman in GDB and give it our magic input with r < overflow.
We have captured another flag. You can also do this as shown below:
My previous reverse solution may be the long way. I thought about it: can I solve this problem in a shorter way? So I created an alternative solution. I listed the functions, put a breakpoint at the main function, ran the program and gave the jump command to jump to the intended function. It’s a piece of cake:):)
From the message we have two important clues: the first is a hashed flag, the second is the UDP port u31337. I tried to crack the hash and explore UDP port 31337. I found the plaintext of the hash by using OSINT: “blackmagic” is the plaintext form of the flag.
Before we go to the next step I want to give some information about gdb-peda. (How much I love reverse; still keep in touch:)
https://github.com/longld/peda
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
echo "DONE! debug your program with gdb and enjoy"
The same operation can be implemented using just gdb-peda:
Let’s send the blackmagic string over UDP port 31337 to the CTF box and capture the new flag:
We cracked the hash online via https://crackhash.com/ and got the new plaintext value of the hash. Open the new URL in the browser;
Cool! We captured flag6 and cracked it with the same method.
On the new web page we noticed a new file called necromancer.
I obtained the file type by using the file command. It’s the bzip file format. I extracted the compressed files and examined the extracted files with the file command, and I detected a pcap file. I love pcap files:):)
When I analysed the pcap file I saw wireless packets: probe requests, responses, beacons. I remembered my OSWP certificate preparation days. I wrote a filter in Wireshark to retrieve the SSID values from the probe responses. The SSID is community. Loop back to the beginning: SNMP comes to my mind. My brain recalls SNMP community strings, MIBs etc…
I observed some deauthentication frames. I wondered whether somebody had cracked the WPA password. Is there a handshake inside the pcap?
I got it! I detected a handshake belonging to the WPA communication, so I can crack the WPA password with this pcap.
I used aircrack as the cracking tool and rockyou.txt as the dictionary file, and I was able to crack the password:
I decided to decrypt the wireless traffic using the airdecap tool; I know the password, so why can’t I decrypt the traffic? First I tried the airdecap tool:
After that, for more visibility, I used Wireshark to decrypt the wireless communication:
Let’s go back to the beginning. I tried to enumerate SNMP but nothing happened at the beginning; now I try SNMP with the cracked WPA password as the community name. I used a Metasploit module for this purpose;
Ouch! What’s that? We have a new message. If you notice, we changed the community; we couldn’t find anything at the beginning because we tried our SNMP enumeration with the default community strings public and private. Let’s use the snmpwalk tool;
The message tells us to unlock the door. But how? I quickly researched SNMP set value issues and found some information about SNMP on the web. I found a tool, given below;
Cool! The CTF writer wants me to manipulate the target agent so that it reports “The door is unlocked”. Hmmm! Great, let’s try the snmpset tool for this purpose;
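From the defender’s side, the snmpset step works because the agent grants write access on the strength of a community string alone. As an added example (not the author’s tooling and not the box’s real configuration), the audit below flags exactly that in a constructed net-snmp snmpd.conf and shows the hardened form beside it; the community strings and the monitoring host address are placeholders.

```python
import re

# Constructed snmpd.conf fragments in net-snmp syntax; neither is the CTF box's
# real configuration, and the community strings are placeholders.
WEAK_SNMPD_CONF = """\
# whoever knows the word can both read and write, from any address
rwcommunity  ReplaceMe-guessable
rocommunity  public
"""
HARDENED_SNMPD_CONF = """\
# read-only, non-default community, answered only to the monitoring host
rocommunity  ReplaceMe-long-random-string 192.0.2.50
"""

DEFAULT_COMMUNITIES = {"public", "private"}
# rocommunity|rwcommunity[6]  COMMUNITY  [SOURCE ...]; a SOURCE of "default" means any host
COMMUNITY_RE = re.compile(r"^\s*(r[ow]community6?)\s+(\S+)(?:\s+(\S+))?", re.I)

def audit_snmpd(conf: str, min_len: int = 16) -> list:
    """Return (line_no, finding) pairs for risky community-string lines."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:                                    # comments, other directives
            continue
        directive, community, source = m.group(1).lower(), m.group(2), m.group(3)
        if directive.startswith("rw"):
            findings.append((n, "write access granted by a community string alone; "
                                "prefer rocommunity, or SNMPv3 authPriv if writes are needed"))
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((n, f"default community '{community}' is the first guess"))
        elif len(community) < min_len:
            findings.append((n, "short community string is cheap to brute force"))
        if source is None or source.lower() == "default":
            findings.append((n, "no source restriction: any host can query the agent"))
    return findings
```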
I captured the new flag, flag7. I guess the flags never finish:) I am always capturing a new flag:) We have a hash and detect a new connection point: TCP port 22, SSH. I cracked the hash value via online services:
The first thing we can try with demonslayer is a brute force over SSH. If I fail, I will look up the SSH version for ssh-key vulnerabilities. I used medusa for the brute-force attack and found the SSH password:
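A brute force like this leaves a dense run of failed logins in the server’s auth.log, which is where a defender catches it. As an added example (not the author’s tooling), the detector below runs over constructed sshd log lines that reuse the account name from this box with documentation-range addresses; the year is an assumption, since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines in the syslog format sshd writes (not from the box).
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 necro sshd[2101]: Failed password for demonslayer from 192.0.2.10 port 51000 ssh2
Mar  3 10:15:02 necro sshd[2103]: Failed password for demonslayer from 192.0.2.10 port 51001 ssh2
Mar  3 10:15:03 necro sshd[2105]: Failed password for demonslayer from 192.0.2.10 port 51002 ssh2
Mar  3 10:15:04 necro sshd[2107]: Failed password for demonslayer from 192.0.2.10 port 51003 ssh2
Mar  3 10:15:05 necro sshd[2109]: Failed password for demonslayer from 192.0.2.10 port 51004 ssh2
Mar  3 10:15:06 necro sshd[2111]: Accepted password for demonslayer from 192.0.2.10 port 51005 ssh2
Mar  3 10:40:00 necro sshd[2300]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")

def parse_line(line: str, year: int = 2016):
    """Syslog lines carry no year, so one is supplied (an assumption here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text: str, threshold: int = 5, window=timedelta(seconds=60)) -> dict:
    """Per source IP: most failures inside one window (if >= threshold) and whether
    a successful login from that IP followed the burst (a likely compromise)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, result, _, ip = rec
            (failures if result == "Failed" else successes)[ip].append(ts)
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        start, peak, burst_end = 0, 0, None
        for end, t in enumerate(times):           # sliding window over failures
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count >= peak:
                peak, burst_end = count, t
        if burst_end is not None:
            alerts[ip] = {"failures": peak,
                          "success_after": any(s >= burst_end for s in successes[ip])}
    return alerts
```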
After I established an SSH connection to the CTF box I needed to escalate privileges.
I tried a lot of things like SUID bits, crontabs, sudoers, kernel version and installed packages but found nothing.
I displayed the content of flag8.txt and found some clues in it.
“spells at u777” tells us to create a connection to UDP 777. First I initiated a connection from Kali to the CTF box, but nothing happened.
After that I connected to UDP 777 locally on the CTF box itself and captured a new flag.
The answer is in the wiki. OSINT always helps us:)
I captured another flag. The last question’s answer is in the wiki again:
Thanks for reading! I hope to meet you in a new blog post. See you, friends!!