Fear The Necromancer!

After the success of my first boot2root, The Wall, I decided I would create another challenge. Welcome to The Necromancer!

There are 11 flags to collect on your way to solving the challenge, and the difficulty level is considered beginner.

The end goal is simple… destroy The Necromancer!

I hope everyone enjoys the challenge. Here’s my write-up of the intended path to the final flag.

Just like all boot2root CTF challenges, we need to find our victim machine:

Let’s fire up nmap and see what we can find..

All ports are filtered… hmm. Let’s listen on the wire and see if we can find anything interesting:

It looks like the box periodically probes for any host listening on port 4444. Let’s set up a listener and see what’s going on.

Nice! We receive some sort of traffic from the VM. Looking at the garbled text we can see it all looks alphanumeric, which screams base64 encoding to me. Let’s attempt to decode it and see what we have.

Welcome!

You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.

The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!

You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”

BAM! We have found the first flag! flag1{e6078b9b1aac915d11b9fd59791030bf}

Ok… let’s get out of this box before we run out of air. ‘u666’ sounds like UDP port 666 to me, so let’s try connecting to it.

Hmmm… none of the strings we have sent seem to be working. “Try in a different tongue!” looks like it could be a good hint. Let’s take a look at the contents of the flag and see if it’s some type of hash.

Good… an MD5 hash, which luckily for us can be cracked with a dictionary attack. Quick! We had better chant the string before we run out of air!

A loud crack of thunder sounds as you are knocked to your feet!

Dazed, you start to feel fresh air entering your lungs.

You are free!

In front of you written in the sand are the words:

flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}

As you stand to your feet you notice that you can no longer see the flicker of light in the distance.

You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.

As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.

The birds get closer, and closer, and closer.

Staring up at the crows you can see they are in a formation.

Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.

As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.

666 is closed.

Flag 2 is ours! flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}

We follow the crows to port 80, and our quest continues….

Hours have passed since you first started to follow the crows.

Silence continues to engulf you as you trek towards a mountain range on the horizon.

More times passes and you are now standing in front of a great chasm.

Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.

As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.

The necromancer looks towards you with hollow eyes which can only be described as death.

He smirks in your direction, and suddenly a bright light momentarily blinds you.

The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he descends into the cave!

The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.

The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

The source of the website doesn’t give us anything interesting, and simply looking at the pile of feathers image doesn’t give us any real hints. Let’s take a closer look at the image.

Looks like there’s an embedded zip file, and it has a text file in it.. let’s extract it!

Some more base64 encoding… let’s decode it.

Flag 3 is ours! flag3{9ad3f62db7b91c28b68137000394639f} … and it looks like we have a hint to another web directory. Let’s cross the chasm!
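The image step above (an archive hidden behind image data, holding a base64-encoded text file) can be checked for with a few lines of Python. This is an added example, not code from the original write-up; the sample file, its `note.txt` member and the size limit are constructed for illustration.

```python
import base64
import binascii
import io
import zipfile

ZIP_LOCAL = b"PK\x03\x04"        # ZIP local file header signature
MAX_MEMBER = 1 << 20             # refuse members over 1 MiB (zip-bomb guard)


def appended_zip_offset(blob: bytes):
    """Return the offset where a valid ZIP starts behind other data, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
            if not infos or any(i.file_size > MAX_MEMBER for i in infos):
                return None
            if zf.testzip() is not None:          # a member failed its CRC
                return None
            # zipfile tolerates leading data and reports absolute offsets
            start = min(i.header_offset for i in infos)
    except zipfile.BadZipFile:
        return None
    # start == 0 would be a plain archive, not one hidden behind an image
    return start if start > 0 and blob[start:start + 4] == ZIP_LOCAL else None


def extract_members(blob: bytes):
    """Map member names to content, base64-decoded when it validates."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            try:
                data = base64.b64decode(data.strip(), validate=True)
            except (binascii.Error, ValueError):
                pass                              # not base64, keep raw bytes
            out[info.filename] = data
    return out


def build_sample():
    """Constructed input: JPEG start/end markers only, with a ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", base64.b64encode(b"constructed sample text\n"))
    return b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9" + buf.getvalue()
```

Image viewers stop at the image's own end marker, so the trailing archive never shows up on screen; checking where the archive's first member starts is what exposes it.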

You cautiously make your way across chasm.

You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.

The cave before you is protected by some sort of spell cast by the necromancer.

You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.

Hastily you take a few steps back away from the cave entrance.

There must be a magical item that could protect you from the necromancer’s spell.

Looking at the source code once again doesn’t help us, and this time the image doesn’t seem to give us anything useful. Let’s see if we can find a magical item on the web server.

We have found a talisman! Let’s pick it up and take a look at what it can do.

Hmmm… it seems the talisman is a 32-bit binary. Let’s try to use it…

Nothing happens. Let’s test it for a possible buffer overflow…

A segfault… you beauty! It’s debug time! There are two ways I approached this… the long way, and the short way. I’ll start with the long way :)

First up, we know that we get a segfault if we send 100 A’s as our input. We’ll create a pattern of the same size, which will give us our offset.

Nice! We can see our offset is at 32. Let’s create a file with 32 A’s and 4 B’s in it, and pass this in our debugger to see if we can overwrite EIP.

Look at that.. we have overwritten EIP with our 4 B’s. But now what? This binary is local to our attacking machine, so there’s no use throwing in any shellcode etc. Let’s disassemble the main function and see how our program behaves.

The program calls the function wearTalisman. We disassemble that function and see that a bunch of text is printed to the screen; we’re then asked whether we want to wear the talisman, and then the program exits.

Let’s take a look at the functions in our binary.

Oh! A function we haven’t seen before! chantToBreakSpell. Let’s replace our B’s in EIP with the address of this function and see what happens…

Voila!! We redirect our program flow to the chantToBreakSpell function, and we’re rewarded with our next flag! flag4{ea50536158db50247e110a6c89fcf3d3}

You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337

Before we continue, here’s the short way of solving that binary challenge as promised:

Start debugging the binary, show the functions, set a breakpoint at main, and then run….

Now that we have hit our breakpoint, simply jump to the address of the chantToBreakSpell function.

Much quicker, but you don’t really learn anything that way in my opinion.

Anyhow… moving on. Let’s visit UDP port 31337 and see what we have.

Looks like the same problem as we had earlier. A quick crack of the MD5 hash and we have the string ‘blackmagic’.
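The flag1 step and this u31337 step both rest on the same weakness: an unsalted MD5 of a dictionary word is recovered by lookup, not decryption. The added example below (not from the original write-up) resolves the flags whose words this page states against a small constructed wordlist, and shows the salted, slow alternative for contrast; the filler words and the all-zero flag99 are constructed.

```python
import hashlib
import re

FLAG_RE = re.compile(r"flag(\d+)\{([0-9a-f]{32})\}")

# Flags as printed on this page, plus one constructed flag with no known word.
PAGE_FLAGS = (
    "flag4{ea50536158db50247e110a6c89fcf3d3} "
    "flag7{9e5494108d10bbd5f9e7ae52239546c4} "
    "flag11{42c35828545b926e79a36493938ab1b1} "
    "flag99{00000000000000000000000000000000}"
)

# Constructed wordlist: the three words the page reports, plus filler.
WORDS = ["password", "letmein", "blackmagic", "dragon", "demonslayer", "hackergod"]


def build_index(words):
    """Precompute MD5 -> word once; every later digest is a dict lookup."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def resolve_flags(text, words):
    """Return {flag number: recovered word or None} for each flag in text."""
    index = build_index(words)
    return {int(n): index.get(h) for n, h in FLAG_RE.findall(text)}


def salted_slow_digest(word, salt, rounds=200_000):
    """Contrast: a per-value salt defeats the shared index, rounds slow guesses."""
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, rounds).hex()


if __name__ == "__main__":
    for number, word in sorted(resolve_flags(PAGE_FLAGS, WORDS).items()):
        print(f"flag{number}: {word}")
```

Because MD5 is unsalted and fast, one precomputed index answers every flag at once; with `salted_slow_digest` the same word yields a different digest per salt, so no shared table applies.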

As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until…. silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.

/thenecromancerwillabsorbyoursoul

Flag 5 is ours! flag5{0766c36577af58e15545f099a3b15e60}

I don’t know about you, but this shit is getting scary ;) Let’s take a look at what seems to be another URL location…

flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}

You continue to make your way through the cave.

In the distance you can see a familiar flicker of light moving in and out of the shadows.

As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.

You move closer, and then stop frozen with fear.

It’s the necromancer!

Again he stares at you with deathly hollow eyes.

He is standing in a doorway; a staff in one hand, and an object in the other.

Smirking, the necromancer holds the staff and the object in the air.

He points his staff in your direction, and the stench of death and decay begins to fill the air.

You stare into his eyes and then…….

…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.

The amulet must have saved you from whatever spell the necromancer had cast.

You stand to your feet. Behind you, only darkness.

Before you, a large door with the symbol of a skull engraved into the surface.

Looking closer at the skull, you can see u161 engraved into the forehead.

Wow! Flag 6 already.. that was easy. flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}

Taking a look at the web page we can see that there is some sort of file which we can download called ‘necromancer’. We download it and see that it is a bzip2 compressed file. Decompressing the file gives us a capture file.

Looking at the capture file in Wireshark we notice there is a fair amount of ‘wireless’ type traffic.

We can see an SSID…

… some deauthentication traffic…

… and a 4-way authentication handshake.

Let’s see if aircrack-ng can help us crack the WPA handshake. We run ‘aircrack-ng necromancer.cap -w /usr/share/wordlists/rockyou.txt’….

Too easy.. we have a WPA key. Now what? Taking a look at our story line we can see we need to take a look at UDP port 161. If you know your ports well, you’ll know that UDP port 161 is used for SNMP. Let’s take a look….

Remembering back to our cap file, we had an SSID of ‘community’. We also have a string of ‘death2all’. Surely not….

Success! We need to unlock that door… let’s assume that death2allrw means ‘read write’, and try to set the value of the OID to unlocked.

The door is unlocked and we have another flag! flag7{9e5494108d10bbd5f9e7ae52239546c4}

It’s time to enter the Necromancer’s lair!!! t22… TCP port 22, or the default port of SSH. But what username or password do we use?

Cracking the hash in flag7 results in the string ‘demonslayer’. Assuming this is our username, we can try to brute-force our way in…

Okay.. take a deep breath! It’s time to enter the necromancer’s lair!

Time to be a little cautious. Taking a quick look around we can see a flag8.txt file.

You enter the Necromancer’s Lair!

A stench of decay fills this place.

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

“You are a fool to follow me here! Do you not know who I am!”

The necromancer turns to face you. Dark words fill the air!

“You are damned already my friend. Now prepare for your own death!”

Defend yourself! Counter attack the Necromancer’s spells at u777!

ARGHHHHHH!!!!!!!! Shit!!! Quick.. defend ourselves!!!!

Woah!!!! We have more flags!!!

flag8{55a6af2ca3fee9f2fef81d20743bda2c}
flag9{713587e17e796209d1df4c9c2c2d2966}
flag10{8dc6486d2c63cafcdc6efbba2be98ee4}

As a side note here… what would have happened if we got the answers incorrect and lost all our hitpoints? Simple.. you would have been defeated by the necromancer, and the VM would be rebooted and reinitialised back to the beginning flag. Every b2r should have a troll ;)

Let’s keep going!!!

A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.

We did it! The necromancer is gone! Let’s take a look at this small vial.

You pick up the small vile.

Inside of it you can see a green liquid.

Opening the vile releases a pleasant odour into the air.

You drink the elixir and feel a great power within your veins!

We feel powerful? All I feel is a massive amount of adrenaline after having to defend ourselves from the evil bastard! Nevertheless… powerful… unix. Let’s check out our sudo privs….

The final flag! Let’s embrace our power and take a look!

Suddenly you feel dizzy and fall to the ground!

As you open your eyes you find yourself staring at a computer screen.

Congratulations!!! You have conquered……THE NECROMANCER!

Wooohooo!!!! We survived!!! The final flag is flag11{42c35828545b926e79a36493938ab1b1}, and we have defeated the necromancer!!

For shits and giggles we crack the hash in the final flag, and we get …. ‘hackergod’ :)

GAME OVER!

If you had a crack at solving The Necromancer, I hope you enjoyed the challenge. I had a great time creating it. :)

Big shoutout to @dooktwit and @RobertWinkel for being test bunnies, and cheers @TheColonial for the obfuscation help with the binary. Appreciate your help guys.

@vulnhub and @g0tmi1k; thank you so much for hosting these challenges for us all!

Until next time, tight lines and happy hacking.



3 Comments

  1. Silberwoelfin wrote:

    Great VM, thanks! One thing, though: it was not immediately clear that everything you do is a one off. So, when I accidentally declined the download of the necromancer file, nothing worked anymore and – since I did not know the VM would reset upon reboot – a reboot did not help either. I spent a lot of time trying to figure out what went wrong with my network set-up… until I decided to read this walkthrough instead.
    Nevertheless I had a lot of fun and will be trying your other VM “the wall” next.

  2. SlimGin wrote:

    Hello! First off, GREAT VM! I, much like you, have much difficulty doing software RE. Subsequently, when I saw your section on using ‘gdb’, I was thrilled as the syntax is exactly what I was looking for. Unfortunately, I was disappointed when I found the output was not natively enabled. So what plug-in or add-on did you use to highlight the sections in blue? Thank you much for your help and have a great day.