Vulnhub - The Necromancer (Lessons learnt for newbies!)


Had my first hands-on experience with a CTF machine (The Necromancer:1) from Vulnhub, and here are the lessons and key tools learnt from clearing the stages/flags. Vulnhub is a great place with many downloadable, vulnerable, ready-to-be-exploited VM images (created to help others gain practical knowledge of digital security). With my friend’s help (Mr. Google) and all the walkthroughs readily available out there (so many that there is no reason for me to do another walkthrough/guide here!), I spent a few days following different people’s walkthroughs and YouTube videos to see how others tackle each stage/flag, and learning by imitation.

My initial thought after getting hands-on with this whole thing was that there is definitely no one sure way of doing things; it depends on the ability to see things from different angles, e.g. possible ways to find entry into a system. I’m also mind-blown by how powerful Kali Linux is: a Linux distribution packed with many, many readily available tools needed for pentesting/security auditing. All the tools used to break into the system are already in Kali Linux. Having the tools is one thing; knowing when to use them is the key. I felt there was a good write-up by this writer for newbies starting out in pentesting that helps in this learning journey. He mentioned that exploiting a machine is a systematic process, and this is really evident in all the guides/walkthroughs I followed while practising on this machine:

1.  Find the open ports and services running on ports
2.  Enumerate the services and the machine
3.  Exploit the correct vulnerability and gain access
4.  Do proper post exploitation enumeration
5.  Privilege Escalation

TOOLS USED – Note: These are not all the commands used to clear this CTF, just short examples of the tools used to get root.

  • nmap network discovery
  • nc/ncat networking utility
  • wireshark network packet analyzer
  • binwalk binary file analyzer
  • cewl word list generator from online source
  • dirb web content scanner
  • gdb program debugger (software memory hijacker)
  • aircrack-ng wifi wep/wpa cracker
  • hydra brute force dictionary attacker

Nmap

for network discovery

nmap -p- -sU -n -v 192.168.1.106
# -p- 	scan all ports from 1 to 65535
# -sU 	scan UDP ports
# -n 	don't resolve dns
# -v 	verbose mode to get more details

When and Why? Most people start by scanning for an open port to ‘attack’. This is usually the first step in discovering any possible open doors for entry. It is nifty to use arp-scan -l to discover a list of IP addresses first, before scanning for the open ports on a single host. For this machine, there was only a single open port (UDP), hence the option -sU (out of all 65535 ports). There are many more options (advanced-level stuff), e.g. -T[1-5] to adjust how fast (and noisy) you want your scan to be, or -sS for a stealthier scan.


nc/ncat

networking utility

nc -vlp <port number>
# -v 	verbose mode to get more details
# -l 	listen for inbound
# -p 	port number

When and Why? The Netcat tool is a must-know for all pentesters. There were a few times nc was used on this machine where we needed to listen on specific TCP/UDP ports on our own machine, or “say things” to specific ports on the target host, e.g. by piping echo output into this command. Sidenote: if you need to deal with any SSL-related stuff, use Ncat instead, which is the newer version of nc.


wireshark

network packet analyzer

When and Why? Another must-know tool. There were a few scenarios where Wireshark was needed to watch for traffic. One of the hints to capture a flag was using Wireshark to find out that the target machine was broadcasting some messages to us on a specific port; this identified the port number for us to listen on. Another scenario was using Wireshark to analyse a .cap file in which a wireless EAP authentication handshake was taking place (see screenshot above); the key was subsequently recovered using a wireless password cracker.


binwalk

binary file analyzer

binwalk -B <filename>
# -B 	scan for signatures of embedded (hidden) files
# -e 	extract the embedded files it finds

When and Why? Useful when trying to ‘unbox’ files that have other files hidden inside images via steganography (e.g. inside JPEG files).


cewl

word list generator from online source

cewl http://www.url-here.com/something.html -m 4 -d 0 -w wordlist.txt
# -m 4 	only keep words that are at least 4 characters long
# -d 0	how deep (how many links) to spider the site; 0 stays on the given page
# -w 	write the output to a file

When and Why? CeWL returns a list of words that can be used for a dictionary attack. In this case, there was a hint to look for a keyword related to a ‘magical item’, so we used this tool to generate our own dictionary of words, e.g. against a wiki page of all the magical items ever known (or from some fan-fiction blog/webpage). It’s useful to use the uniq and tr Unix tools to get the list of words nicely arranged. Once the “dictionary” is prepared, we could then use other tools, such as brute-force attacks, to run through all the words in this dictionary.
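The uniq/tr clean-up mentioned above, as an added example that is not from the original post: it lowercases a raw CeWL output, splits on anything non-alphabetic, drops words shorter than the -m value and dedupes. The normalize_wordlist function and the sample input are my own constructions, not the machine’s real word list.

```shell
# Added example (not from the original post): tidy a raw CeWL word list with
# tr/awk/sort so every entry is one lowercase word, at least $2 letters long,
# with duplicates removed. The sample input below is constructed.
normalize_wordlist() {
    # $1 = path to the raw word list; $2 = minimum word length (default 4,
    # matching the -m 4 used with cewl above)
    min_len="${2:-4}"
    tr '[:upper:]' '[:lower:]' < "$1" \
        | tr -cs '[:alpha:]' '\n' \
        | awk -v n="$min_len" 'length($0) >= n' \
        | sort -u
}

# Constructed sample of what CeWL might emit: mixed case, punctuation, dupes
sample_raw=$(mktemp)
cat > "$sample_raw" <<'EOF'
Talisman
talisman,
Ring of Power
amulet; Amulet
orb
EOF

normalize_wordlist "$sample_raw" 4   # prints: amulet power ring talisman (one per line)
rm -f "$sample_raw"
```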


dirb

web content scanner

dirb http://192.168.1.106/target_website.html wordlist.txt

When and Why? At one point, there was a hint that a certain web page could be accessed, but we needed to find out that page’s name (directory). Using DIRB we could enumerate the website’s directories, e.g. via a dictionary. This tool was used together with CeWL, which first generated the list of words. When run, the tool tries to get an HTTP response by accessing each candidate page. Assuming you have 100 words in your dictionary file, dirb will try to access e.g. www.url-here.com/word1, www.url-here.com/word2, … and so on up to www.url-here.com/word100. A successful result is an ‘HTTP 200 OK’ response, indicating that the keyword used was a valid web page.


gdb

program debugger (software memory hijacker)

gdb <binary program name>

When and Why? This tool can change how a program runs normally, and you can hack it so that it runs a function you are not supposed to be able to run. Using this tool, you can see what’s inside the program, e.g. what functions are available and what the next executing function is, set breakpoints in how the program runs, etc. There was a function that would display key information which we should not have access to, so we used gdb to go around the normal flow of execution, e.g. replacing the next executing function in memory with the function we wanted to run. Good tutorial here on YouTube: how to use gdb.


aircrack-ng

wifi wep/wpa cracker

aircrack-ng tcp_dump_file.cap -w wordlist.txt
# -w 	bruteforce using dictionary file

When and Why? A traffic dump file was provided at one stage, and using Wireshark reveals that a 4-way EAP authentication handshake was being carried out. Using aircrack, we were able to retrieve the password in use by testing it against the dictionary file available at /usr/share/wordlists/rockyou.txt.


hydra

brute force dictionary attacker

hydra -l loginname -P wordlist.txt 192.168.1.106 ssh
# -l	single login name
# -P	file of passwords to try in the brute-force
# "ssh"	the service (protocol) to authenticate against

When and Why? I was given a single login name for ssh but did not have the password; using hydra I was able to find a matching common password from the word list provided in /usr/share/wordlists/rockyou.txt, which gave me the password ‘12345678’. I believe there are many other tools such as John the Ripper, Medusa, etc. You can use tools like these to perform brute-force attacks, dictionary attacks and rainbow-table attacks.
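The defender’s side of the dirb and hydra stages above, as an added example that is not from the original post: both tools leave a burst of failures from one source, so a per-source count over web access and sshd auth log lines flags them. The flag_dir_enum and flag_ssh_brute functions, the log lines, IPs and hostnames are all constructed for illustration.

```shell
# Added example (not from the original post): flag the noisy footprint that
# dirb (many 404s) and hydra (many "Failed password" lines) leave behind.
# All log lines, IPs and hostnames below are constructed samples.

# Print client IPs with at least $2 HTTP 404 responses in a combined-format
# access log ($1): a word list being walked by dirb looks like this.
flag_dir_enum() {
    awk -v n="$2" '$9 == 404 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= n) print ip, c[ip] }' "$1" | sort
}

# Print source IPs with at least $2 sshd "Failed password" lines in an auth
# log ($1): hydra running a dictionary against ssh looks like this.
flag_ssh_brute() {
    awk -v n="$2" '/Failed password for .* from / {
            for (i = 1; i <= NF; i++) if ($i == "from") c[$(i+1)]++ }
        END { for (ip in c) if (c[ip] >= n) print ip, c[ip] }' "$1" | sort
}

# Constructed sample logs: 192.168.1.50 plays the attacker, .20 a normal user
access_log=$(mktemp); auth_log=$(mktemp)
cat > "$access_log" <<'EOF'
192.168.1.50 - - [10/Oct/2023:10:00:01 +0000] "GET /word1 HTTP/1.1" 404 162 "-" "dirb"
192.168.1.50 - - [10/Oct/2023:10:00:01 +0000] "GET /word2 HTTP/1.1" 404 162 "-" "dirb"
192.168.1.50 - - [10/Oct/2023:10:00:02 +0000] "GET /word3 HTTP/1.1" 404 162 "-" "dirb"
192.168.1.50 - - [10/Oct/2023:10:00:02 +0000] "GET /amulet HTTP/1.1" 200 512 "-" "dirb"
192.168.1.20 - - [10/Oct/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
cat > "$auth_log" <<'EOF'
Oct 10 10:01:01 necro sshd[1201]: Failed password for demo from 192.168.1.50 port 40001 ssh2
Oct 10 10:01:01 necro sshd[1202]: Failed password for demo from 192.168.1.50 port 40002 ssh2
Oct 10 10:01:02 necro sshd[1203]: Failed password for demo from 192.168.1.50 port 40003 ssh2
Oct 10 10:01:03 necro sshd[1204]: Accepted password for demo from 192.168.1.50 port 40004 ssh2
Oct 10 10:02:00 necro sshd[1210]: Failed password for demo from 192.168.1.20 port 50001 ssh2
EOF

echo "dir-enumeration suspects (>=3 x 404):"; flag_dir_enum "$access_log" 3
echo "ssh brute-force suspects (>=3 failures):"; flag_ssh_brute "$auth_log" 3
rm -f "$access_log" "$auth_log"
```

Both calls report only 192.168.1.50 with a count of 3; the single failure from .20 stays below the threshold, which is the knob to tune against your own baseline.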
