Skip to main content

CTF – Hacking Necromancer

Capture The Flag - Necromancer. Practicing my penetration testing skills to hack a target machine.  Here's my test environment in my own private virtual network.
I setup my Kali Linux in host virtual network and my target machine (Necromancer) which I downloaded a OVA image from VulnHub website.
When I started my Kali Linux virtual machine, I have an assigned IP Address This most likely a different IP address when you setup your own private network. And my target machine Necromancer IP address is I saw this when I started the Necromancer virtual machine. This save me some time to scan all /24 within my network.
Anyway, if you still want to scan your network you can use "netdiscover" tool. If you're not sure what options to use simply run "netdiscover --help". Okay, got it? Now run # netdiscover -r [Enter] to scan your private network. Here's the result of my network. I run "ifconfig" in my Kali to know the assigned IP address, then the other IP most likely for my target network. 00:50:56:c0:00:01 1 60 VMware, Inc. 00:0c:29:a5:8c:67 1 60 VMware, Inc. 00:50:56:f0:0a:96 1 60 VMware, Inc.
With this information I can simply run nmap to my target IP address.
Note: IP Address renewal in 900 seconds.
Now my private network, Kali and target machine are ready. Let's begin hacking my target machine.
From Kali Linux virtual machine run # nmap to see what I can discover.
I found port 80 open and 1 host up. That's a good start. Let's run # nmap -sU -n -r -T4
Now it's getting interesting. I found UDP port 666 a service for doom.
Let's fire up netcat using the newly discovered UDP port 666 # nc 666 [Enter].
Hmm. Nothing happen. I wonder what's going on in the background. One way to find out, let's run our network snipping tool wireshark. I filter the result using my target machine IP Address and found out it is trying to connect to the destination port 4444.
I open another terminal window, and setup to listen using port 4444 # nc -lvp 4444 [Enter]. And re-run # nc -u 666 [Enter], then wait to see the output in listening terminal window.
This is the result.
My first guess, it is a base64 code. I copied the code to my dumptext.txt file. And run #base64 -d -i dumptext.txt [Enter]
Woohh. I got the first flag.
I copied  flag1{e6078b9b1aac915d11b9fd59791030bf}  to my flags.txt file for recording purpose, just like a trophy :)

Thank you.

Popular posts from this blog

Alternative Social Networks

If you are planning to create your social network e.g. similar to Facebook. Here's a short list of alternative software's:

Open Source and Free​ - Wordpress (Open Source and Free) - (Open Source and Free)Commercial Social Networks software ($299 Stand Alone, $29/mo Cloud) (run with Joomla, need to know CMS) (very expensive, $399 for Standard) (from free to Commercial, I left my networks and they are selling it (I used this before, it's hard to maintain. I moved to NING but left too after it was sold to another company) (I don't recommend using this service, it's hard to export your data when it's time to move)Something to check when selecting your next soc…

Frequent Account Lockout in Active Directory

I have a user in Windows Pro 7, and Windows Server 2003 environment that is frequently account locked out. I tried many different scenarios to resolve this account lockout issue, from resetting his password, changing a new password, remove and re-join the domain, rebooting the workstation and active directory servers.

I tried to use the command prompt utility to run "rundll32.exe keymgrdll, KRShowKeyMgr" (case sensitive) to delete the account in Windows 7 password cache, and still no luck.

Still searching for answer ... Let me know if you encounter a similar issue in Windows Pro 7 and Windows Server 2003.

Continue reading updated post here:

Example of Out of Office Reply for Terminated Employee

This is a sample message that I used for terminated employees, unless HR staff specified a different message.
=== Example for KING.NET Employee === John Doe (employee or consultant) is no longer with KING.NET effective June 1, 2008 (termination date). For matters relating to "Project Name here" please direct your concerns to John Smith at (Manager or Supervisor). For all other matters, please direct your email to Mary Smith HR at
Please call our main office 703-345-6789 if you have other concerns.
Thank you.
=== end of message ===