Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

PRIMER: 1.0.1

Location

https://download.vulnhub.com/primer/PRIMER.tar

Description

Concept
This is a story-based challenge written in a style heavily inspired by Neal Stephenson's Snow Crash and William Gibson's Sprawl Trilogy. Each chapter is unlocked by solving the puzzle: from hardcoded clear-text JavaScript password checks, SQL injections and cracking hashes to a simulated terminal. You only need to start the VM; a web server will come up and you can connect with your browser. In fact you never have to leave the browser.
Goal
Teach some basic, well-known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what's going on behind the scenes. The main goal is to give a nice, welcoming intro to the scene and hopefully also teach something about ethics and responsibility.

Enumeration

I know the description says there will be a web server running and that I probably will never have to leave the browser, but it never hurts to look. So, like always, I start with an nmap scan.

Besides port 80, ports 22, 111 and 52581 are also open. Maybe I'll never have to use them, but it's always good to know what's out there. Like a good boy, I'll check out the web server first.
When I point my browser at the website there is a piece of text telling a story. I also notice I'll need a username and password to proceed. When I check the source code there is a piece of text that gives away a clue on how to proceed.

Some f0rms are easier than others.
This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enough to let her pass.

In the meantime I let dirb brute-force its way in and it came back with some useful information.

Looks like there is a robots.txt file available and a phpMyAdmin instance running.
When I check out the robots.txt file, there is another page with more of the story.
The title of the story looks like a fork bomb.

The rabbit hole got deeper

On the page there is a link to yet another page with a part of the story. This page is also titled [FORK]. On the page there is a reference to another node. Again it's an odd-looking string. It looks like an MD5 hash. When I crack the hash, the result is the number 13. When I check the previous 2 strings, I get the numbers 7 and 11.

[4_8f14e45fceea167a5a36dedd4bea2543] –> [4_7]
[5_6512bd43d9caa6e02c990b0a82652dca] –> [5_11]
[6_c51ce410c124a10e0db5e4b97fc2af39] –> [6_13]

When I follow this link, I get another login mechanism. Cancelling this popup results in a warning.
When I check the source code of the page with the login pop-up, I get another part of the story and another lead to follow.

[7_70efdf2ec9b086079795c442636b55fb] –> [7_17]

When I check out the source code of the page with the red warning, there is nothing useful other than the 6 SHA256 hashes that are already shown on the page itself. I tried to crack the hashes, but I guess I don't have the proper wordlist. They're unknown on the net as well. So I'll follow the clue I found and see where it leads.
Yet another page with a login mechanism. Again I check the source code, this time finding a piece of JavaScript. It contained a clue and another part of the story (but in hex).

..
/*”Someone didn’t bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and…” – The Plague*/
..

When I decoded the hex into readable text and removed the '?' characters from the text with sed, I got another hash, plus I also got the real name of the girl in the story: 'Nieve'. When I crack the hash, I get 'GOD'.
To get back to the piece of text signed by 'The Plague', the answer to the missing part is 'god' (as found in the hash). After dropping something random in the input field of the login pop-up on this page, I get redirected to another page.
Again with the red text and the hashes. Unfortunately I couldn't crack these hashes either, nor were they known hashes. Also I couldn't find anything in the source code. It feels like I've reached the end of the rabbit hole. With the newly found password in hand, I return to the very first login pop-up.

Through the looking glass

After I arrived on the page with the first login pop-up I entered ‘GOD’. Not what I hoped for. So on to the second one.
Bummer... it results in the page I already read after decoding the hex.
I ran sqlmap on the phpMyAdmin page I found, but to no avail. Because I was getting stuck, I looked over what I had found but hadn't finished: the MD5 hashes as pages. Those should mean something... anything hahaha (sounding desperate). After listing them and breaking my head over them, there was a logic in the numbers. The left column was increasing by one (sequential), but the right column was repetitive (4, 2, 4). Logically the next number would be 2. Adding 2 to 17 gives 19. When I check on Google it seems I'm dealing with primes here (Well, isn't that a coincidence? This challenge is also named 'primer' 🙂 ).
Because all the strings were hashed, this one will need to be hashed too in order to work. With the md5 function I hash the string.

[8_19] –> [8_1f0e3dad99908345f7439f8ffabdffc4]
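The page names above are a small worked example of why an unsalted MD5 of a low-entropy value offers no protection: every candidate can simply be hashed and compared. The script below is an added example (not code from the challenge or the write-up) that recovers the hidden numbers from the page names listed in this write-up and derives the next page name; it generalizes the author's observation by following the prime sequence directly rather than the 4, 2, 4 difference pattern. The OBSERVED_PAGES values are copied from the write-up; everything else is constructed here.

```python
import hashlib

# Page names collected in the write-up, in the form "<chapter>_<md5 hex>".
# Each digest turned out to be the MD5 of a small prime written as a decimal string.
OBSERVED_PAGES = [
    "4_8f14e45fceea167a5a36dedd4bea2543",
    "5_6512bd43d9caa6e02c990b0a82652dca",
    "6_c51ce410c124a10e0db5e4b97fc2af39",
    "7_70efdf2ec9b086079795c442636b55fb",
]


def md5_hex(text: str) -> str:
    """MD5 of the UTF-8 bytes of `text`, as lowercase hex."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def is_prime(n: int) -> bool:
    """Trial division; plenty for the small candidates used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    """Smallest prime strictly greater than n."""
    candidate = n + 1
    while not is_prime(candidate):
        candidate += 1
    return candidate


def resolve_pages(pages, limit: int = 10000) -> dict:
    """Map chapter index -> integer whose MD5 matches the page digest.

    Builds a lookup table of md5(str(i)) for 0 <= i < limit once, then looks
    each digest up. This is exactly why hashing a guessable value is not a
    secret: the whole candidate space is enumerated in milliseconds.
    """
    table = {md5_hex(str(i)): i for i in range(limit)}
    resolved = {}
    for page in pages:
        idx, digest = page.split("_", 1)
        if digest in table:
            resolved[int(idx)] = table[digest]
    return resolved


def next_page(pages) -> str:
    """Predict the following page name: next chapter index, next prime, MD5'd."""
    resolved = resolve_pages(pages)
    last_idx = max(resolved)
    following = next_prime(resolved[last_idx])
    return f"{last_idx + 1}_{md5_hex(str(following))}"


if __name__ == "__main__":
    for idx, value in sorted(resolve_pages(OBSERVED_PAGES).items()):
        print(f"chapter {idx}: {value}")
    print("next page:", next_page(OBSERVED_PAGES))
```

Running it reproduces the author's result: chapters 4 to 7 resolve to 7, 11, 13 and 17, and the predicted page is `8_1f0e3dad99908345f7439f8ffabdffc4`.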

At the bottom there is a link. Following that link, I arrive on a page with a kind of 'terminal'. When typing 'help', I get an overview of the options presented to me.
One of the commands is 'whoami', and when executing that command the system 'crashed'. Looking at the source code, I find the JavaScript files responsible for the options, the glitch, etc.
When I return to the terminal I list all the running processes.

Am I nieve? hahahahaha
Looks like user root connected to falken@Erebus. In the /usr/ folder there are several users. There are 2 users with readable logs, willis and falken. Looking in the /bin/ folder, there is a program called 'date'. When I run it, it tells me the current date is Tuesday 6th of July 2032 02:22:05 PM. The logs from willis and falken were created in July and August 2028.
According to /etc/network/ there are 3 connections running. I can look into eth0 and eth1, but with eth2 I get access denied.
When I try to connect to falken@Erebus I need a password. After reading falken's logs, it's likely that the password consists of the name Joshua and his birthday. Seeing that the date of the log is 06-08-2028 and Joshua's age is 44, he must have been born in 1984. After several tries, it seems that joshua1984 is the correct one.

Erebus

After a very short LSD trip, I find myself again on a page with a terminal. When I check falken's usr folder I find 2 log files which I can read. They look base64 encoded, and with the decode option I can finally read them.

9th of August 2028 I have joined the network from home and connected to the Erebus server. I will continue my work from here but I will have to be more careful. Now, Erebus was the second AI installed after Chaos. I wasn't part of the team but most of the members were my friends, so I know my way around here.
10th of August 2028 Ok, the problem I have with the Chaos c0re is that its source is shifting too fast. Every time I execute a small part it breaks down or begins to morph and grow in order to replicate functions of different parts. The signaling is also going crazy even on segments that are relatively stable. Signaling to disconnected parts! And reactions to responses that would have but definitely have not been sent... Am I going crazy or is Chaos experiencing phantom pain?

The other 2 raise some questions. When I try to open them, the system freezes up. There has to be a way to read them. In the last part the logs were plain text; now some are encoded. Seeing that I have more options besides base64, I think it's time to try them all.
After fumbling with those 2 logs, it comes to my attention that 'decode gz' is the option to proceed. With the last log the output is gibberish. Because the letters are grouped in a manner that looks like a sentence, I suspect there has been some kind of rotation. Luckily there is also an option for decoding rot13. When I copy the string and decode it using rot13, there is a mention of 'TrivialZ3r0'.
When I check the running processes, it looks like the good falken is connected to this TrivialZ3r0.
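The logs in this chapter, and the hex-with-'?'-filler story text from the earlier JavaScript, are all obfuscated with reversible encodings rather than encrypted, so anyone who can read the bytes can read the content. The script below is an added example, not the challenge's own terminal code, of the "try every decoder and keep whatever reads like text" routine the write-up performs by hand: it covers the four encodings mentioned on this page (hex with '?' filler, base64, gz, rot13). Two assumptions are labelled in the code: that the terminal's 'gz' option means gzip data carried as base64 text, and the sample log line itself, which is constructed here and is not from the challenge.

```python
import base64
import binascii
import codecs
import gzip
import string

PRINTABLE = set(string.printable)

# Constructed sample log line (not the challenge's actual content), and the
# four encoded forms of it that the decoders below have to recover.
LOG_PLAIN = "11th of August 2028 I have moved the work to the second node and the logs are now encoded."
SAMPLE_HEX = "?".join(f"{b:02x}" for b in LOG_PLAIN.encode())          # hex with '?' filler
SAMPLE_B64 = base64.b64encode(LOG_PLAIN.encode()).decode()
SAMPLE_GZ = base64.b64encode(gzip.compress(LOG_PLAIN.encode())).decode()  # assumption: gz = gzip, base64-wrapped
SAMPLE_ROT = codecs.encode(LOG_PLAIN, "rot_13")


def decode_hex(text: str) -> str:
    """Drop everything that is not a hex digit (the '?' filler the write-up
    removed with sed) and decode the remaining hex as UTF-8."""
    clean = "".join(ch for ch in text if ch in string.hexdigits)
    return bytes.fromhex(clean).decode("utf-8")


def decode_base64(text: str) -> str:
    # validate=True makes stray characters an error instead of silently skipping them.
    return base64.b64decode(text, validate=True).decode("utf-8")


def decode_gz(text: str) -> str:
    # Assumption: the terminal's 'gz' option is gzip data transported as base64.
    return gzip.decompress(base64.b64decode(text)).decode("utf-8")


def decode_rot13(text: str) -> str:
    return codecs.decode(text, "rot_13")


DECODERS = {
    "hex": decode_hex,
    "base64": decode_base64,
    "gz": decode_gz,
    "rot13": decode_rot13,
}

# rot13 never fails, so a readability check is what separates a hit from noise.
COMMON_WORDS = {"the", "and", "to", "of", "is", "i", "a", "in", "from", "have"}


def looks_readable(text: str) -> bool:
    """Heuristic: all printable ASCII and at least two common English words."""
    if not text or any(ch not in PRINTABLE for ch in text):
        return False
    words = (w.strip(".,!?;:") for w in text.lower().split())
    hits = sum(1 for w in words if w in COMMON_WORDS)
    return hits >= 2


def try_all(blob: str) -> dict:
    """Run every decoder over `blob`; return {decoder_name: text} for the ones
    that succeed and produce readable output. Malformed input for a given
    decoder is expected and simply skipped."""
    results = {}
    for name, decoder in DECODERS.items():
        try:
            out = decoder(blob)
        except (ValueError, binascii.Error, UnicodeDecodeError, OSError, EOFError):
            continue
        if looks_readable(out):
            results[name] = out
    return results


if __name__ == "__main__":
    for label, sample in [("hex", SAMPLE_HEX), ("base64", SAMPLE_B64),
                          ("gz", SAMPLE_GZ), ("rot13", SAMPLE_ROT)]:
        print(f"{label:>6}: matched {sorted(try_all(sample))}")
```

Each constructed sample is recognised by its own decoder and rejected by the others, either because the decoder raises on malformed input or because the output fails the readability check. In practice the same routine is what a reviewer runs over unfamiliar blobs in logs or config files before deciding whether something is actually protected or merely obscured.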

When I ask Google what TrivialZ3r0 might be, I get a hit on a mathematical hypothesis called the 'Riemann hypothesis'. Too bad I can't form a list of the found data and combine it with hydra to get my way in. So I make a list and sort out what is completely useless and what would make sense as a password.

TrivialZ3r0

After a long time trying different words, it seems that 'riemann' was the correct one. After a small video sequence I arrive at TrivialZ3r0. Same surroundings, same routine. But in this case there is a /passwd/ folder with 3 hashes in it.

falken: 61ea1974dd974297913b1fa2f0470d26 –> Riemann
chaos: 85241de03d1254ac40274b02caafcd99 –> 2.718281828459045
mccarthy: f74bfa0e35e5089a0bb743a893b4c7e3 –> m4xw*311#

After checking the running processes again, I connect to ‘Wintermute’ with the found password for ‘chaos’.

Wintermute

Again a small video sequence, and I can see that 'nieve' has found the end of the road. There is a file called 'nieve', and its content holds some credentials for nieve if she wants to join the 'hive mind' and enter 'Zephis'.

usr: nieve
pass: 08rf8h23
hostname: Zephis

When I connect with Zephis, I get the rolling credits.

Getting root

Most boot2roots revolve around pwning the system and acquiring root privileges. This one was more focused on doing everything inside the browser. But there is another way in.

MYSQL

I figured I hadn't tried sqlmap on the primary page yet, which looked like a good idea now. After grabbing the HTML header I fed it to sqlmap and let it rip.

The current database is really useless. Let's try one more time, but now I'm aiming for more databases.

After I noticed that the phpmyadmin database was empty, I hoped that the mysql database would be more promising and not another troll.

After cracking the hash, it seems that the password for root is 'PRIMER'. The other hashes aren't known, and I let them be instead of spending time on pure brute forcing.

SSH

I have collected a lot of data along the way and put it all in a list. With this list I figure it's a good way to try and get access on port 22.

The same password as root from the MySQL database.

After looking around the system as nieve, I didn't find anything that could really elevate my privileges. So I changed to root with the same password as nieve.

Unfortunately the /root/ folder was empty, so this journey ends here.

Conclusion

It was a fun challenge and a great story to follow. Because I like the themed challenges, I’ll look for more. Thanks to the author for taking the time to build it and thanks to Vulnhub for hosting it.