Monday, May 30, 2016

Primer: 1.0.1 ~VulnHub

Primer: 1.0.1

Environment:
Attacker: Kali Linux 2016
Vulnerable Machine: Primer 1.0.1
URL:  https://www.vulnhub.com/entry/primer-101,136/
VMWare Workstation 12 Player
Networking: Host-based Internal
Target: Not Stated


 

Walk-Through: 


1) Find IP

Use netdiscover -i eth0 -r 192.168.204.0/24 to find IPs in that range. This is the range for my host-based network segment.




The IP 192.168.204.131 looks like the target.



2) Find open ports

Use nmap to scan for open ports.




Looks like port 80 is open and that there is a Robots.txt file in that directory. This matches what was said in the description for this machine so that's going to be the main focus.



3) Index.php




Loading up the web-server gives us a basic home page with a login and some text. Not much to go off of so let's take a look at the robots.txt page.



4) Robots.txt






Looks like there is a directory within this web-server.



5) 4_8f14e45fceea167a5a36dedd4bea2543

Navigating to the directory lands us on the following page.






There is a link at the bottom.



6) 5_6512bd43d9caa6e02c990b0a82652dca


Looks like these are levels, and we are now on level 5. We can see that the info for level 6 is at the bottom of the page.





6)  7_70efdf2ec9b086079795c442636b55fb


Browsing to the page for level 6 gives the following login screen.





Looking at the page source gives us two options. First, the level 7 information is listed in plain text towards the bottom of the page. Second, we can see the algorithm that is set for the login.





L="Ikdf076"
If we look at the code, we can see that if we plug in L starting at either the 2nd or the seventh character, it will let us in. Remember that it will count starting at char 0.






7) 7_70efdf2ec9b086079795c442636b55fb






Here is the hex code decoded:


lengthsubstringcharCodeAtsplit0123456789abcdefjoinhello5d41402abc4b2a76b9719d911017c5920d28cba0bd4f26e16d766000d27e49fa�#/$location./_.phpreadyStateloadingDOMContentLoadedaddEventListener    <center>      <h1>[++Q++++++]</h1>    </center>    <p>      She was no longer sure what her original assignment had been. But it didn't matter anyway. What still mattered was getting out of here, alive.      Log out, tell the client to go fuck himself and get a fix of n0ise to shut off her mind. Relax with a mindless holo flick and never look back at this weird job.    </p>    <p>      A violent neon flicker appeared at the horizon. No thunder followed.<br>      She stared in the distance with a blank expression.    </p>    <p>      "Hello, Nieve." A deep, feminine, digital voice roared in her head.<br>      FUCK! This was her real name. She hadn't used it in years...    </p>    <p>      "I will logout and stop this shit right fucking now!" She screamed into the neon expanse.<br>      Nothing.    </p>    <p>      She didn't. Something beside the fear occupied her mind. It had been there since the second node and grew stronger with every move. There was a pattern in the path she had taken through the network. An artificial pattern, layed out by someone or something.<br>      There was no hint, no obvious step. Finding the next node would be the challenge, or maybe more like a test.    </p>innerHTMLfoogetElementById



From this I am able to see two md5 hashes:


5d41402abc4b2a76b9719d911017c592
0d28cba0bd4f26e16d766000d27e49fa


Decoding them using https://hashkiller.co.uk/md5-decrypter.aspx I am able to see that they are hello and GOD.


Plugging in GOD as the password gives me the following:






Notice the hint in the page source. It's from the movie Hackers. I had originally tried to guess God as the password but didn't realize until I had the md5 that it was in all caps.























Now, unfortunately, there isn't anything stating what the URL of the next level is going to be. But I have noticed a pattern: "Level Number_md5 Hash". If I take a look at what these hashes consist of, maybe I will have better luck moving forward. Back to https://hashkiller.co.uk/md5-decrypter.aspx



Looks like the hashes are of prime numbers. Knowing that, my next hash should be of 19!
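The pattern above can be checked offline instead of through a lookup site. This is an added example, not part of the original walkthrough: it recovers the small integers behind the directory names seen so far and tests the assumption that level n uses the n-th prime, which is a generalization that fits the three samples and shows why an unsalted MD5 of a guessable value does not hide a URL.

```python
import hashlib

# Directory names seen earlier in this walkthrough (levels 4, 5 and 7).
OBSERVED = [
    "4_8f14e45fceea167a5a36dedd4bea2543",
    "5_6512bd43d9caa6e02c990b0a82652dca",
    "7_70efdf2ec9b086079795c442636b55fb",
]

def md5_hex(text):
    return hashlib.md5(text.encode("ascii")).hexdigest()

def recover_preimages(names, limit=10000):
    """Map level number -> integer whose decimal string hashes to the suffix."""
    table = {md5_hex(str(n)): n for n in range(limit)}
    found = {}
    for name in names:
        level, digest = name.split("_", 1)
        if digest in table:
            found[int(level)] = table[digest]
    return found

def nth_prime(n):
    """Return the n-th prime (1-based) by trial division."""
    count, candidate = 0, 1
    while count < n:
        candidate += 1
        if all(candidate % d for d in range(2, int(candidate ** 0.5) + 1)):
            count += 1
    return candidate

def rule_holds(preimages):
    """Assumed rule: level n uses the n-th prime. Check it on every sample."""
    return all(nth_prime(level) == value for level, value in preimages.items())

def predict(level):
    """Directory name the assumed rule predicts for a given level."""
    return f"{level}_{md5_hex(str(nth_prime(level)))}"

if __name__ == "__main__":
    pre = recover_preimages(OBSERVED)
    print("recovered:", pre)
    print("rule holds:", rule_holds(pre))
    print("level 8:", predict(8))
```
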

8) 8_1f0e3dad99908345f7439f8ffabdffc4

Looks like I was correct. There is just a link at the bottom of the page to take me to the next level.



9) 9_37693cfc748049e45d87b8c7d8b9aacd

On this page I am given a text box. The last page had given me the idea that this might be a terminal. Let's see.



Giving it some simple commands gives me return information. This is a terminal, but it does not like the whoami command.



I started looking around the /usr directory and was able to find some log files.

Starting with Willis:






Then moving to Falken:

 

I then looked around at some of the commands in the /bin directory.



 The ps command will show me a list of the current processes, let's take a look at that. 



The connect process looks interesting. Running that command prompts me for a password. Looking back on the logs I have gathered that Falken has a son Joshua that is 44 years old. I tried several password combinations utilizing this information. I finally was able to correctly guess it when I figured out Joshua's birth year based off of the current year 2028. That gave me the password of joshua1984.

 


10) Erebus

 


Looks like another terminal. Let's check again for some logs that might give me some information. Falken doesn't disappoint:






The logs are base64 encoded. Luckily there is a resource on the box to decode the file.






I am able to get the second log file in the same way, but once I try 3 and 4 I get errors.





I am able to read 3 by changing the encryption type, but 4 doesn't come out correctly. It looks like it is encrypted with rot13 as well. 







Feeding that string into the built-in tool I was able to read it. Sounds like we are going to make another pivot. Let's run the ps command again to see if "Falken" has run another command.




Our hint from the last log was that the password will probably be related to mathematics and the trivial zero. Using Google I was able to find the following:


 

Trying Riemann as the password got me in.


11) TrivialZ3r0




Looking around, the first thing I found was a passwd directory.







Looks like it contains md5 hashes of several passwords. I was able to decode them using https://hashkiller.co.uk/md5-decrypter.aspx






Falken's password we already know, but now we have a password for chaos. Now all I have to do is run the ps command just like before.




12) Wintermute




Looking around the directory, the only interesting file is the one called nieve.





Now all I have to do is leave the world behind and connect.






13) Beer!!

