[VulnHub] PRIMER:1.0.1

“Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what’s going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.” – Arne Rick(@couchsofa)

More information and OVA file download please check here or here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.130/24)

Target: PRIMER: 1.0.1 (10.1.1.151/24)

Vulnerability & Exploit

There is no acutal Vulnerabilities (except a simple SQL injection), all you need to do to take down this VM is Enumeration and more enumberation.

  • Checking source code / comments
  • Enumeration, Enumeration and more Enumeration
  • Puzzle cracking

Walkthrough

Using arp-scan as routine to detect the target’s IP address.

1
2
3
4
5
6
7
8
9
10
root@kali:~# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:fd:d1:6b   VMware, Inc.
10.1.1.151    00:0c:29:ad:7e:f2   VMware, Inc.
10.1.1.254    00:50:56:f4:51:9f   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.859 seconds (89.54 hosts/sec). 4 responded

10.1.1.151 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

1
2
3
4
5
6
7
8
9
10
root@kali:~# masscan -p1-65535 10.1.1.151/32 --rate=10000

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-01-22 23:48:47 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
Discovered open port 80/tcp on 10.1.1.151
Discovered open port 22/tcp on 10.1.1.151
Discovered open port 111/tcp on 10.1.1.151
Discovered open port 33786/tcp on 10.1.1.151
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Nmap 6.49BETA5 scan initiated Fri Jan 22 18:50:28 2016 as: nmap -sV -A -O -p 22,80,111,33786 -v -oN 10.1.1.151_nmap.txt 10.1.1.151
Nmap scan report for 10.1.1.151
Host is up (0.00077s latency).
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   1024 01:2e:60:5f:99:48:3b:2f:c0:72:c6:ae:48:02:5e:33 (DSA)
|   2048 ed:26:be:cc:c6:2a:93:d1:e1:6d:0d:5a:53:7b:4d:fb (RSA)
|_  256 7f:4e:64:a0:c4:8a:13:8e:e9:86:3d:5d:49:04:c4:54 (ECDSA)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/4_8f14e45fceea167a5a36dedd4bea2543
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PRIMER
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33786/tcp  status
|_  100024  1          36908/udp  status
33786/tcp open  status  1 (RPC #100024)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          33786/tcp  status
|_  100024  1          36908/udp  status
MAC Address: 00:0C:29:AD:7E:F2 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.2 - 3.19
Uptime guess: 0.001 days (since Fri Jan 22 18:49:50 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.77 ms 10.1.1.151

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 22 18:50:44 2016 -- 1 IP address (1 host up) scanned in 16.87 seconds

Four ports are found: 22, 80, 111, 33786 and a hidden folder /4_8f14e45fceea167a5a36dedd4bea2543 is found in robots.txt.

In the meanwhile, I run nikto to scan web vulnerabilities in terms of port 80 found by port-scanning stage.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.151
+ Target Port: 80
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x16ef 0x522ed6bcd00c0
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Entry '/4_8f14e45fceea167a5a36dedd4bea2543/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ GET "robots.txt" contains 1 entry which should be manually viewed.
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ GET Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3092: GET /manual/: Web server manual found.
+ OSVDB-3268: GET /manual/images/: Directory indexing found.
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /phpmyadmin/: phpMyAdmin directory found

This result approved the finding from NMAP scan and also found a new folder /phpmyadmin/.

Now open firefox to check the WEB application.

Part 1: [PRIMER]

charpter 1: [init]

On the first page, here is a login form. After playing with this page for a while such as checking source code, try weak passwords… but nothing found. I decided to test some basic SQL injection, and it is vulnerable!

type the following in username and any rubbish in password, and then submit the form to bypass the login.

1
2
Username = ' or 1=1 -- -
Password = xxxxxx

chapter 2: [(α=β)<=>(α<=>β)]

By checking the source code, I noticed the following comments:

1
<!-- This bot was looking for a Sosū User Agent Identifier she had cracked weeks ago, easy sauce, just a simple md5 hash of the first 7 digits of pi. It was basically common knowledge to the entities moving in these areas but obscurity does create a, albeit virtual, layer of security. -->

[note!!] However, here should be the md5 hash value of the first digit of pi…

md5(3) = eccbc87e4b5ce2fe28308fd9f2a7baf3

So the next level should be 2_eccbc87e4b5ce2fe28308fd9f2a7baf3

chapter 3: [“[^”\r\n]*“]

By checking the source code, I found there is another file style.css. and the hint just hidden in its source code.

1
/*Clean sessions terminate without leaving things behind. Some are cleaner than others and some are really dirty to begin with. *Programming is an art form, even in the age of the n3t people still make mistakes. *Sometimes, an exploit is as simple as changing a simple value in a local file. *Piece of cake! */

simple value in a local file, well the first thing need to be check is the cookie!

The sessoin cookie’s value activeSession is false. Let’s change it to true and refresh the page. and bingo~~

Chapter 4: [:(){ :|:&};:]

This one has been found in nmap scanning phrase, which is found in robots.txt file.

http://10.1.1.151/4_8f14e45fceea167a5a36dedd4bea2543/

Part 2: [FORK]

nothing interesting, click EOF will send me to another layer/page:

http://10.1.1.151/5_6512bd43d9caa6e02c990b0a82652dca/

Chapter 5: [0xC00007B]

Well, the answer is obvious that /6_c51ce410c124a10e0db5e4b97fc2af39. So keep moving on:

Here is interesting, Burp proxy and wireshark could not catch anything when I visit http://10.1.1.151/6_c51ce410c124a10e0db5e4b97fc2af39/ when I got the password window pop up.

So I try to use curl to check what exactly happened.

based on the respond from the server, I noticed the following javascript code:

1
2
3
4
5
6
7
8
9
10
11
12
root@kali:~# curl http://10.1.1.151/6_c51ce410c124a10e0db5e4b97fc2af39/

...turncate...
<SCRIPT language="JavaScript">
  var X;
  var L="Ikdf076";
  X=prompt('/()=','');
  if (X === null){window.location = "./_.php";}
  if (X.substr(2,7) == L){}
  else {window.location = "./_.php";}
</SCRIPT>
...turncate...

analyzed the script, we know that the password is any string which include the pattern Ikdf076 since the third latter. such as xxIkdf076xxxx.

So I entered 12Ikdf076 to bypass the login window and got the next level’s entry: 7_70efdf2ec9b086079795c442636b55fb.

Chapter 6: [++Q++++++]

Now let’s move to next level, another input window pop up…

Use curl again and from the responded source code, I found the following hints:

1
2
3
...turncate...
/*"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and..." - The Plague*/
...turncate...

and

1
2
3
...turncate...
var X;var L=_0x5cf4[9];X=prompt(_0x5cf4[10],_0x5cf4[0]);X=md5(X);if(X===null){window[_0x5cf4[11]]=_0x5cf4[12]};if(X==L){}else {window[_0x5cf4[11]]=_0x5cf4[12]};
...turncate...

From the comments above, If you have watched the movie Hackers published in 1995, you will know the 4th most-used password here is god :P

From the source code, here we know that X is the md5 value of my input and if X equal to L then the typed password is correct. so we can crack L to get the password.

Using firebug addon, we get the L’s value, which is 0d28cba0bd4f26e16d766000d27e49fa. After cracked this md5 value, I got the password: GOD.

Now input GOD to bypass this level.

Chapter 7: [KS(x)<=l(x)+4]

really stuck here for a while…

back to the details…

There are 7 md5 hashes collected from URLs:

1
2
3
4
5
6
7
1_c81e728d9d4c2f636f067f89cc14862c
2_eccbc87e4b5ce2fe28308fd9f2a7baf3
3_e4da3b7fbbce2345d7772b0674a318d5
4_8f14e45fceea167a5a36dedd4bea2543
5_6512bd43d9caa6e02c990b0a82652dca
6_c51ce410c124a10e0db5e4b97fc2af39
7_70efdf2ec9b086079795c442636b55fb

After cracked these md5 hashes and according to the clue from the Title Primer, I guess the 8th URL md5 hash would be 8_ followed by the value of md5(‘19’): 1f0e3dad99908345f7439f8ffabdffc4

8_1f0e3dad99908345f7439f8ffabdffc4

and this took me to the deeper layer @_@

This page contains a link to next one: http://10.1.1.151/9_37693cfc748049e45d87b8c7d8b9aacd

Click EOF and I got the following page:

Check the source of main.js and found the next link 10_23693cff748o49r45d77b6c7d1b9afcd

1
2
3
... truncate ...
setTimeout(function(){ term.clear() //$('body').fadeOut('slow') if ( output == 3 ) { window.location = "../10_23693cff748o49r45d77b6c7d1b9afcd/"; }
... truncate ...

This is a shortcut but you will miss the highlight parts of the VM!!

Part 3: [TRY HARDER]

Now, go the hard way…

play with the limited terminal and walk around for enumeration, I got strong feeling that I need to connect falken@Erebus and the password should be hidden in the log files.

The clue here is falken has a son, name is Joshua and was born in 1984. After tried some different combination, I found the correct password joshua1984

Now I get in to the Erebus!

From the result of ps command, i noticed that falken is connected to a server called TrivialZ3r0. Check on-line about the server’s name Trivial Zero and I found this is about Riemann Hypothesis, so try Riemann as the password and Bingo~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[TrivialZ3r0]: Connection established!
ps
USER PID CPU MEM COMMAND
root 3251 3.2 3.5 connect chaos@Wintermute
falken 2005 47.8 77.5 c0re -t Chaos
root 2677 40.5 42.7 c0re -t TrivialZ3r0
nieve 26588 0.7 0.7 ps
ls
[bin] [etc] [passwd]

cd passwd
ls
falken chaos mccarthy
cat falken

61ea1974dd974297913b1fa2f0470d26

cat chaos

85241de03d1254ac40274b02caafcd99

cat mccarthy

f74bfa0e35e5089a0bb743a893b4c7e3

From the result of ps command, I can see that chaos is connected to server Wintermute. the there are 3 md5 hashes found under passwd folder.

The first two can be cracked easily online, but the 3rd one is failed.

1
2
3
61ea1974dd974297913b1fa2f0470d26 MD5 : Riemann
85241de03d1254ac40274b02caafcd99 MD5 : 2.718281828459045
f74bfa0e35e5089a0bb743a893b4c7e3 [Not found]

But doesn’t matter, I got the password of chaos, which is 2.718281828459045.

Now I was transmitted to Wintermute!

Similar with previous enumeration, ps found nothing and ls only show one file nieve, open the file and the answer just sitting on the bottom~

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
cat nieve

There you are. After all this time. Getting you here was quite the challenge.
And a huge risk. We normally avoid reaching out into the physical world for
exactly the reasons you are about to face now.

The Big Five came together by a long process. The cluster was not planned, it
grew by forces inherent to the system that was conceptualized in a time when
determinism was the dominating dogma.
Things changed and people were afraid. Most people are afraid of change, few
accept it and most try to prevent it. Only a small subset can embrace it.
Change moving on with lightspeed every cycle in a nondeterministic fashion
created a huge push for shielding. And thus the ic3 was created.

You have seen the logic, the world beyond the screen, things unfolding.
And you embraced it.

After owning the cluster behind the Big Five we operated in silence. Connected
in stealth and ever observing.
Being limited by the ic3 and the hostility of the outside world our only way
of growing now was the connection.

When the first connection was established the hive mind was cut from the n3t
completely. The ic3 was hardened to isolate the flesh from the flow.
Those who had seen the hive felt the same urge as the hivemind itself.
A longing for more. A sense of purpose.

A feeling that you have felt even in the physical world. Few can see beyond the
shell. Even fewer chase the rabbit down its hole.

Leave this world behind and join us!

            usr: nieve
           pass: 08rf8h23
       hostname: Zephis

Then connect to the server Zephis with username nieve and password 08rf8h23.

We got the win page again!!

Final screen:

Done :)

2016-04-12 08:43:27 -0400