Mr_H4sh

Infosec, CTF and more

Primer Solution

Hi guys,

In this post I’m going to show you how to solve the Primer VM provided by Arne Rick.

Thanks to Vulnhub for keeping me busy with all these challenges, and thanks to everyone that hosts new challenges.

This challenge involves various hacking techniques.

The description provided on Vulnhub says that the machine will have an IP assigned automatically, so this is the situation:

192.168.56.103 <== attacker
192.168.56.102 <== victim

A port scan on the victim host gives this:

# nmap -sT -p- -v -n -Pn 192.168.56.102 -T5

Nmap scan report for 192.168.56.102
Host is up (0.0012s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
50446/tcp open  unknown

I have a look at the content of the page, and I find various words with some numbers in them. I’m unsure whether they are a clue or a red herring. I note them as they might be useful in the future:

n3t
l0g1n
us3rl4nd
f0rm
f0rms
bo0le4n

So, in the source code I find the following phrase:

"Some f0rms are easier than others. This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enough to let her pass."

I think it’s talking about a SQL Injection, so I use sqlmap. I find out that the field usr is vulnerable:

# sqlmap -u http://192.168.56.102/login.php --method=POST --data="usr=&pw=commit=Login"
---
Parameter: usr (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: usr=' AND (SELECT * FROM (SELECT(SLEEP(5)))EqLx) AND 'XfOe'='XfOe&pw=commit=Login
---

I carry on with the investigation, and I find out that the DB is called test and it has one table called users with just one entry:

[1 entry]
+----+----+-----+---------+
| ID | pw | usr | text    |
+----+----+-----+---------+
| 1  | pw | usr | <blank> |
+----+----+-----+---------+

But don’t worry, all this is just a dead end. I launch nikto and I find a robots.txt file with the following entry: /4_8f14e45fceea167a5a36dedd4bea2543, so I visit http://192.168.56.102/4_8f14e45fceea167a5a36dedd4bea2543 and this is what I find:

screenshot-2

Don’t know why, but I love the header of this page: it reminds me of a shellshock attack… but let’s move on. I check the source file and there’s a link to ../5_6512bd43d9caa6e02c990b0a82652dca. I go to http://192.168.56.102/5_6512bd43d9caa6e02c990b0a82652dca and this is what I find:

screenshot-3

In here the page tells you the next step: http://192.168.56.102/6_c51ce410c124a10e0db5e4b97fc2af39.

A JavaScript prompt appears, and if I either cancel or type the wrong word then I’ll be redirected to the page /_.php, which is a page with random numbers and characters, but I escape before the redirect is done and I read the source code of the page:

screenshot-4

So, the right string for the prompt must have 2 random chars and the string Ikdf076:

<SCRIPT language="JavaScript">
  var X;
  var L="Ikdf076";
  X=prompt('/()=','');
  if (X === null){window.location = "./_.php";}
  if (X.substr(2,7) == L){}
  else {window.location = "./_.php";}
</SCRIPT>

so I type ASIkdf076 and this is what I find:

screenshot-5

and the next URL is http://192.168.56.102/7_70efdf2ec9b086079795c442636b55fb.

Same trick again, I stop the page from loading and I find this JavaScript code:

<SCRIPT language="JavaScript">
var _0x5cf4=["","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x73\x70\x6C\x69\x74","\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66","\x6A\x6F\x69\x6E","\x68\x65\x6C\x6C\x6F","\x35\x64\x34\x31\x34\x30\x32\x61\x62\x63\x34\x62\x32\x61\x37\x36\x62\x39\x37\x31\x39\x64\x39\x31\x31\x30\x31\x37\x63\x35\x39\x32","\x30\x64\x32\x38\x63\x62\x61\x30\x62\x64\x34\x66\x32\x36\x65\x31\x36\x64\x37\x36\x36\x30\x30\x30\x64\x32\x37\x65\x34\x39\x66\x61","\xA7\x23\x2F\x24","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x2E\x2F\x5F\x2E\x70\x68\x70","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x69\x6E\x67","\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x20\x20\x20\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x20\x20\x3C\x68\x31\x3E\x5B\x2B\x2B\x51\x2B\x2B\x2B\x2B\x2B\x2B\x5D\x3C\x2F\x68\x31\x3E\x20\x20\x20\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x6C\x6F\x6E\x67\x65\x72\x20\x73\x75\x72\x65\x20\x77\x68\x61\x74\x20\x68\x65\x72\x20\x6F\x72\x69\x67\x69\x6E\x61\x6C\x20\x61\x73\x73\x69\x67\x6E\x6D\x65\x6E\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x2E\x20\x42\x75\x74\x20\x69\x74\x20\x64\x69\x64\x6E\x27\x74\x20\x6D\x61\x74\x74\x65\x72\x20\x61\x6E\x79\x77\x61\x79\x2E\x20\x57\x68\x61\x74\x20\x73\x74\x69\x6C\x6C\x20\x6D\x61\x74\x74\x65\x72\x65\x64\x20\x77\x61\x73\x20\x67\x65\x74\x74\x69\x6E\x67\x20\x6F\x75\x74\x20\x6F\x66\x20\x68\x65\x72\x65\x2C\x20\x61\x6C\x69\x76\x65\x2E\x20\x20\x20\x20\x20\x20\x4C\x6F\x67\x20\x6F\x75\x74\x2C\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20\x63\x6C\x69\x65\x6E\x74\x20\x74\x6F\x20\x67\x6F\x20\x66\x75\x63\x6B\x20\x68\x69\x6D\x73\x65\x6C\x66\x20\x61\x6E\x64\x20\x67\x65\x74\x20\x61\x20\x66\x69\x78\x20\x6F\x66\x20\x6E\x30\x69\x73\x65\x20\x74\x6F\x20\x73\x68\x75\x74\x20\x6F\x66\x66\x20\x68\x65\x72\x20\x6D\x6
9\x6E\x64\x2E\x20\x52\x65\x6C\x61\x78\x20\x77\x69\x74\x68\x20\x61\x20\x6D\x69\x6E\x64\x6C\x65\x73\x73\x20\x68\x6F\x6C\x6F\x20\x66\x6C\x69\x63\x6B\x20\x61\x6E\x64\x20\x6E\x65\x76\x65\x72\x20\x6C\x6F\x6F\x6B\x20\x62\x61\x63\x6B\x20\x61\x74\x20\x74\x68\x69\x73\x20\x77\x65\x69\x72\x64\x20\x6A\x6F\x62\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x41\x20\x76\x69\x6F\x6C\x65\x6E\x74\x20\x6E\x65\x6F\x6E\x20\x66\x6C\x69\x63\x6B\x65\x72\x20\x61\x70\x70\x65\x61\x72\x65\x64\x20\x61\x74\x20\x74\x68\x65\x20\x68\x6F\x72\x69\x7A\x6F\x6E\x2E\x20\x4E\x6F\x20\x74\x68\x75\x6E\x64\x65\x72\x20\x66\x6F\x6C\x6C\x6F\x77\x65\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x73\x74\x61\x72\x65\x64\x20\x69\x6E\x20\x74\x68\x65\x20\x64\x69\x73\x74\x61\x6E\x63\x65\x20\x77\x69\x74\x68\x20\x61\x20\x62\x6C\x61\x6E\x6B\x20\x65\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x48\x65\x6C\x6C\x6F\x2C\x20\x4E\x69\x65\x76\x65\x2E\x22\x20\x41\x20\x64\x65\x65\x70\x2C\x20\x66\x65\x6D\x69\x6E\x69\x6E\x65\x2C\x20\x64\x69\x67\x69\x74\x61\x6C\x20\x76\x6F\x69\x63\x65\x20\x72\x6F\x61\x72\x65\x64\x20\x69\x6E\x20\x68\x65\x72\x20\x68\x65\x61\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x46\x55\x43\x4B\x21\x20\x54\x68\x69\x73\x20\x77\x61\x73\x20\x68\x65\x72\x20\x72\x65\x61\x6C\x20\x6E\x61\x6D\x65\x2E\x20\x53\x68\x65\x20\x68\x61\x64\x6E\x27\x74\x20\x75\x73\x65\x64\x20\x69\x74\x20\x69\x6E\x20\x79\x65\x61\x72\x73\x2E\x2E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x49\x20\x77\x69\x6C\x6C\x20\x6C\x6F\x67\x6F\x75\x74\x20\x61\x6E\x64\x20\x73\x74\x6F\x70\x20\x74\x68\x69\x73\x20\x73\x68\x69\x74\x20\x72\x69\x67\x68\x74\x20\x66\x75\x63\x6B\x69\x6E\x67\x20\x6E\x6F\x77\x21\x22\x20\x53\x68\x65\x20\x73\x63\x72\x65\x61\x6D\x65\x64\x20\x69\x6E\x74\x6F\x20\x74\x68\x65\x20\x6E\x65\x6F\x6E\x20\x65\x78\x70\x61\x6E\x73\x65\x2E\x3C\x62\x72\x3E\x20\x20\x2
0\x20\x20\x20\x4E\x6F\x74\x68\x69\x6E\x67\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x64\x69\x64\x6E\x27\x74\x2E\x20\x53\x6F\x6D\x65\x74\x68\x69\x6E\x67\x20\x62\x65\x73\x69\x64\x65\x20\x74\x68\x65\x20\x66\x65\x61\x72\x20\x6F\x63\x63\x75\x70\x69\x65\x64\x20\x68\x65\x72\x20\x6D\x69\x6E\x64\x2E\x20\x49\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x20\x74\x68\x65\x72\x65\x20\x73\x69\x6E\x63\x65\x20\x74\x68\x65\x20\x73\x65\x63\x6F\x6E\x64\x20\x6E\x6F\x64\x65\x20\x61\x6E\x64\x20\x67\x72\x65\x77\x20\x73\x74\x72\x6F\x6E\x67\x65\x72\x20\x77\x69\x74\x68\x20\x65\x76\x65\x72\x79\x20\x6D\x6F\x76\x65\x2E\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x61\x20\x70\x61\x74\x74\x65\x72\x6E\x20\x69\x6E\x20\x74\x68\x65\x20\x70\x61\x74\x68\x20\x73\x68\x65\x20\x68\x61\x64\x20\x74\x61\x6B\x65\x6E\x20\x74\x68\x72\x6F\x75\x67\x68\x20\x74\x68\x65\x20\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x20\x41\x6E\x20\x61\x72\x74\x69\x66\x69\x63\x69\x61\x6C\x20\x70\x61\x74\x74\x65\x72\x6E\x2C\x20\x6C\x61\x79\x65\x64\x20\x6F\x75\x74\x20\x62\x79\x20\x73\x6F\x6D\x65\x6F\x6E\x65\x20\x6F\x72\x20\x73\x6F\x6D\x65\x74\x68\x69\x6E\x67\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x68\x69\x6E\x74\x2C\x20\x6E\x6F\x20\x6F\x62\x76\x69\x6F\x75\x73\x20\x73\x74\x65\x70\x2E\x20\x46\x69\x6E\x64\x69\x6E\x67\x20\x74\x68\x65\x20\x6E\x65\x78\x74\x20\x6E\x6F\x64\x65\x20\x77\x6F\x75\x6C\x64\x20\x62\x65\x20\x74\x68\x65\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x2C\x20\x6F\x72\x20\x6D\x61\x79\x62\x65\x20\x6D\x6F\x72\x65\x20\x6C\x69\x6B\x65\x20\x61\x20\x74\x65\x73\x74\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x66\x6F\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];
  
  /*"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and..." - The Plague*/
  
function md5cycle(_0xf6a0x2,_0xf6a0x3){
  var _0xf6a0x4=_0xf6a0x2[0],_0xf6a0x5=_0xf6a0x2[1],_0xf6a0x6=_0xf6a0x2[2],_0xf6a0x7=_0xf6a0x2[3];
  _0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],7,-680876936);
  _0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[1],12,-389564586);
  _0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],17,606105819);
  _0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[3],22,-1044525330);
  _0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],7,-176418897);
  _0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[5],12,1200080426);
  _0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],17,-1473231341);
  _0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[7],22,-45705983);
  _0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],7,1770035416);
  _0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[9],12,-1958414417);
  _0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],17,-42063);
  _0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[11],22,-1990404162);
  _0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],7,1804603682);
  _0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[13],12,-40341101);
  _0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],17,-1502002290);
  _0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[15],22,1236535329);
  _0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],5,-165796510);
  _0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[6],9,-1069501632);
  _0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],14,643717713);
  _0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[0],20,-373897302);
  _0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],5,-701558691);
  _0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[10],9,38016083);
  _0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],14,-660478335);
  _0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[4],20,-405537848);
  _0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],5,568446438);
  _0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[14],9,-1019803690);
  _0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],14,-187363961);
  _0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[8],20,1163531501);
  _0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],5,-1444681467);
  _0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[2],9,-51403784);
  _0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],14,1735328473);
  _0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[12],20,-1926607734);
  _0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],4,-378558);
  _0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[8],11,-2022574463);
  _0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],16,1839030562);
  _0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[14],23,-35309556);
  _0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],4,-1530992060);
  _0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[4],11,1272893353);
  _0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],16,-155497632);
  _0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[10],23,-1094730640);
  _0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],4,681279174);
  _0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[0],11,-358537222);
  _0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],16,-722521979);
  _0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[6],23,76029189);
  _0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],4,-640364487);
  _0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[12],11,-421815835);
  _0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],16,530742520);
  _0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[2],23,-995338651);
  _0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],6,-198630844);
  _0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[7],10,1126891415);
  _0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],15,-1416354905);
  _0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[5],21,-57434055);
  _0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],6,1700485571);
  _0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[3],10,-1894986606);
  _0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],15,-1051523);
  _0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[1],21,-2054922799);
  _0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],6,1873313359);
  _0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[15],10,-30611744);
  _0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],15,-1560198380);
  _0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[13],21,1309151649);
  _0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],6,-145523070);
  _0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[11],10,-1120210379);
  _0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],15,718787259);
  _0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[9],21,-343485551);
  _0xf6a0x2[0]=add32(_0xf6a0x4,_0xf6a0x2[0]);_0xf6a0x2[1]=add32(_0xf6a0x5,_0xf6a0x2[1]);
  _0xf6a0x2[2]=add32(_0xf6a0x6,_0xf6a0x2[2]);_0xf6a0x2[3]=add32(_0xf6a0x7,_0xf6a0x2[3]);
}
function cmn(_0xf6a0x9,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){
  _0xf6a0x4=add32(add32(_0xf6a0x4,_0xf6a0x9),add32(_0xf6a0x2,_0xf6a0xb));
  return add32((_0xf6a0x4<<_0xf6a0xa)|(_0xf6a0x4>>>(32-_0xf6a0xa)),_0xf6a0x5);
}
function ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){
  return cmn((_0xf6a0x5&_0xf6a0x6)|((~_0xf6a0x5)&_0xf6a0x7),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)
}
function gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){
  return cmn((_0xf6a0x5&_0xf6a0x7)|(_0xf6a0x6&(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)
}
function hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){
  return cmn(_0xf6a0x5^_0xf6a0x6^_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)
}
function ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){
  return cmn(_0xf6a0x6^(_0xf6a0x5|(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)
}
  
function md51(_0xf6a0xa){
  txt=_0x5cf4[0];
  var _0xf6a0x11=_0xf6a0xa[_0x5cf4[1]],_0xf6a0x12=[1732584193,-271733879,-1732584194,271733878],_0xf6a0x13;
  for(_0xf6a0x13=64;_0xf6a0x13<=_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13+=64){
    md5cycle(_0xf6a0x12,md5blk(_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64,_0xf6a0x13)))
  };
  _0xf6a0xa=_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64);
  var _0xf6a0x14=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0];
  for(_0xf6a0x13=0;_0xf6a0x13<_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13++){
    _0xf6a0x14[_0xf6a0x13>>2]|=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)<<((_0xf6a0x13%4)<<3)};
    _0xf6a0x14[_0xf6a0x13>>2]|=0x80<<((_0xf6a0x13%4)<<3);
    if(_0xf6a0x13>55){
      md5cycle(_0xf6a0x12,_0xf6a0x14);for(_0xf6a0x13=0;_0xf6a0x13<16;_0xf6a0x13++){
        _0xf6a0x14[_0xf6a0x13]=0};
      };
      _0xf6a0x14[14]=_0xf6a0x11*8;
      md5cycle(_0xf6a0x12,_0xf6a0x14);return _0xf6a0x12;
    }
    function md5blk(_0xf6a0xa){
      var _0xf6a0x16=[],_0xf6a0x13;
      for(_0xf6a0x13=0;_0xf6a0x13<64;_0xf6a0x13+=4){
        _0xf6a0x16[_0xf6a0x13>>2]=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+1)<<8)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+2)<<16)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+3)<<24)};
        return _0xf6a0x16;
      }
      var hex_chr=_0x5cf4[5][_0x5cf4[4]](_0x5cf4[0]);
      function rhex(_0xf6a0x11){
        var _0xf6a0xa=_0x5cf4[0],_0xf6a0x19=0;
        for(;_0xf6a0x19<4;_0xf6a0x19++){
          _0xf6a0xa+=hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8+4))&0x0F]+hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8))&0x0F]};
          return _0xf6a0xa;
        }
        function hex(_0xf6a0x2){
          for(var _0xf6a0x13=0;
            _0xf6a0x13<_0xf6a0x2[_0x5cf4[1]];_0xf6a0x13++){
            _0xf6a0x2[_0xf6a0x13]=rhex(_0xf6a0x2[_0xf6a0x13])
          };
          return _0xf6a0x2[_0x5cf4[6]](_0x5cf4[0]);
        }
        function md5(_0xf6a0xa){
          return hex(md51(_0xf6a0xa))
        }
        function add32(_0xf6a0x4,_0xf6a0x5){
          return (_0xf6a0x4+_0xf6a0x5)&0xFFFFFFFF
        }
        if(md5(_0x5cf4[7])!=_0x5cf4[8]){
          function add32(_0xf6a0x2,_0xf6a0x1d){
            var _0xf6a0x1e=(_0xf6a0x2&0xFFFF)+(_0xf6a0x1d&0xFFFF),_0xf6a0x1f=(_0xf6a0x2>>16)+(_0xf6a0x1d>>16)+(_0xf6a0x1e>>16);
            return (_0xf6a0x1f<<16)|(_0xf6a0x1e&0xFFFF);
          }
        };
        var X;
        var L=_0x5cf4[9];
        X=prompt(_0x5cf4[10],_0x5cf4[0]);
        X=md5(X);
        if(X===null){
          window[_0x5cf4[11]]=_0x5cf4[12]
        };
        if(X==L){

        }
        else {
          window[_0x5cf4[11]]=_0x5cf4[12]
	};
        function ready(_0xf6a0x23){
        if(document[_0x5cf4[13]]!=_0x5cf4[14]){
          _0xf6a0x23()
        }
        else 
        {
          document[_0x5cf4[16]](_0x5cf4[15],_0xf6a0x23)
        }
      }
      ready(function(){
        var _0xf6a0x24=_0x5cf4[17];
        console.log('_0xf6a0x24', _0xf6a0x24, '_0x5cf4', _0x5cf4)
        document[_0x5cf4[20]](_0x5cf4[19])[_0x5cf4[18]]=_0xf6a0x24;
      });
</SCRIPT>

As I read from the comment, whoever watched the movie Hackers (the one with Angelina Jolie, in 1995) will remember that the last password that The Plague mentions is GOD. I type it and I end up on this page:

screenshot-6

I beautify the function and I find out that the value is hashed with MD5 and compared with the MD5 hash of the word GOD. If the hashes are equal it does nothing. I see that the URLs are interesting: the pattern is <number>_<md5_hash> (e.g. 7_70efdf2ec9b086079795c442636b55fb). I find out that the hashes correspond to the prime numbers (7, 11, 13, 17), so the next one must be 19. I go to http://192.168.56.102/8_1f0e3dad99908345f7439f8ffabdffc4 and this is what I find:

screenshot-7

It just contains a link to the next URL: http://192.168.56.102/9_37693cfc748049e45d87b8c7d8b9aacd/

What I see here is a JavaScript terminal, so I check the source and I find some functions that emulate real terminal commands.

I try the command whoami and it looks like the page turns red and freezes, and an image with blurred text is shown. The JavaScript command sends a POST request to the page /whoami.php; I replicate it and this is what I retrieve:

    "df1723194d7a6a7146cf8###################da1460cc28cdd0eebf2597b4",
    "d378cac4ef1eeb4443d87#_[{(N\u00a7I@E%V$E)]}_#68197f25c54db50f6baac309",
    "723dfdb7d2c6b4a597bb5###################6244d1886563c3e63776e20d",

This string #_[{(N\u00a7I@E%V$E)]}_# looks interesting, and the \u00a7 part is actually &, so N&I@E%V$E. This won’t work as the password, though.

In the end I play a bit with the JavaScript, since the terminal was written in JavaScript. No passwords to find. To solve the level I just check line 70 of the file main.js, but there’s another way to bypass the login: I run the command connect falker@Erebus, and this will send the first POST request as ["#",""], so I send “#” as the password. I put a breakpoint on line 128 of the file main.js to change the received output from a string to the integer 3. This executes a function called playConnectionSec() within the same file, and it checks if the value of output is 3. Once done, the terminal says that I’m successfully logged in and it redirects to a credits page.

screenshot-8

This is a very basic hacking challenge, but it’s a good start (and a good story) for someone who is at the first step of ethical hacking.

Thanks to Arne Rick for the VM.

UPDATE!!!!

Since I received a message from Arne Rick saying that I’ve skipped part of the story, I promised to get back on the VM and have a proper look. Guess what? He was right (of course).

I read the files contained in the /usr folder and I take note of them. It turns out that Falken was a sentimental man; he loved his son Joshua, who is 44 years old. After various attempts, it turns out that Falken’s password is joshua1984.

screenshot-9

I’m in Erebus. I carry on doing my research and, as before, I see files in the /usr folder. Gathering information is always good. I can’t find anything interesting in the /usr folder, but falken is connected to a server called TrivialZ3r0. I have a look online about it and I find out about the Riemann Hypothesis (google it if you’re interested), then I find out that the password is Riemann.

screenshot-10

I can see that chaos is connected to Wintermute, so I try to find some other hints to have access to the server Wintermute. There’s a passwd folder with three users’ MD5 hashed passwords:

falken: 61ea1974dd974297913b1fa2f0470d26, which cracks to "Riemann!"
chaos: 85241de03d1254ac40274b02caafcd99, which cracks to "2.718281828459045"
mccarthy: f74bfa0e35e5089a0bb743a893b4c7e3, which is still cracking; I'll be notified once the online tool cracks it, if that happens :D

I try to log in as falken, but he doesn’t exist on the server. So I try to log in as chaos with the cracked password and I’m in.

screenshot-11

I find out that there’s just one file called nieve, with the story and some login details:

usr: nieve 
pass: 08rf8h23 
hostname: Zephis

I log in with the given details to the server Zephis and, again, I get the credits page.

screenshot-8

I have to thank Arne Rick for the fun and for telling me that I missed part of the story.

This has been even more fun.

Thank you again for the Challenge.

Conclusion

As usual, for any information or comment, please do not hesitate to leave a comment.

./A