Hello friends! Today we are going to take another
CTF challenge known as Primer. The
credit for making this vm machine goes to “couchsofa” and it is another boot2root challenge where we
have to root the VM to complete the challenge. You can download this
VM here.
Let’s Breach!!!
Let us start form getting to know the IP of VM
(Here, I have it at 192.168.1.115 but you will have to find
our own)
netdiscover
nmap -sV 192.168.1.115
We found port 80 is open so we open this ip
address in our browser.
dirb http://192.168.1.115/ -w
Inside the robots.txt we find a link to a
page.
We open this link, it leads to page that
has a story written on it.
We take a look at the source code at the and
found another link.
When we open the link we found a link on
the page.
When we open the link we are prompted for a
password.
We capture the request of this
page in burpsuite and and send it to repeater. In the response from the server,
we find another link.
When we open the link we find another page
that prompts for password.
Now we take a look at the url, it looks
like md5 so we removed the first and underscore we find something interesting.
We find that the url are actually prime
numbers converted into md5 hashes. We were at the 7 page, and the hash to that
is 17. So we convert 19(next prime number) to md5 hash.
To open the it we add “8_” in
front of the hash to complete the url. We open it in our browser and find a
page.
We take a look at the source code and find
another url.
We open it and find a custom made terminal
that uses javascript to execute certain commands.
In the ~/usr/falken/ folder we find a hint,
when we take a look at the processes we find a command that we need to run.
When we run connect falken@Erebus It prompts for password. We get a hint from the log
files that the password might be related to Joshua. In the logs we find that
his date of birth i 6th august 1984. We use cupp to create a
dictionary file.
We use burpsuite to bruteforce the
password, we find that joshua1984 is
the password.
When we login, we find a page again with
terminal.
We check the files and find a
few log files that are encoded. We use the decode command provided by the
terminal to decode the files.
There we find our next clue, we googled
trivial zero and found it was discovered by Riemann. We use cupp to create a
dictionary with the given information.
When we login we are again prompted with
another terminal.
When we look through the files we find the
md5 encoded string for the usernames. We check for processes and again find a
command.
When we crack the md5 password, we find
that these are password for the respective username.
When we login, we are again prompted with
another terminal.
Looking through the files we find username,
password and hostname.
We use these to login and find a page
greeting us for completing challenge.
0 comments:
Post a Comment