Categories

Archives

CTF Challenges

Hack the Primer VM (CTF Challenge)

Hello friends! Today we are going to take another CTF challenge known as Primer. The credit for making this vm machine goes to “couchsofa” and it is another boot2root challenge where we have to root the VM to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.115 but you will have to find our own)

netdiscover

Use nmap for port enumeration

nmap -sV  192.168.1.115

We found port 80 is open so we open this ip address in our browser.

We use dirb to list the directories and find robots.txt

dirb http://192.168.1.115/ -w

Inside the robots.txt we find a link to a page.

We open this link, it leads to page that has a story written on it.

We take a look at the source code at the and found another link.

When we open the link, we found a link on the page.

When we open this link, we are prompted for a password.

We capture the request of this page in burpsuite and and send it to repeater. In the response from the server, we find another link.

When we open the link, we find another page that prompts for password.

Now we take a look at the url, it looks like md5 so we removed the first and underscore we find something interesting.

We find that the url are actually prime numbers converted into md5 hashes. We were at the 7 page, and the hash to that is 17. So we convert 19(next prime number) to md5 hash.

To open the it we add “8_” in front of the hash to complete the url. We open it in our browser and find a page.

We take a look at the source code and find another url.

We open it and find a custom made terminal that uses javascript to execute certain commands.

In the ~/usr/falken/ folder we find a hint, when we take a look at the processes we find a command that we need to run.

When we run connect falken@Erebus It prompts for password. We get a hint from the log files that the password might be related to Joshua. In the logs we find that his date of birth i 6th august 1984. We use cupp to create a dictionary file.

We use burpsuite to bruteforce the password, we find that joshua1984 is the password.

When we login, we find a page again with terminal.

We check the files and find a few log files that are encoded. We use the decode command provided by the terminal to decode the files.

There we find our next clue, we googled trivial zero and found it was discovered by Riemann. We use cupp to create a dictionary with the given information.

We use burpsuite to bruteforce the password and find it to be Riemann.

When we login we are again prompted with another terminal.

When we look through the files we find the md5 encoded string for the usernames. We check for processes and again find a command.

When we crack the md5 password, we find that these are password for the respective username.

When we crack the md5 password, we find that these are password for the respective username.

When we login, we are again prompted with another terminal.

Looking through the files we find username, password and hostname.

We use these to login and find a page greeting us the end of the challenge.

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here