Tuesday, February 16, 2016

Vulnhub Primer boot2root walkthrough part 1

From vulnhub.com:


This is a story based challenge written in a style heavily inspired by Neal Stephenson's Snow Crash and William Gibson's Sprawl Trilogy. Each chapter is unlocked by solving the puzzle. From hardcoded clear text JavaScript password checks, SQL injections and cracking hashes to a simulated terminal. You only need to start the VM, a webserver will come up and you can connect with your browser. In fact you never have to leave the browser.


Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what's going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.

The nmap scan:

The nikto scan:

Nikto found the /phpmyadmin/ directory. After trying a few simple passwords by hand, I got in with root:PRIMER.

I tried to insert a PHP backdoor through phpMyAdmin but never managed it. Later, when I used sqlmap to get an --os-shell, I discovered there was no writable location to put a shell in.

On to the webroot:

The main page has a form for username and password. I read the source and found:

<center>
  <form method="post" action="login.php">
    <input type="text" name="usr" value="" placeholder="Username">
    <input type="password" name="pw" value="" placeholder="Password">
    <input type="submit" name="commit" value="Login">
  </form>
</center>
<div style="color: #021D29;">
  Some f0rms are easier than others. This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enaugh to let her pass.
</div>

In the Username field I entered "' OR '1'='1';-- " (note the space after the second hyphen) and landed at URL:
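To show why that single username value produces the "bo0le4n response" the hint talks about, here is an added example that is not part of the original walkthrough or the Primer VM: an in-memory SQLite table standing in for the login database (the alice/hunter2 account is constructed), a login check that splices the form values into the SQL text the way the vulnerable login.php must, and the same check written with bound parameters. The payload string is the one from the walkthrough.

```python
import sqlite3

# Constructed sample account; it is not the VM's data.
SAMPLE_USER, SAMPLE_PW = "alice", "hunter2"

# The username value from the walkthrough, trailing space included.
PAYLOAD = "' OR '1'='1';-- "


def make_db():
    """In-memory stand-in for the database behind login.php (constructed here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (usr TEXT NOT NULL, pw TEXT NOT NULL)")
    conn.execute("INSERT INTO users (usr, pw) VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PW))
    return conn


def login_vulnerable(conn, usr, pw):
    """Builds the WHERE clause by string concatenation, the flaw the walkthrough exploits.

    With usr = "' OR '1'='1';-- " the statement that reaches the database is

        SELECT COUNT(*) FROM users WHERE usr = '' OR '1'='1';-- ' AND pw = '...'

    The always-true OR makes the row count positive and the trailing comment swallows
    the password comparison, so "is there a matching row?" is answered yes for any pw.
    """
    sql = f"SELECT COUNT(*) FROM users WHERE usr = '{usr}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, usr, pw):
    """Same check with bound parameters: the input is data, never SQL text,
    so the quote and comment characters in the payload have no meaning."""
    sql = "SELECT COUNT(*) FROM users WHERE usr = ? AND pw = ?"
    return conn.execute(sql, (usr, pw)).fetchone()[0] > 0


def compare(conn=None):
    """Run both checks against valid, wrong and injected credentials.
    Returns {case: {"vulnerable": bool, "parameterized": bool}}."""
    conn = conn or make_db()
    cases = {
        "valid": (SAMPLE_USER, SAMPLE_PW),
        "wrong_password": (SAMPLE_USER, "nope"),
        "injected": (PAYLOAD, "anything"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, u, p),
            "parameterized": login_parameterized(conn, u, p),
        }
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:15} vulnerable={outcome['vulnerable']!s:5} "
              f"parameterized={outcome['parameterized']}")
```

Only the injected case differs between the two functions: the concatenating version lets the payload in, the parameterized one treats it as a username nobody has. Parameterization fixes the injection; storing passwords in clear text, as this toy table does, is a separate problem the example does not address.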


When reading the source of this page I find:

<!-- This bot was looking for a Sosū User Agent Identifier she had cracked weeks ago, easy sauce, just a simple md5 hash of the first 7 digits of pi. It was basically common knowledge to the entities moving in these areas but obscurity does create a, albeit virtual, layer of security. -->

echo -n 3.141592 | md5sum


Since I was proxying my browser through Burp Suite, I set the Burp proxy to intercept, refreshed the page, and replaced the User-Agent header in the request with the md5sum above.

I landed at URL /2_eccbc87e4b5ce2fe28308fd9f2a7baf3/

In the page I noticed:

<p>
  Mesmerized by the experience she moved around the newly unlocked ever changing outer layer of the company network.<br>
  Diverted on a conscious level, her subconscious was working hard on finding the next piece of the puzzle.<br>
  A realisation started to form. She needed to penetrate the next circle, blocked of to unauthorized access.<br>
  But she felt a presence of something left behind. Like breadcrumbs, not intentional, but something forgotten by an incomplete piece of code to handle access.
</p>

Breadcrumbs? Could that be referring to cookies?

I refreshed the page again. Take a look at the cookie value in Burp:

I changed the Cookie: activeSession=false to true and forwarded the request.

I landed at URL /3_e4da3b7fbbce2345d7772b0674a318d5/
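The User-Agent gate on level 1 and the activeSession cookie on level 2 are the same mistake seen twice: the server decides access from a value the client chose, so one edit in Burp is enough. The added example below is not from the original walkthrough or the VM; it models both gates as small functions over a constructed request dict, then shows the server-side alternative, where the cookie only carries an unguessable session id and the "authenticated" flag lives on the server. The SessionStore class and the request dict layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# The Sosū "secret" from the level-1 source: md5 of the first 7 digits of pi.
SOSU_USER_AGENT = hashlib.md5(b"3.141592").hexdigest()


def ua_gate_vulnerable(request):
    """Level-1 style gate: access depends on a header value the client sets.
    A constant-time compare avoids one timing leak but does not change the flaw:
    anyone who knows (or computes) the constant passes."""
    ua = request["headers"].get("User-Agent", "")
    return hmac.compare_digest(ua, SOSU_USER_AGENT)


def cookie_gate_vulnerable(request):
    """Level-2 style gate: the authorization state itself travels in the cookie,
    so flipping activeSession=false to true in a proxy is all it takes."""
    return request["cookies"].get("activeSession") == "true"


class SessionStore:
    """Server-side session state (assumed design for the example).
    The cookie carries only a random id; the flag the gate reads never leaves the server."""

    def __init__(self):
        self._sessions = {}

    def create(self, authenticated):
        # 32 random bytes, URL-safe: not something a client can guess or derive.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"authenticated": authenticated}
        return sid

    def is_authenticated(self, request):
        sid = request["cookies"].get("sid", "")
        session = self._sessions.get(sid)
        # Unknown id, or a session that was never marked authenticated, is denied.
        return bool(session and session["authenticated"])


def demo():
    """Constructed requests showing that the vulnerable gates open on edited
    client values while the server-side check ignores them. Returns a dict of outcomes."""
    store = SessionStore()
    honest = {"headers": {"User-Agent": "Mozilla/5.0"},
              "cookies": {"activeSession": "false"}}
    edited = {"headers": {"User-Agent": SOSU_USER_AGENT},
              "cookies": {"activeSession": "true", "sid": "true"}}
    logged_in = {"headers": {}, "cookies": {"sid": store.create(authenticated=True)}}
    return {
        "honest_ua_gate": ua_gate_vulnerable(honest),
        "edited_ua_gate": ua_gate_vulnerable(edited),
        "honest_cookie_gate": cookie_gate_vulnerable(honest),
        "edited_cookie_gate": cookie_gate_vulnerable(edited),
        "edited_server_side": store.is_authenticated(edited),
        "logged_in_server_side": store.is_authenticated(logged_in),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'allowed' if allowed else 'denied'}")
```

The edited request passes both vulnerable gates and is denied by the server-side check: guessing a session id of "true" finds nothing in the store, and the activeSession cookie is never consulted at all.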

I viewed the page source, and in the header I saw: "Think, but don't act like a robot."

One of the first things I did when starting out at the web root was to look at robots.txt, so I already knew that the level 4 URL was listed there: Disallow: /4_8f14e45fceea167a5a36dedd4bea2543

After visiting this URL and reading the source I realized that the [ EOF ] at the bottom was a link to the next level, /5_6512bd43d9caa6e02c990b0a82652dca/.

This page has the location of the next level right out in the open:

Visiting this URL pops a JavaScript dialog, and we're unable to view the source from the browser.

Looking in the response in Burp I see that the JavaScript dialog has hidden the rest of the page. In the response source I see the URL of the next level, 7_70efdf2ec9b086079795c442636b55fb.

This page has another JavaScript prompt. Looking at the response in Burp I see what looks like a lot of obfuscated JavaScript and a hint in the middle of it.

/*"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and..." - The Plague*/

This was obviously a reference to the movie Hackers. I googled "The Plague most-used passwords" and found the answer on IMDb. The password is god.

Lowercase god didn't work, but GOD did. No need to waste time on the JavaScript. I arrived at URL /7_70efdf2ec9b086079795c442636b55fb/

The hint on this page is in the last paragraph.

"Hmmm, it had been there since the second node. An artificial pattern." I looked at the pattern of the URLs and noticed that after the level number and underscore, the rest of each URL looks like an MD5 hash. I used hash-identifier to verify that the URLs (minus the level_ prefix) were indeed MD5 hashes.

I pasted the hashes into crackstation.net and came up with the following results:

The results are all prime numbers, so the next in the sequence would be 19. The MD5 sum of 19 is 1f0e3dad99908345f7439f8ffabdffc4, so the next URL must be /8_1f0e3dad99908345f7439f8ffabdffc4.
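The crackstation lookup and the "next prime" step can be done offline in a few lines, and doing so also checks the pattern rather than assuming it. The example below is added here and is not from the original walkthrough or the VM: it takes the level URLs quoted in the post, brute-forces each digest against small decimal integers (the same thing the rainbow-table lookup did), confirms that level k unlocks with the k-th prime for every known level, and only then extrapolates the level 8 URL. The level-6 URL is not given in the post and is left out of the list; the function and variable names are my own.

```python
import hashlib

# Level URLs as quoted in the walkthrough (level 6 is not given there).
LEVEL_URLS = [
    "/2_eccbc87e4b5ce2fe28308fd9f2a7baf3/",
    "/3_e4da3b7fbbce2345d7772b0674a318d5/",
    "/4_8f14e45fceea167a5a36dedd4bea2543/",
    "/5_6512bd43d9caa6e02c990b0a82652dca/",
    "/7_70efdf2ec9b086079795c442636b55fb/",
]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_level_url(url):
    """'/7_70ef.../' -> (7, '70ef...')."""
    level, digest = url.strip("/").split("_", 1)
    return int(level), digest.lower()


def crack_small_int(digest, limit=10_000):
    """Offline stand-in for the crackstation lookup: try the decimal strings 0..limit.
    An unsalted MD5 of a small number falls instantly, which is the whole lesson of level 7."""
    for n in range(limit + 1):
        if md5_hex(str(n)) == digest:
            return n
    return None


def is_prime(n):
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def nth_prime(k):
    """1 -> 2, 2 -> 3, 3 -> 5, ... (1-indexed)."""
    count, n = 0, 1
    while count < k:
        n += 1
        if is_prime(n):
            count += 1
    return n


def level_url(level):
    """The URL the pattern predicts for a level: /<level>_md5(<level>-th prime)/."""
    return f"/{level}_{md5_hex(str(nth_prime(level)))}/"


def verify_pattern(urls):
    """Crack every known URL and confirm plaintext == nth_prime(level).
    Returns {level: prime}; raises ValueError as soon as one URL breaks the pattern,
    so a wrong guess about the sequence is caught before anything is extrapolated."""
    found = {}
    for url in urls:
        level, digest = parse_level_url(url)
        n = crack_small_int(digest)
        if n is None:
            raise ValueError(f"level {level}: {digest} is not MD5 of a small integer")
        if n != nth_prime(level):
            raise ValueError(f"level {level}: got {n}, expected {nth_prime(level)}")
        found[level] = n
    return found


def predict_next_level_url(urls):
    """Verify the pattern on the known levels, then extrapolate one level further."""
    known = verify_pattern(urls)
    return level_url(max(known) + 1)


if __name__ == "__main__":
    for level, prime in sorted(verify_pattern(LEVEL_URLS).items()):
        print(f"level {level}: md5({prime})")
    print("next:", predict_next_level_url(LEVEL_URLS))
```

The verification step is what makes this more than a guess: each cracked value has to equal the k-th prime for its level number, which also explains why level 7 is md5(17) rather than md5(13) (13 belongs to the level 6 URL the post skips). The prediction for level 8 matches the URL worked out above.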

This URL is where things really start to get interesting! Subscribe to my blog and come back for part 2, soon!

Update: As this boot2root seems to be more about a story line with hints, and less about actual security, I don't plan on finishing this one.