Wednesday 10 February 2016

Write Up: PRIMER 1.0.1 (chp. 6 + 7)

PRIMER is a vulnerable VM developed by Arne Rick featured on Vulnhub. It can be found hereIf you intend to complete this VM yourself then this write up will spoil it for you. So I say in bold and caps - SPOILERS!
------------------------------------------------------------------------------------------------------

CHAPTER 6: [++Q++++++]

Chapter 6, much like chapter 5 begins with a javascript window prompt. Immediately I looked at the debugger to analyse the JS.


No hints to be found in the title of the JS prompt. The code, however was more revealing. It was clear that the JS had been obfuscated in some way, however there was some clear text.

"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and... - The Plague"


A reference to the timeless and ever accurate movie "Hackers". The four most common passwords (according to the movie) are love, sex, secret.. " Don't forget god, system operators love to use god, it's that whole male ego thing" as cereal killer says.

Well what a hint! I enter god then GOD and Im through. However thats not much fun. So I had a look at that more interesting obfuscated JS.

So I began by going to jsbeautifier.org to make use of their unpacking and deobfuscating tools. From scan reading the code, I noticed some escaped hex character codes which jsbeautifier can also take care of.


Suddenly all nice and at least readable. Theres still a large amount of obfuscated code, but none the less, allot to work with. The first var is an array of strings. At this point I guessed that the strings in this array are being used throughout the obfuscated code in some way, due to their nature; "location", "addEventListener" "DOMContentLoaded" etc.

I then read through the code, almost 500 lines, but fortunately I could gloss over most of it due to it being mostly garbage. However, at the end I discovered the function Im looking for, the window prompt function.


It appears that this is using the array thats declared on line 1 ( _0x5cf4) is key in this function.
The user input string is hashed using MD5 (on line 474) and then compared to the 9th element of _0x5cf4. If true, the window prompt is removed. 

I then went back to line 1 of the code and looked through the array for the 9th element. There I found the string "0d28cba0bd4f26e16d766000d27e49fa". This looked like an MD5 hash.
From reading the window prompt function, its clear that an un-hashed version of this string needs to be entered for it then to be hashed and compared against the relevant element in the array.

In order to reverse the hash, I navigated to hashkiller.co.uk to make use of their MD5 cracking tool. I entered the hash and got a result:


0d28cba0bd4f26e16d766000d27e49fa MD5 : GOD

This corresponds to the earlier "Hackers" hint, so it must be correct! I entered it into the window prompt and I was through.

CHAPTER 7: [KS(x)<=|(x)+4]

The story continues, the text on this page had some revealing hints. 


"There was a pattern in the path she had taken through the network. An artificial pattern, la[i]d out by someone or something. There was no hint, no obvious step. Finding the next node would be the challenge, or maybe more like a test."

This appeared to me to be hinting at the pattern of the URLs. I looked at the previous URLS, they all appeared to be MD5 hashes as well.
I again navigated to hashkiller.co.uk to crack the hashes. I entered them in the order that I had solved them. The following results were returned;

c81e728d9d4c2f636f067f89cc14862c MD5 : 2
eccbc87e4b5ce2fe28308fd9f2a7baf3 MD5 : 3
e4da3b7fbbce2345d7772b0674a318d5 MD5 : 5
8f14e45fceea167a5a36dedd4bea2543 MD5 : 7
6512bd43d9caa6e02c990b0a82652dca MD5 : 11
c51ce410c124a10e0db5e4b97fc2af39 MD5 : 13
70efdf2ec9b086079795c442636b55fb MD5 : 17


2, 3, 5, 7, 11, 13, 17.

I could immediately disregard the first number as the story also stated "It had been there since the second node".
I began to form a pattern, it quickly became apparent that there was a pattern of offsets between the numbers;

3  (+ 2)  5  (+ 2)  7  (+ 4)  11  (+ 2)  13  (+ 4)  17

2, 2, 4, 2, 4... ?2, 2, 4, 2, 4...?

:- 17 + 2 = 19


The next step was to hash the result.


I then prepended 8_ to the hash to adhere to the URL scheme and entered it into the browser. Success! On to Part 3, the final chapter!...