[PRIMER] – VulnHub #1

PRIMER is a vulnerable VM which you can find on VulnHub.Anyways,let’s get started.

First off I ran a netdiscover scan.Since I’m using VirtualBox I know the MAC Vendor,so the IP is 192.168.1.6.Screenshot from 2016-08-26 01-10-40
I ran nmap to scan for open ports and got 3 open ports,but only 2 of them were of some value.I decided to lay off SSH for now and focus on port 80 instead.
Screenshot from 2016-08-26 01-11-18

This is the webpage.I noticed the login form and tried to bypass the login via SQLi but I’ve failed.
Screenshot from 2016-08-26 01-11-25Since I didn’t manage to bypass login I peeked at the robots.txt and found a interesting discovery.
Screenshot from 2016-08-26 01-11-39
I pasted the directory in the URL bar and got this page.
Screenshot from 2016-08-26 01-11-51Which lead me to this one…
Screenshot from 2016-08-26 01-12-01The next ‘node’ was a little bit different.It was just a prompt.First thing I did was view the source and there I found the next location.

This slideshow requires JavaScript.


The next node was a prompt also but the JavaScript was obfuscated.I didn’t bother decoding it since I noticed something very nice.

This slideshow requires JavaScript.


Every directory name is crafted in a special way…A number and a MD5 hash.
4_MD5(7),5_MD5(11),6_MD5(13) and 7_MD5(17)
Using this simple algorithm I figured out the next URL,
http://192.168.1.7/9_37693cfc748049e45d87b8c7d8b9aacd/
Screenshot from 2016-08-26 01-14-11
And I was correct.
Screenshot from 2016-08-26 01-14-19Click on the [EOF] link lead me to a page that seemed like a terminal.I ran the help command to see what commands I can use.
Screenshot from 2016-08-26 01-14-35
When I ran whoami the text went corrupt and red,but I could make out ‘nieve’ from it.
Screenshot from 2016-08-26 01-14-46
I refreshed the page and took a look at the running processes.
Screenshot from 2016-08-26 01-15-02
I assumed nieve,falken,root and c0re were all SSH users so I fired up hydra and found out the password for nieve.

This slideshow requires JavaScript.


I SSH’d to the box and took a look around.
Screenshot from 2016-08-26 01-17-47I navigated to the directories I haven’t been to and finally finished at the URL, http://192.168.1.6/10_23693cff748o49r45d77b6c7d1b9afcd ,which was the end screen signalizing my victory.Hooray!

This slideshow requires JavaScript.


I gotta admit this VM was very fun and I hope you enjoyed reading my walkthrough.Thanks to VulnHub and the creator of this VM,couchsofa or Arne Rick.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s