Core dump overflow

Pentest lab - Primer

I’ve decided to try a VM named Primer that was recently added to VulnHub. I was hooked by the description of it being a story-driven VM that was inspired by William Gibson’s Sprawl Trilogy, which was one of my first reads in hacking literature, after I became interested in the subject! And it also provided me with a new novel to read, since I didn’t know about Snow Crash:

Concept

This is a story-based challenge written in a style heavily inspired by Neal Stephenson's Snow Crash and William Gibson's Sprawl Trilogy. Each chapter is unlocked by solving the puzzle. From hardcoded clear text javascript password checks, SQL-injections and cracking hashes to a simulated terminal. You only need to start the VM, a webserver will come up and you can connect with your browser. In fact you never have to leave the browser.

Goal

Teach some basic well known techniques and attacks. Spark some curiosity, make the user look at the source code and try to figure out what’s going on behind the scenes. The main goal is to give a nice welcoming intro to the scene and hopefully also teach something about ethics and responsibility.

After you determine the IP address of the VM, point your browser to it and you will be greeted by this:

primer level 1

Read the story, it’s a nice way to get you immersed in the challenge, and it also contains hints for solving the level.

Looking in the source, I saw this:

Some f0rms are easier than others.
This one was just a means to get to the next level so there was no need for her to apply her full set of skills or fake credentials. Manufacturing a bo0le4n response would probably be enaugh to let her pass.

Well then, following the hint, I used a classic SQLi string that would be evaluated as True: yo 'or 1=1--

primer level 2

The description points to the user agent, and when checking the source again, we can see a comment stating exactly what we need to fool the bot:

This bot was looking for a Sosū User Agent Identifier she had cracked weeks ago, easy sauce, just a simple md5 hash of the first 7 digits of
pi. It was basically common knowledge to the entities moving in these areas but obscurity does create a, albeit virtual, layer of security.

Ok..I took the first 7 digits of Pi (3.141592) and converted them to MD5, getting the string d483d00d07fcc80319d170ccf07fb5be. Then I changed my user agent to this string, and bam!

primer level 3

This time there is no hint in the source, but reading the plot description made me think about cookies, and I discovered an activeSession cookie with a value of false. Now let’s see what happens if I change it to true..

Reloaded the page..and!

primer level 4

I almost missed the hint hidden inside the tag:

<meta http-equiv="hint" content="Think, but don't act like a robot." />

This made me check if there is a robots.txt file, and there I found the next piece of the puzzle!

User-agent: *
Disallow: /4_8f14e45fceea167a5a36dedd4bea2543

primer level 5

Clicking the thing on this page that stands out will take you elsewhere.. :) you can see in the source exactly where:

<h1><a href="../5_6512bd43d9caa6e02c990b0a82652dca">[EOF]</a></h1>

primer level 6

So, the character in the story seems to be getting more and more familiar..:D Now, let’s go to the place that smells like a trap, and see what awaits us there!

primer level 7

You can see the page keeps reloading and you can’t right-click to view the source..but there are other ways! First, I entered something in the box to see what would happen:

beware

Yikes! Who knows what horrible thing we have disturbed! Better complete the rest fast! I looked at the source of the page with the view-source command:

view-source:http://192.168.80.149/6_c51ce410c124a10e0db5e4b97fc2af39/

There is JavaScript code that decides the redirection when entering something in the box. Let’s look at it:

var X;
var L="Ikdf076";
X=prompt('/()=','');
if (X === null){window.location = "./_.php";}
if (X.substr(2,7) == L){}
else {window.location = "./_.php";}

The only way not to get..noticed, is to enter something that would pass the substr() check. This method extracts parts of a string, beginning at the character at the specified position, and returns the specified number of characters. So the code is looking in our input for the string Ikdf076 starting at the third character. I entered 00Ikdf076 and penetrated deeper into the intranet!

primer level 7

Moving further, looks like another reloading page.

primer level 8

Reading the source, there is another script that we have to decipher:

<SCRIPT language="JavaScript">
var _0x5cf4=["","\x6C\x65\x6E\x67\x74\x68","\x73\x75\x62\x73\x74\x72\x69\x6E\x67","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x73\x70\x6C\x69\x74","\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x61\x62\x63\x64\x65\x66","\x6A\x6F\x69\x6E","\x68\x65\x6C\x6C\x6F","\x35\x64\x34\x31\x34\x30\x32\x61\x62\x63\x34\x62\x32\x61\x37\x36\x62\x39\x37\x31\x39\x64\x39\x31\x31\x30\x31\x37\x63\x35\x39\x32","\x30\x64\x32\x38\x63\x62\x61\x30\x62\x64\x34\x66\x32\x36\x65\x31\x36\x64\x37\x36\x36\x30\x30\x30\x64\x32\x37\x65\x34\x39\x66\x61","\xA7\x23\x2F\x24","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x2E\x2F\x5F\x2E\x70\x68\x70","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x6C\x6F\x61\x64\x69\x6E\x67","\x44\x4F\x4D\x43\x6F\x6E\x74\x65\x6E\x74\x4C\x6F\x61\x64\x65\x64","\x61\x64\x64\x45\x76\x65\x6E\x74\x4C\x69\x73\x74\x65\x6E\x65\x72","\x20\x20\x20\x20\x3C\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x20\x20\x3C\x68\x31\x3E\x5B\x2B\x2B\x51\x2B\x2B\x2B\x2B\x2B\x2B\x5D\x3C\x2F\x68\x31\x3E\x20\x20\x20\x20\x3C\x2F\x63\x65\x6E\x74\x65\x72\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x6C\x6F\x6E\x67\x65\x72\x20\x73\x75\x72\x65\x20\x77\x68\x61\x74\x20\x68\x65\x72\x20\x6F\x72\x69\x67\x69\x6E\x61\x6C\x20\x61\x73\x73\x69\x67\x6E\x6D\x65\x6E\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x2E\x20\x42\x75\x74\x20\x69\x74\x20\x64\x69\x64\x6E\x27\x74\x20\x6D\x61\x74\x74\x65\x72\x20\x61\x6E\x79\x77\x61\x79\x2E\x20\x57\x68\x61\x74\x20\x73\x74\x69\x6C\x6C\x20\x6D\x61\x74\x74\x65\x72\x65\x64\x20\x77\x61\x73\x20\x67\x65\x74\x74\x69\x6E\x67\x20\x6F\x75\x74\x20\x6F\x66\x20\x68\x65\x72\x65\x2C\x20\x61\x6C\x69\x76\x65\x2E\x20\x20\x20\x20\x20\x20\x4C\x6F\x67\x20\x6F\x75\x74\x2C\x20\x74\x65\x6C\x6C\x20\x74\x68\x65\x20\x63\x6C\x69\x65\x6E\x74\x20\x74\x6F\x20\x67\x6F\x20\x66\x75\x63\x6B\x20\x68\x69\x6D\x73\x65\x6C\x66\x20\x61\x6E\x64\x20\x67\x65\x74\x20\x61\x20\x66\x69\x78\x20\x6F\x66\x20\x6E\x30\x69\x73\x65\x20\x74\x6F\x20\x73\x68\x75\x74\x20\x6F\x66\x66\x20\x68\x65\x72\x20\x6D\x6
9\x6E\x64\x2E\x20\x52\x65\x6C\x61\x78\x20\x77\x69\x74\x68\x20\x61\x20\x6D\x69\x6E\x64\x6C\x65\x73\x73\x20\x68\x6F\x6C\x6F\x20\x66\x6C\x69\x63\x6B\x20\x61\x6E\x64\x20\x6E\x65\x76\x65\x72\x20\x6C\x6F\x6F\x6B\x20\x62\x61\x63\x6B\x20\x61\x74\x20\x74\x68\x69\x73\x20\x77\x65\x69\x72\x64\x20\x6A\x6F\x62\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x41\x20\x76\x69\x6F\x6C\x65\x6E\x74\x20\x6E\x65\x6F\x6E\x20\x66\x6C\x69\x63\x6B\x65\x72\x20\x61\x70\x70\x65\x61\x72\x65\x64\x20\x61\x74\x20\x74\x68\x65\x20\x68\x6F\x72\x69\x7A\x6F\x6E\x2E\x20\x4E\x6F\x20\x74\x68\x75\x6E\x64\x65\x72\x20\x66\x6F\x6C\x6C\x6F\x77\x65\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x73\x74\x61\x72\x65\x64\x20\x69\x6E\x20\x74\x68\x65\x20\x64\x69\x73\x74\x61\x6E\x63\x65\x20\x77\x69\x74\x68\x20\x61\x20\x62\x6C\x61\x6E\x6B\x20\x65\x78\x70\x72\x65\x73\x73\x69\x6F\x6E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x48\x65\x6C\x6C\x6F\x2C\x20\x4E\x69\x65\x76\x65\x2E\x22\x20\x41\x20\x64\x65\x65\x70\x2C\x20\x66\x65\x6D\x69\x6E\x69\x6E\x65\x2C\x20\x64\x69\x67\x69\x74\x61\x6C\x20\x76\x6F\x69\x63\x65\x20\x72\x6F\x61\x72\x65\x64\x20\x69\x6E\x20\x68\x65\x72\x20\x68\x65\x61\x64\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x46\x55\x43\x4B\x21\x20\x54\x68\x69\x73\x20\x77\x61\x73\x20\x68\x65\x72\x20\x72\x65\x61\x6C\x20\x6E\x61\x6D\x65\x2E\x20\x53\x68\x65\x20\x68\x61\x64\x6E\x27\x74\x20\x75\x73\x65\x64\x20\x69\x74\x20\x69\x6E\x20\x79\x65\x61\x72\x73\x2E\x2E\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x22\x49\x20\x77\x69\x6C\x6C\x20\x6C\x6F\x67\x6F\x75\x74\x20\x61\x6E\x64\x20\x73\x74\x6F\x70\x20\x74\x68\x69\x73\x20\x73\x68\x69\x74\x20\x72\x69\x67\x68\x74\x20\x66\x75\x63\x6B\x69\x6E\x67\x20\x6E\x6F\x77\x21\x22\x20\x53\x68\x65\x20\x73\x63\x72\x65\x61\x6D\x65\x64\x20\x69\x6E\x74\x6F\x20\x74\x68\x65\x20\x6E\x65\x6F\x6E\x20\x65\x78\x70\x61\x6E\x73\x65\x2E\x3C\x62\x72\x3E\x20\x20\x2
0\x20\x20\x20\x4E\x6F\x74\x68\x69\x6E\x67\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E\x20\x20\x20\x20\x3C\x70\x3E\x20\x20\x20\x20\x20\x20\x53\x68\x65\x20\x64\x69\x64\x6E\x27\x74\x2E\x20\x53\x6F\x6D\x65\x74\x68\x69\x6E\x67\x20\x62\x65\x73\x69\x64\x65\x20\x74\x68\x65\x20\x66\x65\x61\x72\x20\x6F\x63\x63\x75\x70\x69\x65\x64\x20\x68\x65\x72\x20\x6D\x69\x6E\x64\x2E\x20\x49\x74\x20\x68\x61\x64\x20\x62\x65\x65\x6E\x20\x74\x68\x65\x72\x65\x20\x73\x69\x6E\x63\x65\x20\x74\x68\x65\x20\x73\x65\x63\x6F\x6E\x64\x20\x6E\x6F\x64\x65\x20\x61\x6E\x64\x20\x67\x72\x65\x77\x20\x73\x74\x72\x6F\x6E\x67\x65\x72\x20\x77\x69\x74\x68\x20\x65\x76\x65\x72\x79\x20\x6D\x6F\x76\x65\x2E\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x61\x20\x70\x61\x74\x74\x65\x72\x6E\x20\x69\x6E\x20\x74\x68\x65\x20\x70\x61\x74\x68\x20\x73\x68\x65\x20\x68\x61\x64\x20\x74\x61\x6B\x65\x6E\x20\x74\x68\x72\x6F\x75\x67\x68\x20\x74\x68\x65\x20\x6E\x65\x74\x77\x6F\x72\x6B\x2E\x20\x41\x6E\x20\x61\x72\x74\x69\x66\x69\x63\x69\x61\x6C\x20\x70\x61\x74\x74\x65\x72\x6E\x2C\x20\x6C\x61\x79\x65\x64\x20\x6F\x75\x74\x20\x62\x79\x20\x73\x6F\x6D\x65\x6F\x6E\x65\x20\x6F\x72\x20\x73\x6F\x6D\x65\x74\x68\x69\x6E\x67\x2E\x3C\x62\x72\x3E\x20\x20\x20\x20\x20\x20\x54\x68\x65\x72\x65\x20\x77\x61\x73\x20\x6E\x6F\x20\x68\x69\x6E\x74\x2C\x20\x6E\x6F\x20\x6F\x62\x76\x69\x6F\x75\x73\x20\x73\x74\x65\x70\x2E\x20\x46\x69\x6E\x64\x69\x6E\x67\x20\x74\x68\x65\x20\x6E\x65\x78\x74\x20\x6E\x6F\x64\x65\x20\x77\x6F\x75\x6C\x64\x20\x62\x65\x20\x74\x68\x65\x20\x63\x68\x61\x6C\x6C\x65\x6E\x67\x65\x2C\x20\x6F\x72\x20\x6D\x61\x79\x62\x65\x20\x6D\x6F\x72\x65\x20\x6C\x69\x6B\x65\x20\x61\x20\x74\x65\x73\x74\x2E\x20\x20\x20\x20\x3C\x2F\x70\x3E","\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x66\x6F\x6F","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64"];

  /*"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and..." - The Plague*/

function md5cycle(_0xf6a0x2,_0xf6a0x3){var _0xf6a0x4=_0xf6a0x2[0],_0xf6a0x5=_0xf6a0x2[1],_0xf6a0x6=_0xf6a0x2[2],_0xf6a0x7=_0xf6a0x2[3];_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],7,-680876936);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[1],12,-389564586);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],17,606105819);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[3],22,-1044525330);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],7,-176418897);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[5],12,1200080426);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],17,-1473231341);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[7],22,-45705983);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],7,1770035416);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[9],12,-1958414417);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],17,-42063);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[11],22,-1990404162);_0xf6a0x4=ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],7,1804603682);_0xf6a0x7=ff(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[13],12,-40341101);_0xf6a0x6=ff(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],17,-1502002290);_0xf6a0x5=ff(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[15],22,1236535329);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],5,-165796510);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[6],9,-1069501632);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],14,643717713);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[0],20,-373897302);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],5,-701558691);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[10],9,38016083);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],14,-660478335);_0xf6
a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[4],20,-405537848);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],5,568446438);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[14],9,-1019803690);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],14,-187363961);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[8],20,1163531501);_0xf6a0x4=gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],5,-1444681467);_0xf6a0x7=gg(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[2],9,-51403784);_0xf6a0x6=gg(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],14,1735328473);_0xf6a0x5=gg(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[12],20,-1926607734);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[5],4,-378558);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[8],11,-2022574463);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[11],16,1839030562);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[14],23,-35309556);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[1],4,-1530992060);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[4],11,1272893353);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[7],16,-155497632);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[10],23,-1094730640);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[13],4,681279174);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[0],11,-358537222);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[3],16,-722521979);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[6],23,76029189);_0xf6a0x4=hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[9],4,-640364487);_0xf6a0x7=hh(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[12],11,-421815835);_0xf6a0x6=hh(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[15],16,530742520);_0xf6a0x5=hh(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[2
],23,-995338651);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[0],6,-198630844);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[7],10,1126891415);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[14],15,-1416354905);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[5],21,-57434055);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[12],6,1700485571);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[3],10,-1894986606);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[10],15,-1051523);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[1],21,-2054922799);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[8],6,1873313359);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[15],10,-30611744);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[6],15,-1560198380);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[13],21,1309151649);_0xf6a0x4=ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x3[4],6,-145523070);_0xf6a0x7=ii(_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x3[11],10,-1120210379);_0xf6a0x6=ii(_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x3[2],15,718787259);_0xf6a0x5=ii(_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x4,_0xf6a0x3[9],21,-343485551);_0xf6a0x2[0]=add32(_0xf6a0x4,_0xf6a0x2[0]);_0xf6a0x2[1]=add32(_0xf6a0x5,_0xf6a0x2[1]);_0xf6a0x2[2]=add32(_0xf6a0x6,_0xf6a0x2[2]);_0xf6a0x2[3]=add32(_0xf6a0x7,_0xf6a0x2[3]);}function cmn(_0xf6a0x9,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){_0xf6a0x4=add32(add32(_0xf6a0x4,_0xf6a0x9),add32(_0xf6a0x2,_0xf6a0xb));return add32((_0xf6a0x4<<_0xf6a0xa)|(_0xf6a0x4>>>(32-_0xf6a0xa)),_0xf6a0x5);}function ff(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn((_0xf6a0x5&_0xf6a0x6)|((~_0xf6a0x5)&_0xf6a0x7),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function gg(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return 
cmn((_0xf6a0x5&_0xf6a0x7)|(_0xf6a0x6&(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function hh(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn(_0xf6a0x5^_0xf6a0x6^_0xf6a0x7,_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function ii(_0xf6a0x4,_0xf6a0x5,_0xf6a0x6,_0xf6a0x7,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb){return cmn(_0xf6a0x6^(_0xf6a0x5|(~_0xf6a0x7)),_0xf6a0x4,_0xf6a0x5,_0xf6a0x2,_0xf6a0xa,_0xf6a0xb)}function md51(_0xf6a0xa){txt=_0x5cf4[0];var _0xf6a0x11=_0xf6a0xa[_0x5cf4[1]],_0xf6a0x12=[1732584193,-271733879,-1732584194,271733878],_0xf6a0x13;for(_0xf6a0x13=64;_0xf6a0x13<=_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13+=64){md5cycle(_0xf6a0x12,md5blk(_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64,_0xf6a0x13)))};_0xf6a0xa=_0xf6a0xa[_0x5cf4[2]](_0xf6a0x13-64);var _0xf6a0x14=[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0];for(_0xf6a0x13=0;_0xf6a0x13<_0xf6a0xa[_0x5cf4[1]];_0xf6a0x13++){_0xf6a0x14[_0xf6a0x13>>2]|=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)<<((_0xf6a0x13%4)<<3)};_0xf6a0x14[_0xf6a0x13>>2]|=0x80<<((_0xf6a0x13%4)<<3);if(_0xf6a0x13>55){md5cycle(_0xf6a0x12,_0xf6a0x14);for(_0xf6a0x13=0;_0xf6a0x13<16;_0xf6a0x13++){_0xf6a0x14[_0xf6a0x13]=0};};_0xf6a0x14[14]=_0xf6a0x11*8;md5cycle(_0xf6a0x12,_0xf6a0x14);return _0xf6a0x12;}function md5blk(_0xf6a0xa){var _0xf6a0x16=[],_0xf6a0x13;for(_0xf6a0x13=0;_0xf6a0x13<64;_0xf6a0x13+=4){_0xf6a0x16[_0xf6a0x13>>2]=_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+1)<<8)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+2)<<16)+(_0xf6a0xa[_0x5cf4[3]](_0xf6a0x13+3)<<24)};return _0xf6a0x16;}var hex_chr=_0x5cf4[5][_0x5cf4[4]](_0x5cf4[0]);function rhex(_0xf6a0x11){var _0xf6a0xa=_0x5cf4[0],_0xf6a0x19=0;for(;_0xf6a0x19<4;_0xf6a0x19++){_0xf6a0xa+=hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8+4))&0x0F]+hex_chr[(_0xf6a0x11>>(_0xf6a0x19*8))&0x0F]};return _0xf6a0xa;}function hex(_0xf6a0x2){for(var _0xf6a0x13=0;_0xf6a0x13<_0xf6a0x2[_0x5cf4[1]];_0xf6a0x13++){_0xf6a0x2[_0xf6a0x13]=rhex(_0xf6a0x2[_0xf6a0x13])};return 
_0xf6a0x2[_0x5cf4[6]](_0x5cf4[0]);}function md5(_0xf6a0xa){return hex(md51(_0xf6a0xa))}function add32(_0xf6a0x4,_0xf6a0x5){return (_0xf6a0x4+_0xf6a0x5)&0xFFFFFFFF}if(md5(_0x5cf4[7])!=_0x5cf4[8]){function add32(_0xf6a0x2,_0xf6a0x1d){var _0xf6a0x1e=(_0xf6a0x2&0xFFFF)+(_0xf6a0x1d&0xFFFF),_0xf6a0x1f=(_0xf6a0x2>>16)+(_0xf6a0x1d>>16)+(_0xf6a0x1e>>16);return (_0xf6a0x1f<<16)|(_0xf6a0x1e&0xFFFF);}};var X;var L=_0x5cf4[9];X=prompt(_0x5cf4[10],_0x5cf4[0]);X=md5(X);if(X===null){window[_0x5cf4[11]]=_0x5cf4[12]};if(X==L){}else {window[_0x5cf4[11]]=_0x5cf4[12]};function ready(_0xf6a0x23){if(document[_0x5cf4[13]]!=_0x5cf4[14]){_0xf6a0x23()}else {document[_0x5cf4[16]](_0x5cf4[15],_0xf6a0x23)}}ready(function(){var _0xf6a0x24=_0x5cf4[17];document[_0x5cf4[20]](_0x5cf4[19])[_0x5cf4[18]]=_0xf6a0x24;});

</SCRIPT>

Now this is exactly the code that any sane person would like to read! Thankfully, you don’t need to read it, although the comment sure is interesting! I printed the contents of the _0x5cf4 variable and there was a lot to see, but I only show the important part:

[ '',
  'length',
  'substring',
  'charCodeAt',
  'split',
  '0123456789abcdef',
  'join',
  'hello',
  '5d41402abc4b2a76b9719d911017c592',
  '0d28cba0bd4f26e16d766000d27e49fa',
  '§#/$',
  'location',
  './_.php',
...

I cracked those MD5 hashes, first is hello and second is GOD…so let’s say hello in the input box! I tried “helloGOD” but that just got me to another scary red page. Entering just “GOD” worked though!
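The array dump above can also be produced statically, without running any of the page's script. The following is an added example, not part of the original post or the VM: it parses the `\xHH` string array as text and inlines every `_0x5cf4[n]` reference so the comparison becomes readable. The sample input is rebuilt from the first 13 decoded entries shown above plus the prompt/compare tail of the script; the function names are illustrative.

```javascript
// Added example: static de-obfuscation of a "string array" script.
// The array literal is parsed as text; nothing from the page is eval()'d.

// Decode \xHH, \uHHHH and simple one-character escapes inside a literal body.
function decodeEscapes(body) {
  const simple = { n: '\n', t: '\t', r: '\r' };
  return body.replace(/\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|(.))/g,
    (_, x, u, ch) => (x || u) ? String.fromCharCode(parseInt(x || u, 16))
                              : (simple[ch] ?? ch));
}

// Locate `var _0xNAME=["...","..."]` and return its name, decoded entries and end offset.
function extractStringArray(source) {
  const head = /var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[/.exec(source);
  if (!head) return null;
  // Sticky regex: one double-quoted literal (with optional comma) or the closing bracket.
  const token = /\s*(?:"((?:\\.|[^"\\])*)"\s*,?|(\]))/y;
  token.lastIndex = head.index + head[0].length;
  const strings = [];
  for (;;) {
    const t = token.exec(source);
    if (!t) return null;               // not a plain array of string literals
    if (t[2]) break;                   // reached the closing bracket
    strings.push(decodeEscapes(t[1]));
  }
  return { name: head[1], strings, end: token.lastIndex };
}

// Replace NAME[n] with the decoded literal, then turn obj["prop"] into obj.prop.
function inlineStringArray(source) {
  const arr = extractStringArray(source);
  if (!arr) return { strings: [], code: source };
  const ref = new RegExp('(?<![\\w$])' + arr.name + '\\[(\\d+)\\]', 'g');
  let code = source.slice(arr.end).replace(/^\s*;/, '');
  code = code.replace(ref, (whole, i) =>
    Number(i) < arr.strings.length ? JSON.stringify(arr.strings[Number(i)]) : whole);
  code = code.replace(/(?<=[\w$\])])\[\s*"([A-Za-z_$][\w$]*)"\s*\]/g, '.$1');
  return { strings: arr.strings, code };
}

// Anything shaped like an MD5 digest is visible to every visitor of the page.
function findHashLiterals(strings) {
  return strings.filter((s) => /^[0-9a-f]{32}$/i.test(s));
}

// Constructed sample: the decoded entries listed in the post, re-escaped as \xHH,
// followed by the prompt/compare tail of the level's script.
const DECODED = ['', 'length', 'substring', 'charCodeAt', 'split', '0123456789abcdef',
  'join', 'hello', '5d41402abc4b2a76b9719d911017c592',
  '0d28cba0bd4f26e16d766000d27e49fa', '\u00a7#/$', 'location', './_.php'];
const hexEscape = (s) => [...s].map((c) =>
  '\\x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0')).join('');
const SAMPLE =
  'var _0x5cf4=[' + DECODED.map((s) => '"' + hexEscape(s) + '"').join(',') + '];' +
  'var X;var L=_0x5cf4[9];X=prompt(_0x5cf4[10],_0x5cf4[0]);X=md5(X);' +
  'if(X===null){window[_0x5cf4[11]]=_0x5cf4[12]};' +
  'if(X==L){}else {window[_0x5cf4[11]]=_0x5cf4[12]};';

const result = inlineStringArray(SAMPLE);
console.log(result.code);
console.log(findHashLiterals(result.strings));
```

The readable output shows that the whole check is a client-side comparison against an unsalted MD5 constant shipped in the page, which is why obfuscation adds no protection here.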

primer level 8

If you glanced at the URL formats beginning at the second challenge, you probably noticed they begin with a number for the level, that keeps going up as you progress (1,2,3 etc.), an underscore, and then what looks like an MD5 hash! I copied all of them to an online cracking site, and here is the pattern:

1st node = 2

2nd = 3

3rd = 5

4th = 7

5th = 11

6th = 13

7th = 17

Following this, I surmised that the next one would be 19, because from the order it appears that next increase should be by 2. The order being: 1st to 2nd: +1 –> 2nd to 3rd: +2 –> 3rd to 4th: +2 –> 4th to 5th: +4 –> 5th to 6th: +2 –> 6th to 7th: +4. So I constructed the URL for the next level with the hashed value of 19, like this: 8_1f0e3dad99908345f7439f8ffabdffc4/.
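The recovered values 2, 3, 5, 7, 11, 13, 17 are the first seven primes, which also gives 19 as the next one. The lookup done on the cracking site can be reproduced offline; the following is an added example (not from the original post), using the three level paths quoted earlier in the write-up, with illustrative function names. For a defender the point is that an unsalted hash of a small counter is not a secret, so such paths provide no access control.

```javascript
// Added example: why "<level>_<md5>" paths are predictable.
const nodeCrypto = require('crypto');

const md5hex = (s) => nodeCrypto.createHash('md5').update(String(s)).digest('hex');

// Reverse lookup table for md5(String(n)), n = 0..limit.
function buildTable(limit) {
  const table = new Map();
  for (let n = 0; n <= limit; n++) table.set(md5hex(n), n);
  return table;
}

// Split "4_8f14..." into level and hash, and resolve the hash to its integer preimage.
function resolvePath(path, table) {
  const m = /^(\d+)_([0-9a-f]{32})\/?$/.exec(path);
  if (!m) return null;
  const value = table.get(m[2]);
  return { level: Number(m[1]), hash: m[2], value: value === undefined ? null : value };
}

function isPrime(n) {
  if (n < 2) return false;
  for (let d = 2; d * d <= n; d++) if (n % d === 0) return false;
  return true;
}

function nextPrime(n) {
  let c = n + 1;
  while (!isPrime(c)) c++;
  return c;
}

// Check the "one prime per level" hypothesis on the observed paths, then extrapolate.
function predictPath(observedPaths, targetLevel, limit = 10000) {
  const table = buildTable(limit);
  const nodes = observedPaths.map((p) => resolvePath(p, table));
  if (nodes.length === 0 || nodes.some((n) => n === null || n.value === null)) return null;
  nodes.sort((a, b) => a.level - b.level);
  for (let i = 0; i < nodes.length; i++) {
    if (!isPrime(nodes[i].value)) return null;
    if (i > 0) {
      let expected = nodes[i - 1].value;
      for (let l = nodes[i - 1].level; l < nodes[i].level; l++) expected = nextPrime(expected);
      if (expected !== nodes[i].value) return null;   // pattern does not hold
    }
  }
  const last = nodes[nodes.length - 1];
  if (targetLevel <= last.level) return null;
  let value = last.value;
  for (let l = last.level; l < targetLevel; l++) value = nextPrime(value);
  return `${targetLevel}_${md5hex(value)}`;
}

// Paths quoted in the post (robots.txt, the [EOF] link, the view-source URL).
const OBSERVED = [
  '4_8f14e45fceea167a5a36dedd4bea2543',
  '5_6512bd43d9caa6e02c990b0a82652dca',
  '6_c51ce410c124a10e0db5e4b97fc2af39',
];

const lookup = buildTable(100);
console.log(OBSERVED.map((p) => resolvePath(p, lookup).value));
console.log(predictPath(OBSERVED, 8));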

primer level 9

By now we know enough to click on the big EOF link :D

primer level 10

What’s this? It looks like a terminal prompt. I entered whoami in it:

primer complete

Hmmm, scary :D I tried some other commands too:

primer cli

There is a help command:

help
[0]================================================================
 
ls [dir]
 
outputs contents of [dir]
prints contents of current directory if no [dir] is specified
 
[1]================================================================
 
cd [dir]
 
changes the current directory to [dir]
outputs current directory if no directory is specified
 
[2]================================================================
 
cat [file]
 
displays the content of [file]
 
[3]================================================================
 
ps
 
displays a list of running processes
 
[4]================================================================
 
whoami
 
displays username
 
[5]================================================================
 
clear
 
deletes terminal command history
 
[6]================================================================
 
connect [user]@[host]
 
connects to a remote host using the credentials of user
 
[7]================================================================
 
hash [type] [file|string]
 
prints the hash of a file or "string"
supported hash functions are: 
md5, sha256, sha1, whirlpool and crc32
 
[8]================================================================
 
encode|decode [type] [file|string]
 
encodes/decodes the file or "string"
supported encodings are: 
uu, gz, base64 and rot13
 
[9]================================================================
 
enrypt|decrypt [file|string] [key]
 
encrypts/decrypts the file or "string"

Next I took a closer look at the AIs…I meant users! :D

chaos

I thought they were directories but couldn’t cd to them. Then I tried cracking the names that look like long hashes of something, but no success. I looked at wintermute next:

wintermute

Same thing, the hashes didn’t yield anything. Next..

zephis

More hashes, more nothing.

willis

Some text files! Let’s read them!

cat log_0001.txt
 
3rd of July 2028

Working with Falken is amazing. He has a quick mind and is incredibly well informed on recent developements. I don't get why he left Sosu after setting up the Chaos c0re.
They must have offered him a position.
I'm not complaining here, just wondering because we are the only RnD team with unlimited funding and Falken was put in charge after all those years of absence.
---
cat log_0002.txt
 
8th of August 2028

Falken didn't show up today. I'm a bit worried because he has been strange lately.
According to the logs he's still logged in...
I haven't informed the admins yet. I don't know why...
---
cat log_0003.txt
 
10th of August 2028

The guys from the mainland called in today. Said some suits will be here tomorrow.
Apparently the Erebus Core started behaving strangely and the kill-switch didn't fire.
Chaos is still locked down. But I have a weird feeling about all this.
Falken disappearing, the incident with Erebus...

Some ominous stuff going down there! Let’s check falken:

falken

More logs!

cat log_0001.txt
 
12th of Juli 2028

My work on getting the old core up and running continues to spark doubt among my colleagues. To be fair, no-one has ever attempted to get a corrupted AI back online.
But I am confident that I can isolate the malicious parts and rescue the data lost due the crash last year.
---
cat log_0002.txt
 
6th of August 2028

I am getting nowhere fast. If we cannot make the recovery until the end of the month the project will be abandoned and the Sosu core locked down.
A frozen BLOB, lost potential. I won't let that happen!
Today was Joshua's birthday. 44 years, time flies. We spent some time in a bar in Shenzen and talked. A nice Father-Son-Momement. I've missed those.
It took my mind of things but now that I'm here at the desk it all comes back.
I might have to make a bold move...

Well, clearly something went wrong. Restoring a corrupt AI doesn’t sound like the best idea. I’m getting more curious about this story! :D I checked the running processes next:

ps

Trying anything with the c0re command gave me an access denied error, but the connect looks interesting! I tried it, but it asked for a password. Damn! At this point, I tried many passwords, trying to glue information from the logs and also tried the previously hinted passwords. It actually took me a long time to score the right one, I had overlooked an easy one! Most of my tries revolved around joshua and something else, but it took me a while to realize I can figure out Joshua’s birth date because both his age and the year of the log are given. So 2028 – 44 = 1984! (no special significance for that, huh :D). So when I tried joshua1984, the screen changed..and we are on Erebus!

erebus

The commands are the same as on the previous host, so let’s check the users:

ls /usr
[wintermute] [mccarthy] [falken] 

More unintelligible hashes in wintermute, mccarthy looks empty, but Falken has left us more logs :D

ls falken
log_0001._ log_0002._ log_0003._ log_0004._ 

cat log_0001._
 
OXRoIG9mIEF1Z3VzdCAyMDI4CgpJIGhhdmUgam9pbmVkIHRoZSBuZXR3b3JrIGZyb20gaG9tZSBhbmQgY29ubmVjdGVkIHRvIHRoZSBFcmVidXMgc2VydmVyLiBJIHdpbGwgY29udGludWUgbXkgd29yayBmcm9tIGhlcmUgYnV0IEkgd2lsbCBoYXZlIHRvIGJlIG1vcmUgY2FyZWZ1bC4KTm93LCBFcmVidXMgd2FzIHRoZSBzZWNvbmQgQUkgaW5zdGFsbGVkIGFmdGVyIENoYW9zLiBJIHdhc24ndCBwYXJ0IG9mIHRoZSB0ZWFtIGJ1dCBtb3N0IG9mIHRoZSBtZW1iZXJzIHdlcmUgbXkgZnJpZW5kcywgc28gSSBrbm93IG15IHdheSBhcm91bmQgaGVyZS4K

Uh-oh, this time it won’t be so easy to read them. But it doesn’t look as daunting as the ones I couldn’t crack..sure enough, it turns out a base64 decode will do the trick! It was faster for me to feed the strings into an online decoder, but you can use the decode command on the server too. Here are the decoded logs:

9th of August 2028 

I have joined the network from home and connected to the Erebus server. I will continue my work from here but I will have to be more careful. Now, Erebus was the second AI installed after Chaos. I wasn't part of the team but most of the members were my friends, so I know my way around here. 

10th of August 2028 

Ok, the problem I have with the Chaos c0re is that it's source is shifting too fast. Every time I execute a small part it breaks down or begins to morph and grow in order to replicate functions of different parts. The signaling is also going crazy even on segments that are relatively stable. Signaling to disconnected parts! And reactions to responses that would have but definitely have not been sent... Am I going crazy or is Chaos experiencing phantom pain?

Trying to read the 3rd and 4th logs kicked me out of the terminal or something..after reconnecting, I looked at the running processes:

ps
USER     PID    CPU    MEM   COMMAND
root     3251   5.2    3.9    connect falken@TrivialZ3r0
root     2677   33.8   43.8   c0re -t Erebus
nieve    84687  0.8    0.5    ps

Cool, let’s follow in Falken’s footsteps..uhm, connects. I tried, but the password I had wasn’t good! After more password guessing, I figured something suspicious is preventing me from reading the last logs. Also, all those decoding commands on the server must have been given for a reason! It’s funny, but if I had just used them from the beginning instead of going to external sites, I might have progressed faster. Anyway, only after I verified that I could read the first 2 logs with the decode command, instead of pasting the strings inside to an online decoder, I thought I should try using it for the remaining logs as well. I cycled through the options until the one that hit the jackpot!

decode gz log_0003._
 
12th of August 2028

I think they might be on to me and I can only change the encoding so often.
I will have to do something reckless... but not from here, they are already too close

So it’s Falken messing around that is hindering us..but it seems someone else is after him as well? I tried the same thing with the last log:

decode gz log_0004._
 
PCH ybnq vapernfrq abgvprnoyl, fbzrguvat vf tbvat gb unccra naq V jvyy abg or nebhaq gb jvgarff... GevivnyM3e0 frrzf gb or dhvrg, qba'g xabj jung'f tbvat ba bire gurer ohg vg pna'g or jbefr guna orvat genprq qbja ol znvaynaq fcbbxf. Svefg V arrq fbzr perqf, gubhtu. Uzz, GevivnyM3e0... gung erzvaqf zr bs fbzrbar, yrg'f whfg ubcr gubfr thlf nera'g zngu trrxf.

That looks like ROT13 to me, and thankfully, we can decode it:

decode rot13 "PCH ybnq vapernfrq abgvprnoyl, fbzrguvat vf tbvat gb unccra naq V jvyy abg or nebhaq gb jvgarff... GevivnyM3e0 frrzf gb or dhvrg, qba'g xabj jung'f tbvat ba bire gurer ohg vg pna'g or jbefr guna orvat genprq qbja ol znvaynaq fcbbxf. Svefg V arrq fbzr perqf, gubhtu. Uzz, GevivnyM3e0... gung erzvaqf zr bs fbzrbar, yrg'f whfg ubcr gubfr thlf nera'g zngu trrxf."
 
CPU load increased noticeably, something is going to happen and I will not be around to witness... TrivialZ3r0 seems to be quiet, don't know what's going on over there but it can't be worse than being traced down by mainland spooks. First I need some creds, though. Hmm, TrivialZ3r0... that reminds me of someone, let's just hope those guys aren't math geeks.
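The Erebus logs above are plain encodings stacked on each other (base64 for the first logs, gz and then ROT13 for the last one). The following is an added example, not part of the original post, that peels such layers offline instead of cycling through the `decode` options by hand. The detection heuristics and word list are assumptions of this example, and the gz input is constructed here because the post does not show the compressed bytes.

```javascript
// Added example: identify and remove stacked base64 / gzip / ROT13 layers.
const nodeZlib = require('zlib');

function rot13(text) {
  return text.replace(/[A-Za-z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode((c.charCodeAt(0) - base + 13) % 26 + base);
  });
}

// Crude "is this English?" score: number of very common words present.
const COMMON = new Set(['the', 'and', 'to', 'of', 'is', 'in', 'it', 'be', 'not',
  'will', 'that', 'for', 'was', 'have', 'on', 'with']);
function englishScore(text) {
  return text.toLowerCase().split(/[^a-z']+/).filter((w) => COMMON.has(w)).length;
}

// gzip streams start with 1f 8b and compression method 8 (deflate).
const isGzip = (buf) => buf.length >= 3 && buf[0] === 0x1f && buf[1] === 0x8b && buf[2] === 8;

function printableRatio(buf) {
  if (buf.length === 0) return 0;
  let ok = 0;
  for (const b of buf) if (b === 9 || b === 10 || b === 13 || (b >= 32 && b <= 126)) ok++;
  return ok / buf.length;
}

// Return the decoded bytes if the text is plausibly base64, else null.
function tryBase64(text) {
  const trimmed = text.trim();
  if (/[ \t]/.test(trimmed)) return null;            // prose has spaces, base64 does not
  const compact = trimmed.replace(/\s+/g, '');
  if (compact.length < 16 || compact.length % 4 !== 0) return null;
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(compact)) return null;
  const out = Buffer.from(compact, 'base64');
  return (isGzip(out) || printableRatio(out) >= 0.9) ? out : null;
}

// Peel layers until nothing recognisable is left; report what was removed, in order.
function peelLayers(input, maxDepth = 8) {
  let buf = Buffer.isBuffer(input) ? input : Buffer.from(input, 'utf8');
  const layers = [];
  while (layers.length < maxDepth) {
    if (isGzip(buf)) { buf = nodeZlib.gunzipSync(buf); layers.push('gz'); continue; }
    const text = buf.toString('utf8');
    const b64 = tryBase64(text);
    if (b64) { buf = b64; layers.push('base64'); continue; }
    const rotated = rot13(text);
    if (englishScore(rotated) >= 2 && englishScore(rotated) > englishScore(text)) {
      buf = Buffer.from(rotated, 'utf8'); layers.push('rot13'); continue;
    }
    break;
  }
  return { layers, text: buf.toString('utf8') };
}

// First 24 characters of log_0001._ as shown in the post.
const B64_SAMPLE = 'OXRoIG9mIEF1Z3VzdCAyMDI4';
// First sentence of the ROT13 text from log_0004._, gzip-compressed here (constructed).
const ROT13_SAMPLE = 'PCH ybnq vapernfrq abgvprnoyl, fbzrguvat vf tbvat gb unccra ' +
  'naq V jvyy abg or nebhaq gb jvgarff...';
const GZ_ROT13_SAMPLE = nodeZlib.gzipSync(Buffer.from(ROT13_SAMPLE, 'utf8'));

console.log(peelLayers(B64_SAMPLE));
console.log(peelLayers(GZ_ROT13_SAMPLE));
```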

I followed the hint that Falken left us and googled for “trivial zero”. This returned info about a Riemann zeta function and I stopped reading after that because..well, it looked complicated, and I thought I already had a good candidate for the password :D I tried connecting again, this time gave Riemann as password..new host, new things to do!

trivialzero

This one is a bit different, instead of a user folder, there is a password folder:

ls /passwd
falken chaos mccarthy 

cat falken
 
61ea1974dd974297913b1fa2f0470d26
 
cat chaos
 
85241de03d1254ac40274b02caafcd99
 
cat mccarthy
 
f74bfa0e35e5089a0bb743a893b4c7e3

All right, let’s get cracking! In the meantime, I looked for where to next:

ps
USER     PID    CPU    MEM   COMMAND
root     3251   4.5    2.9    connect chaos@Wintermute
falken   2005   75.3   73.6   c0re -t Chaos
root     2677   87.1   43.2   c0re -t TrivialZ3r0
nieve    26588  0.5    0.5    ps

So it seems we will have to connect as chaos for the next one. I went to HashKiller and cracked the hashes as follows: Falken: Riemann (we already know), Chaos: 2.718281828459045 (wouldn’t have guessed this one! If you are curious, this is a mathematical constant known as Euler’s Number). Couldn’t crack McCarthy’s. But we have enough to pay Wintermute a visit:

Wintermute

Uhm, there are no more breadcrumbs to follow..and why is there a file called nieve in here? Uh-oh..

the end

An invitation from the AIs! Much better than a squad of hired assassins that would erase all the tracks of this unfortunate hacker..well then, let’s see what awaits on the other side!

credits

This was such a great VM, one of my favorites! It required less technical know-how and more detective thinking (or story immersion). I highly recommend it, great storyline and atmosphere! Many thanks to Arne Rick for this unconventional challenge!

 _______________________________________
/ Don't hate yourself in the morning -- \
\ sleep till noon.                      /
 ---------------------------------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||