Primer CTF by Sahil

Security_Nerd07
6 min read, Aug 9, 2021


Hello friends! Today we are going to take a look at a CTF challenge known as Primer. The credit for making this VM goes to “Arne Rick” from VulnHub.

This VM is much like a riddle designed to teach you some basics of web pentesting.

So without further ado let’s hack!! :)

You can download the VM from here and configure it on your preferred virtualization software.

Step #1 (Find the VM’s IP using netdiscover or arp-scan)

Output:

You can identify the correct IP by running a simple “Nmap” scan on each IP.

Step #2 (Recon the available ports & services running on the target IP)

From the above scan we see that port 80 is open and served by an Apache web server, so let’s browse it!

As we can see, a nice website loads, along with a login prompt.

Step #3 (Let’s try bypassing the login using SQL injection)

We are using the following inputs:
Username = ' or 1=1 -- -
Password = admin

As we can see, after entering the SQL input into the field we successfully bypass the login, which leads us to another page!
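Why the Step #3 input works, and the fix, as an added example that is not part of the original write-up or the VM's code: the same login check is built once by string concatenation and once with bound parameters. The table, the account and the query shape are assumptions, since the page does not show the VM's backend.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- -"  # the Username value used in Step #3

def make_db():
    # Constructed table and account. Plaintext storage only keeps the demo
    # focused on query construction; real systems store salted hashes.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

def build_concatenated_query(username, password):
    # Assumed vulnerable pattern: input is pasted straight into the SQL text,
    # so a quote in the input ends the string literal early.
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")

def login_concatenated(db, username, password):
    query = build_concatenated_query(username, password)
    return db.execute(query).fetchone() is not None

def login_parameterized(db, username, password):
    # Placeholders send the values separately from the SQL text, so the quote
    # and the comment marker are compared as ordinary characters.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    # The payload closes the literal, adds an always-true OR, and comments
    # out the password comparison.
    print(build_concatenated_query(PAYLOAD, "admin"))
    print("concatenated accepts payload: ", login_concatenated(db, PAYLOAD, "admin"))
    print("parameterized accepts payload:", login_parameterized(db, PAYLOAD, "admin"))
```
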

If we look carefully at the page source we can see that it hints at some value of pi.

Step #4 (Find the first digit of pi, convert it to an MD5 hash, and add 2_ before the hash to locate the new page)

Step #5 (Check source code again & vice versa)

In the source code of the previous page we found a hint in “style.css”, which leads us to change a value in a local file, and that loads the next page for us.

Step #6 (Nothing much in the source this time but the clue word “robot”, so I immediately ran a URI scanner)

We found many directories, but robot.txt interests me the most, so let’s check that first.

And Voila! We found our next clue.

Step #7 (Found another clue in source)

The new page welcomes us with a straight clue:

When we visit the new page it has an input box, which I checked with Burp Suite Repeater to see what we can do with it!

And in the response we get the link for our next page.

Step #8 (Spot something interesting)

Since we couldn’t find any clue in the source, we check the hash values of the previous pages and can see that they are a series of prime numbers converted into MD5 hashes.

So we take the next prime number, which is “19”, convert it into an MD5 hash, and add 8_ at the start just like on the previous pages.

And here we go again!

Step #9 (Check source & repeat)

The new page welcomes us like this:

On our latest page we see a browser-based terminal, so we decide to interact with it to see what’s inside, and we find some log files related to a character called “joshua”.

We see what this system is running with the “ps” command, and interestingly we find a clue in it in the form of a command: connect falken@Erebus.

If we type connect falken@Erebus in the terminal to connect as this user, it prompts for a password. After fiddling with the available files on this system we conclude that it’s something related to “joshua”.

Step #10 (We use a tool called “cupp” to create a custom wordlist to find the right password for the connected user)

We then use Burp Suite Intruder to brute-force the password field, and after a while we finally found that “joshua1984” is the correct password, which was related to the birth date of this character, a hint from the previous log files!

We then log in and a new page welcomes us..

From the result of the ps command, I noticed that falken is connected to a server called TrivialZ3r0. I googled a bit about the server’s name, Trivial Zero, and found that it is related to the Riemann Hypothesis, so we try Riemann as the password, and bingo.

Step #11 (When we check the available files on this page we can navigate to the passwd directory, where we find hash values for 3 different characters)

From the result of the “ps” command, we can see that chaos is connected to the server Wintermute. There are 3 hashes under the “passwd” folder.

The first two can be cracked easily, but the 3rd one failed.

But it doesn’t matter; I got the password of chaos, which is 2.718281828459045.

Now I was transmitted to Wintermute!

As with the previous enumeration, ps found nothing and ls showed only one file, nieve. Open the file and the answer was that easy!

We found credentials for our next user & Voila!

I know it was a bit lengthy for a CTF, but hey, it was fun, wasn’t it? ;)
