Prime: 1 – Walkthrough for OSCP Series

Posted on

Prime: 1 is a challenging boot2root machine created by Suraj Pandey. It is designed for those who are preparing for the OSCP exam and is a great way to practice your penetration testing skills. In this blog post, I will walk you through the steps I took to root the machine, including:

  • Performing a port scan to identify the open ports on the machine
  • Using nmap to enumerate the services running on those ports
  • Gaining a good understanding of the target machine
  • how to “not” get lost if more than one issue seems to be found.
  • Exploiting vulnerabilities to gain access

Let’s Begin!

Here is the link to Prime:1 : https://www.vulnhub.com/entry/prime-1,358/#download
The Prerequisite is just to have Pentesting OS running like Kali or Parrot.
To get the IP of the Prime:1, you can use #netdiscover, make sure both of them to be on the same network/reachable to each other.

  1.  A quick port scan with version using nmap:
    Command used:

     #nmap -sV -A 192.168.1.16 -p-

    SSH Port 22 and HTTP Port 80 Open – Check for Vulnerabilities

    When scanning a server, it’s important to check the versions of SSH and HTTP running on the ports. Sometimes, there are known exploits for these versions, so it’s a good practice to check.

    You can do a quick search using the searchploit command to check for any known exploits for these versions. In this case, there are a few RCE CVEs under the version 2.4.18 of Apache HTTP Server. I tried the OPTIONBleed exploit, but the server wasn’t vulnerable to it. I moved on to check for what other services were running.

  2. Visiting the website on port 80 would be the next step. Prime website index page just holds a picture and source code also doesn’t have anything. We will start by using Wfuzz to fuzz the directories: 
    #wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16:80/FUZZ

    Make sure to check for .txt, .php files :

    #wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16:80/FUZZ.txt 

#wfuzz -w /us/share/wordlists/dirb/common.txt --hc 404 192.168.1.16/FUZZ.php

    What we found:
    secret.txt
    dev
    index.php
    image.php
    /wordpress
    Sometimes, using Wpscan command you can find plugins and themes for direct RCE, make sure to check that but if you can’t then just move ahead.

  3. Secret.txt tells us about the parameter finding:I followed the exact technique mentioned in the github link and this is what I found:
    The secret.txt file also suggested to look for location.txt:We already have another php file which is image.php which we found in Step 2:
  4. image.php is nothing but an LFI, if you put /etc/passwd, you will be able to see file:
    If you look closely in below file, you will see: “1001:1001:find password.txt file in my directory: home saket:”
    So that’s what I did:
  5. Now, the main part was where to use this password – I tried it to SSH to Saket but it didn’t work but it did work on wordpress with user victor:
    To get the authors on WordPress, I used the technique:
    http://<ip/domain>/?author=1
    If you keep changing that “1” to different numbers, you will find different author usernames
  6. To get a shell in the system, we can use WordPress’ PHP capabilities. WordPress can run PHP in two places: the Theme Editor and the Plugin Editor. However, you will need to find a writable file to do this. After searching for a while, I found a writable file called secret.php.
    I used https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to get a reverse shell. Make sure, you are listening on port using nc or netcat.
    Find the correct URL towards this file- For me it is:
    <ip>/wordpress/wp-content/themes/twentynineteen/secret.php
  7. The Next Step is to see what you can run as root in the system: 
    #sudo -l

    we can run /home/saket/enc on the system.
    When you run this, it will ask for a password.
    If you do a quick search on the kernel version, its 4.10.0-28-generic – There is an exploit for it, so there is an easy way to crack the machine.
    But we need to figure out what to do with enc.

    After searching for a while in every folder, I found this under /opt
    backup_password is the password.
    When you open this file, you will find :ippsec md5 is 366a74cb3c959de17d61db30591c39d1
    Finding the correct Encryption method took me sometime – it is : AES 256 ECB

  8. You can use “tribute_to_ippsec” password to SSH to saket.A quick sudo -l will tell you what you can run as root: Executing this gave a permission error on the /tmp/challenge file:This took me a while to figure out –
    – Create a challenge file in tmp:

    #touch /tmp/challenge

    – Make sure the permission of challenge file matches the permissions of /home/victor/undefeated_victor
    Permissions of file : undefeated_victor:
    Giving permissions to /tmp/challenge:
    – Copy /bin/bash to /tmp/challenge ( because we want shell as root) and Execute!
    Finally the root flag!

%d bloggers like this: