Prime: 1 is a challenging boot2root machine created by Suraj Pandey. It is designed for those who are preparing for the OSCP exam and is a great way to practice your penetration testing skills. In this blog post, I will walk you through the steps I took to root the machine, including:
- Performing a port scan to identify the open ports on the machine
- Using nmap to enumerate the services running on those ports
- Gaining a good understanding of the target machine
- How to avoid getting lost when more than one issue seems worth chasing
- Exploiting vulnerabilities to gain access
Let’s Begin!
Here is the link to Prime:1: https://www.vulnhub.com/entry/prime-1,358/#download
The only prerequisite is a pentesting OS such as Kali or Parrot.
To get the IP of Prime:1, you can use #netdiscover; make sure both machines are on the same network and can reach each other.
- A quick port scan with version detection using nmap:
Command used: #nmap -sV -A 192.168.1.16 -p-
SSH Port 22 and HTTP Port 80 Open – Check for Vulnerabilities
When scanning a server, it’s important to check the versions of SSH and HTTP running on the ports. Sometimes, there are known exploits for these versions, so it’s a good practice to check.
You can do a quick search using the searchsploit command to check for any known exploits for these versions. In this case, there are a few RCE CVEs listed for version 2.4.18 of Apache HTTP Server. I tried the Optionsbleed exploit, but the server wasn’t vulnerable to it. I moved on to check what other services were running.
- Visiting the website on port 80 would be the next step. The Prime index page just holds a picture, and the page source doesn’t have anything useful either. We will start by using wfuzz to fuzz the directories:
#wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16:80/FUZZ
Make sure to check for .txt and .php files as well:
#wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16:80/FUZZ.txt
#wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16/FUZZ.php
What we found:
- secret.txt
- dev
- index.php
- image.php
- /wordpress
Sometimes, running wpscan turns up vulnerable plugins or themes that give direct RCE; make sure to check for that, but if nothing turns up, just move ahead.
- secret.txt tells us about finding the parameter. I followed the exact technique mentioned in the GitHub link, and this is what I found:
The secret.txt file also suggested looking for location.txt. We already have another PHP file, image.php, which we found in Step 2:
- image.php is nothing but an LFI: if you pass /etc/passwd as the parameter value, you will be able to read the file:
If you look closely at the file below, you will see: “1001:1001:find password.txt file in my directory: home saket:”
So that’s what I did:
- Now, the main question was where to use this password. I tried it for SSH as saket, but it didn’t work; it did work on WordPress with the user victor:
To enumerate the authors on WordPress, I used this technique:
http://<ip/domain>/?author=1
If you keep changing that “1” to different numbers, you will find the different author usernames.
- To get a shell on the system, we can use WordPress’ PHP capabilities. WordPress can run PHP in two places: the Theme Editor and the Plugin Editor. However, you will need a writable file to do this. After searching for a while, I found a writable file called secret.php.
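Before moving on to the shell, a note from the defending side: both the file read through image.php and the ?author=N sweep above leave a clear trace in the web server's access log. The Python script below is an added example, not part of this write-up or the Prime:1 box: it runs over a few constructed Apache log lines and flags traversal or absolute-path values (including double-encoded ones) in query parameters, plus any IP that walks through several author ids. The parameter name `file` is an assumption, since the write-up does not name image.php's parameter.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-format log lines (not taken from the Prime:1 machine).
# The "file" parameter name is an assumption; the write-up does not name image.php's parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /wordpress/?author=2 HTTP/1.1" 301 0 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /wordpress/?author=3 HTTP/1.1" 404 0 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /image.php?file=../../../../etc/passwd HTTP/1.1" 200 2130 "-" "curl/7.88"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /image.php?file=%252Fetc%252Fpasswd HTTP/1.1" 200 2130 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:01 +0000] "GET /image.php?file=logo.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Absolute system paths, directory traversal and PHP stream wrappers inside a parameter value.
LFI_RE = re.compile(r'(\.\./|\.\.\\|^/etc/|^/proc/|php://|file://)', re.IGNORECASE)

def analyze(log_text, author_threshold=3):
    """Flag LFI-looking parameter values and IPs sweeping ?author=N across user ids."""
    lfi_hits = []
    author_ids = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.group("ip"), m.group("target")
        parsed = urlparse(target)
        params = parse_qs(parsed.query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                # parse_qs already decoded one layer; decode again to catch double encoding.
                decoded = unquote(value)
                if LFI_RE.search(decoded):
                    lfi_hits.append((ip, parsed.path, name, decoded))
                if name == "author" and value.isdigit():
                    author_ids[ip].add(int(value))
    enumerators = {
        ip: sorted(ids) for ip, ids in author_ids.items() if len(ids) >= author_threshold
    }
    return {"lfi": lfi_hits, "author_enum": enumerators}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("possible LFI requests:", report["lfi"])
    print("author enumeration by IP:", report["author_enum"])
```

On the sample data the single-id lookup from 10.0.0.9 and its legitimate logo.png request are not flagged; only the sweeping client and its two /etc/passwd reads are.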
I used https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet to get a reverse shell. Make sure you are listening on a port with nc (netcat).
Find the correct URL for this file; for me it was:
<ip>/wordpress/wp-content/themes/twentynineteen/secret.php
- The next step is to see what you can run as root on the system:
#sudo -l
We can run /home/saket/enc with sudo.
When you run it, it will ask for a password.
A quick search on the kernel version, 4.10.0-28-generic, shows there is a public exploit for it, so there is an easy way to root the machine.
But we still need to figure out what to do with enc. After searching through every folder for a while, I found this under /opt:
backup_password is the password.
When you open this file, you will find a reference to ippsec; the md5 of ippsec is 366a74cb3c959de17d61db30591c39d1.
Finding the correct encryption method took me some time; it is AES-256-ECB.
- You can use the password “tribute_to_ippsec” to SSH in as saket. A quick sudo -l will tell you what you can run as root:
Executing this gave a permission error on the /tmp/challenge file. This took me a while to figure out:
– Create a challenge file in /tmp: #touch /tmp/challenge
– Make sure the permissions of the challenge file match those of /home/victor/undefeated_victor
Permissions of undefeated_victor:
Setting the permissions on /tmp/challenge:
– Copy /bin/bash to /tmp/challenge (because we want a shell as root) and execute!
Finally the root flag!