PRIME 1 - Vulnhub Walkthrough

Machine Info

MACHINE NAME : PRIME 1
MACHINE TYPE : LINUX
DIFFICULTY   : EASY
MACHINE IP   : 192.168.1.35
RELATED TAGS : LFI, WordPress, Leaked Credentials, Kernel Exploit, CTF Like
PLATFORM     : VULNHUB

Open Ports & Services

PORT     STATE   SERVICE   VERSION
22/tcp   open    ssh       OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open    http      Apache httpd 2.4.18 ((Ubuntu))

NOTE : both ports figure in the walkthrough: 80/tcp for the foothold and 22/tcp for the credential checks.


Initial foothold

 

Found this page via directory busting:

http://192.168.1.35/secret.txt

The text is clearly saying that some parameter points to a file called location.txt.

My instinct says it has to be a file-type parameter, but let's confirm it by fuzzing.

Since secret.txt says we need to search all the PHP pages for the correct parameter, we start with index.php.

Here is the wfuzz syntax:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.35/index.php?FUZZ=location.txt

One thing to watch: index.php itself exists, so every parameter name comes back 200 and --hc 404 hides nothing. The hit is the single request whose Chars/Words/Lines columns differ from all the others; run it once, note the size of the common (baseline) response and hide it with --hh <chars> or --hw <words> so only the odd one out is printed.

My prediction was right, and here is the result:
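The same parameter discovery written out in Python, as an added example rather than code from the original walkthrough (the wfuzz run above is what the author actually used): a fetch callable is called once with a throwaway parameter name to get the baseline body, then once per wordlist entry, and the names whose response differs from the baseline are returned. The fake_fetch stand-in, its page text and the file content it returns are all constructed so the block runs offline; http_fetch is the drop-in for a real page URL.

```python
import sys
from typing import Callable, Iterable, List
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

# A Fetch takes (parameter name, value) and returns the response body as text.
Fetch = Callable[[str, str], str]


def http_fetch(page_url: str) -> Fetch:
    """Build a Fetch for a real page such as http://192.168.1.35/index.php."""
    def fetch(param: str, value: str) -> str:
        url = f"{page_url}?{urlencode({param: value})}"
        try:
            with urlopen(url, timeout=10) as resp:
                return resp.read().decode("utf-8", errors="replace")
        except HTTPError as err:  # keep 4xx/5xx bodies, they are data too
            return err.read().decode("utf-8", errors="replace")
    return fetch


def find_live_params(fetch: Fetch, wordlist: Iterable[str], value: str) -> List[str]:
    """Return wordlist entries that change the page when sent as ?NAME=value.

    The baseline is the body for a name no application handles. Because the
    page answers 200 for any query string, the status code carries no signal
    (wfuzz --hc 404 filters nothing); what changes is the body. wfuzz's
    --hh/--hw filters approximate the same comparison with char/word counts.
    Pages with per-request content (CSRF nonces, timestamps) need that
    varying part stripped before comparing, or a length-based comparison.
    """
    baseline = fetch("zz_no_such_param_zz", value)
    return [name for name in wordlist if fetch(name, value) != baseline]


# --- constructed stand-in for the target so the block runs offline ---------
FAKE_FILES = {"location.txt": "ok you found the file"}  # constructed text
FAKE_PAGE = "<html><body>index</body></html>"            # constructed text


def fake_fetch(param: str, value: str) -> str:
    """Imitates a page that includes the file named by ?file= and ignores all else."""
    body = FAKE_PAGE
    if param == "file":
        body += FAKE_FILES.get(value, "")
    return body


if __name__ == "__main__":
    # python3 fuzz_params.py [http://host/index.php]   (no URL -> offline demo)
    target = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch
    words = ["id", "page", "name", "file", "path", "include"]
    print("candidate parameters:", find_live_params(target, words, "location.txt"))
```

Against the real box you would point it at index.php with the same common.txt wordlist wfuzz used; the value stays location.txt so that only a parameter which actually includes that file changes the body.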

 



 

Let's go to the page to view the content:

http://192.168.1.35/index.php?file=location.txt

Here is our second hint: there is a parameter called secrettier360 on some other page.

I tried this parameter on this page:

http://192.168.1.35/image.php

And it worked.

Next I used wfuzz again, this time fuzzing the value of secrettier360 rather than the parameter name, to see what can be passed to it.

We found this dev parameter.

Now let's see whether there is any LFI here, by asking for /etc/passwd through secrettier360:

LFI is present, as we can see the contents of the file.
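The flaw behind that parameter, reduced to two Python functions as an added example (the page never shows image.php's source, so this is an assumed reconstruction of the pattern, not the machine's code): read_file_vulnerable joins the user-supplied name onto the web root with no check, which is what lets a name full of ../ segments, or an absolute path, read files anywhere on disk; read_file_hardened resolves the final path and refuses anything outside the root. run_demo builds a throw-away directory tree with constructed file contents so both can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def read_file_vulnerable(web_root: str, name: str) -> str:
    """The buggy pattern: user input joined onto the web root, no validation.

    os.path.join keeps '..' segments and lets an absolute name replace the
    root entirely, exactly like PHP's include($_GET['...']).
    """
    return Path(os.path.join(web_root, name)).read_text()


def read_file_hardened(web_root: str, name: str) -> str:
    """Resolve the final path and refuse anything that is not under the root."""
    root = Path(web_root).resolve()
    target = (root / name).resolve()  # collapses '..' and follows symlinks
    if target != root and root not in target.parents:
        raise PermissionError(f"refusing to read outside {root}: {name!r}")
    return target.read_text()


def run_demo() -> dict:
    """Exercise both readers on a constructed tree; returns what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "var" / "www" / "html"
        root.mkdir(parents=True)
        (root / "location.txt").write_text("second hint")          # constructed
        secret = Path(tmp) / "home" / "saket" / "password.txt"
        secret.parent.mkdir(parents=True)
        secret.write_text("follow_the_ippsec")                     # constructed
        traversal = "../../../home/saket/password.txt"             # three levels up from html/

        results = {
            "vuln_legit": read_file_vulnerable(str(root), "location.txt"),
            "vuln_traversal": read_file_vulnerable(str(root), traversal),
            "hard_legit": read_file_hardened(str(root), "location.txt"),
        }
        for label, name in (("hard_traversal", traversal), ("hard_absolute", "/etc/passwd")):
            try:
                read_file_hardened(str(root), name)
                results[label] = "READ (bug)"
            except PermissionError:
                results[label] = "blocked"
        return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:15} {outcome}")
```

The check is done on the resolved path rather than by rejecting the substring "../", because encodings, symlinks and absolute names all get past substring filters; comparing the resolved target to the resolved root does not.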

 

The /etc/passwd we just read also carries a hint, "find password.txt in /home/saket", so we pull that file through the same LFI:

So we found a password: follow_the_ippsec

We tried SSH with saket:follow_the_ippsec, but it failed.

The same credentials on the wp-login page also failed.

Using this password with victor over SSH failed as well.

At last, victor:follow_the_ippsec worked on the wp-login page and we were logged in.

 

 

Now our aim is to get a remote shell, and I tried the theme-edit method first.

Go to Appearance > Editor and put your PHP code in any of the theme's PHP files.

This failed at first: none of the theme's PHP files were writable.

At last I found secret.php, which is writable, so we can inject our PHP code there:

I used php-reverse-shell from pentestmonkey, with $ip and $port set to the attacking machine and a netcat listener waiting on that port.

To execute the reverse shell we need to browse here: http://192.168.1.35/wordpress/wp-content/themes/twentynineteen/secret.php

And we got a reverse shell as soon as the PHP ran:

Initial Foothold Gained Successfully!

 


Privilege escalation


 

Searching for kernel exploits:

uname -a ; cat /etc/issue

Searchsploit: searchsploit linux 4.10.0-28

One of the results matched our kernel and distribution, so let's try it. Two practical checks before running any kernel exploit: make sure the exploit's listed kernel/distro versions actually cover the target (a near miss can panic the box rather than root it), and check that gcc is available on the target; otherwise compile on a matching system and copy the binary over.

Successfully Privilege Escalated to root user!
