Prime 1 — Walkthrough

Rafael Medeiros
8 min read, Apr 15, 2021

This is the tenth post of a series of posts I’m creating to study for OSCP. You can find the previous post by clicking here.

URL: https://www.vulnhub.com/entry/prime-1,358/

Release date: 1 Sep 2019

Author: Suraj Pandey

Provided description: This machine is designed for those who are trying to prepare for the OSCP or the OSCP exam.

This is the first level of the Prime series. Some help is given at every stage. The machine is lengthy, as OSCP and Hackthebox's machines are designed to be.

So you have a target to get the root flag as well as the user flag. If stuck at a point, some help is given at the enumeration level. If any extra help is needed, visit our website http://hacknpentest.com and http://hnpsecurity.com.

If some extra improvement is needed to my VM, please contact me at my email: suraj at hnpsecurity dot com.

This Virtual machine is part of the NetSecFocus list.

Vulnerabilities found:

  • Local File Inclusion
  • Sensitive Data Exposure
  • Privilege Escalation

# Scanning and Enumeration

Nmap

A basic nmap scan shows us that there are only 2 ports open:

Our attack vector looks like port 80. Let's see what we can get from that port.

Gobuster

This time I ran gobuster to check for an additional file extension, the .txt one:

gobuster dir -u http://<ipaddress> -w /usr/share/wordlists/dirb/common.txt -t 50 -x .html,.php,.txt

We have a wordpress directory to check, and this secret.txt file to read:

There is a link to follow, and it instructs us to use a fuzzing tool. Another thing to take note of is our next target, the location.txt file. Following the link, here is its content:

It teaches you how to use wfuzz, a tool designed for bruteforcing web applications. It can be used, for example, to find resources that are not linked anywhere (directories, servlets, scripts, files, etc.).

Enumerating the /wordpress directory, there is nothing special, only some default files and folders from wordpress:

There is not much more we can use for enumeration. What we have now is enough for a good start, so let's jump into the exploitation phase.

# Exploiting

After reading the link provided in the secret.txt file, I decided to test wfuzz against the initial page to see what we can find. Here is the command:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://<ipaddress>/index.php?FUZZ=something

Where:

  • -c: output with colors;
  • -w: the wordlist you are using; I'm using common.txt from wfuzz;
  • --hc: hide responses with the specified status code; in this case I don't want 404 responses;
  • --hw: hide responses with the specified number of words; in this case I had to hide all the responses with 12 words, because they were all wrong;
  • lastly, the URL itself, with the word FUZZ in the position you want to change on each request. On every request, FUZZ is replaced by the next word from the wordlist until you get a correct response or the list is exhausted.

As we can see in the image above, we found a parameter called "file". So, if we replace the word FUZZ with file in the URL we just fuzzed and request, let's say, /etc/passwd, here's what we get:

The parameter is really working! After trying to read many system files such as shadow, the HTTPd conf files and the wordpress ones, I decided to move on and fuzz the site again, but this time, instead of fuzzing the parameter name, we fuzz the file name:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://<ipaddress>/index.php?file=FUZZ.txt

Note the difference from the previous command: now we are fuzzing the file, not the parameter! And look what we got here, the file we saw in the secret.txt file. I wish I had tried this file before doing all of this work :/
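From the defender's side, the two wfuzz runs and the ?file=/etc/passwd request described above leave a distinctive trace in the web server's access log. This added Python example (not code from the walkthrough) parses constructed combined-format log lines and flags both patterns: one client sending many distinct parameter names to a single script, and parameter values carrying file-inclusion markers.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlparse

# Apache/nginx "combined" access log: ip - - [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameter values that point at a file-inclusion attempt (what ?file=/etc/passwd looks like in the log)
LFI_MARKERS = ("../", "/etc/passwd", "/etc/shadow", "php://", "/proc/self")

def parse_line(line):
    """Return ip, path, status and the percent-decoded query parameters of one line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {"ip": m.group("ip"), "path": url.path, "status": int(m.group("status")),
            "params": parse_qsl(url.query, keep_blank_values=True)}  # parse_qsl decodes %2F etc.

def detect(lines, fuzz_threshold=5):
    """Return (lfi_hits, fuzz_sources).
    lfi_hits: (ip, path, param, value, status) for every value carrying an LFI marker.
    fuzz_sources: {(ip, path): n} when one client sent n >= fuzz_threshold distinct
    parameter names to one script, which is what a wfuzz ?FUZZ=something sweep leaves behind."""
    lfi_hits, names_seen = [], defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if any(marker in value for marker in LFI_MARKERS):
                lfi_hits.append((rec["ip"], rec["path"], name, value, rec["status"]))
    fuzz_sources = {k: len(v) for k, v in names_seen.items() if len(v) >= fuzz_threshold}
    return lfi_hits, fuzz_sources

# Constructed sample log (not a real capture): one normal visit, a wfuzz-style parameter sweep,
# then two file-inclusion probes. Parameter names are made up except "file", which the walkthrough found.
SAMPLE_LOG = (
    ['192.0.2.10 - - [15/Apr/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1523']
    + [f'198.51.100.7 - - [15/Apr/2021:10:01:0{i} +0000] "GET /index.php?{w}=something HTTP/1.1" 200 1523'
       for i, w in enumerate(["admin", "backup", "cgi", "data", "dev", "file"])]
    + ['198.51.100.7 - - [15/Apr/2021:10:02:00 +0000] "GET /index.php?file=/etc/passwd HTTP/1.1" 200 2890',
       '198.51.100.7 - - [15/Apr/2021:10:02:05 +0000] "GET /image.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 3100']
)

if __name__ == "__main__":
    hits, fuzzers = detect(SAMPLE_LOG)
    print("LFI attempts:", hits, "\nparameter fuzzing (ip, path) -> names:", fuzzers)
```

In a real deployment the threshold and the time window would be tuned to the site; here the whole sample is treated as one window.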

Let’s try to open this file in the browser:

And here we go again, another parameter to use, but this time in another PHP page. I tried the ones from the Wordpress pages, but they didn't work. Then I moved back to the initial pages and tried the image.php page:

If I got the right parameter, what if we try to read the /etc/passwd file?

It’s working, and I also saw that we have a hint on this file, have a look at this:

Let’s open up the mentioned file using our browser:

That's a password! Is it for the saket user? I tried to log in via ssh (as both victor and saket) but had no luck. Then I realized that we have a wordpress application to exploit.

If you go to http://<IpAddress>/wordpress/wp-admin, you’ll have the admin page that you can log in. I tried saket’s user first, but it didn’t work. Then I tried victor’s:

We are in. But how can we exploit wordpress to get a shell? We have to edit a page that we can reach via URL and put a reverse shell in it. I went to Appearance >> Theme Editor and found many files, but not all of them were editable. After going through all of them, I found a file called secret.php that was writable:

You can use the famous pentestmonkey php reverse shell by getting the code from here:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Don't forget to edit the IP address and the port you want the reverse shell to connect to, in this case your attacker machine. I used port 53, so if you go to the following URL, where the file is located:

http://<IPAddress>/wordpress/wp-content/themes/twentynineteen/secret.php

You’ll finally get the shell:

That’s it! We entered the server, let’s start digging and see how we can escalate our privileges.

# Escalating Privileges

To run the command sudo -l you have to have an active TTY for the user. To do so, you can spawn one using python:

python -c "import pty; pty.spawn('/bin/bash')"

The sudo -l command is used to see which commands you can run as root without being prompted for a password. In this case it asked for a password, because someone didn't know how to configure the /etc/sudoers file properly:

We know that this is the correct path, but we have to find the password first. After poking around, I found a directory, /opt/backup/server_database, with a file in it:

Is this the password we were looking for? Let’s try that out:

Is this it? Did it work? What happened? Actually, if you list the files in this directory again, you will find two new files:

It looks like a base64-encoded string. Let's read the other file:

To get the MD5 hash of the string ippsec, we can use the following:

echo -n ippsec | md5sum

Well, now we have a base64 string and an MD5 hash to use. If I try to decode the base64 string, I don't get anything useful:

It does not seem to be an ordinary base64-encoded text. I then searched the internet about encryption. There is lots of content out there, and I looked for any website that could help me decrypt this string. I ended up with the following website:

https://encode-decode.com/aes-256-ecb-encrypt-online/

There is no way to tell from the string alone which cipher is being used, so you have to try harder. After playing around with many ciphers, I found the correct one: it is aes-256-ecb encryption.

Using the website above, I filled the fields with the following information:

  • On (1) you select the cipher you want to decrypt with;
  • On (2) you paste the encrypted message;
  • On (3) you enter the key;
  • And when you click to decrypt the string, the message appears on (4).
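The key the decrypt site is given is the 32-character hex MD5 digest of ippsec, and 32 ASCII bytes is exactly a 256-bit key, which is why aes-256 is the variant that fits. This added Python example (not from the walkthrough; the backup file's real string is not reproduced, both blobs are constructed) derives that key and shows the checks that separate block-cipher output from plain text that was merely base64-encoded, the distinction the author had to find by trial and error.

```python
import base64
import hashlib
import math
from collections import Counter

def derive_key(passphrase: str) -> bytes:
    """Key exactly as fed to the decrypt site in the walkthrough: the 32-character hex
    MD5 digest of the passphrase, used as ASCII bytes (32 bytes = 256 bits = AES-256)."""
    return hashlib.md5(passphrase.encode()).hexdigest().encode()

def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution. Text sits around 4 to 5 bits; ciphertext
    is near the maximum, which is 8 for long inputs and log2(len) for short ones."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_blob(b64_text: str) -> dict:
    """Decode a base64 string and report whether it looks like block-cipher output
    rather than readable text that was only base64-encoded."""
    raw = base64.b64decode(b64_text, validate=True)
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    aligned = len(raw) % 16 == 0  # AES block size: ECB/CBC output is always a multiple of 16
    return {"decoded_len": len(raw), "aes_block_aligned": aligned,
            "printable_ratio": printable, "entropy": entropy_bits_per_byte(raw),
            "looks_like_block_ciphertext": aligned and printable < 0.7}

# Constructed samples: 32 bytes of non-text data (stand-in for the real blob, which is not
# reproduced here) and a plain sentence that was only base64-encoded.
SAMPLE_CIPHERTEXT_B64 = base64.b64encode(bytes(range(0, 256, 8))).decode()
SAMPLE_TEXT_B64 = base64.b64encode(b"this is just encoded text").decode()

if __name__ == "__main__":
    key = derive_key("ippsec")
    print("key from 'ippsec':", key, f"({len(key)} bytes = {len(key) * 8} bits)")
    for label, blob in (("blob", SAMPLE_CIPHERTEXT_B64), ("text", SAMPLE_TEXT_B64)):
        print(label, triage_blob(blob))
```

With the real blob from the box, the same checks would report a length that is a multiple of 16 and a low printable ratio, which points at a block cipher before any decrypt site is tried.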

Phew! That was a hard one to find out! Now, take it to your notes and let’s continue our priv esc. Now that you have saket’s password, you can log in with his account:

su saket

Once you are there, run sudo -l as we did with the www-data user:

And if we run that file with sudo, here’s what we get:

We don't have any file called challenge in /tmp. I tried to create a directory there, but it didn't save anything in the folder and I kept receiving the same error. Finally, I copied a shell there with the name of the file it is trying to execute and assigned a sticky bit to it to see what happens:

When I ran the script again, I got the root shell:
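The weakness behind this root shell is a script that sudo lets a user run as root while the script executes a file from /tmp, a directory any user can create files in. This added Python helper (not from the walkthrough; the box's real script is not shown, so the sample script is constructed) audits a script for absolute paths whose parent directory is world-writable, the check an administrator would run on anything granted through sudoers.

```python
import os
import re
import stat

# Anything that looks like an absolute path inside a shell script
ABS_PATH_RE = re.compile(r'(?<![\w./-])(/[\w./-]+)')

def dir_world_writable(path: str) -> bool:
    """True when the directory holding `path` lets any user create files in it
    (e.g. /tmp, mode 1777). The sticky bit stops other users deleting a file that
    already exists; it does nothing about creating one that does not exist yet."""
    try:
        return bool(os.stat(os.path.dirname(path) or "/").st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False

def risky_paths(script_text: str) -> list:
    """Absolute paths referenced by a root-run script that live in a world-writable
    directory: whoever may run the script via sudo can also supply that file."""
    paths = dict.fromkeys(ABS_PATH_RE.findall(script_text))  # de-duplicate, keep order
    return [p for p in paths if dir_world_writable(p)]

# Constructed stand-in for the sudo-allowed script on the box (its real content is not shown)
SAMPLE_SCRIPT = "#!/bin/bash\n/usr/bin/id\n/tmp/challenge\n"

if __name__ == "__main__":
    print("paths a non-root user could control:", risky_paths(SAMPLE_SCRIPT))
```

The fix on the server side is the same in every case: a script run as root reads and executes only from directories root owns, never from /tmp.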

We rooted this box! The flag is in /root directory.

# Conclusion

We reached the end of this box. There were lots of things to learn along the way: my skills with encryption were really bad, but after reading a lot about ciphers and how to decrypt them correctly, I think I can root the next box faster than this one. The wfuzz challenge was another thing that helped me brush up my skills with that tool, because frankly, I didn't have that much experience fuzzing websites.

That’s it guys, if you have any questions or comments, leave me a comment, I will be here to help.

Happy Hacking All!
