I am in the midst of my pursuit for the Offensive Security Certified Professional (OSCP) certification in May. Part of my preparation is to take on machines available on VulnHub. VulnHub provides materials that allow anyone to gain practical ‘hands-on’ experience in digital security, computer software & network administration. I am following this list which states machines that are similar to the current version of the OSCP course.
I will be taking on Prime:1 today!
Firstly, I will perform an ARP scan to identify other active hosts on my local network. This is done to identify the IP address of the machine that I will be attempting to take over.
After identifying the IP address of the machine (192.168.239.131), I will perform my usual Nmap scan and add the IP address to my /etc/hosts file for easy access to the web server.
From this, I was able to verify that 2 ports are open: Port 22 and 80. Upon visiting port 80, I was greeted with this page:
There was nothing much on the page. Thus, I proceeded to use Gobuster to brute-force directories with a wordlist:
I visited the pages and found a WordPress server. Therefore, I decided to run wpscan on the site to look for anything interesting to exploit. The only interesting result found was a user:
There was also a note in the
This was an indicator that I was heading in the right direction. Since WordPress sites are primarily made up of .txt files, I ran another command with Gobuster specifically targeting those two file types:
The first page that stood out to me was secret.txt. Upon visiting that page, I was greeted with a note. The note suggested two clues: a link to a Github page and
The Github link led me to a page that prompted me to use a tool: WFuzz. Thus, I decided to run the following command: wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://prime1.hub/index.php?FUZZ=something. There were multiple results:
Going through the list, I realised the ‘file’ parameter stood out, as its word count differed from the rest:
Using the clue found from the previous step (location.txt), I pieced them together and browsed the URL looking for location.txt and managed to find another clue!
secrettier360 was said to be a parameter of another .php page. The only other .php page was image.php. Thus, I browsed to that page and was greeted with this:
I did not really know what to do at this stage. Therefore, I started to dig for web application vulnerabilities and tried to perform Local File Inclusion (LFI). I decided to manipulate the file location parameter to read the /etc/passwd file, and managed to exploit this successfully!
From this, I got my next clue: find the password.txt file in the home directory of the user saket. So, I simply manipulated the file location parameter again and managed to retrieve the password:
Using the username, victor, found in the previous steps and the password I had just retrieved, I decided to access the WordPress dashboard. The credentials were correct and I now had full access to the site:
I decided to generate a reverse shell by injecting malicious code into the WordPress theme. The PHP reverse shell code I used is from PenTestMonkey. I modified the IP address and port to suit my needs. However, I realised that none of the theme files were writable:
Except for one… secret.php. I uploaded the malicious code there and opened a Netcat listener. Upon accessing the link http://prime1.hub/wordpress/wp-content/themes/twentynineteen/secret.php, I managed to gain a dumb shell with the user
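From the defender's side, both of the steps above leave clear traces in the web server's access log: traversal sequences or sensitive file names in the secrettier360 query parameter, and a POST to the WordPress theme editor. The script below is an added example (not part of the original write-up) that flags both patterns in constructed Apache combined-log lines; the IP addresses and timestamps are made up, and the rule names are my own.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines; IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /wordpress/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/May/2021:10:00:02 +0000] "GET /image.php?secrettier360=../../../../etc/passwd HTTP/1.1" 200 1834 "-" "curl/7.74"
10.0.0.9 - - [01/May/2021:10:00:03 +0000] "GET /image.php?secrettier360=%2e%2e%2f%2e%2e%2fhome/saket/password.txt HTTP/1.1" 200 41 "-" "curl/7.74"
10.0.0.9 - - [01/May/2021:10:00:04 +0000] "POST /wordpress/wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Pull client IP, method, request target and status out of a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = "../"
SENSITIVE = ("/etc/passwd", "/etc/shadow", "password.txt")
THEME_EDITOR = "/wp-admin/theme-editor.php"   # WordPress built-in file editor


def analyse_request(line):
    """Return a list of (rule, client_ip, detail) findings for one log line."""
    m = REQUEST_RE.match(line)
    if not m:
        return []
    ip, method, target = m["ip"], m["method"], m["target"]
    parts = urlsplit(target)
    findings = []
    # Decode a few times so %2e%2e%2f and double-encoded variants normalise to "../".
    query = parts.query
    for _ in range(3):
        query = unquote(query)
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if TRAVERSAL in value or value.endswith(SENSITIVE):
                findings.append(("lfi_attempt", ip, f"{name}={value}"))
    # A POST to the theme editor means a theme file is being written from the dashboard.
    if method == "POST" and parts.path.endswith(THEME_EDITOR):
        findings.append(("theme_file_write", ip, parts.path))
    return findings


def scan_log(text):
    """Run analyse_request over every line of an access log and collect findings."""
    return [f for line in text.splitlines() for f in analyse_request(line)]


if __name__ == "__main__":
    for rule, ip, detail in scan_log(SAMPLE_LOG):
        print(f"{rule:17} {ip:12} {detail}")
```

Disabling the theme editor with `DISALLOW_FILE_EDIT` in wp-config.php removes the write path the second rule watches for, and an allowlist of permitted file names on the server side removes the first.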
I decided to upgrade the shell with the following commands:
- python3 -c 'import pty; pty.spawn("/bin/bash")'
- export TERM=xterm-256color
I decided to run LinPEAS on the target. Immediately, it detected that the kernel version was vulnerable.
Therefore, I decided to use Searchsploit to find ways to escalate my privileges:
The second result looked promising. Therefore, I located it on my Kali machine and started an HTTP server to transfer it to the target. Then, I used wget to download the file and compiled it with the following command: gcc privesc.c -o privesc. Then, I executed it!
I finally managed to obtain root privileges!