CTF Vulnhub: Prime 1 Walkthrough

Hello dear friends, welcome back for another CTF Walkthrough. Today we will solve Prime:1machine.

Description
This machine is designed for those one who is trying to prepare for oscp or OSCP-Exam.

This is first level of prime series. Some help at every stage is given. Machine is lengthy as OSCP and Hackthebox’s machines are designed.

So you have a target to get root flag as well as user flag. If stuck on a point some help are given at a level of enumeration. If any extra help needed

Visit our website http://hacknpentest.com and http://hnpsecurity.com.

Some extra improvement needed to my VM please contact me on my email- suraj at hnpsecurity dot com.

Interesting, we got a user

Information gathering

TCP Scanning

Banner Grabbing

Exploring the web application

Nothing of special on this webpage, now we will use dirb to try to find other pages

dirb http://192.168.1.195 -X .txt,.php
Fantastic we found 3 pages


The author suggested to use wfuzz and also he gave to us another hint (file)

The author suggested to use wfuzz, so we will use wfuzz in the following way

Fantastic we found the correct path (file)


2020-08-24_13-51-43
As suggested we will continue to use wfuzz but on different file with different parameter

wfuzz -c -w /usr/share/wfuzz/wordlist/general/common.txt --hc 404 --hw 500 --hl 6 http://192.168.1.195/image.php?secrettier360=FUZZ
Fantastic we found the right parameter

LFI

LFI
Because the web app accept some parameter I like to test if the web app is vulnerable to LFI and bingo it is : )


With the same technique, we can read the password.txt file


Fantastic we got the password ( follow_the_ippsec) so now we can access to wordpress using as user victor and password follow_the_ippsec

Reverse shell

Now . we can “install” a reverse shell into Wordpress, we will use this web shell /usr/share/webshells/php/php-reverse-shell.php and we will copy it into secret.php (is the only file that we have writable privileges)


Now go to http://192.168.1.195/wordpress/wp-content/themes/twentynineteen/secret.php
Fantastic we got a web shell

2020-08-24_13-59-36

Privilege Escalation


We will use this exploit

  • cd /tmp
  • gcc exp.c exp
  • ./exp

Fantastic we are root


We have completed the Prime 1 machine