Vulnhub – Prime Series Level-1 Walkthrough

We start by scanning the target with nmap -A -T4 -p- 192.168.1.13 -vv

Then we run dirb http://192.168.1.13 /usr/share/dirb/wordlists/big.txt

So the target is running WordPress; let’s enumerate the users:

wpscan --url http://192.168.1.13/wordpress -e u

The username is victor. Now we brute force it with our wordlist:

wpscan --url http://192.168.1.13/wordpress -U victor -P /root/pass/rockyou.txt

After a lot of time it looked like a rabbit hole. While it was brute forcing, I ran another dirb search for txt and php files and I got a hit:

http://192.168.1.11/secret.txt

So I visited the link provided and I got some instructions on fuzzing the website with wfuzz:

So I ran the fuzz and got two web pages I had already found before using dirb, index.php and image.php. Then I followed the command to find that “location.txt”, and it was something like this:

wfuzz -c -w /usr/share/fuzz/wordlist/general/big.txt --hc 404 --hw 500 http://192.168.1.13/index.php?file=FUZZ.txt

So I only replaced the file=FUZZ.txt with location.txt and I found the file:

OK, the other page is image.php. Trying secrettier360 didn’t work, but it worked with ../../../etc/passwd:

If you take a good look you will find this:

So there is a username saket, and there is a file in his directory named password.txt. OK, let’s view it by typing:

http://192.168.1.13/image.php?secrettier360=../../../home/saket/password.txt
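From the defender's side, the two image.php requests above leave a clear trace in the web server's access log. The following is an added example, not part of the original walkthrough: it flags query parameters whose decoded value contains a ".." path segment, and it goes beyond the plain form used here by also catching percent-encoded and double-encoded variants. The log lines, client address and timestamps are constructed, and a Common/Combined Log Format is assumed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/Combined Log Format: client, request target and status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# ".." as a whole path segment, with / or \ as the separator.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e%252e%252f becomes ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(log_line):
    """Return (client, path, parameter, decoded value, status) per suspicious parameter."""
    match = LINE_RE.match(log_line)
    if not match:
        return []
    client, target, status = match.groups()
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl has already decoded once
        if TRAVERSAL_RE.search(decoded):
            hits.append((client, parts.path, name, decoded, int(status)))
    return hits

def scan(lines):
    """Collect hits across many lines; triage the ones answered with status 200 first."""
    return [hit for line in lines for hit in find_traversal(line)]

# Constructed sample log lines (client address and timestamps are made up).
SAMPLE_LOG = [
    '192.168.1.20 - - [01/Jan/2020:10:00:01 +0000] "GET /image.php?secrettier360=../../../etc/passwd HTTP/1.1" 200 1480',
    '192.168.1.20 - - [01/Jan/2020:10:00:02 +0000] "GET /index.php?file=location.txt HTTP/1.1" 200 334',
    '192.168.1.20 - - [01/Jan/2020:10:00:03 +0000] "GET /image.php?secrettier360=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1480',
    '192.168.1.20 - - [01/Jan/2020:10:00:04 +0000] "GET /wordpress/?s=release..notes HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the request line, so parameters sent in a POST body need a WAF or application-level log to be seen this way.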

Now we have a username saket and the password follow_the_ippsec; let’s ssh to it:

Well, that didn’t work, but trying the password with WordPress and the username victor worked:

Now, after trying for a long time to upload a shell through plugins or images, nothing worked at all. I tried to edit the plugin pages but they’re not writable, and tried to edit the theme pages, which are also not writable EXCEPT for one page, which is secret.php … finally I can put my PHP shell code inside it and get a shell:

Now head to http://192.168.1.13/wordpress/wp-content/themes/twentynineteen/secret.php and, in a shell, run nc -lvp 4444

Checking for the host version and kernel:

Searching for an exploit with searchsploit turned up exploit no. 45010.c. Next is to transfer the exploit to the host with wget and SimpleHTTPServer, compile it, run it, and we are ROOT!!
