Unlocking the Secrets of Prime: A Comprehensive OSCP Walkthrough

In the vast landscape of cybersecurity, the Offensive Security Certified Professional (OSCP) certification stands as a beacon for aspiring penetration testers. It’s a rigorous, hands-on examination that tests your ability to identify vulnerabilities, exploit them, and secure systems. Among the many machines designed to challenge OSCP candidates, Prime:1 by Suraj Pandey is a standout. This article will take you through a detailed walkthrough of how to root Prime:1, providing insights, tips, and a step-by-step guide to help you navigate this challenging machine.

Understanding the Landscape: Prime:1

Prime:1 is a boot2root machine that simulates a real-world scenario where you, as a penetration tester, must identify and exploit vulnerabilities to gain root access. It’s designed to test your knowledge of network scanning, service enumeration, vulnerability assessment, and exploitation. The machine is accessible via a private network, and your goal is to find the root flag, which signifies complete control over the system.

Step 1: Initial Reconnaissance

The first step in any penetration testing engagement is reconnaissance. This involves gathering as much information as possible about the target system without triggering any security alerts. For Prime:1, this begins with identifying the machine’s IP address and open ports.

Finding the IP Address

To find the IP address of Prime:1, you can use a tool like netdiscover, which discovers hosts on a local network via ARP. Ensure that your penetration testing machine and Prime:1 are on the same network and can reach each other. The command to use is:

```bash
netdiscover
```

This will display a list of hosts on the network, including Prime:1. Note down its IP address for the next steps.

Port Scanning

Once you have the IP address, the next step is to perform a port scan to identify the open ports on the machine. This can be done using nmap, a powerful network scanning tool. The command to use is:

```bash
nmap -sV -A 192.168.1.16 -p-
```

This command tells nmap to perform a service/version scan (-sV) across all 65535 TCP ports (-p-) on the machine with the IP address 192.168.1.16. The -A flag enables OS detection, version detection, default script scanning, and traceroute.

The output of this command will list the open ports on the machine, along with the services running on those ports. In the case of Prime:1, the open ports are SSH (port 22) and HTTP (port 80).

Step 2: Service Enumeration

With the open ports identified, the next step is to enumerate the services running on those ports. This involves gathering more detailed information about the services, which can help in identifying potential vulnerabilities.

SSH Service

The SSH service running on port 22 is a secure shell that allows remote access to the machine. To enumerate this service, you can use nmap’s script scanning feature. The command to use is:

```bash
nmap -sV -p 22 --script=ssh-auth-methods,ssh-hostkey,ssh-publickey 192.168.1.16
```

This command tells nmap to perform a version scan (-sV) on port 22 and to run the specified scripts on the machine with the IP address 192.168.1.16. The scripts will provide information about the SSH service, such as the supported authentication methods, the host key, and the public key.

HTTP Service

The HTTP service running on port 80 is a web server that hosts a website. To enumerate this service, you can use a web browser to visit the website or use a tool like wfuzz to fuzz the directories. The command to use is:

```bash
wfuzz -w /usr/share/wordlists/dirb/common.txt --hc 404 http://192.168.1.16:80/FUZZ
```

This command tells wfuzz to substitute each entry of the specified wordlist for the FUZZ keyword, probing for directories and files on the website hosted on port 80 of the machine with the IP address 192.168.1.16. The --hc 404 flag tells wfuzz to hide responses with the status code 404, so only paths that actually exist are shown.

The output of this command will list the paths that exist on the website. In the case of Prime:1, the discovered paths include secret.txt, dev, index.php, image.php, and wordpress.

Step 3: Vulnerability Assessment

With the services enumerated, the next step is to assess the vulnerabilities in those services. This involves identifying known vulnerabilities in the services and their versions, which can be exploited to gain access to the machine.

SSH Service

The SSH service running on port 22 is vulnerable to a brute force attack. This involves trying different combinations of usernames and passwords to gain access to the machine. However, this method is time-consuming and may trigger security alerts. Therefore, it’s recommended to use a more targeted approach, such as exploiting a known vulnerability in the SSH service.

HTTP Service

The HTTP service running on port 80 is vulnerable to a directory traversal attack. This involves manipulating the URL to access files and directories that are not intended to be publicly accessible. The secret.txt file, for example, contains information about the parameter finding technique.

The image.php file is vulnerable to a local file inclusion (LFI) attack. This involves manipulating the URL to include a local file on the machine. The /etc/passwd file, for example, can be included to display its contents. The contents of the /etc/passwd file reveal the presence of a user named saket, who has a password.txt file in their directory.
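From the defender's side, both of the behaviours described in this walkthrough leave a clear trace in the web server's access log: directory fuzzing with wfuzz produces a burst of 404 responses from one client, and the LFI against image.php shows up as traversal sequences or /etc/passwd in the query string. The following Python script is an added example, not part of the original walkthrough; the log lines, IP addresses and the parameter name `file` are constructed assumptions, and the script decodes URL encoding before matching so that encoded variants of the same payload are not missed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format sample lines (not taken from the original post).
FUZZ_PATHS = ["admin", "backup", "cgi-bin", "config", "db", "old", "test"]
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /image.php?file=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /image.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "GET /wordpress/ HTTP/1.1" 200 9000',
    '10.0.0.7 - - [01/Jan/2024:10:02:01 +0000] "GET /secret.txt HTTP/1.1" 200 300',
] + [f'10.0.0.9 - - [01/Jan/2024:10:01:0{i} +0000] "GET /{p} HTTP/1.1" 404 200'
     for i, p in enumerate(FUZZ_PATHS)]  # a wordlist scan: one client, many 404s

# Minimal parser for the combined log format: client IP, method, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \d+')
# Traversal sequences and the classic target file named in the walkthrough.
TRAVERSAL = re.compile(r'(\.\./|/etc/passwd)', re.IGNORECASE)

def parse(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_lfi(lines):
    """Return (ip, raw_path, status) for requests carrying a traversal/LFI payload."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        decoded = unquote(unquote(rec["path"]))  # double-decode catches %252e-style encoding
        if TRAVERSAL.search(decoded):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits

def find_fuzzing(lines, threshold=5):
    """Return {ip: count} for clients that triggered at least `threshold` 404 responses."""
    not_found = Counter(rec["ip"] for rec in map(parse, lines)
                        if rec and rec["status"] == "404")
    return {ip: n for ip, n in not_found.items() if n >= threshold}

if __name__ == "__main__":
    for ip, path, status in find_lfi(SAMPLE_LOG):
        print(f"LFI/traversal attempt from {ip}: {path} (status {status})")
    for ip, n in find_fuzzing(SAMPLE_LOG).items():
        print(f"possible directory fuzzing from {ip}: {n} responses with status 404")
```

A status of 200 on a traversal request, as in the sample, is the case worth alerting on first: it suggests the include actually succeeded rather than being rejected.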

Step 4: Exploitation

With the vulnerabilities identified, the next step is to exploit them to gain access to the machine. This involves using the identified vulnerabilities to execute malicious code on the machine.

SSH Service

The SSH service running on port 22 can be exploited using a brute force attack. However, as mentioned earlier, this method is not recommended. Instead, you can use the information from the secret.txt file to find the password for the user saket. The password can then be used to gain access to the machine via SSH.

HTTP Service

The HTTP service running on port 80 can be exploited using a directory traversal attack. The secret.txt file, for example, can be accessed to display its contents. The contents of the secret.txt file reveal the presence of a user named victor, who has a WordPress installation on the machine.

The WordPress installation can be exploited using a remote code execution (RCE) vulnerability. This involves manipulating the URL to execute malicious code on the machine. The secret.php file, for example, can be used to execute a reverse shell on the machine. A reverse shell allows you to connect to the machine from your penetration testing machine, providing you with a command-line interface to the machine.

Step 5: Privilege Escalation

With access to the machine, the next step is to escalate your privileges to root. This involves exploiting vulnerabilities in the machine’s configuration or software to gain root access.

User Privileges

The user saket has a password.txt file in their directory. The contents of the password.txt file reveal the presence of a user named victor, who has a WordPress installation on the machine. The WordPress installation can be exploited using a remote code execution (RCE) vulnerability to gain access to the machine as the user victor.

The user victor has a file named undefeated_victor in their directory. The contents of the undefeated_victor file reveal the presence of a file named enc in the /home/saket directory. The enc file can be executed using the password ippsec to gain root access to the machine.

Root Privileges

The enc file can be exploited using a known vulnerability in the kernel version to gain root access to the machine. The kernel version can be identified using the uname command. The command to use is:

```bash
uname -a
```

The output of this command will display the kernel version. In the case of Prime:1, the kernel version is 4.10.0-28-generic. This kernel version is vulnerable to a local privilege escalation vulnerability, which can be exploited to gain root access to the machine.

Conclusion

Rooting Prime:1 is a challenging but rewarding experience that tests your knowledge of penetration testing techniques. By following the steps outlined in this article, you can gain a comprehensive understanding of the machine and its vulnerabilities. Remember, the key to success is patience, persistence, and a systematic approach to penetration testing.

FAQ

What is the OSCP certification?

The Offensive Security Certified Professional (OSCP) certification is a rigorous, hands-on examination that tests your ability to identify vulnerabilities, exploit them, and secure systems. It’s designed for aspiring penetration testers and cybersecurity professionals.

What is Prime:1?

Prime:1 is a boot2root machine created by Suraj Pandey. It’s designed to challenge OSCP candidates and test their knowledge of penetration testing techniques. The machine simulates a real-world scenario where you must identify and exploit vulnerabilities to gain root access.

What tools are used in this walkthrough?

The tools used in this walkthrough include nmap, wfuzz, and WordPress. These tools are essential for network scanning, service enumeration, and vulnerability assessment. They provide a comprehensive understanding of the target machine and its vulnerabilities.

What is the key to success in rooting Prime:1?

The key to success in rooting Prime:1 is patience, persistence, and a systematic approach to penetration testing. It’s important to take your time, carefully analyze the machine and its vulnerabilities, and follow a logical sequence of steps. This will help you gain a comprehensive understanding of the machine and its vulnerabilities, leading to a successful root.

What is the next step after rooting Prime:1?

After rooting Prime:1, the next step is to continue practicing and improving your penetration testing skills. This can be done by participating in Capture The Flag (CTF) competitions, taking online courses, and reading cybersecurity blogs and articles. These activities will help you stay up-to-date with the latest trends and techniques in penetration testing.
