pluck: 1 – Writeup

Getting ready for NetWars later this month it was time to sharpen my game. Let’s pick the first good Vulhub vm and have a go. Pluck: 1 – looked like a good start, no info what so ever.. lets see how it goes.

First let’s run a nmap and discover what service we have to deal with.

Okey, we’ve got a web server, and mysql? Let’s look at what webpage we have.

Looks like a bootstrap theme, and by clicking around I can see it’s using ?page=filename.php
This smells like LFI, quickly grab /etc/passwd to verify.

Look a the last line, that looks interesting…..
backup-user:x:1003:1003:Just to make backups easier,,,:/backup:/usr/local/scripts/backup.sh

Could there be a tftp server here as well? I know the filename I’m looking for, this should be a quick win.

By extracting the backup.tar file I’ve got a backup of the /home/ directory and /var/www/html

Quick side note, they are trolling the SQLi guys.. When ever you input the escape charc in admin.php You will get something that looks like a sql error message.

Back on track, let’s see what we have at the home directory. Paul is a user with a lot of keys. Check them all, and maybe we get lucky once more.

By using id_key4 I could log in as user paul without a password. I tested all other combination for know users (source /etc/passwd), but with no luck. The paul user was limited to pdmenu.

Here I got a little bit stuck. I looks like it was possible to do some escaping from “Edit file” meny, or even from the “www” (lynx), but no luck. There must be some basic protection within the pdmenu that prevents normal escape routines to work. Using the Directory listning and change directory I could move around and look at the file system but it was way to to slow, and you had to type/remember your path and files. After trying it out a bit, it was time to move on, let’s get a shell. I could use the edit file option and run Local-File-Inclusion to get me a www-user shell.

## Update ##
During some playing with another shell escape. My normal escape with :!/bin/bash would not work as an escape from the Edit file menu.
But by using the alias command :set shell=/bin/bash and invoking it with the :shell I could have skipped the php shell LFI workaround…

 

Dump pentest monkey php revereshell to /tmp and used LFI to get shell.

After running the most basic private escalation, and going back to the backup folder (It looks like the user bob had some sudo rights..) I start looking for kernel exploits. DirtyCow should work on this version, and they did have gcc on it. But missing some libs, and without a proper shell. Booting up a Ubuntu 16.10 64bit Server VM and build/test it there. And I’m glad I did it, cause dirtycow is unstable, and you have to be fast to input the magic line of “echo 0 > /proc/sys/vm/dirty_writeback_centisecs” otherwise the system will crash, and a reboot is necessary. Build/test and upload to target.

And that’s it.. I’ve got ROOT, and time to claim my flag.

This was a fun little evening session, but I do however think there is other ways getting in and around the system. But I’ll leave that for the next victime of pluck:1.

 

 

 

Leave a Comments