Saturday, 18 March 2017

VulnHub -- Pluck -- Writeup

Plucking Pluck

I had a fun time going through Pluck, there were no tempting write ups available at time of testing so managed to steer clear of the easy ways out ;)

Firing up netdiscover we find the host to target (which actually I saw later was conveniently mentioned in the actual Pluck VM login screen)
netdiscover -i eth0 -P -r
bash tools/

With the target identified, next stage is to see what a port scan probing open ports for service/version information reveals;

nmap -sV -p - 2> /dev/null

OK so ssh, http, mysql and an as yet to be determined service to poke around at.

Going through the http pages, we see a Home, About, Contact and Admin pages.

The Admin page has a login, however it requires an email address and I was not able to find any information on correct email address formats.
Testing with various email formats did not get any helpful error message.

Tried to get some helpful sql errors, and entering  '  as email address did result in ;
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6" 

I was unable to get any further so decided to leave that route for what it was for the time being.
Not sure whether there is anything to be found with the sql in the login, will have to dig a bit more.

With the hope of an easy entry fading, I checked if any easily identified files/directories could be found;


wfuzz -c -w /usr/share/seclists/Discovery/Web-content/big.txt --hc 404

Nothing interesting standing out..

I actually also even ran cewl on the 'About' page of the server and ran a forced browse attack using that custom wordlist, but also no dice.

Port 22 was open, so I decided to run a bruteforce with the most common 10k passwords on ssh with username admin as there appeared to be an admin login on http, you never know, right?
hydra -l admin -P /lists/10k.txt -e nsr -t 4 -Vf ssh 

Predictable outcome though; no dice.

Trying mysql login in turned out to be a no-go as well..
mysql -h uroot -ptoor

pfff... things were beginning to look a little bleak..

Running nikto showed an interesting LFI vulnerability, allowing viewing of any file on the target.

nikto -h

Checking the LFI vulnerabilty with curl indeed showed the file.. 
Finally.. progress!
curl -s

Ohh.. usernames, I took the usernames and went to town with yet more bruteforce attacks on ssh.. maybe bob, paul or peter would have better results than that crappy 'ol admin! was not meant to be..

Looking again at the passwd file some interesting information stands out on the backup-user showing a location of a backup script.

Let's see if we can dig that one out;
curl -s

OK, looks like there may be a backup file to poke at..

Let's see if we can download the backup file, despite the mention of tftp, I just tried with curl and man the download just kept on going.. at 2GB I cancelled the download in the hopes that something could be extracted..

curl > backup.tar

First I did a quick manual check to see if a quick scroll through the first few hundred lines had anything jumping out, and something did..!
cat backup.tar | head -n 500 | less

hmm.. user paul and ssh rsa keys?  Looking more promising now!

Some handy information which google was kind enough to cough up for me;

You could sed out the RSA key ( sed '0,/BEGIN RSA PRIVATE KEY/d;/END RSA PRIVATE KEY/,$d' backup.tar ) and add the BEGIN and END strings, or just be lazy and Select, Copy and Paste..

I named the file deployment-key.txt and edited permissions to 600;
chmod 600 deployment-key.txt

Then tried to log in ssh yet again, but now as user paul with an ssh-rsa key;
ssh -i deployment-key.txt paul@

OK, well this is different.. well I guess the passwd file did mention /usr/bin/pdmenu for user paul..

After messing around a bit with telnet and WWW I tried the edit file part remembering a trick a pal had once shown, gaining access by simply adding a user to the passwd file.

So decided to try and open up the /etc/passwd file

oh fuck.. Vim.. I seriously need to learn to use this.. how many times I have gotten stuck in it and have had to google how to just friggin exit the editor is just downright embarrassing.

So after spending a bit of time on trying to edit the file to get it to open and be able to break out into shell, I noticed that the file was, of course, read-only [facepalm]..

The breaking out of Vim is well-documented and a quick google session later I found the hidden gold I needed;

In Vim command mode;
:set shell=/bin/bash

Bingo! shell!

A bit of googling showed I could probably try out an easy way to root and use the dirty cow exploit.

I hosted the Dirty Cow exploit 40616.c on my attacking system and changed to the writeable /tmp directory on Pluck to wget the exploit to the target.
Then following the instructions in the exploit I compiled it with gcc.

gcc -o cow 40616.c -pthread
It compiled with some warnings, but fingers crossed..

I chmod-ed the file to make it executable, and ran it..
chmod +x cow

Fuck Yeah..!

I immediately ran the command to make the exploit more stable and avoid freezes on the target system (without this step, the target system froze pretty quick for me);
echo 0 > /proc/sys/vm/dirty_writeback_centisecs

Checked out the /root dir;
ls /root
cat /root/flag.txt

Big thanks to the creator and to VulnHub for hosting these awesome challenges :D

Happy & Content :)

Tools used; 

- netdiscover
- arp-scan

- nmap

- dirb
- dirbuster
- wfuzz

- nikto
- searchsploit

- wget
- curl

Speshull thanx to guugl :P

Google Analytics Alternative