PLUCK: 1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Pluck.
- Pluck can be downloaded from here:
https://www.vulnhub.com/entry/pluck-1,178/
- Once downloaded, extracted and imported with VirtualBox:
2 - ENUMERATION
- Using netdiscover let's confirm that the IP is 192.168.1.115:
- Scanning with nmap:
- Browsing the web server:
- nikto helps to discover a very promising LFI (Local File Inclusion) vulnerability in the web application:
- Let's check that LFI works, for instance reading /etc/passwd:
- From /etc/passwd we learn that there are users such as bob, peter, paul, backup-user, ...
- Also, reading the last line, it seems that there is a script for performing backups:
- Taking advantage of the LFI to read the script backup.sh:
- The backup script informs us about three things:
  - backups can be transferred with TFTP
  - the compressed backup file is located at /backups/backup.tar
  - the folders /home and /var/www/html are the ones that get backed up
- Obviously, our next goal must be to download backup.tar
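From the defender's side, the LFI probing above (reading /etc/passwd and then pulling /backups/backup.tar through the web server) leaves a clear trail in the access log. The following is an added example, not part of the original walkthrough: it scans constructed Apache access-log lines for traversal sequences, absolute paths and well-known sensitive targets in query parameters, decoding percent-encoding repeatedly so single- and double-encoded variants are caught. The parameter name page and the log lines themselves are assumptions.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample Apache combined-format log lines (not taken from the Pluck VM).
SAMPLE_LOG = """\
192.168.1.10 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 1534 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Mar/2024:12:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2317 "-" "curl/7.88"
192.168.1.20 - - [10/Mar/2024:12:00:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2317 "-" "curl/7.88"
192.168.1.20 - - [10/Mar/2024:12:00:15 +0000] "GET /index.php?page=/backups/backup.tar HTTP/1.1" 200 6291456 "-" "curl/7.88"
192.168.1.30 - - [10/Mar/2024:12:01:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, request URL and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL = re.compile(r'\.\.[/\\]')
# Targets that an LFI probe typically goes after; the backups/ entry mirrors the page's backup.tar.
SENSITIVE = re.compile(r'(^|/)(etc/(passwd|shadow)|backups?/|proc/self)')


def decode(value: str) -> str:
    """Percent-decode until the value stops changing, defeating double encoding."""
    prev = None
    while prev != value:
        prev, value = value, urllib.parse.unquote(value)
    return value


def suspicious_params(url: str) -> List[str]:
    """Return a reason string for every query parameter that looks like an LFI probe."""
    reasons = []
    query = urllib.parse.urlsplit(url).query
    for key, val in urllib.parse.parse_qsl(query, keep_blank_values=True):
        v = decode(val)
        if TRAVERSAL.search(v):
            reasons.append(f"{key}: directory traversal")
        elif v.startswith("/"):
            reasons.append(f"{key}: absolute path")
        if SENSITIVE.search(v):
            reasons.append(f"{key}: sensitive target")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan log text and report each request flagged by suspicious_params."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = suspicious_params(m["url"])
        if reasons:
            findings.append({"ip": m["ip"], "url": m["url"],
                             "status": m["status"], "reasons": "; ".join(reasons)})
    return findings
```

A 200 status on a flagged request, as in the sample, is the signal that the inclusion actually succeeded rather than merely being attempted.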
3 - EXPLOITATION
3.1 - Local File Inclusion
- Trying to get backup.tar using the browser and taking advantage of the LFI is a little bit messy, due to the huge size of the file:
- tftp does a better job:
- Also, curl would be a good alternative:
- Opening backup.tar:
- Now we have Pluck's backup folders available at our Kali machine:
- Searching for information inside bob and peter's home folders, there is nothing out of the ordinary:
- However we find a collection of 6 private and public keys inside paul's home folder:
- Checking what type of file these keys are, they turn out to be valid for SSH connections:
- Now, we can use these keys with the option -i identity_file to establish SSH connections:
- First attempt with id_key1 is unsuccessful:
- Same thing with id_key2 and id_key3:
- However, id_key4 leads to a Pdmenu:
- Pdmenu is a simple menu program that displays a menu from which the user can pick programs to run, for instance to edit files:
3.2 - Limited remote shell with PHP reverse shell
- Now, using the Pdmenu, we are going to remotely create a file called myshell.php in the /home/paul folder, just by adapting the well-known PHP script php-reverse-shell.php to our needs:
- Editing remotely with Pdmenu the file /home/paul/myshell.php and copying into it the content of the local myshell.php:
- Let's notice that the text editor is vim, so we save the file by writing and quitting with :wq!
- Now, it is time to start the actual exploitation, first by setting up a listening nc session, and second by running myshell.php with curl:
- The exploitation is successful and we get a limited remote shell:
3.3 - Limited remote shell with VIM and external commands
- As an alternative, now we are going to use Pdmenu to run the external command /bin/bash from the Vim editor, following these directions:
https://www.linux.com/learn/vim-tips-working-external-commands
- Just by quitting Vim, Pdmenu comes back with a limited remote shell:
4 - PRIVILEGE ESCALATION
4.1 - Local Privilege Escalation with exim-4.84.7 exploit
- Finding the SUID files that exist on the system, we discover exim-4.84-7:
- Exim (current version 4.91) is an SMTP email message transfer agent (MTA) for use on Unix systems under GPL, similar in style to Smail 3.
- Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531
- There is a Local Privilege Escalation exploit related to this vulnerability:
- Copying the script to a new file exim_exploit.sh:
- Transferring exim_exploit.sh from Kali to Pluck, specifically to /tmp folder:
- The transfer is successful, but exim_exploit.sh has no execution permissions:
- Giving execution permissions to exim_exploit.sh:
- Running the script, we finally get a remote root shell:
4.2 - Local Privilege Escalation with Dirty Cow Kernel Exploit
- An alternative to the method explained in 4.1 would be to use this exploit:
- Downloading to Kali:
- Transferring to Pluck:
- Compiling:
- Running cowroot we get a remote root shell:
- Apparently cowroot destabilizes the system, so we follow these directions to achieve a more stable shell:
5 - CAPTURING THE FLAG
- Reading flag.txt: