Wednesday, September 26, 2018

Pluck


PLUCK: 1

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Pluck.

- Pluck can be downloaded from here:

https://www.vulnhub.com/entry/pluck-1,178/

- Once downloaded, extracted and imported with VirtualBox:





2 - ENUMERATION

- Using netdiscover let's confirm that the IP is 192.168.1.115:




- Scanning with nmap:




- Browsing the web server:





- nikto helps discover a very promising LFI (Local File Inclusion) vulnerability in the web application:






- Let's check that LFI works, for instance reading /etc/passwd:




- From /etc/passwd we learn that there are users like bob, peter, paul, backup-user, ...

- Also, reading the last line it seems that there is a script for performing backups:
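From the defender's side, the LFI requests above (a `page` parameter walking up with `../` to reach `/etc/passwd`, later the backup archive) leave a clear trail in the web server's access log. The following is an added example, not code from the write-up or from the Pluck machine: it parses constructed Apache combined-log lines, URL-decodes the request target repeatedly so that single- and double-encoded traversal (`..%2F`, `%252e%252e`) is normalised, and flags requests that combine traversal with a sensitive path. The log lines, IP addresses and the `SENSITIVE_PATHS` list are assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not captured from the Pluck machine).
SAMPLE_LOG = """\
192.168.1.50 - - [26/Sep/2018:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.168.1.50 - - [26/Sep/2018:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
192.168.1.50 - - [26/Sep/2018:10:01:15 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2311 "-" "curl/7.61.0"
192.168.1.50 - - [26/Sep/2018:10:01:21 +0000] "GET /index.php?page=%252e%252e/%252e%252e/backups/backup.tar HTTP/1.1" 200 5242880 "-" "curl/7.61.0"
192.168.1.50 - - [26/Sep/2018:10:02:00 +0000] "GET /style.css HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Paths whose appearance in a request parameter almost always means file disclosure
# (assumed list; extend it for the application being monitored).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/backups/")


def normalize(target):
    """URL-decode repeatedly (at most 3 rounds) so double-encoded traversal becomes visible."""
    decoded = target
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    return decoded.replace("\\", "/")


def lfi_indicators(target):
    """Return the list of LFI indicators found in one request target (empty if clean)."""
    norm = normalize(target)
    hits = []
    if "../" in norm:
        hits.append("traversal")
    hits.extend("sensitive:" + p for p in SENSITIVE_PATHS if p in norm)
    if "\x00" in norm:
        hits.append("null-byte")
    return hits


def scan_log(text):
    """Return one finding per request that carries LFI indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = lfi_indicators(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
                # A 2xx answer to a traversal request means the file was very likely served.
                "served": m.group("status").startswith("2"),
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"], f["target"])
```

The repeated decoding matters: a rule that only looks for the literal `../` misses the `%252e%252e` request, which a PHP `include()` still resolves once the web server and PHP have decoded it. Pairing the indicator with the response status separates blocked probes from disclosures that actually succeeded.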





- Taking advantage of the LFI to read the script backup.sh:




- The backup script informs us about three issues:

  • backups can be transferred with TFTP
  • the compressed backup file is located at /backups/backup.tar
  • both folders /home and /var/www/html are backed up

- Obviously, our next goal must be to download backup.tar.



3 - EXPLOITATION

3.1 - Local File Inclusion

- Trying to get backup.tar using the browser and taking advantage of the LFI is a little bit messy, due to the huge size of the file:




- tftp does a better job:



- Also, curl would be a good alternative:





- Opening backup.tar:





- Now we have Pluck's backup folders available at our Kali machine:




- Searching for information inside bob's and peter's home folders, there is nothing out of the ordinary:






- However we find a collection of 6 private and public keys inside paul's home folder:
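The backup script (section 2) bundles /home into an archive that is fetched over TFTP without any authentication, and that archive turns out to carry paul's private keys. A defender can catch this class of leak before the archive ever leaves the host by scanning it for credential material. The block below is an added example, not part of the original write-up: it builds a small constructed tar archive shaped like /backups/backup.tar (the file names and contents are invented for the example, including the key bodies) and then inspects every member, flagging sensitive file names and anything whose first bytes contain a PEM or OpenSSH private key header.

```python
import io
import tarfile

# Header lines that identify PEM / OpenSSH private key material in a file's first bytes.
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)

# File names that should never travel inside an unauthenticated backup (assumed list).
SENSITIVE_BASENAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
                       "authorized_keys", ".bash_history", "shadow", ".netrc"}


def build_sample_backup():
    """Constructed stand-in for /backups/backup.tar; contents are invented for this example."""
    files = {
        "home/bob/.bashrc": b"# constructed bashrc\n",
        "home/peter/.bash_history": b"ls -la\ncat /etc/passwd\n",
        "home/paul/keys/id_key4": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                   b"MIIEconstructedKeyBody==\n"
                                   b"-----END RSA PRIVATE KEY-----\n"),
        "home/paul/keys/id_key4.pub": b"ssh-rsa AAAAconstructed paul@pluck\n",
        "var/www/html/index.php": b"<?php echo 'Pluck'; ?>\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600 if "keys/" in name else 0o644
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_backup(tar_bytes, head_bytes=4096):
    """Return [{'name', 'reasons'}] for archive members that would leak credentials."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            reasons = []
            base = member.name.rsplit("/", 1)[-1]
            if base in SENSITIVE_BASENAMES or base.startswith("id_"):
                reasons.append("sensitive-name")
            fh = tar.extractfile(member)
            head = fh.read(head_bytes) if fh else b""   # only the head is needed for a header
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                reasons.append("private-key-material")
            if reasons:
                findings.append({"name": member.name, "reasons": reasons})
    return findings


def private_keys_in(tar_bytes):
    """Names of members that actually contain private key material (the high-severity set)."""
    return [f["name"] for f in scan_backup(tar_bytes)
            if "private-key-material" in f["reasons"]]


if __name__ == "__main__":
    for f in scan_backup(build_sample_backup()):
        print(f["name"], f["reasons"])
```

Name-based hits (`id_*`, `.bash_history`) are worth a look but the content check is what makes the result reliable: the private key here is stored under a non-standard name, exactly as on Pluck, and only the PEM header gives it away. Running such a scan as a step of the backup job, and failing the job on a private-key hit, stops the archive from being published at all.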








- Checking what type of file these keys are, they are valid for SSH connections:




- Now, we can use these keys with the option -i identity_file to establish SSH connections:




- First attempt with id_key1 is unsuccessful:




- Same thing with id_key2 and id_key3:







- However, id_key4 leads to a Pdmenu:






- Pdmenu is a simple menu program that displays a menu from which the user can pick programs to run, for instance to edit files:




3.2 - Limited remote shell with PHP reverse shell

- Now, using the Pdmenu we are going to remotely create a file called myshell.php in the /home/paul folder, just by adapting the well-known PHP script php-reverse-shell.php to our needs:










- Editing remotely with Pdmenu the file /home/paul/myshell.php and copying into it the content of the local myshell.php:






- Let's notice that the text editor is vim, so we save the file by writing and quitting with :wq!

- Now, it is time to start the actual exploitation, first by setting up a listening nc session, and second by running myshell.php with curl:






- The exploitation is successful and we get a limited remote shell:




3.3 - Limited remote shell with VIM and external commands


- As an alternative, now we are going to use Pdmenu to insert the command /bin/bash in the Vim editor, following these directions:

https://www.linux.com/learn/vim-tips-working-external-commands








- Just quitting Vim and Pdmenu brings back a limited remote shell:





4 - PRIVILEGE ESCALATION

4.1 - Local Privilege Escalation with exim-4.84.7 exploit

- Finding the SUID files that exist on the system, we discover exim-4.84-7:




- Exim (current version 4.91) is an SMTP email message transfer agent (MTA) for use on Unix systems under the GPL, similar in style to Smail 3.

- Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531
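Two facts decide whether a host is exposed to CVE-2016-1531: the Exim binary is setuid root, and its upstream version is older than 4.86.2. The block below is an added example for the defender's side, not code from the write-up or from the exploit: it audits a constructed list of setuid files against an allowlist of binaries a stock system is expected to ship with setuid root, and applies the version test to any Exim binary found. The `/usr/exim/bin/...` path, the other file records and the allowlist are assumptions (the write-up does not show where Pluck's binary lives); only the version string `exim-4.84-7` and the fixed version 4.86.2 come from the page.

```python
import re
import stat
from typing import NamedTuple


class FileRecord(NamedTuple):
    path: str
    mode: int   # st_mode as os.stat() reports it
    uid: int    # owner uid (0 = root)


# Setuid-root binaries a stock Debian/Ubuntu host is expected to carry (assumed allowlist).
EXPECTED_SUID_ROOT = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount", "/bin/umount",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
}

# Constructed snapshot standing in for a `find / -perm -4000` sweep; the exim path
# is hypothetical, the write-up does not show where the binary is installed.
SAMPLE_FILES = [
    FileRecord("/usr/bin/passwd", 0o104755, 0),
    FileRecord("/usr/bin/sudo", 0o104755, 0),
    FileRecord("/usr/exim/bin/exim-4.84-7", 0o104755, 0),
    FileRecord("/usr/bin/vim.basic", 0o100755, 0),
    FileRecord("/home/paul/tool", 0o104755, 1001),
]

# CVE-2016-1531 is fixed in Exim 4.86.2; only setuid-root installs are affected.
EXIM_FIXED = (4, 86, 2)
UPSTREAM_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_exim_version(text):
    """Extract the upstream version tuple; a trailing '-N' package revision is ignored."""
    m = UPSTREAM_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def exim_cve_2016_1531_exposed(version_text, setuid_root):
    """True when the binary is setuid root AND older than the fixed release."""
    return setuid_root and parse_exim_version(version_text) < EXIM_FIXED


def unexpected_suid(records):
    """Paths with the setuid bit that are not on the allowlist."""
    return [r.path for r in records
            if r.mode & stat.S_ISUID and r.path not in EXPECTED_SUID_ROOT]


def audit(records):
    """Return (path, reason) pairs for every setuid file that deserves attention."""
    findings = []
    for r in records:
        if not r.mode & stat.S_ISUID:
            continue
        base = r.path.rsplit("/", 1)[-1]
        if base.startswith("exim") and exim_cve_2016_1531_exposed(base, r.uid == 0):
            findings.append((r.path, "CVE-2016-1531: setuid-root exim older than 4.86.2"))
        elif r.path not in EXPECTED_SUID_ROOT:
            findings.append((r.path, "unexpected setuid binary"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_FILES):
        print(path, "->", reason)
```

The version parser deliberately drops the `-7` suffix of `exim-4.84-7`: that is a package revision, not an upstream patch level, so comparing `(4, 84, 0)` against `(4, 86, 2)` gives the right answer, whereas treating `4.86-2` as `4.86.2` would wrongly mark a vulnerable `4.86` build as fixed. The same sweep also surfaces the setuid bit on a user-owned file, which is a finding in its own right even without a known CVE.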


- There is a Local Privilege Escalation exploit related to this vulnerability:





- Copying the script to a new file exim_exploit.sh:







- Transferring exim_exploit.sh from Kali to Pluck, specifically to /tmp folder:








- The transfer is successful, but exim_exploit.sh has no execution permissions:




- Giving execution permissions to exim_exploit.sh:




- Running the script finally we get a remote root shell:




4.2 - Local Privilege Escalation with Dirty Cow Kernel Exploit

- An alternative to the method explained in 4.1 would be to use this exploit:




- Downloading to Kali:




- Transferring to Pluck:







- Compiling:






- Running cowroot we get a remote root shell:







- Apparently cowroot destabilizes the system, so we follow these directions to achieve a more stable shell:









5 - CAPTURING THE FLAG

- Reading flag.txt: