Sat. Oct 24th, 2020

Pentesting Fun Stuff

following the cyber security path…

Pluck

Location

https://download.vulnhub.com/pluck/pluck.ova.zip

Description

It’s the first boot2root from @ryanoberto.
Other than ‘enjoy’ there is not much of a description of the VM.

Getting started

Starting with a Sparta scan.

SSH, HTTP, MySQL and LLMNR.

Several interesting finds with Nikto. I start with the ‘path traversal’ vulnerability and view the ‘/etc/passwd’ file.

So ‘bob’, ‘peter’, ‘paul’ and ‘backup-user’. Both ‘paul’ and ‘backup-user’ have some interesting shells.
When I use the same vulnerability as before I get the content of the ‘backup.sh’ file.

So there is a ‘backup.tar’ file. After downloading the file I extract it to see the content.

After examination I got the keys to Paul’s kingdom.
Like most keys, you need to find the one that fits the lock, and after a few tries the fourth results in this.

‘Pdmenu’… I’ve seen that before. After some toying around I get to the ‘Edit file’ option.
When typing in the name of a file, I can alter that file. But because there is no (or at least poor) input validation, I can concatenate multiple commands.

With this knowledge I use bash to call out to my local machine and create a reverse shell.

A good way to start enumeration is to check which files have the SUID bit set. Whoever executes such a file runs it with the file owner’s permissions, i.e. with the owner’s UID (and GID for SGID) instead of their own. If there’s a vulnerability in one of these programs, I may be able to escalate my privileges.

No clue what ‘/exim/’ is, but after some Google wisdom I can tell it’s a Mail Transfer Agent. And lucky for me… there is an exploit available.
I create a bash file in ‘/tmp/’ and run it to escalate my privilege.
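The SUID check above, turned into an audit script as an added example (not from the original post): list every setuid binary and diff it against a baseline of expected ones, so an outlier such as a mail agent sitting under ‘/exim/’ stands out. The baseline and the sample `find` output are constructed for the example, and the ‘/exim/’ path in it is a placeholder, not the real path from the VM.

```python
import os
import stat
import sys

# Constructed baseline: setuid binaries a stock Debian/Ubuntu-style install
# is expected to carry. Not from the original post; in a real audit capture
# this list from a clean image of the same build.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/chfn",
}

# Constructed sample of what `find / -perm -4000 -type f` might print on the
# target; the '/exim/' entry is a placeholder path, not the real one from the VM.
SAMPLE_FIND_OUTPUT = """\
/bin/su
/bin/mount
/usr/bin/passwd
/usr/bin/sudo
/usr/exim/bin/exim
"""

def is_suid(mode):
    """True when the mode word describes a regular file with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def find_suid(root):
    """Walk `root` without following symlinks and return every setuid regular file."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:  # unreadable or vanished entry: skip it
                continue
            if is_suid(st.st_mode):
                found.append(path)
    return sorted(found)

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return the setuid files not on the baseline: the ones worth a closer look."""
    return sorted(set(p.strip() for p in paths if p.strip()) - set(baseline))

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path in unexpected_suid(find_suid(root)):
        print("unexpected setuid binary:", path)
```

Run it as root on a host you administer to get a complete listing; unreadable directories are skipped rather than reported.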

Now to get the flag.

Conclusion

This was a fun first boot2root from this author. It had some nice features and I can’t wait for the next one. Keep up the good work!!!