In this post we're going to work on a short but still great machine from Vulnhub called Pluck. Let's start!
Our Pluck machine was assigned the IP address 10.0.2.6, so first we have to scan it for open ports. As always, Nmap is our best friend.
Great, we can now check the website running at port 80.
Really simple, but with potential components to exploit, like the admin panel. In addition, we can see that the about page may contain some clues.
Before looking further, let's fire up a Nikto scan. Maybe it will show us the way?
A file traversal vulnerability? Great, we can take a look at the /etc/passwd file.
After looking at the source code we can see it in plain format, not in this... something. What got me interested is the entry for the backup user.
Maybe we can exploit the vulnerability further and view the backup.sh script?
Awesome! We know that backups are available via TFTP, so let's connect and download them.
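As a defender-side aside that is not part of the original write-up: this is how a page-serving endpoint should resolve a user-supplied file name so that the traversal used above cannot reach /etc/passwd or backup.sh. The document root, the page allowlist and the probe strings are constructed for the demo, since the post does not show the site's source or its vulnerable parameter.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed document root and page list for the demo; the real Pluck
# site's layout and its vulnerable parameter are not shown in the post.
DOC_ROOT = Path("/var/www/html")
ALLOWED_PAGES = {"index.html", "about.html", "admin/index.html"}


def resolve_safe_path(user_input: str, root: Path = DOC_ROOT) -> Optional[Path]:
    """Resolve a user-supplied page name against root.

    Returns the absolute path if it stays inside root, otherwise None.
    The check is lexical (normpath), so it stops '..' chains and absolute
    paths; symlinks inside root that point outside would additionally need
    a realpath()-based check against the live filesystem.
    """
    if "\x00" in user_input:          # NUL byte: used to truncate appended suffixes
        return None
    # join() discards root when user_input is absolute; normpath collapses '..'.
    candidate = Path(os.path.normpath(os.path.join(root, user_input)))
    try:
        candidate.relative_to(root)   # raises ValueError if the path escaped root
    except ValueError:
        return None
    return candidate


def is_allowed_page(user_input: str) -> bool:
    """Stricter variant: containment check plus an explicit allowlist."""
    path = resolve_safe_path(user_input)
    if path is None:
        return False
    return path.relative_to(DOC_ROOT).as_posix() in ALLOWED_PAGES


if __name__ == "__main__":
    # Constructed probes in the style of what the Nikto scan above revealed.
    for probe in ["about.html", "../../../../etc/passwd", "/etc/passwd",
                  "admin/../about.html", "about.html\x00.html"]:
        print(f"{probe!r:34} -> {resolve_safe_path(probe)}  "
              f"allowed={is_allowed_page(probe)}")
```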
After unpacking it, I wandered around a few directories, finally finding SSH keys in the /home/paul/keys directory.
Now we have to test which key is valid. After a few moments I found that the working one is id_key4. Remember to set proper permissions!
And now let's log in using SSH.
Hmm... That's a little different from the normal screen you see after logging in.
Here, I decided to perform command injection and try to get a bash shell by typing ;/bin/bash.
We have paul's shell!
Now, the last part - privilege escalation. Let's first see which version of the Linux kernel we're running.
Linux 4.8? DirtyCow should work against this kind of kernel. We will first download it, compile it and hopefully it will give us root.
Amazing, we have the flag!
It was a nice little challenge with a little dose of surprises. Thanks to Ryan Oberto for creating this great challenge, Vulnhub for hosting and Yodak#2187 for joining!
Keep learning and stay safe! ~ W3ndige