Pluck 1 VM Walkthrough
for the Pluck: 1 VM hosted on Vulnhub from Ryan Oberto.
An initial nmap scan pretty much just shows us port 80 for now:
Visiting the site shows a basic set of pages, they’re parameterised but sqlmap doesn’t find anything exciting from that (Even though the Admin login form was interesting, but we’ll come to that later).
Nikto, in the meantime, has found something definitely promising, a path traversal issue:
so let’s check that out by replacing one of those parameterised pages with a path to /etc/passwd:
This works and is useful for enumerating users, but there’s also a very interesting mention of a backup process at the end of the file, so let’s have a look at the shell script it references using the same path traversal:
What we can discern from this is that: 1-lots of possibly useful things are being backed up to a single tarball and 2-this is accessible via tftp (A simple FTP process which doesn’t require authentication). Since we know the location let’s use TFTP to grab it and see what it contains:
untarring it shows there are a few home directories, Paul’s in particular looks interesting as it contains a load of ssh keys, so we can just dump them all in our keys dir for now and see what happens when we ssh in:
(Incidentally, if we move to the html dir and view the code for the site pages, the Admin page earlier that showed a potential SQLi vulnerability was a blatant red herring from the author; who outputs an SQL syntax error string if it detects an attempt at SQLi in the form of a single apostrophe, but doesn’t actually connect to any database or authenticate the password!)
so within the pdmenu we get on sshing in our choices are really limited, moreso than the usual restricted shell we might find ourselves in. We can navigate around a bit and edit files, which doesn’t sound like much, but it calls vim for editing and there’s always a well-known thing to check when you’ve no other choice:
and that gives us a nice TTY shell again!
after enumerating the kernel I did try to use exploit 40762, but unfortunately it wouldn’t work due to non-installed libraries. so after the usual enumeration of suid or writeable files I summoned dirtycow to do the work for me. This would freeze the vm after a few seconds, but it always gave Root and with some quick work I looked in the usual place for the flag: