Pluck 1

This is my writeup for the Pluck VM from vulnhub.com.

Intelligence Gathering

I run my own recon script, which contains nmap and nikto:

[Screenshot: recon script output]

LFI

First I'm interested in the LFI.

[Screenshot: LFI]
In the passwd file we can see:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

So let's check /usr/local/scripts/backup.sh

[Screenshot: backup.sh]
It looks like we have a full backup of /home and /var/www/html in /backups/backup.tar.
Remember that open UDP port 69?

[Screenshot: tftp session]

What is TFTP?

connect __IP__
get backup.tar
quit

Now let's check what's in it:

tar -xf backup.tar

The only interesting thing in /var/www/html is that there's a SQLi trap in admin.php: it never touches a database, it just prints a fake MySQL syntax error whenever the submitted e-mail contains a single quote.

<?php
// Decoy login handler from admin.php: no query is ever executed.
if ($_POST){
echo '
<br><br>
<div class="container">
    <div class="row">
        <div class="col-md-8 col-md-offset-2">

<div class="alert alert-danger" role="alert">';

// A single quote in the e-mail field triggers a canned "SQL error" to bait injection attempts.
if(strpos($_POST['email'], '\'') !== false) {
    echo  "<strong>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1</strong>";
}else{
    echo  "<strong>Incorrect Username or Password!</strong>";
}
}

What's more interesting is that Paul's private keys were backed up as well. This allows us to connect to the machine using ssh.
We test all of the keys until we have a successful login.

ssh paul@__IP__ -i home/paul/keys/id_key4
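The root cause here is a backup job that sweeps up /home, private keys included, and parks the archive where an anonymous TFTP client can fetch it. The following is an added example (not part of the writeup or of the Pluck VM) of the check a defender would run over a backup archive before it is published anywhere: it walks the tar members, flags private key headers and credential-bearing paths, and never extracts anything to disk. The marker list, the path regex, and the sample archive contents are my own assumptions; the archive is constructed in memory so the script runs offline.

```python
import io
import re
import tarfile

# Headers that identify private key material (OpenSSH, PEM/PKCS#8, PuTTY).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"PuTTY-User-Key-File-",
)

# Paths that commonly carry credentials even without a recognisable header
# (assumed list; extend it to match your environment).
SENSITIVE_PATH_RE = re.compile(r"(^|/)(\.ssh/|\.bash_history$|\.netrc$|shadow$|\.env$)")


def audit_backup(archive_bytes):
    """Return [(member_path, reason), ...] for a tar archive supplied as bytes.

    Members are inspected in place via extractfile(); nothing is written to disk.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            if SENSITIVE_PATH_RE.search(member.name):
                findings.append((member.name, "sensitive path"))
            # Key headers sit at the top of the file, so the first 4 KiB is enough.
            head = tar.extractfile(member).read(4096)
            if any(marker in head for marker in PRIVATE_KEY_MARKERS):
                findings.append((member.name, "private key material"))
    return findings


def build_sample_archive():
    """Constructed sample archive shaped like the /home backup in the writeup.

    Contains one private key, its public half, a shell history file and a
    harmless web file. The key body is a placeholder, not real key material.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("home/paul/keys/id_key4",
            b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
        add("home/paul/keys/id_key4.pub", b"ssh-rsa AAAAconstructed paul@pluck\n")
        add("home/paul/.bash_history", b"ls\n")
        add("var/www/html/index.php", b"<?php echo 'hi'; ?>\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in audit_backup(build_sample_archive()):
        print(f"{reason}: {path}")
```

Run against a real archive with `audit_backup(open("backup.tar", "rb").read())`; a non-empty result is a reason to stop the backup from being copied into a TFTP or web-served directory, or to exclude the flagged paths from the job. The public key is deliberately not flagged, since only the private half is a credential.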

pdmenu
https://joeyh.name/code/pdmenu/

Exploitation

The Edit file option uses vi. Let's try to spawn a shell.

[Screenshot: Edit file option in pdmenu]

[Screenshot: spawning a shell from vi]

[Screenshot: shell obtained]

[Screenshot: kernel version]
Oh, kernel version 4.8.0-22-generic. This looks like an opportunity to play with Dirty COW. :)

[Screenshot: root shell]
The exploit indeed worked on first try. Let's now read the flag.

[Screenshot: flag]

Learnings

I improved my recon script, since it initially didn't scan UDP ports at all.
From the nmap man page:

Because UDP scanning is generally slower and more difficult than TCP, some security auditors ignore these ports. This is a mistake, as exploitable UDP services are quite common and attackers certainly don't ignore the whole protocol.
