https://www.vulnhub.com/entry/pluck-1,178/
This is my first so be gentle.
After boot up I ran Zenmap
Browsing around the website we see that the URL looks interesting:
index.php?page=about.php
I tried SQL map as the port 3306 was opened during the scan but that did not work. I then tried to read files since it showed the .php in the url.
That resulted in some interesting info:
index.php?page=../../../../etc/passwd
I tried the etc/shadow file but that did not show as I am sure permissions were denied. Looking through the passwd file I noticed:
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
in viewing that script:
index.php?page=../../../../usr/local/scripts/backup.sh
Interesting : /backups/backup.tar
A little: curl index.php?page=../../../..//backups/backup.tar > backup.tar
it errors out at the 6 gig mark (GULP) and the file is corrupt but with some luck we can get something
cpio -ivd -H tar < backup.tar
This gave me some nice home directories. In the Paul home directory there is a folder called keys:
I started trying them all and hit pay-dirt with id_key4
ssh -i id_key4 paul@192.xxx.xxx.xxx
What is this???
I started messing around and looking at files. Looking at the admin.php file resulted in that whole vector not really doing anything. It is just a way to waste time:
Now to try to get a reverse shell so I can get a console. Using this Pdmenu I tried creating files as it use VIM. Looks like Paul does not have write access to /var/www/html. But he does to /home/paul/
lets use this Pdmenu to create a test file in his home directory then see if our site can view it. I create /home/paul/test.php that contained
<?php
phpinfo();
?>
Saved it and tried to reach it and:
index.php?page=../../../../home/paul/test.php
After messing around and learning about Pdmenu I found the config file in /home/paul/.pdmenurc
Using the menu I was able to edit the file and add my own bash shell
Now exit VIM and Pdmenu and reconnect to SSH
and pick bash
After playing around a bit I could not find anything. So I ran http://pentestmonkey.net/tools/unix-privesc-check
This gave a tone of info, but right at the top:
WARNING: /etc/cron.weekly/man-db is run by cron as root. /etc/cron.weekly/man-db contains the string /proc/self/status. The user paul can write to /proc/self/status
This sounds like something I have worked with before…. a quick google search “proc self status linux exploit” and there it was Dirty Cow.
https://www.exploit-db.com/exploits/40616/
download, compile, run…
This was fun. Thank you