Vulnhub

Pluck

keith / March 13, 2017

https://www.vulnhub.com/entry/pluck-1,178/

This is my first so be gentle.

After boot-up I ran Zenmap:

Browsing around the website we see that the URL looks interesting:

index.php?page=about.php

I tried sqlmap, as port 3306 was open in the scan, but that did not work. I then tried to read files, since the URL showed the .php.

That resulted in some interesting info:

index.php?page=../../../../etc/passwd

I tried /etc/shadow but that did not show, as I am sure permission was denied. Looking through the passwd file I noticed:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Viewing that script:

index.php?page=../../../../usr/local/scripts/backup.sh

Interesting: /backups/backup.tar

A little curl:

curl index.php?page=../../../..//backups/backup.tar > backup.tar

It errors out at the 6 gig mark (gulp) and the file is corrupt, but with some luck we can get something out of it:

cpio -ivd -H tar <  backup.tar

This gave me some nice home directories. In Paul's home directory there is a folder called keys:

I started trying them all and hit pay dirt with id_key4:

ssh -i id_key4 paul@192.xxx.xxx.xxx

What is this???

I started messing around and looking at files. Looking at the admin.php file showed that whole vector does not really do anything. It is just a way to waste time:

Now to try to get a reverse shell so I can get a console. Using this Pdmenu I tried creating files, as it uses VIM. Looks like Paul does not have write access to /var/www/html, but he does to /home/paul/.

Let's use Pdmenu to create a test file in his home directory, then see if the site can view it. I created /home/paul/test.php containing:

<?php
phpinfo();
?>

Saved it and tried to reach it:

index.php?page=../../../../home/paul/test.php
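Why both the earlier /etc/passwd read and this test.php execution work comes down to one line of PHP. Below is an added example, not the Pluck VM's own code, showing the include() pattern the ?page= parameter abuses beside a hardened version (the PAGES allowlist and the pages/ directory are assumptions for illustration).

```php
<?php
// Added example, not code from the Pluck VM: the include() pattern the
// ?page= parameter exploits in this walkthrough, beside a hardened version.

// Vulnerable form. The parameter goes straight into include(), so
// ../../../../etc/passwd is read and a .php file in a user-writable
// directory such as /home/paul/ is executed as the web server user.
function includePageUnsafe(string $page): void
{
    include $page;
}

// Hardened form. Short keys map to files under a fixed directory, so a
// request can only select a page the application already knows about.
// (PAGES and the pages/ directory are assumed names for this example.)
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolvePage(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;  // unknown key: refuse rather than guess a filename
    }
    // realpath() resolves symlinks and '..'; the prefix check confirms the
    // result is still inside $baseDir (defence in depth over the allowlist).
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . PAGES[$page]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(string $page): void
{
    $path = resolvePage($page, __DIR__ . '/pages');
    if ($path === null) {
        http_response_code(404);
        exit('Page not found');
    }
    include $path;
}

// 'home' is the default; anything not in PAGES gets a 404, so
// ?page=../../../../etc/passwd never reaches include().
includePageSafe((string) ($_GET['page'] ?? 'home'));
```

On a box like this one, the same check also stops the test.php trick, because a path under /home/paul/ is never a PAGES key.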

After messing around and learning about Pdmenu I found the config file in /home/paul/.pdmenurc

Using the menu I was able to edit the file and add my own bash shell.

Now exit VIM and Pdmenu, reconnect to SSH, and pick bash.

After playing around a bit I could not find anything, so I ran unix-privesc-check from http://pentestmonkey.net/tools/unix-privesc-check

This gave a ton of info, but right at the top:

WARNING: /etc/cron.weekly/man-db is run by cron as root. /etc/cron.weekly/man-db contains the string /proc/self/status. The user paul can write to /proc/self/status

This sounds like something I have worked with before... a quick Google search for “proc self status linux exploit” and there it was: Dirty Cow.

https://www.exploit-db.com/exploits/40616/

download, compile, run…

This was fun. Thank you.
