"Pluck" is a new boot2root-style VM. You just need to launch the VM and... get root! Note that you can find this VM on Vulnhub.
Scan all the ports!
Let’s have a look at the HTTP service.
Oh, "?page=about.php"? Why not try a local file inclusion? With something like... /etc/passwd?
It works! For more visibility (and fun), we can exploit the LFI with a simple Python script that uses the PHP "filter" wrapper to base64-encode the output (the script decodes it).
We can see something unusual at the end of the file: "backups easier,,,:/backups:/usr/local/scripts/backup.sh", a "backups" user whose login shell is a backup script. To get the content of that script, just modify the "file_lfi" variable in the Python script:
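The LFI through the "?page=" parameter and the php://filter trick above leave a recognisable trail in the web server's access log. As an added example (not from the original write-up), here is a small Python scanner over constructed Apache-style log lines that flags include-parameter values carrying a stream wrapper, a path traversal or an absolute path into a sensitive directory; the log lines and the list of sensitive directories are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache-style access-log lines (sample data, not from the write-up).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1531
192.0.2.10 - - [10/Mar/2017:10:00:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2104
192.0.2.10 - - [10/Mar/2017:10:00:15 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2840
192.0.2.10 - - [10/Mar/2017:10:00:20 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2104
192.0.2.11 - - [10/Mar/2017:10:01:00 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 1200
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Indicators that an include-style parameter is being abused.
SCHEME_RE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)        # php://filter, file://, ...
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')                   # ../ segments
# Directories a legitimate "page" value should never point into (assumed list).
SENSITIVE_RE = re.compile(r'^/(etc|proc|root|home|backups|var/log)(/|$)')


def classify_page_param(value):
    """Return the reasons a 'page' value looks like LFI abuse (empty list if benign)."""
    decoded = unquote(unquote(value))  # two rounds so double-encoded traversal is caught
    reasons = []
    if SCHEME_RE.search(decoded):
        reasons.append("stream wrapper")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("absolute path to sensitive directory")
    return reasons


def scan_access_log(text, param="page"):
    """Return (client_ip, decoded_value, reasons) for each request carrying an LFI indicator."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs already applies one round of percent-decoding.
        query = parse_qs(urlparse(match.group(1)).query, keep_blank_values=True)
        for value in query.get(param, []):
            reasons = classify_page_param(value)
            if reasons:
                hits.append((line.split(" ", 1)[0], value, reasons))
    return hits


if __name__ == "__main__":
    for ip, value, reasons in scan_access_log(SAMPLE_LOG):
        print(f"{ip} page={value!r}: {', '.join(reasons)}")
```

Beyond flagging requests, the same check belongs in the application itself: an include parameter should be matched against an allow-list of page names rather than passed to include() as a path.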
Two directories (/home and /var/www/html) are backed up into the file /backups/backup.tar. Let's grab it (uncomment the last lines in the Python script to write it where you want).
Wow, many id_key files! And an SSH server is up 🙂 Trying all the keys, only id_key4 seems to work!
Oops, bad perms! Fix them!
W00t! Connected... but stuck in a pdmenu :/
Escape PDMENU / Reverse shell access
With this menu, we can list/browse directories, modify files (if we have permissions, of course), browse with lynx, ping, or establish a telnet connection. Every time I see a prompt that allows a ping command, I think "Command Injection" :-). Here we go:
Reverse shell time! Set up a listener on port 8081 and inject the following payload:
Gaining root access / Privilege escalation
How to get root? What's the kernel? What's the OS?
What about Dirtyc0w?
Pluck seems to be vulnerable! Exploit!
Got root 😉