We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/pluck] └─$ cat nmap.nmap # Nmap 7.91 scan initiated Thu May 27 09:53:42 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.187 Nmap scan report for 172.16.139.187 Host is up (0.00019s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA) | 256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA) |_ 256 18:98:5a:5a:5c:59:e1:25:70:1c:37:1a:f2:c7:26:fe (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Pluck 3306/tcp open mysql MySQL (unauthorized) 5355/tcp open llmnr? Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Thu May 27 09:56:10 2021 -- 1 IP address (1 host up) scanned in 148.17 seconds
We have our scan result 22,80,3306 and 5355 we know the the web server is running apache let try accessing it to see what we have in the home page.
Seems we have some pages let click on
admin page we have login page trying some default credentials also i try some sql injection but we have no luck.
Let try to check other pages.
Now the page parameter look like it vulnerable to LFI let give it a shot.
It vulnerable to LFI cool we can view in page source to see the passwd file in order.
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh seems cool let try to read it with the LFI.
We know the script is backing up directories of the home folders with files to the backups directory so we can get it via tftp.
What Is TFTP??
Trivial File Transfer Protocol is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network.
Now let get the backup file on the tftp client.
We extract the tar file and we have the home directory so i decide to go through it but the user paul folder have some interesting files in it.
SSH private keys checking the size i was able to know the real SSH key now let SSH into the machine with user paul.
But we are stuck in Pdmenu screen.
What Is Pdmenu??
Pdmenu is a full screen menuing system for Unix. It is designed to be easy to use, and is suitable as a login shell for inexperienced users, or it can just be ran at the command line as a handy menu. … It was developed on Linux, and has now been compiled on many other unixes without problems.
Let try to escape it.
Now let type in anything for the filename and hit enter.
And we have vim now let type.
:set shell=/bin/sh :shell
Hitting enter give us a shell.
linpeas.sh on the target now let run it.
Seems we have what to abuse to give us root shell with some little research i found the exploit.
Now let get the exploit to the target and run it.
we have root after running the exploit and we are done.
Greeting From Muzec