rootđź’€muzec-sec:~#

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/pluck]
└─$ cat nmap.nmap  
# Nmap 7.91 scan initiated Thu May 27 09:53:42 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.187
Nmap scan report for 172.16.139.187
Host is up (0.00019s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|   256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
|_  256 18:98:5a:5a:5c:59:e1:25:70:1c:37:1a:f2:c7:26:fe (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  llmnr?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 27 09:56:10 2021 -- 1 IP address (1 host up) scanned in 148.17 seconds

We have our scan result 22,80,3306 and 5355 we know the the web server is running apache let try accessing it to see what we have in the home page.

image

Seems we have some pages let click on admin page we have login page trying some default credentials also i try some sql injection but we have no luck.

image

Let try to check other pages.

image

Now the page parameter look like it vulnerable to LFI let give it a shot.

image

It vulnerable to LFI cool we can view in page source to see the passwd file in order.

image

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh seems cool let try to read it with the LFI.

image

We know the script is backing up directories of the home folders with files to the backups directory so we can get it via tftp.

What Is TFTP??

Trivial File Transfer Protocol is a simple lockstep File Transfer Protocol which allows a client to get a file from or put a file onto a remote host. One of its primary uses is in the early stages of nodes booting from a local area network.

Now let get the backup file on the tftp client.

image

We extract the tar file and we have the home directory so i decide to go through it but the user paul folder have some interesting files in it.

image

SSH private keys checking the size i was able to know the real SSH key now let SSH into the machine with user paul.

image

But we are stuck in Pdmenu screen.

What Is Pdmenu??

Pdmenu is a full screen menuing system for Unix. It is designed to be easy to use, and is suitable as a login shell for inexperienced users, or it can just be ran at the command line as a handy menu. … It was developed on Linux, and has now been compiled on many other unixes without problems.

Let try to escape it.

Edit file

image

Now let type in anything for the filename and hit enter.

image

And we have vim now let type.

:set shell=/bin/sh
:shell 

Hitting enter give us a shell.

image

Privilege Escalation

image

I transfer linpeas.sh on the target now let run it.

image

Seems we have what to abuse to give us root shell with some little research i found the exploit.

image

Now let get the exploit to the target and run it.

image

we have root after running the exploit and we are done.

Greeting From Muzec



Back To Home