Pluck: 1 Walkthrough

Yesterday, a VM was published on Vulnhub called Pluck: 1. You can get that here. This was a pretty interesting VM, as you shall soon see.

Quick run-down:

  1. Enumeration
  2. Get ass kicked
  3. Exploitation
  4. Read flag

Exploits used:

  1. DirtyCow

The author of the VM had done us a favor by showing the IP address the VM gets once booted. The only thing to do was immediately start scanning and see what we get!

Sweet. The only interesting thing at the moment for me is port 80.

After poking around a bit, I had nothing interesting stand out. I fired up dirb to run in the background while I continued to search around for anything interesting. In the About section, it went to great detail on the definitions for pluck. It’s a good thing that I had read through that because I had no idea what pluck was. So if you have a need to know what pluck is, reach me through Twitter or email and I will let  you know what pluck is 😉

Running the site through Nikto, it had mentioned a very interesting vulnerability.

An LFI?! Does it woik?!?!

Indeed it does 🙂

At this point, two things pop up almost immediately to me. The first thing is if you pay attention to the output of /etc/passwd, we have an interesting file path.

The second thing is LFI’s can always lead to juicy information if you know the path of a file you are looking for. I checked out the file in the browser but it was garbled and hardly readable, but I took note of it anyhow.

Thanks to a good friend of mine, he was able to give me a pretty decent sized list of all types of possible file paths. So using those, I created a script to check for each path and see if it can grab anything for it using requests and BeautifulSoup. You can check it out below:

The output was MUCH better than seeing it in the browser, so it was much more readable getting it from the script rather than seeing it in the browser. It was also much easier than checking manually through the browser, than viewing the page source. All in all, this was a great solution to the problem.

Back to the interesting file path we found in the /etc/passwd file, we get this:

So we get two folders in a single tar. This part was what took me the longest because I can be retarded at times. Here are the mistakes I had done that took me a while:

  1. I checked /backups/backup.tar in the LFI. Saw very interesting output which included RSA and DSA keys. So what did I do? I went on a wild goose chase trying to grab it. Then I had a brilliant idea…or so I thought…
  2. I used wget to try and get that. The gigs had piled it and they were piling up quickly. 1gb, 3gbs, 5gbs, and finally at 6gbs, it would crash. So I had another brilliant idea…Since I now have a somewhat backup, let me hexdump and pull keys out. So I spent a good amount of time using awk, sed to grab the files. Finally grabbed keys, and none of them worked.
  3. Refer to my previous statement of, “I can be retarded at times”

Anyways, it dawned on me…

So I gave it a shot with tftp and VOILA! It worked. So all that craziness I was doing was such a waste of time!

After unzipping, there was home and var. What stood out to me where the keys I was trying to extract earlier only this time, they are there ready to be touched and felt on.

All the keys were wanting some sort of password or passphrase until I got to id_key4. It had stated that it had an unprotected private key file. To fix that, I had changed the permissions of the file to 600. Trying again, it gave me access to…whatever type of shell this was:

So this was a pretty interesting shell that I have ever seen. Tried several ways of getting an actual shell and had failed but what caught my eye was editing files. It was in Vim. My arch nemesis. The only editor I use where I restart the computer to get out of it, BUT!!! I was able get out of this by issuing these commands in the editor:

After doing so, I was presented with a shell!

Escalation time!!

After I had seen that, i had used the Dirty Cow exploit just to see if it would work, and guess what? It did!



Leave a Reply

Your email address will not be published. Required fields are marked *