Pluck

I have returned!  Now that I’ve finally gotten the OSCP, I can start doing writeups again.  And as luck would have it, Vulnhub has a bunch of new VM’s for us to root.

 

Today’s victim: Pluck

To start things off, let’s run an nmap scan against the target (This VM lets you know what the assigned IP address is above the login prompt):

 

The most interesting thing here is the http port.  Let’s have a look:

We’re presented with an index page containing the title of the VM.  There isn’t really too much interesting going on in the different pages, so I decide to run wfuzz against it to see if there’s anything hiding:

 

I head over to images and find a “rubber-duck.jpg” file, run steghide and exiftool against it to no avail.  I then move on to a Nikto scan:

The first thing that catches my eye is the LFI, so I run it in the browser:

Cool!  It works!  Let’s clean this up a bit:

 

So now we’ve got a several users: root, bob, peter, paul, and (The most interesting of them) backup-user.  The backup user has a full path to a script in the passwd file, let’s see if we can grab it with the LFI:

Let’s make this one pretty to look at too:

 

A few things to note here: The mention of tftp, the path to the backup.tar file, and what the contents of that tar file are. So let’s try to tftp to the server and download that backup.tar:

Awesome!  We’ve got the backup.  Going through the backup we notice a couple of interesting things:

 

It looks like bob has sudo privs and paul has a bunch of public/private ssh keys.  Since we’ve got no way to access bob’s account for the moment, our only other option is to try to log into paul with the key’s we’ve got. After we “chmod 700” the files in this dir, we finally get in with id_key4 using the following command:

 

As a result we’re presented with the following:

I’ve never seen this before, but immediately, “Edit file” catches my eye.  That has the potential to give us an escape. Let’s open a file and give it a shot:

After trying the traditional shell escapes, I stumble upon this website.  I learn here that you can find out the currently set shell for Vi/Vim and set it to something else, as demonstrated here:

And we’ve got low priv shell on the paul account!  Now, since several of my friends got to this machine before I did, I saw a bunch of mentions of dirtycow in chat.  So I figured I’d give it a try:

Now that the exploit is compiled, let’s run it:

Annnnd it worked.  I guess this is a good lesson in “Try the easy exploits first”.  Now that we have root, let’s grab the flag and finish out this VM!

Game over.