A WALK THRU PLUCK
The VM is kind enough to show its IP on the login screen...
...so there's no need for host discovery and we can get right down to business with some recon:
It looks like a standard SSH on port 22 (connecting to it provides no hints), a web server on port 80, a MySQL server on 3306 and an unknown service running on port 5355.
Connecting to the latter with nc shows no results; it may be a decoy.
So let's see what's on the web server... After checking the different pages I run sqlmap on contact.php (no joy), but I get my hopes up when I see this:
After running sqlmap several times with different settings I gave up.
I then remembered that I got so excited that I didn't run dirsearch.py... and nikto... Bingo!
So it looks like directory traversal is possible... let's get /etc/passwd...
...and let's see what users are present on the target box:
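The traversal above comes from the classic pattern of joining a user-supplied page name onto a document root without checking where the result lands. Below is an added illustration (not code from the Pluck VM or from this post) of that naive join next to a hardened resolver; the document root path is an assumption chosen for the demo.

```python
import os
from typing import Dict, Optional, Tuple

# Constructed document root for the demo (assumption: the app serves pages from here).
DOC_ROOT = "/var/www/html/pages"


def resolve_vulnerable(doc_root: str, page: str) -> str:
    """Naive join, the pattern behind the traversal: '..' segments and absolute
    paths both escape doc_root, so page=../../../../etc/passwd serves /etc/passwd."""
    return os.path.normpath(os.path.join(doc_root, page))


def resolve_safe(doc_root: str, page: str) -> Optional[str]:
    """Return the path to serve only if it lies inside doc_root, else None.

    Purely lexical: normpath collapses '.' and '..', commonpath compares whole
    components (so /var/www/html/pages2 is not mistaken for a child of
    /var/www/html/pages, as a plain startswith() check would be).  Symlinks
    inside doc_root are not followed here; pair this with os.path.realpath on
    the opened file if the root may contain links pointing outside it.
    """
    if "\x00" in page:          # embedded NUL bytes never belong in a file name
        return None
    root = os.path.normpath(doc_root)
    candidate = os.path.normpath(os.path.join(root, page))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run both resolvers over a benign request and three escaping ones."""
    requests = ["about.php", "../../../../etc/passwd", "/etc/passwd", "../pages2/x.php"]
    return {r: (resolve_vulnerable(DOC_ROOT, r), resolve_safe(DOC_ROOT, r)) for r in requests}


if __name__ == "__main__":
    for req, (vuln, safe) in demo().items():
        print(f"{req!r:28} naive -> {vuln:32} hardened -> {safe}")
```

The hardened version rejects the request rather than "cleaning" it: stripping `../` from input is bypassable, whereas comparing the normalized result against the root is not.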
Interesting: there is a "back-user" which runs /usr/local/script/backup.sh, so I fetch it:
So now there's a tar file under /backups that collects /home/* and /var/www/html; I download that too:
The download seems to go on forever, so I interrupt it for fear of maxing out my VM's memory; nonetheless the file appears to be uncorrupted and I can extract it:
After extraction I have access to the various /home/* dirs and, under Paul's, there's a folder named keys which contains 6 pairs of SSH keys.
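The real weakness here is a backup job that sweeps private keys out of home directories into an archive the web server can hand out. A defender's counterpart is to audit backup archives for credential material before they are stored. The script below is an added example, not part of this post or the VM: it builds a small constructed tarball in memory (member names and key contents are made up) and scans it for private-key headers and credential-like file names.

```python
import io
import re
import tarfile
from typing import Dict, List

# PEM/OpenSSH private keys all start with a header of this shape.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# File names that usually hold credentials, even when the content check misses.
SUSPECT_NAME_RE = re.compile(r"(^|/)(id_[a-z0-9_]+|\.ssh/.*|.*\.pem|.*\.key)$")


def _add_member(tar: tarfile.TarFile, name: str, data: bytes, mode: int = 0o644) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(data)
    info.mode = mode
    tar.addfile(info, io.BytesIO(data))


def build_sample_archive() -> bytes:
    """Constructed stand-in for a backup.tar.gz: one private key, its public
    half and an ordinary web file.  The key material is a placeholder string."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add_member(tar, "home/paul/keys/id_key4",
                    b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                    b"CONSTRUCTED-PLACEHOLDER-KEY-MATERIAL\n"
                    b"-----END OPENSSH PRIVATE KEY-----\n", mode=0o600)
        _add_member(tar, "home/paul/keys/id_key4.pub",
                    b"ssh-ed25519 AAAAC3constructed paul@example\n")
        _add_member(tar, "var/www/html/index.php", b"<?php echo 'hello'; ?>\n")
    return buf.getvalue()


def audit_backup(tar_bytes: bytes) -> List[Dict[str, object]]:
    """Return one finding per regular file that looks like credential material.

    Only the first 4 KiB of each member is read, which is enough to catch a
    key header without extracting the whole archive to disk.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            head = tar.extractfile(member).read(4096)
            reasons = []
            if PRIVATE_KEY_RE.search(head):
                reasons.append("private key header")
            if SUSPECT_NAME_RE.search(member.name):
                reasons.append("credential-like name")
            if reasons:
                findings.append({"name": member.name, "mode": oct(member.mode), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_backup(build_sample_archive()):
        print(f"{f['name']} ({f['mode']}): {', '.join(f['reasons'])}")
```

Run this against a real archive by replacing `build_sample_archive()` with the bytes of the file; a non-empty result means the backup should be excluded from any web-reachable location, or the key paths added to the backup job's exclude list.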
Trying them all...
...until on id_key4 I get in...
...or so it would appear: I am greeted with a program called Pdmenu, which gives me the chance to run a few commands on the machine.
It reminds me of a restricted bash, at least in the way I am going to escape it.
I manage to get a shell as paul:
One of the first things I do is check the source of admin.php to see what's up with that... it was a troll! :(
I start looking around and find /var/www/html/images/rubber-duck.jpg, which is owned by user bob and on which I spend (waste) a lot of time and thought believing it was the next step.
After running out of options, however, I move on and search for files with the setuid bit set (mode 4000):
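The same setuid sweep is a routine host-hardening check: enumerate every setuid executable and compare the list with a known-good baseline, so that a stray privileged binary stands out before anyone else finds it. The script below is an added example (not from this post or the VM); its `demo()` builds a scratch directory with one setuid file and a made-up baseline, so it runs without root and without touching the real system.

```python
import os
import stat
import tempfile
from typing import Dict, Iterable, List, Set


def find_setuid(roots: Iterable[str]) -> Dict[str, str]:
    """Walk the given trees and return {path: "uid=.. mode=..."} for every
    regular file with the setuid bit set.  lstat() is used so symlinks are
    reported only if their targets are reached on their own."""
    found: Dict[str, str] = {}
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for fn in filenames:
                path = os.path.join(dirpath, fn)
                try:
                    st = os.lstat(path)
                except OSError:          # vanished or unreadable entry: skip it
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found[path] = f"uid={st.st_uid} mode={stat.S_IMODE(st.st_mode):04o}"
    return found


def diff_against_baseline(current: Dict[str, str], baseline: Set[str]) -> Dict[str, List[str]]:
    """Anything setuid that the baseline does not list is 'unexpected'; anything
    the baseline lists that is no longer setuid is 'missing' (tampering cuts both ways)."""
    return {
        "unexpected": sorted(set(current) - baseline),
        "missing": sorted(baseline - set(current)),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temporary tree holding one setuid binary and one
    ordinary one, checked against a baseline that expects a different file."""
    with tempfile.TemporaryDirectory() as d:
        suid_path = os.path.join(d, "surprise-helper")
        plain_path = os.path.join(d, "plain-helper")
        for p in (suid_path, plain_path):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(suid_path, 0o4755)      # set the bit after writing; writing later would clear it
        os.chmod(plain_path, 0o755)
        current = find_setuid([d])
        baseline = {os.path.join(d, "expected-helper")}   # constructed baseline
        report = diff_against_baseline(current, baseline)
        return {
            "found": sorted(os.path.basename(p) for p in current),
            "unexpected": [os.path.basename(p) for p in report["unexpected"]],
            "missing": [os.path.basename(p) for p in report["missing"]],
        }


if __name__ == "__main__":
    # On a real host: find_setuid(["/usr", "/bin", "/sbin", "/opt"]) against a stored baseline.
    print(demo())
```

Store the baseline from a freshly installed host and re-run the scan on a schedule or from a file-integrity tool; a new entry under "unexpected" is the signal that deserves a look.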
The presence of a program named exim-4.84-7 is striking. I searchsploit for any known vulnerabilities and get this:
Among the results I identify one that applies, though not entirely, so I tweak it a little to fit the environment:
...it seems to work :) I can now spawn a reverse shell:
I start a netcat listener and grab the flag! VICTORY :P
Great and fun challenge, so thanks to Ryan Oberto and VulnHub.com!!!
Happy rooting by Shell0ck :)