
A WALK THRU PLUCK


The VM is kind enough to show its IP in the login screen...

...so there is no need for host discovery and we can get right down to business with some recon:

It looks like a standard SSH on port 22 (connecting to it provides no hints), a web server on port 80, a MySQL server on 3306 and an unknown service running on port 5355.
Connecting to the latter with nc shows no results; it is maybe a decoy.
So let's see what's on the web server... After checking the different pages I run sqlmap on contact.php (no joy), but I get my hopes high when I see this:

After running several instances of sqlmap with different settings, I gave in.
[image: SqlMap]

I then remembered that I had got so excited that I hadn't run dirsearch.py... and nikto... Bingo!
[image: NiktoLog]

So it looks like directory traversal is possible... let's get passwd...
[image: catPasswd]
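The write-up does not show how the traversal was found or what the vulnerable request looked like, so here is an added detection example (not from the original post) that scans web-server access log lines for traversal attempts like the one above, including percent-encoded and double-encoded variants; the `page` parameter, addresses and log lines are all constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (parameter name and hosts are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2017:12:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2017:12:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1847 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2017:12:00:03 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1847 "-" "curl/7.52.1"
10.0.0.9 - - [10/Mar/2017:12:00:05 +0000] "GET /index.php?page=....//....//etc/passwd HTTP/1.1" 200 1847 "-" "python-requests/2.12"
10.0.0.9 - - [10/Mar/2017:12:00:06 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "python-requests/2.12"
"""

# Fields of the combined log format we need: client, timestamp, method, target, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
DOTDOT_RE = re.compile(r"\.\.(/|$)")
# Files typically read first through a traversal; /etc/passwd is the one used in the post.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ")


def normalise(target: str) -> str:
    """Percent-decode until stable (catches double encoding) and unify path separators."""
    decoded, nxt = target, unquote(target)
    while nxt != decoded:
        decoded, nxt = nxt, unquote(nxt)
    return decoded.replace("\\", "/")


def classify(target: str) -> list:
    """Return the reasons a request target looks like a traversal attempt (empty if clean)."""
    norm = normalise(target)
    reasons = []
    if DOTDOT_RE.search(norm):  # "....//" still contains "../" after decoding, so it is caught too
        reasons.append("dot-dot segment")
    if any(path in norm for path in SENSITIVE):
        reasons.append("sensitive file path")
    return reasons


def scan_log(text: str) -> list:
    """Parse each log line and collect the requests that classify() flags."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["target"])
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reasons": reasons})
    return hits
```

Flagged requests that returned 200 with a body size matching the size of /etc/passwd are the ones worth treating as a confirmed read rather than a blocked probe.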

...and let's see what users are present on the target box:
[image: allusers]

Interesting: there is a "back-user" which runs /usr/local/script/backup.sh, so I fetch that:
[image: ShScripts]

So now there is a tar file under /backups which gathers /home/* and /var/www/html; I download that too:
The download seems to go on forever, so I interrupt it for fear of maxing out my VM's memory; nonetheless the file appears to be uncorrupted and I can extract it:
[image: Hint2]

After extraction I have access to the various /home/* dirs and, under Paul's, there is a folder named keys which contains 6 pairs of SSH keys.
Trying them all...
[image: Step1]

...until with id_key4 I get in...
[image: Screen]
...or so it would appear: I am greeted with a program called Pdmenu, which offers a menu of commands to run on the machine.
It reminds me of a restricted bash, at least in the way I am going to escape it.


[image: Escape1]

[image: Escape2]

[image: Escape3]

I manage to get a shell as paul:
[image: Step2]

One of the first things I do is check the source of admin.php to see what's up with that... it was a troll! :(
[image: troll]

I start looking around and find /var/www/html/images/rubber-duck.jpg, which is owned by user bob and on which I spend (waste) a lot of time and thought in the belief that it is the next step.
After running out of options, however, I move on and search for files with the setuid bit (4000):
[image: foundVuln]

The presence of a program named exim-4.84-7 is striking. I run searchsploit for any known vulnerabilities and get this:
[image: searchsploit]

Amongst the results I identify one that is applicable, even if not entirely, so I change it a little to fit the environment:
[image: exploit]

...it seems to work :) I can now spawn a reverse shell:
[image: sendshell]

I start a netcat listener and grab the flag! VICTORY :P
[image: final]
A great and fun challenge, so thanks to Ryan Oberto and VulnHub.com!!!

Happy rooting by Shell0ck :)