About Release
- Name: pluck: 1
- Release date: 11 Mar 2017
- Author: Ryan Oberto
- Series: pluck
Recognition
After booting the victim machine and our Kali box, we try to identify the IP of our target with arp-scan.
sudo arp-scan -I eth0 --localnet --ignoredups
The output shows that the victim machine is up, and that we are facing a Linux system, since the TTL is 64, which corresponds to Linux operating systems.
Now we run an nmap scan to see which services the victim machine is running.
nmap -p- --open -sSV -n -Pn 192.168.128.137
Port 80 is open, so let's check the website:
In the URL, the ?page= parameter points to different PHP files. Playing with PHP wrappers, we see that it is vulnerable to file inclusion and we can see commands.
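The ?page= inclusion above is the kind of thing a defender wants to catch in the web server's access log and remove from the application. The following script is an added example, not code from the original writeup or from the pluck VM: it parses a few constructed access-log lines (not real traffic), flags page= values that carry directory traversal or PHP stream wrappers (including URL-encoded variants), and shows the allowlist lookup that replaces a raw include of user input. The log format, parameter name and page names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (common log format); not taken from the page.
SAMPLE_LOG = """\
192.168.128.1 - - [11/Mar/2017:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1532
192.168.128.1 - - [11/Mar/2017:10:00:05 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2201
192.168.128.1 - - [11/Mar/2017:10:00:09 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 4810
192.168.128.1 - - [11/Mar/2017:10:00:12 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2201
192.168.128.1 - - [11/Mar/2017:10:00:15 +0000] "GET /index.php?page=contact.php HTTP/1.1" 200 1120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# PHP stream wrappers and other schemes that should never appear in an include path.
WRAPPER_RE = re.compile(r'^(php|data|expect|file|phar|zip|glob|ftp|https?):', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%252e%252e) are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_value(value):
    """Return 'wrapper', 'traversal' or None for one page= value."""
    v = decode_fully(value).replace("\\", "/")
    if WRAPPER_RE.match(v):
        return "wrapper"
    if "../" in v or v.startswith("/") or "\x00" in v:
        return "traversal"
    return None


def scan_access_log(text, param="page"):
    """Return a finding dict for every request whose page= value looks like inclusion abuse."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs already performs one level of URL decoding on the values
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in qs.get(param, []):
            kind = classify_page_value(value)
            if kind:
                findings.append({
                    "ip": m.group("ip"), "ts": m.group("ts"), "kind": kind,
                    "value": value, "status": int(m.group("status")),
                })
    return findings


# Hardened dispatch: the request selects a short name, the server chooses the file.
ALLOWED_PAGES = {"about": "about.php", "contact": "contact.php"}  # assumed page names


def resolve_page(requested, allowed=ALLOWED_PAGES):
    """Map a requested page name to a fixed file; anything not in the allowlist yields None."""
    return allowed.get(requested)


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['kind']:9} page={f['value']} status={f['status']}")
```

A 200 status on a traversal or wrapper request (as in the constructed lines above) is the signal worth alerting on: it means the include actually served the file rather than failing.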
In /etc/passwd we find the backup user and take a look at its bash script.
We try to fetch backup.tar via TFTP.
We extract it and find paul's public and private SSH keys.
With these keys we try to log in as paul via SSH.
The right private key should not ask for a password, and we find that key 4 does not ask for one.
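The key that logged in without a password is the weak point here: a private key sitting in a backup with no passphrase gives anyone who obtains the archive a login. The script below is an added example, not code from the original writeup, for auditing a set of private keys and reporting which are not passphrase-protected. It reads the real header conventions (PKCS#8 "ENCRYPTED PRIVATE KEY", the legacy PEM Proc-Type/DEK-Info headers, and the cipher field of the openssh-key-v1 binary format), but the sample keys are constructed header-only stubs, not usable keys, and the key names are assumptions.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b):
    # OpenSSH wire string: 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(b)) + b


def _read_string(buf, offset):
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + length], offset + 4 + length


def key_is_passphrase_protected(pem_text):
    """True if the private key text is encrypted with a passphrase, False if it is plaintext."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # layout: magic, string ciphername, string kdfname, string kdfoptions, uint32 nkeys, ...
        cipher, _ = _read_string(body, len(OPENSSH_MAGIC))
        return cipher != b"none"
    # legacy PEM (RSA/DSA/EC): encrypted keys carry Proc-Type: 4,ENCRYPTED and DEK-Info
    return any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)


def audit_keys(keys):
    """Return the names of keys that are NOT passphrase-protected."""
    return [name for name, text in keys.items() if not key_is_passphrase_protected(text)]


def build_openssh_stub(cipher, kdf):
    # Constructed header-only stub in openssh-key-v1 layout. It is NOT a usable key;
    # it exists only so the header check above has something realistic to parse.
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples (bodies omitted; only the headers matter to this check).
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

(constructed sample, body omitted)
-----END RSA PRIVATE KEY-----
"""
PKCS8_ENCRYPTED = """-----BEGIN ENCRYPTED PRIVATE KEY-----
(constructed sample, body omitted)
-----END ENCRYPTED PRIVATE KEY-----
"""

# Constructed set of keys, as one might find in an extracted backup archive.
SAMPLE_KEYS = {
    "paul_1": build_openssh_stub("aes256-ctr", "bcrypt"),
    "paul_2": LEGACY_ENCRYPTED,
    "paul_3": PKCS8_ENCRYPTED,
    "paul_4": build_openssh_stub("none", "none"),
}

if __name__ == "__main__":
    for name in audit_keys(SAMPLE_KEYS):
        print(f"{name}: private key has no passphrase")
```

Running it over a directory of extracted keys (reading each file into the dict) gives the list that should trigger key rotation; the unprotected key is the one that has to be revoked on every host whose authorized_keys lists it.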
We see that paul is assigned pdmenu as a shell.
The edit entry lets us run vim. We look in GTFOBins for how to break out of vi, and find :set shell=/bin/bash followed by :shell. We run it and we are inside as paul.
Now we look at escalating our privileges. We search in searchsploit for an exploit for the exim 4 binary.
Search for exim.
We download the privilege escalation exploit.
We execute it and chan