What the Pluck!?

If you want to play along Pluck can be found here:

https://www.vulnhub.com/entry/pluck-1,178/

The usual arp-scan entry point to find our host.

The obligatory nmap giving us 4 ports to consider.

Let’s start with Nikto’ing the web server



- Nikto v2.1.6

---------------------------------------------------------------------------

+ Target IP: 192.168.56.101

+ Target Hostname: 192.168.56.101

+ Target Port: 80

+ Start Time: 2017-03-11 12:48:00 (GMT-5)

---------------------------------------------------------------------------

+ Server: Apache/2.4.18 (Ubuntu)

+ The anti-clickjacking X-Frame-Options header is not present.

+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS

+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

+ No CGI Directories found (use '-C all' to force check all possible dirs)

+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

+ /index.php?page=../../../../../../../../../../etc/passwd: The PHP-Nuke Rocket add-in is vulnerable to file traversal, allowing an attacker to view any file on the host. (probably Rocket, but could be any index.php)

+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.

+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.

+ OSVDB-3092: /admin.php: This might be interesting...

+ OSVDB-3268: /images/: Directory indexing found.

+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.

+ Server leaks inodes via ETags, header found with file /icons/README, fields: 0x13f4 0x438c034968a80

+ OSVDB-3233: /icons/README: Apache default file found.

+ 7535 requests: 0 error(s) and 12 item(s) reported on remote host

+ End Time: 2017-03-11 12:48:19 (GMT-5) (19 seconds)

So we have a reasonably juicy directory traversal (the index.php?page= parameter) to play with. Let's see what we can do with it.
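As an added example that is not part of the original walkthrough, here is the defender's side of the index.php?page= finding: a small Python detector that flags path-traversal values in request parameters from Apache access-log lines, including URL-encoded and double-encoded forms. The log lines, IPs and sizes below are constructed for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl
# Apache common/combined log prefix, as the Ubuntu Apache 2.4 host in the scan would write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# "../" (or "..\") as a path component, or an absolute path into /etc or /proc.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^/etc/|^/proc/')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded ../ (%252e%252e%252f) is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_params(url):
    """Return (param, decoded_value) pairs whose value looks like a path traversal."""
    hits = []
    for name, raw in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        value = decode_fully(raw).replace('\x00', '')  # strip embedded NULs before matching
        if TRAVERSAL_RE.search(value):
            hits.append((name, value))
    return hits

def scan_log(lines):
    """Return (ip, status, param, value) for every request carrying a traversal-looking parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in traversal_params(m.group('url')):
            findings.append((m.group('ip'), int(m.group('status')), name, value))
    return findings

# Constructed sample lines: one benign request, then plain, URL-encoded and double-encoded traversal.
SAMPLE_LOG = [
    '192.168.56.1 - - [11/Mar/2017:12:48:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 1822',
    '192.168.56.1 - - [11/Mar/2017:12:48:05 -0500] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 2401',
    '192.168.56.1 - - [11/Mar/2017:12:48:06 -0500] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2401',
    '192.168.56.1 - - [11/Mar/2017:12:48:07 -0500] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2401',
]
if __name__ == '__main__':
    for ip, status, name, value in scan_log(SAMPLE_LOG):
        print(f'{ip} status={status} param={name} value={value}')
```

A 200 response on a flagged request is the signal worth alerting on: a properly hardened include would return an error or a default page, not the requested file.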