Hi everyone
Today we are going to look for a Box called Plum which is rated as Intermediate in terms of difficulty. This machine has various phases: Recon, Enumeration, Exploitation and Privilege Escalation.
Box Type: Linux
Recon & Enumeration
Enumeration plays a very significant role in pen testing. The more properly you enumerate the more it will be easy to get a foothold on the target.
First, we will check whether target is reachable or not with ping command:
ping Target_IP
With ping command output we found that the target is reachable.
Now let’s move ahead and run the port scan for which we will be using Nmap a popular tool for port scanning and it will provide details of the various ports which are in Open state. The command for that will be:
nmap -sC -sV -O -oA nmap/initial 192.168.181.28
nmap -sC -sV -O -p- -oA nmap/full 192.168.181.28 -T4
Now let’s also execute the full scan and UDP Scan:
nmap -sC -sV -O -p- -oA nmap/full 192.168.181.28 -T4
I discovered these ports are open:
- 22/tcp – SSH Service running OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
- 80/tcp – HTTP Service running Apache httpd 2.4.56 ((Debian))
- OS: Linux
Let’s move ahead and check the IP in the web browser and I found page:
The Gobuster showed the following output:
Exploitation
I was able to get the shell:
I found the local.txt
Privilege Escalation
Now it was a time for escalating the privileges:
The above image shows the proof.txt file.
Key Takeaways
- Proper enumeration is crucial — identifying the CMS and version can reveal exploitable vulnerabilities.
- Try default credentials — weak logins like admin/admin may grant quick access.
- Abuse CMS features — editors or input fields may allow PHP command execution.
- Use RCE for a reverse shell — gain a stable shell as www-data.
- Check sensitive files — configs, logs, or directories may expose credentials.
- Review mail/log files — plaintext credentials can lead to root access.
If you enjoyed this post, share it with your friends and colleagues!