Safetech Blog - Security Tips and Tricks


by Oana Stoian

Stapler Writeup

In this article I will present the way I completed the Stapler machine challenge hosted on Vulnhub. Stapler is particularly interesting because it lets you perform and obtain a lot of varied information through enumeration – one of the best machines for this, actually – thanks to @g0tmi1k for this!


1. Information gathering

First things first, so I fire up nmap to discover the open ports:


Quite a lot of interesting ports are revealed, and we have some interesting data to write down: a potential user named Tim and a company named Initech.

Having learned from previous experience that the amap tool – while old – can help extract more information by fingerprinting the services, I gave it a shot:

[Screenshot: amap output]

Amap proves useful, giving us more usernames (Harry, Dave, Pam) that we will try later, and other interesting information… for example port 12380 matched the http protocol, but also ssl and ntp (?)… we will check that later.
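The nmap and amap results above only survive as screenshots. As an added example (not code from the original write-up), here is a parser for nmap's grepable (-oG) output that builds the same kind of port/service inventory and flags the oddities this write-up goes on to chase: services on non-standard ports (666, 12380) and the same service answering on several ports. The scan text is constructed to mirror the ports discussed on this page; version fields are left empty and the EXPECTED table is an assumption you would tune for your own environment.

```python
import re
from collections import defaultdict

# Constructed nmap grepable (-oG) output; NOT the scan from the original
# write-up. It lists only the ports the write-up examines and leaves the
# version field empty (assumption).
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sV -p- -oG stapler.gnmap 172.16.100.63
Host: 172.16.100.63 ()\tStatus: Up
Host: 172.16.100.63 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 666/open/tcp//doom///, 3306/open/tcp//mysql///, 12380/open/tcp//http///\tIgnored State: filtered (65529)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# Field order of one "port/state/proto/owner/service/rpc/version" entry in -oG.
PORT_FIELDS = ("port", "state", "proto", "owner", "service", "rpc", "version")

# Assumption: the service a defender expects on each well-known port.
EXPECTED = {21: "ftp", 22: "ssh", 80: "http", 139: "netbios-ssn",
            443: "https", 3306: "mysql"}


def parse_gnmap(text):
    """Map each host IP to a list of port records parsed from -oG lines."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        # Everything after "Ports:" up to the next tab is the port list.
        ports_blob = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_blob.split(","):
            fields = entry.strip().split("/")
            if len(fields) < len(PORT_FIELDS):
                continue
            rec = dict(zip(PORT_FIELDS, fields))
            rec["port"] = int(rec["port"])
            hosts.setdefault(ip, []).append(rec)
    return hosts


def triage(hosts):
    """Flag open ports worth a closer look: unexpected port/service pairs and
    one service exposed on several ports (as http is here on 80 and 12380)."""
    notes = []
    for ip, recs in hosts.items():
        by_service = defaultdict(list)
        for r in recs:
            if r["state"] != "open":
                continue
            by_service[r["service"]].append(r["port"])
            expected = EXPECTED.get(r["port"])
            if expected is None:
                notes.append((ip, r["port"],
                              f"non-standard port, nmap guess '{r['service']}'"))
            elif expected != r["service"]:
                notes.append((ip, r["port"],
                              f"expected {expected}, saw {r['service']}"))
        for svc, ports in by_service.items():
            if len(ports) > 1:
                notes.append((ip, ports, f"{svc} served on several ports"))
    return notes


if __name__ == "__main__":
    inventory = parse_gnmap(SAMPLE_GNMAP)
    for ip, port, why in triage(inventory):
        print(f"{ip}\t{port}\t{why}")
```

Run it against a real `-oG` file by replacing SAMPLE_GNMAP with the file contents; the triage list is the to-do list for the per-port sections that follow.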

Now we take the information we have about open ports and try to find our way in…

1.1 Port 21

We connect to the FTP service with the anonymous account and notice the banner we already knew from amap. On the FTP server we find a file named note with the following content:

[Screenshot: FTP session and contents of note]

1.2 Port 22

Connecting to ssh reveals a new potential username from the banner:

[Screenshot: ssh banner]

1.3 Port 80

It seems to be a light HTTP server, no banners, no headers… running nikto against it reveals two files from a user's home dir:

I tried a more advanced directory and file brute force with wfuzz, but no other files were found.


1.4 Port 139 – SMB

Listing the shares gives us some more information… two shared folders (kathy and tmp) and two potential new usernames (kathy and fred):

[Screenshot: SMB share listing]

Browsing the shares gives us more information and interesting files:

[Screenshot: contents of the kathy share]


1.5 Port 666

Running netcat against it reveals binary content, and the string message2.jpg tells us it might be a picture… after downloading it we realize that it is not viewable: either it is corrupt, or it is something else – an archive:

[Screenshot: port 666 output and file type check]

Finally, opening message2.jpg reveals new information:

[Screenshot: message2.jpg]


1.6 Port 12380

Opening it in the browser shows us a website… we note the title of the page, which includes information about another potential user – Tim:

[Screenshot: website on port 12380]

Looking through the source code we find an interesting message:

[Screenshot: page source with the hidden message]

And… this is pretty much everything, no other files or directories were found.

Bearing in mind that amap also matched port 12380 as ssl, we also try to access it over https:

[Screenshot: port 12380 over https]

This is kind of strange – having http and https on the same port; I guess the web server was intentionally misconfigured.

Running nikto against the https version gives us some hints to go further:


So we have the /admin112233 and /blogblog paths. While I will let you discover what is behind the /admin112233 path 🙂, we will focus on https://172.16.100.63/blogblog, which is a WordPress CMS.


2. Exploitation

We start by running wpscan against the website to gather intelligence about the plugins in use and other information:


After a quick look on exploit-db for known vulnerabilities in the advanced-video-embed-embed-videos-or-playlists plugin, we have a hit:

[Screenshot: exploit-db entry]

After adapting our URL to the exploit details, we try to read wp-config.php:

https://172.16.100.63:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php

[Screenshot: response to the crafted request]

Going to the front page we identify the path of the created “thumbnail” file and download it:

[Screenshot: “thumbnail” path on the front page]

Of course this is not a picture but the whole wp-config.php file, which gives us the credentials to the database:

[Screenshot: wp-config.php contents recovered from the “thumbnail”]
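From the defender's side, the request above leaves a very recognisable trace in the web server's access log: a call to admin-ajax.php with action=ave_publishPost whose thumb parameter walks out of the uploads directory. The following is an added example, not code from the write-up or from the plugin, that scans Apache combined-format log lines for that pattern and decodes repeated percent-encoding so a double-encoded "../" is not missed. The log lines, client IPs and timestamps are constructed; only the endpoint, action name and thumb parameter come from the request shown on this page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format access log lines; NOT from the original
# write-up. Line 2 copies the request URL shown above, line 3 is the same
# request with a double percent-encoded path, lines 1 and 4 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2016:12:00:01 +0000] "GET /blogblog/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2016:12:00:07 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2016:12:00:08 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&short=1&term=1&thumb=%252e%252e%252fwp-config.php HTTP/1.1" 200 298 "-" "curl/7.47.0"
10.0.0.7 - - [01/Jan/2016:12:00:09 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=clip&short=1&term=1&thumb=clip.jpg HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, identd, user, [time], "METHOD target PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment with either slash style, at the start or between separators.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (parse_qs already removed one layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_request(target):
    """Return a reason string if the request matches the plugin LFI pattern, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("action", [""])[0] != "ave_publishPost":
        return None
    for raw in qs.get("thumb", []):
        thumb = decode_fully(raw)
        if TRAVERSAL.search(thumb) or thumb.startswith("/"):
            return f"path traversal in thumb={thumb!r}"
    return None


def scan_log(text):
    """Return (ip, timestamp, status, reason) for every suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m["target"])
        if reason:
            findings.append((m["ip"], m["ts"], m["status"], reason))
    return findings


if __name__ == "__main__":
    for ip, ts, status, reason in scan_log(SAMPLE_LOG):
        print(f"{ts}  {ip}  HTTP {status}  {reason}")
```

A 200 status on a flagged request is the interesting case: it means the server accepted the path, and the next thing to check is the uploads directory for a freshly created "image" whose content is not an image.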

Having so many usernames collected from various sources, we also started a brute-force attack on the WordPress administrative interface and got some accounts, but none of them is an administrator of the blog:

[Screenshot: intruder brute-force results]

Having a username (root) and password for the database server, we think of another plan….

Connecting to mysql works – so, considering that we are root and have all privileges, we will create a web shell through mysql:

Now we can send commands to the server:

[Screenshot: web shell output]

The next step is to obtain a reverse shell and root the machine 🙂

We first tried to run netcat on the vulnerable machine to get the reverse shell, but it seems it does not allow running commands with the -e flag. So we have another alternative in mind: using a Python script we can get our reverse connection.


Next we start enumerating the host to obtain more information that would allow us to escalate privileges to root.

We notice a strange running process which belongs to a user named JKanode:

[Screenshot: process running as JKanode]

The home folder of the user has some permission problems, allowing us to see his bash history:
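The two weaknesses that hand over the next credential here are a home directory readable by other users and a password typed on the command line, which the shell then records in .bash_history. As an added example (not from the write-up), this small audit walks a /home-style tree, reports home directories and history files readable by group or others, and counts history lines that pass a credential on the command line without echoing the secret. The directory names jkanode and peter mirror the write-up's users, but the tree, the history contents and the "sshpass -p …" line are constructed, and the credential patterns are an assumption to extend for your own environment.

```python
import os
import re
import stat
import tempfile

# Heuristic patterns for credentials passed on the command line (assumption:
# these are the common forms; extend for the tools used in your environment).
SECRET_PATTERNS = [
    re.compile(r"\bsshpass\s+-p\s*\S+"),
    re.compile(r"\bmysql\b.*\s-p\S+"),
    re.compile(r"--password=\S+"),
]

GROUP_OR_OTHER_READ = stat.S_IRGRP | stat.S_IROTH


def audit_home(path):
    """Return a list of (issue, detail) findings for one home directory."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & GROUP_OR_OTHER_READ:
        findings.append(("home readable by group/others", oct(stat.S_IMODE(mode))))
    history = os.path.join(path, ".bash_history")
    if os.path.isfile(history):
        hmode = os.stat(history).st_mode
        if hmode & GROUP_OR_OTHER_READ:
            findings.append((".bash_history readable by group/others",
                             oct(stat.S_IMODE(hmode))))
        with open(history, errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                # Report the line number only; never copy the secret into a report.
                if any(p.search(line) for p in SECRET_PATTERNS):
                    findings.append(("credential on command line in history",
                                     f"line {lineno}"))
    return findings


def audit_all(base="/home"):
    """Audit every directory directly under base; returns {user: findings}."""
    return {name: audit_home(os.path.join(base, name))
            for name in sorted(os.listdir(base))
            if os.path.isdir(os.path.join(base, name))}


def build_demo_tree(base):
    """Constructed fixture: one misconfigured home and one locked-down home."""
    bad = os.path.join(base, "jkanode")
    good = os.path.join(base, "peter")
    os.mkdir(bad)
    os.mkdir(good)
    with open(os.path.join(bad, ".bash_history"), "w") as fh:
        fh.write("ls -la\nsshpass -p CONSTRUCTED_PW ssh peter@localhost\n")
    with open(os.path.join(good, ".bash_history"), "w") as fh:
        fh.write("ls -la\n")
    os.chmod(os.path.join(bad, ".bash_history"), 0o644)
    os.chmod(bad, 0o755)
    os.chmod(os.path.join(good, ".bash_history"), 0o600)
    os.chmod(good, 0o700)


def run_demo():
    """Build the fixture in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return audit_all(base)


if __name__ == "__main__":
    for user, findings in run_demo().items():
        for issue, detail in findings:
            print(f"{user}: {issue} ({detail})")
```

Point `audit_all` at the real /home to use it; the fix for the first two findings is a 0700 home (or at least a 0600 history file), and for the third it is to stop typing passwords on the command line, e.g. by using key-based ssh.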


We tried to list the bash history of all users, but no other important information was obtained:


Having the ssh password of the user Peter, we connect through ssh to the host and notice that he might have sudo rights:


Indeed Peter has root rights, and we can list our flag's content.

That's all folks 🙂
