Boot To Root, Info Sec 9-May-2017 .NetRussell No comments

Vulnhub Stapler VM Walkthrough

Here is another fun VM, this one was created by g0tmilk and I’m happy to say, was a lot of fun.

Step 1: Reconnaissance

I started with a simple nmap of the target. I always start with top ports and checking if they’re open. The hope here that a light scan will go unnoticed.

After I do my light scan, I like to do a full sweep just to see if there’s anything hiding in the weeds. Sure enough we see that port 666 is open as well as 12380.

Our service scan identified an HTTP server running on port 80. When we navigate there we get a 404… hmm weird. Moving on.

There’s something running on 12380 so on a hunch I check that in the browser too. Sure enough we get another web service running. Looks like a coming soon message? Looks fishy.

 

Web servers tend to be the weak spot in the armor so let’s stick with that. Now that we know we’re dealing with a couple webservers, we should probably run nikto to see if there’s any obvious openings.

The webserver on port 80 appears to be someone’s home directory. Nikto found a couple default files. I’m not going to waste time trying to brute this dir. With my luck there’s nothing it. Moving on…

Let’s run nikto on port 12380

Sure enough, we find some new fun on port 12380. Looks like SSL is enabled. Also, there’s some directories uncovered.  Let’s go check them out!

https://192.168.11.3:12380/admin112233 seems to lead to a dead end.

https://192.168.11.3/blogblog/ leads to a WordPress page!

 

 

Step 2: Penetration

After searching around the site a little, I read the three default posts. It appears that there’s some plugins that were recently installed. I’m willing to bet these are a great target. Let’s go find them.

 

 

Plugins for wordpress are under the wp-content directory.

 

Digging into the plugins dir we see three plugins installed. If we look inside of each plugin there’s a readme that has version information in it.

Staring with the first plugin, Advanced Video Embed, we check our favorite tool, searchsploit. Sure enough it looks like there’s an exploit available for this plugin.

Now I messed with this exploit for a while and couldn’t get it to work.

I started trying to run it by hand and I noticed that instead of outputting the content of a file, it output a filename. It took me forever to figure out what was happening because when I navigate to this url it was a broken link.

Finally I realized that the exploit was creating a new blog entry each time I ran it. That blog entry had a title of a jpeg.

Go look in the wp-content/uploads directory and you’ll find an image. Now how to get the content out?

Easy! Just go to the terminal and wget your jpeg. Then cat it out to the screen. As you can see, my first one has etc/passwd in it. We can now retrieve files from the system!

 

Now that I have a userlist, let’s filter this down and clean it up. By grepping for /bin/bash and then cutting I can get the users that are configured for shells.

Now that we have a userlist, let’s go hunt for a password. An obvious location to start is the wp-config.php file.

 

A few steps later and we have the wp-config.php file. As you can see there’s a password in it “plbkac” let’s see if it works…

This was a bit of a long shot I’ll admit, but it paid off. I just ran hydra with my new users list and the password we just acquired. Sure enough we get a valid login! Right, I was just as shocked as you!

Let’s try and log in with our creds. Yup! They work! We now have a stable local shell into the machine.

Step 3: Enumeration

So I’ve learned my lesson with enumeration. I now start with digging through the files that are available to me. This leads to a quick root so follow along.

Now that we have our shell I head straight for the /home directory. I SHOULDN’T be able to navigate through the other users home directories, but I can. One by one I moved through each directory and echoed out the .bash_history file. Until I found this that is.

It looks like in the user JKanode’s home directory, they have a .bash_history file that has some password information in it. I tried both of these accounts and both of the passwords do in fact let you log in.

Let’s log into peter’s account.

Once we’re in and at the prompt, you’ll see that peter has an interesting hidden file in his home directory. “.sudo_as_admin_successful”

Well shit, if that’s not a big red flag to try sudo on this account I don’t know what is lol.

Yup! When we run sudo cat /etc/shadow we get root access! w00t!

Last step here is to log into the root account. Now I could have done some fanciness and spun a reverse root shell. However, it’s after midnight. I want to sleep. Change the root password and su in lol.

WE HAVE ROOT!

 

Summary:

I’m getting better! This was a fun machine. I liked it because it wasn’t super easy but also not super hard. The exploits seemed reasonable. Nothing was blatant and there were some good red herrings along the way. (I still don’t know why there was an image hidden in that doom server port lol)

I look forward to the next!

 

Leave a Reply

Your email address will not be published. Required fields are marked *