STAPLER
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Stapler.
- According to Stapler's author there are multiple methods to hack this vulnerable machine, let's try some of them.
- Stapler can be downloaded from here:
https://www.vulnhub.com/entry/stapler-1,150/
- Once downloaded and extracted with VMware:
2 - ENUMERATION
- Scanning all the ports with Nmap:
- Scanning thoroughly just the open ports:
2.1 - Enumeration for FTP
- Logging in to FTP with anonymous credentials:
- There is a file called note:
- Getting note:
- It is an ASCII text:
- Opening the file:
2.2 - Trying SSH
- SSH login as root is not allowed:
2.3 - Enumerating SMB
- enum4linux gives us interesting information about SMB shares: /kathy and /tmp:
- Accessing SMB resources with smbclient:
- Because Fred and Kathy seem to be related, let's try this share:
- Listing, getting and opening content:
2.4 - Enumerating the Web Servers
- Now let's go to the two web servers running on Stapler, one on port 80 and the other on port 12380:
- port 80:
- port 12380:
- nikto helps us discover the folders /admin112233, /blogblog and /phpmyadmin, as well as robots.txt and the fact that HTTPS is used:
- Connecting again to port 80, now with HTTPS instead of HTTP:
- Connecting to robots.txt at port 12380 via HTTPS:
- Going to /blogblog we discover that wordpress is used:
- Going to /phpmyadmin:
- dirb discovers another directory:
- Browsing announcements:
- Reading the message.txt, nothing special:
2.5 - Enumerating Wordpress
- wpscan enumerates Wordpress vulnerabilities.
- The first try is unsuccessful because there is an ssl_cacert error when checking the certificate used with HTTPS:
- Disabling the certificate check with the option --disable-tls-checks:
- wpscan yields important information such as many logins/usernames, vulnerabilities, and the existence of two folders: /wp-content/uploads and /wp-includes.
3 - EXPLOITATION
- There are different approaches for exploiting Stapler.
3.1 - Advanced Video Embed exploitation
- Going to wp-content there are 3 folders: plugins, themes and uploads:
- Going to uploads, it is empty:
- Going to plugins, let's notice the first one:
- There is an exploit for the Wordpress plugin Advanced Video Embed 1.0; it can be found here:
- Using searchsploit we find the Python script 39646.py:
- Reading the exploit we find the Proof of Concept:
- Copying 39646.py, renaming to advanced_video_LFI.py and editing in two ways:
- adapting to HTTPS
- adapting to IP, port and web page
- Giving execution permissions:
- Executing the Python script:
- As a result of the execution a file with .jpeg extension is created at the uploads folder:
- It seems that the .jpeg file is like an uploaded comment or blog entry at /blogblog:
- Downloading to Kali the .jpeg file:
- Actually it is a PHP script:
- Reading the content we find invaluable information: it actually returns the file wp-config.php, containing the credentials of the Wordpress MySQL database:
- We have the password plbkac, which will be of great interest later.
3.2 - MYSQL exploitation
- Taking advantage of the information obtained at previous point, let's dig into the database:
- Using the wordpress database:
- Describing wp_users:
- Selecting logins and password hashes:
- Now we have a list of usernames with their corresponding password hashes, which can be cracked later.
- However, for now I am just going to insert a cmd file into the web server via a MySQL command:
- It works, for instance executing pwd:
3.3 - Cracking the hashes with John The Ripper
- Launching John The Ripper against the hashes:
- After a while we find most of the passwords:
3.4 - Accessing phpmyadmin
- Also, using the credentials root:plbkac we have total access to /phpmyadmin, where we can obtain the same information about users and passwords as before:
3.5 - Getting a low privilege shell with php-reverse-shell.php
- Now, let's bring php-reverse-shell.php to our working folder and rename it to keep the original one:
- Adapting the script to our needs:
- Having a look at the last picture from point 3.4, the first listed username is john, and it often happens that the first listed user is the administrator.
- Using john:incorrect as credentials let's try to login to /blogblog:
- Going to Plugins there is a tab Add New:
- Uploading phpscript.php through Add Plugins / Browse:
- The upload is successful:
- Setting up a netcat listener on port 3333:
- Clicking phpscript.php:
- A low privilege reverse shell is successfully achieved:
3.6 - Getting a low privilege shell with Hydra and SSH
- Listing users:
- Let's try attacking SSH service with Hydra using password plbkac (obtained from the .jpeg file at point 3.1 of this exercise):
- Connecting from Kali to Stapler with SSH trying credentials zoe:plbkac:
- We have achieved another low privilege shell.
4 - PRIVILEGE ESCALATION
- To achieve Privilege Escalation we will practice three different ways:
4.1 - Reading .bash_history
- Listing content of the /home directory we find folders for a lot of different users:
- Opening all the folders, we find that user peter's home folder has a different structure and content from the other users' home folders.
- For instance, the hidden file .sudo_as_admin_successful suggests that user peter might be an administrator of Stapler:
- At the same time, reading .bash_history for all users we find this self-explanatory line:
- The line corresponds to user JKanode's .bash_history, and tells us that user peter has the password JZQuyIN5:
- Trying SSH with credentials peter:JZQuyIN5 the result is successful:
- Choosing the (q) option we are given a remote shell:
- Checking peter's sudo rights, we find that he may run (ALL:ALL) ALL commands:
- Let's try changing root's password:
- Now peter can do su root and we finally have a root shell.
4.2 - Abusing a cron job
- Listing cron jobs:
- Checking logrotate, we learn that the shell script cron-logrotate.sh is executed every 5 minutes with root privileges:
- Now, let's alter the content of cron-logrotate.sh so that every 5 minutes this small script is executed with the goal of launching a reverse root shell at the Kali machine.
- Echoing to cron-logrotate.sh:
- Setting up a Netcat listener on port 5555:
- After a while a root shell is achieved at the Netcat session.
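The weakness this section relies on is a root cron job whose script can be edited by an unprivileged user. As an added example (not from the original write-up), the following Python audit script parses a cron.d-style directory and reports every job whose script is writable by group or others; the directory layout, file names and cron entries are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# /etc/cron.d entries: minute hour dom month dow user command
# (@reboot-style shortcuts are not handled by this simple pattern).
CRON_D_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def first_script(cmd):
    """Return the first absolute path in a cron command (e.g. 'bash /x.sh'), or None."""
    return next((tok for tok in cmd.split() if tok.startswith("/")), None)

def writable_by_non_owner(path):
    """True if path exists and its mode grants write to group or others."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except FileNotFoundError:
        return False

def audit_cron_dir(cron_d):
    """Return (cron_file, user, script) for every job whose script another
    account could edit: whoever edits it inherits the job's privileges."""
    findings = []
    for name in sorted(os.listdir(cron_d)):
        cron_file = os.path.join(cron_d, name)
        if not os.path.isfile(cron_file):
            continue
        with open(cron_file) as fh:
            for line in fh:
                line = line.strip()
                m = CRON_D_RE.match(line)
                if line.startswith("#") or not m:   # comments, env lines, blanks
                    continue
                script = first_script(m.group("cmd"))
                if script and writable_by_non_owner(script):
                    findings.append((cron_file, m.group("user"), script))
    return findings

def build_demo():
    """Construct a throw-away cron.d tree: one world-writable script run as root
    every 5 minutes (as in the write-up), one 0755 script, and return
    (cron_d, findings). All names here are constructed for the demo."""
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "cron-logrotate.sh"), os.path.join(root, "backup.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    cron_d = os.path.join(root, "cron.d")
    os.mkdir(cron_d)
    with open(os.path.join(cron_d, "logrotate"), "w") as fh:
        fh.write("SHELL=/bin/sh\n# constructed entries\n")
        fh.write(f"*/5 * * * * root {bad}\n0 2 * * * root {good}\n*/10 * * * * www-data {bad}\n")
    return cron_d, audit_cron_dir(cron_d)

if __name__ == "__main__":
    for cron_file, user, script in build_demo()[1]:
        print(f"{cron_file}: job as {user} runs group/other-writable {script}")
```

Pointing audit_cron_dir at a real /etc/cron.d (and extending the pattern to /etc/crontab and the cron.hourly-style directories) turns this into a periodic least-privilege check for the condition abused here.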
4.3 - Exploiting the Kernel and Operating System
- We know that Stapler is running Ubuntu 16.04 with a kernel 4.4:
- Looking for an exploit to achieve Privilege Escalation:
- Reading information about the exploit we find the link to the downloading page:
- Saving to Kali:
- Setting up a simple HTTP server on port 8000:
- Transferring the exploit to the /tmp folder at Stapler:
- Unzipping:
- Extracting the exploit:
- Going to the new folder:
- Giving execution permissions to doubleput.c:
- Compiling:
- Running the executable ./doubleput:
- Finally we have a root shell:
5 - CAPTURING THE FLAG
- Capturing the flag: