Tuesday, September 11, 2018

Stapler


STAPLER

- Layout for this exercise:




1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Stapler.

- According to Stapler's author there are multiple methods to hack this vulnerable machine; let's try some of them.

Stapler can be downloaded from here:

https://www.vulnhub.com/entry/stapler-1,150/

- Once downloaded and extracted with VMware:





2 - ENUMERATION

- Scanning all the ports with Nmap:




- Scanning thoroughly just the open ports:





















2.1 - Enumeration for FTP

- Logging in to FTP with anonymous credentials:



- There is a file called note:




- Getting note:




- It is an ASCII text file:




- Opening the file:





2.2 - Trying SSH

- SSH login as root is not allowed:




2.3 - Enumerating SMB

enum4linux gives us interesting information about SMB shares: /kathy and /tmp:






- Accessing SMB resources with smbclient:




- Because Fred and Kathy seem to be related, let's try this share:








- Listing, getting and opening content:











2.4 - Enumerating the Web Servers

- Now let's go to the two web servers running on Stapler, one on port 80 and the other on port 12380:

- port 80:




- port 12380:





nikto helps us discover the folders /admin112233, /blogblog and /phpmyadmin, as well as robots.txt and the fact that HTTPS is used:













- Connecting again to port 80, now with HTTPS instead of HTTP:





- Connecting to robots.txt at port 12380 via HTTPS:




- Going to /blogblog we discover that WordPress is used:









- Going to /phpmyadmin:






dirb discovers another directory:







- Browsing announcements:




- Reading message.txt, nothing special:





2.5 - Enumerating Wordpress

wpscan enumerates WordPress vulnerabilities.

- The first try is unsuccessful because of an ssl_cacert error when checking the certificate used with HTTPS:




- Disabling the certificate check with option --disable-tls-checks:










wpscan yields important information: many logins and usernames, vulnerabilities, and the existence of two folders, /wp-content/uploads and /wp-includes.



3 - EXPLOITATION

- There are different approaches for exploiting Stapler.

3.1 - Advanced Video Embed exploitation

Going to wp-content, there are 3 folders: plugins, themes and uploads:



- Going to uploads, it is empty:




- Going to plugins, let's note the first one:








- There is an exploit for the WordPress plugin Advanced Video Embed 1.0; it can be found here:





- Using searchsploit we find the Python script 39646.py:







- Reading the exploit we find the Proof of Concept:






- Copying 39646.py, renaming it to advanced_video_LFI.py and editing it in two ways:

  • adapting it to HTTPS
  • adapting the IP, port and web page







- Giving execution permissions:




- Executing the Python script:




- As a result of the execution, a file with a .jpeg extension is created in the uploads folder:





- It seems that the .jpeg file appears as an uploaded comment or blog entry at /blogblog:





- Downloading the .jpeg file to Kali:




- Actually, it is a PHP script:




- Reading the content we find invaluable information: it returns the file wp-config.php, which contains the credentials of the WordPress MySQL database:



- We have the password plbkac, which will be of great interest later.
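The file recovered in this step has an image extension but is really PHP. As an added example, not part of the original write-up, this POSIX shell check audits an uploads tree for exactly that: files named *.jpg/*.jpeg/*.png/*.gif whose first bytes are a PHP open tag instead of an image header. The directory layout and file contents are constructed samples.

```shell
# Added example (not from the original write-up): find image-named files that
# actually start with PHP code, as the .jpeg produced in 3.1 does on disk.

# Print, sorted, every *.jpg/*.jpeg/*.png/*.gif under the directory in $1 whose
# first 64 bytes contain "<?php" or "<?=". Genuine JPEGs start with FF D8 FF,
# PNGs with 89 50 4E 47 and GIFs with "GIF8", never with "<?".
scan_uploads_for_php() {
    find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' \
                      -o -iname '*.png' -o -iname '*.gif' \) |
    while IFS= read -r f; do
        # NUL bytes are dropped so grep treats the header as text.
        if head -c 64 "$f" | tr -d '\000' | grep -q -e '<?php' -e '<?='; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed sample tree in a temporary directory and print its path:
# a genuine JPEG header, a GIF header, and a PHP file named like an image.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2018/09"
    printf '\377\330\377\340\000\020JFIF' > "$d/2018/09/photo.jpeg"
    printf 'GIF89a' > "$d/2018/09/logo.gif"
    printf '<?php echo "constructed sample"; ?>' > "$d/2018/09/upload.jpeg"
    printf '%s\n' "$d"
}

# Stand-alone run: scan the constructed tree, then clean it up.
sample_dir=$(make_sample_uploads)
scan_uploads_for_php "$sample_dir"
rm -rf "$sample_dir"
```

Point scan_uploads_for_php at a real wp-content/uploads directory to list every image-named file that would be executed as PHP if the web server serves it by content rather than by extension.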

3.2 - MySQL exploitation

- Taking advantage of the information obtained in the previous point, let's dig into the database:






- Using wordpress:




- Describing wp_users:





- Selecting login and passwords:



- Now we have a list of usernames with their corresponding hashes, which could be cracked later.

- However, for now I am just going to insert a cmd file into the web server via a MySQL command:







- It works; for instance, executing pwd:





3.3 - Cracking the hashes with John The Ripper


- Launching John The Ripper against the hashes:







- After a while we find most of the passwords:




3.4 - Accessing phpmyadmin

- Also, using the credentials root:plbkac we have total access to /phpmyadmin, where we can obtain the same information about users and passwords as before:














3.5 - Getting a low privilege shell with php-reverse-shell.php

- Now, let's copy php-reverse-shell.php to our working folder and rename it, keeping the original one:





- Adapting the script to our needs:






- Having a look at the last picture from point 3.4, the first listed username is john, and it often happens that the first listed user is the administrator.

- Using john:incorrect as credentials, let's try to log in to /blogblog:









- Going to Plugins there is a tab Add New:





- Uploading phpscript.php through Add Plugins / Browse:








- The upload is successful:



- Setting up a netcat listener on port 3333:




- Clicking phpscript.php:



- A low privilege reverse shell is successfully achieved:



3.6 - Getting a low privilege shell with Hydra and SSH

- Listing users:




- Let's try attacking the SSH service with Hydra using the password plbkac (obtained from the .jpeg file in point 3.1 of this exercise):






- Connecting from Kali to Stapler over SSH with the credentials zoe:plbkac:



- We have achieved another low privilege shell.



4 - PRIVILEGE ESCALATION 

- To achieve Privilege Escalation we will practice three different ways:

4.1 - Reading .bash_history

- Listing content of the /home directory we find folders for a lot of different users:




- Opening all the folders, we find that user peter's home folder has a different structure and content compared with the other users' home folders.

- For instance, the hidden file .sudo_as_admin_successful suggests that user peter might be an administrator of Stapler:





- At the same time, reading .bash_history for all users we find this self-explanatory line:






- The line comes from user JKanode's .bash_history and tells us that user peter has the password JZQuyIN5:




- Trying SSH with credentials peter:JZQuyIN5 the result is successful:




- Choosing the (q) option, we are given a remote shell:






- Checking peter's sudo privileges, it turns out that he may run (ALL:ALL) ALL commands:





- Let's try changing root's password:




- Now peter can do su root and we finally have a root shell.






4.2 - Abusing a cron job

- Listing cron jobs:





- Checking logrotate we learn that the shell script cron-logrotate.sh is executed every 5 minutes with root privileges:




- Now, let's alter the content of cron-logrotate.sh so that every 5 minutes this small script is executed, with the goal of launching a root reverse shell back to the Kali machine.

- Echoing to cron-logrotate.sh:






- Setting a Netcat listener at port 5555:



- After a while a root shell is achieved at the Netcat session.
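This escalation only works because a script that root runs every 5 minutes can be rewritten from a low-privilege shell. As an added example, not part of the original write-up, this POSIX shell check reports files and directories under a cron directory that are group- or world-writable, the condition that makes cron-logrotate.sh abusable. The sample directory and script contents are constructed.

```shell
# Added example (not from the original write-up): report group- or
# world-writable entries under a directory of cron-invoked scripts.

# Print, sorted, every file or directory under $1 that is writable by group
# (-perm -0020) or by others (-perm -0002). Symlinks are skipped because on
# Linux a link's own mode is always 0777 and would be a false positive.
audit_cron_scripts() {
    find "$1" ! -type l \( -perm -0002 -o -perm -0020 \) -print | sort
}

# Build a constructed sample cron directory and print its path: one script with
# the dangerous mode seen in 4.2 (anyone may edit it) and one with a safe mode.
make_sample_cron_dir() {
    d=$(mktemp -d)                      # mktemp -d creates the directory as 0700
    printf '#!/bin/sh\necho "constructed sample"\n' > "$d/cron-logrotate.sh"
    printf '#!/bin/sh\necho "constructed sample"\n' > "$d/cron-updatedb.sh"
    chmod 0777 "$d/cron-logrotate.sh"   # weak setting: any local user can rewrite it
    chmod 0755 "$d/cron-updatedb.sh"    # corrected setting: only the owner may write
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed directory, then clean it up.
sample_dir=$(make_sample_cron_dir)
audit_cron_scripts "$sample_dir"
rm -rf "$sample_dir"
```

On a real host, run audit_cron_scripts against /etc/cron.d, each /etc/cron.* directory and any directory a crontab entry points at; every path it prints is a script that a non-root user could turn into root code execution, and should be chmod 0755 and owned by root.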



4.3 - Exploiting the Kernel and Operating System

- We know that Stapler is running Ubuntu 16.04 with a kernel 4.4:





- Looking for an exploit to achieve Privilege Escalation:





- Reading information about the exploit we find the link to the download page:




- Saving to Kali:







- Setting a simple HTTP server on port 8000:




- Transferring the exploit to the /tmp folder on Stapler:






- Unzipping:










- Extracting the exploit:







- Going to the new folder:




- Giving execution permissions to doubleput.c:




- Compiling:

 




- Running the executable ./doubleput:





- Finally we have a root shell:





5 - CAPTURING THE FLAG

- Capturing the flag: