VulnHub — Stapler: 1

Setup:

I downloaded the Stapler Zip file from VulnHub.com and then extracted the contents to my local disk. I had issues with importing the OVA file into my instance of VMWare on my Ubuntu 16.04 Workstation host. So, I imported the OVA file into VirtualBox after I renamed the Stapler.mf to Stapler.mf.old.

Victim Description:

The VulnHub.com site did not list any vulnerabilities, but it did note there was a text flag. The Description section noted that there were two paths to a limited shell and three paths to obtain root. I have included the vulnerabilities that I found below:

Information Gathering:

Since I knew the isolated network IP Address range, I used Nmap to perform a host discovery scan of the 172.27.254.0/24 subnet.

nmap -sn -n 172.27.254.0/24

Next, I used the Nmap command to perform a port scan, probing all TCP ports, OS detection, and then outputting the findings into three different file formats starting with the name of NmapFullScan.

FTP Enumeration:

Having identified vsftpd listening on port 21, I decided to test access with an anonymous FTP login.

Truncated passwd file

SSH Enumeration:

Using the information from the Nmap scan, I decided to connect to the system with SSH. Based on the banner, there appears to be a user named Barry.

hydra -L sshusers -P /pentest/password-recovery/SecLists/Passwords/darkc0de.txt -e nsr 172.27.254.41 ssh

I waited a few minutes, but did not have any positive results. So, I decided to continue to enumerate the system based on the other protocols found with Nmap.
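From the defender's side, the hydra run above leaves a recognisable trail in sshd's auth.log: a burst of failed passwords from one source across several usernames. The following detection is an added example written for this write-up, not part of the original post; the log lines are constructed, and the year (which syslog lines omit) is assumed.

```python
"""Flag SSH password guessing in sshd auth.log lines: many failures from one
source within a short window, often spread over several usernames. Constructed
example for the hydra step above; not part of the original write-up."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

FAIL_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

def parse_failures(lines, year=2016):
    """Yield (timestamp, username, source_ip); syslog lines carry no year, so one is assumed."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")

def brute_force_sources(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: sorted usernames tried} for sources with at least
    `threshold` failures inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed auth.log excerpt: a guessing burst from one host against several
# accounts, followed by one mistyped password and a real login from an admin.
SAMPLE_LOG = [
    "Jun 10 14:02:01 stapler sshd[2010]: Failed password for barry from 172.27.254.40 port 40120 ssh2",
    "Jun 10 14:02:01 stapler sshd[2011]: Failed password for barry from 172.27.254.40 port 40121 ssh2",
    "Jun 10 14:02:02 stapler sshd[2012]: Failed password for root from 172.27.254.40 port 40122 ssh2",
    "Jun 10 14:02:03 stapler sshd[2013]: Failed password for root from 172.27.254.40 port 40123 ssh2",
    "Jun 10 14:02:04 stapler sshd[2014]: Failed password for invalid user sshd from 172.27.254.40 port 40124 ssh2",
    "Jun 10 14:09:30 stapler sshd[2099]: Failed password for peter from 172.27.254.12 port 50010 ssh2",
    "Jun 10 14:09:41 stapler sshd[2100]: Accepted password for peter from 172.27.254.12 port 50011 ssh2",
]
```

Tune `threshold` and `window` to the host's normal login rate; the single failure from 172.27.254.12 is deliberately left unflagged.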

SMB Enumeration:

Once again, using the information from the Nmap scan, I decided to launch enum4linux to perform all scanning on the Stapler host and output the content to a file named enum_41.txt.

Port 666 Enumeration:

Using the information from the Nmap scan, I decided to launch netcat to connect to TCP Port 666 on the Stapler system.

Web Enumeration:

Continuing with Nmap, I used the vuln NSE script and then output the findings into three different file formats starting with the name of NmapVulnScan.

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --enumerate u,ap --disable-tls-checks --log /home/ptester/Stapler/wpscan_41.txt

WPScan: Plugins
WPScan: Enumerated Users
WPScan: Enumerated Users 10–20

WordPress Exploit:

Researching the WordPress plugins for vulnerabilities, I found that the Exploit-DB website noted a LFI with the embedded Advanced Video plugin. So, I downloaded the exploit and made the modifications for the blogblog URL.

# Skip certificate verification so urllib accepts the self-signed certificate on port 12380
import ssl

ssl._create_default_https_context = ssl._create_unverified_context

With the modification, the script ran without issue. Great, but now what?

MySQL Enumeration:

Using the root credentials found within the .jpeg file, I used the MySQL client to enumerate the databases on Stapler.

WordPress Brute Force:

Prior to executing the WordPress exploit, I created a wp_users.txt file with the enumerated WordPress accounts. I then issued the wpscan command to brute force the accounts in wp_users.txt against the rockyou.txt dictionary and output the findings into the wp_creds.txt file.

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --disable-tls-checks --usernames /home/ptester/Stapler/wp_users.txt --wordlist /pentest/password-recovery/dictionary/Passwords/Leaked-Databases/rockyou.txt --log /home/ptester/Stapler/wp_creds.txt

In less than 30 minutes, I was able to obtain the credentials for john.

Remote Shell:

As previously noted, there were two paths to a limited shell. So, I documented both of the methods that I used.

Method 1 — WordPress Plugin:

Since the john account was listed as the first account, from the wpscan enumeration, I thought that the account may have been the admin account. So, I returned to the browser and entered the credentials.

Method 2 — MySQL, SELECT Statement:

In researching uploading shells with MySQL and PHPAdmin, I wanted to try to use a SELECT statement to upload a basic shell to the blogblog/wp-content/uploads/ directory. So, I connected to the system with MySQL.

Local Information Gathering and Enumeration:

First things first, I issued the uname -mra && cat /etc/*release* commands to gather information about the system.

Privilege Escalation:

As previously noted, there were three paths to root the system. So, I documented the methods that I used.

Method 1 — Stored Password:

Having credentials for SSH, I opened a terminal and launched SSH with the JKanode account. Unfortunately, this account was not able to authenticate. However, I was able to successfully authenticate with the peter account.

Method 2 — Kernel Exploit:

Knowing the OS and Kernel versions, I launched searchsploit to perform a web search for Ubuntu 16.04.

wget on Stapler
SimpleHTTPServer on second attacking system

Method 3 — Cron Job:

I have to admit that I had to research this method and review a few other posts prior to figuring this one out. In addition, I found a useful enumeration tool by Mike Czumak called linuxprivchecker, although the amount of information it produced was a little overwhelming for me at first.

echo '#include <unistd.h>
int main(void)
{
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 0;
}' > rootpriv.c

I used the cat command to validate the newly created file.

echo 'chown root:root /tmp/rootpriv; chmod u+s /tmp/rootpriv;' > /usr/local/sbin/cron-logrotate.sh

Using the cat command, I validated the newly created contents within the cron-logrotate.sh script.
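The root cause of Method 3 is a root-run cron job whose script file can be modified by an unprivileged user. The audit below is an added example written for this write-up (not the author's code and not linuxprivchecker): it parses /etc/crontab-style entries and flags root jobs that reference a group- or world-writable script, or one that does not yet exist in a directory others can write to. The crontab and script files it checks are constructed in a temporary directory.

```python
"""Audit /etc/crontab-style entries for root-run jobs whose script files can be
modified (or planted) by unprivileged users, the weakness behind Method 3 above.
Constructed example for this write-up; not the author's code or linuxprivchecker."""
import os
import re
import stat
import tempfile

# System crontab format: minute hour dom month dow user command
CRON_RE = re.compile(r"^(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH

def file_is_weak(path):
    """True if the file is group/world-writable, or does not exist but its parent
    directory is writable by others (so a lower-privileged user could create it)."""
    try:
        return bool(os.stat(path).st_mode & OTHER_WRITE)
    except FileNotFoundError:
        parent = os.path.dirname(path) or "/"
        return os.path.isdir(parent) and bool(os.stat(parent).st_mode & OTHER_WRITE)

def audit_crontab(lines, is_weak=file_is_weak):
    """Return (path, entry) pairs for root jobs that reference a weak absolute path."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                       # skip comments and VAR=value lines
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue                       # only root-run jobs matter here
        for tok in m.group("cmd").split():
            if tok.startswith("/") and is_weak(tok):
                findings.append((tok, line))
    return findings

def demo():
    """Constructed crontab with a world-writable logrotate helper; returns flagged paths."""
    tmp = tempfile.mkdtemp()
    weak = os.path.join(tmp, "cron-logrotate.sh")
    safe = os.path.join(tmp, "backup.sh")
    for path, mode in ((weak, 0o777), (safe, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)             # 0o777 is the misconfiguration being audited
    crontab = ["SHELL=/bin/sh", "# constructed /etc/crontab",
               "*/5 * * * * root %s" % weak,
               "0 3 * * * root %s" % safe,
               "0 3 * * * peter %s" % weak]   # not root-run, so not flagged
    return [p for p, _ in audit_crontab(crontab)]
```

On a real host, feed it the lines of /etc/crontab and /etc/cron.d/*; the fix for any finding is to make the script root-owned with mode 0755 or tighter.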

Flag:

Having obtained root privileges (from Method 1), I issued the command sudo ls -al /root to view the contents of the root directory.
