Vulnhub Stapler: 1 Walkthrough

Now this is a box to test your ability to stay focused.  There are a few things going on that can distract you which could cause you to overlook the smaller, more important, details.  I can't say this with all of the boxes but I stayed on the right path from start to finish.  

According to the notes, there are two ways to get a low privilege shell and three ways to root.  I found two ways to a low privilege shell and suspect there's actually a third.  I know of two ways to get root and I'll have to read a walkthrough to see the third avenue.  

There's so much going on with this box for post exploitation and I want to play around a bit more but I have to move on.  

If I were just starting out and I fumbled around on this box, I would go back to this box again in three to six months when I'd forgotten as much as I could and give it another go.  


Enough chattering, we start off with our Nmap scan:






Lots of ports to poke at and because I knew this box had a lot going on from the description, I wanted to go through my process to keep on track.

Checking FTP for anonymous and write access:





I can access FTP anonymously but I cannot write. 

I find a file and I download it:





Nothing as good as the root password but with this note, I start a list of names to put into a users file in case I need to brute something.

Let's poke SSH:





Another name for my users file.  

Let's check the web port:





Not helpful, let's check it with Nikto:





I grab both .bashrc and .profile, nothing useful.

Let's check Samba:





I like to redirect the output to a file -- makes it cleaner, I think.

Viewing the output:




Scrolling through to the juicy parts:





Some shares to look at in a moment.

Continuing on:





A bunch more users to add to our users file.

Another way of viewing shares:





Let's connect to the shares and see if we can find anything useful:





I thought I had something good with this wordpress-4.tar.gz file but the wp-config file wasn't in the archive.  :(

Let's check out the "todo" list:




Dear Kathy,

You should also backup the wp-config.php file in the WordPress root folder.

Thanks,
n00bh4cker

Let's see if we can hit MySQL remotely:





Testing a few weak passwords, no go.  Moving on...

Let's poke at port 12380:





Another web port.  Let's view the source:





Yet another user.

Let's hit this web port with Nikto:





A few things stand out.  The obvious, like the directories.  But also the SSL Info at the top.

Let's hit robots.txt:





We get nothing.  We also get nothing on the admin and blog page.  

Switching to HTTPS:





Nice!  I've been burned enough times to know not to rule out HTTP & HTTPS. 

Now we can hit the admin page:





Ouch!

And now we'll check out the blog page:





A likely alias.

Let's view source to see what we're dealing with:





Oooooh... WordPress... my favorite!

Firing up Wpscan:





Note that I had to disable TLS.  We see John's name again and we also see that uploads and includes are both set for directory browsing.

Wpscan still cranking:





Even more names.

Let's try to crack some accounts:





I'll assume John is the admin.  The Wpscan results didn't show anything super useful that jumped out at me.  Let's keep looking before we start chasing its list of possible vulnerable avenues.

Recalling the earlier information, browsable folders:





Wpscan didn't pickup on this plugin.  Checking exploit-db, I find an exploit:

https://www.exploit-db.com/exploits/39646/

I choose to going manually, I feed it something bogus to see what happens:




Cool, I have a path.  Now I feed it what I want, wp-config.php:

https://192.168.0.53:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=/var/www/https/blogblog/wp-config.php





Let's check out this url:






Not what I was expecting but on a hunch, I check out the /upload directory:





Cool!  Let's download it:





Assuming our wp-config file is inside this supposed .jpeg, I grep for what I want:





Excellent!  Now circling back to MySQL:





I'm in!  Let's move to WordPress and retrieve the users:





Awwwww yeah!  Copy this into a file because I'm going to clean it up in a second:





Using Awk to take out the noise:





The power of a GPU is a amazing.  Running the hashes through Hashcat:





I stop it because I have what I want, John's account.  If need be, I can go back but I'm pretty sure I can move on without cracking further.

Attempting to use my newly acquired credentials:




I'm in!  Moving straight to plugins because I want to upload my shell:





Checking uploads to confirm my shell exists:





The shell is waiting, let's setup the handler:





Hitting our shell:





I get a session!

Let's move into /tmp and see what OS we're dealing with:





A quick hunt on exploit-db yields:  https://www.exploit-db.com/exploits/39772/

I download the exploit, extract it, compile it, and now let's run it:






Boom!  #root

Checking out the flag:





Milk and cookies!

I go looking for the other root.  With all of the users on this box, I use 'find' to hunt down .bash_history files -- I'm looking for gold:





Eureka!  We have gold!  Let's check to see if we can sudo su:





Peter's our guy!

Going for root #2 : 





And we have the second root!

That was a LOT of fun!  This box ranks up there with Brainpan in my list of favorites.