Vulnhub Stapler1

Vulnhub Stapler1.0 Writeup

All information can be found on www.vulnhub.com

---------summary-------
1. Information gathering
2. Host exploitation via a reverse shell
3. Privilege escalation
---------start---------


After booting the downloaded VM, we see the system's login screen.

Since we don't know the IP address, we use arp-scan to find it. Here the IP is 172.16.194.138 (the VM is on a NAT network).

After knowing the IP, the next step is to run Nmap and see what the host exposes. Here ports 80, 666, 3306 and 12380 look interesting.

First I tried port 80, but I could not get any further information from it, so I tried HTTPS on port 12380.

Here is port 12380; it seems to have more information.
As usual, I check whether /robots.txt exists, and luckily it does. It lists two paths.
The first is /admin112233, but it only shows a pop-up and then redirects to another page.
Next, I tried /blogblog and found really interesting stuff here: it is a blog.
From here, I can turn my attention to getting a reverse shell into the system.
So the next step is to log in to this site and upload a backdoor file.

Now I hit the login button and realize I need to brute-force my way in.

Back in my Kali Linux, I use the WPScan tool.
The first thing to do is enumerate usernames. I use this command:
wpscan --url https://<IP address>:12380/blogblog --enumerate u
This command finds usernames using WPScan's default wordlist.

And here is the result:

The next step is to use wpscan to brute-force the password for the user 'john'.
I use this command:
wpscan --url https://<IP address>:12380/blogblog --wordlist <your wordlist file> --username=john

We got this result! The username/password is john/incorrect.
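The two WPScan steps above, username enumeration followed by a password brute force against wp-login.php, both leave a clear trace in the web server's access log. The following is an added Python example (not part of the original writeup): it parses Apache combined-format log lines, counts ?author= probes and requests to the wp-json/wp/v2/users endpoint per client, and flags any client that POSTs to wp-login.php at least a threshold number of times inside a sliding time window. The log lines, client addresses, timestamps, user-agent strings and thresholds are all constructed for the example.

```python
"""Flag WordPress user enumeration and login brute force in Apache access logs.

Added example for this writeup; the log lines, client addresses, timestamps and
thresholds below are constructed, not taken from the Stapler VM.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines, login_threshold=10, window_seconds=60, author_threshold=3):
    """Return {ip: [finding, ...]} for clients that enumerate users or brute-force logins."""
    author_hits = defaultdict(int)   # GET ...?author=N probes per client
    rest_hits = defaultdict(int)     # wp-json/wp/v2/users requests per client
    login_posts = defaultdict(list)  # timestamps of POST wp-login.php per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "GET" and "author=" in path:
            author_hits[ip] += 1
        if "/wp-json/wp/v2/users" in path:
            rest_hits[ip] += 1
        if rec["method"] == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            login_posts[ip].append(rec["ts"])

    findings = defaultdict(list)
    for ip, n in author_hits.items():
        if n >= author_threshold:
            findings[ip].append(f"author id enumeration ({n} ?author= requests)")
    for ip, n in rest_hits.items():
        findings[ip].append(f"REST user listing ({n} wp/v2/users requests)")
    window = timedelta(seconds=window_seconds)
    for ip, stamps in login_posts.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= login_threshold:
                findings[ip].append(
                    f"login brute force ({login_threshold}+ POSTs to wp-login.php within {window_seconds}s)")
                break
    return dict(findings)


def _line(ip, ts, method, path, status, ua):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "{ua}"'


# Constructed sample: one scanning client and one ordinary browser client.
SCANNER, BROWSER = "10.0.0.5", "10.0.0.9"
SAMPLE_LOG = (
    [_line(SCANNER, f"10/Jan/2024:12:00:0{i} +0000", "GET", f"/blogblog/?author={i}", 301, "scanner/constructed")
     for i in range(1, 4)]
    + [_line(SCANNER, "10/Jan/2024:12:00:05 +0000", "GET", "/blogblog/wp-json/wp/v2/users", 200, "scanner/constructed")]
    + [_line(SCANNER, f"10/Jan/2024:12:01:{i:02d} +0000", "POST", "/blogblog/wp-login.php", 200, "scanner/constructed")
       for i in range(25)]
    + [_line(BROWSER, "10/Jan/2024:12:05:10 +0000", "GET", "/blogblog/", 200, "Mozilla/5.0")]
    + [_line(BROWSER, "10/Jan/2024:12:05:20 +0000", "POST", "/blogblog/wp-login.php", 302, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, reasons in detect(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The thresholds need tuning against the site's normal traffic (a busy multi-author blog legitimately hits ?author= pages). On the prevention side, rate-limiting wp-login.php at the web server and restricting the wp/v2/users endpoint to authenticated users both remove the cheap paths this writeup relied on.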

With the username and password we can log in to the website. And the good thing is, john is an administrator.

The first thing I tried was to upload my backdoor payload file through the blog and use netcat to connect back.
But I failed, because its file format is not .php; I need to upload the file in a format that the server executes as PHP.
(I also tried SQL injection on the reply section, but it seems to be protected against it.)

Next, I searched for other places where I could upload my file. I found the plugin section, where I can upload my own file.
That's really sweet for an attacker.

In the Media section, I can find my payload file.

Now we can begin the exploitation with netcat. Open the listener in Kali Linux and open the PHP file on the website, and we get a shell on this vulnerable system.
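The foothold above depends on a PHP file landing somewhere the web server will execute it, and the Media section showing the file is the defender's first clue. The following is an added Python example (not part of the original writeup) of the check a site owner can run over the wp-content/uploads tree: it flags files whose name carries a PHP-family extension anywhere in the name (so image.php.jpg is caught too), files containing a PHP open tag, and files calling functions typical of webshells. The directory tree and file contents are constructed in a temporary directory for the example.

```python
"""Find PHP scripts and webshell markers under a WordPress uploads directory.

Added example for this writeup; the directory tree and file contents below are
constructed in a temp directory, not taken from the Stapler VM.
"""
import os
import re
import tempfile

# Extensions that PHP handlers commonly execute; an uploads dir should hold none of them.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
# Functions typical of webshells; a hit is a lead for manual review, not proof.
SHELL_FUNC_RE = re.compile(r"\b(eval|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)


def script_extension(name):
    """True if any dotted segment after the basename is a PHP-family extension,
    so that double extensions such as image.php.jpg are caught as well."""
    segments = name.lower().split(".")[1:]
    return any("." + s in SCRIPT_EXTS for s in segments)


def scan_uploads(root, max_read=65536):
    """Walk root and return a sorted [(relative_path, [reason, ...])] for suspicious files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if script_extension(name):
                reasons.append("script extension")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read).decode("utf-8", "replace")
            except OSError:
                continue
            if "<?php" in head.lower() or "<?=" in head:
                reasons.append("php open tag")
            if SHELL_FUNC_RE.search(head):
                reasons.append("shell-style function")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="uploads-")
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "2024/01/notes.txt": b"plain text, nothing executable here",
        "2024/01/cmd.php": b"<?php /* constructed */ echo shell_exec('id'); ?>",
        "2024/02/image.php.jpg": b"<?php /* constructed */ echo 'not a picture'; ?>",
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in scan_uploads(build_sample_tree()):
        print(rel, "->", ", ".join(reasons))
```

Two configuration changes close the route used here: the web server should refuse to execute scripts under wp-content/uploads, and a site that does not need admin-side plugin or theme uploads can set define('DISALLOW_FILE_MODS', true); in wp-config.php, which removes the plugin upload page an administrator account could otherwise use.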

Now I am in the system, but my privilege is not root; I still need to escalate. After digging around in the system and looking at the running processes,
I use
ps -aux | grep root
I found something really cool: user JKanode is running some service with root privilege.

In the JKanode home folder, look at .bash_history.
This file records all the commands typed in the terminal and shows the activity on this computer.
And we found two lines that might be our way to get root.

First I used ssh JKanode@<IP address> and tried to become the superuser, but I failed because this user is not in the sudo list.

Next, I tried another user and bingo! User peter is in the sudo list, so I got root really easily!
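The two privilege-escalation leads in this writeup, a readable .bash_history and an account in the sudo list, are exactly what a host audit should look for before an attacker does. The following is an added Python example (not part of the original post): it scans shell-history text for commands that carry a credential on the command line, and reads a sudoers file to list every user or group granted ALL commands, noting NOPASSWD entries. The history lines, the sudoers entries, and the hostnames and passwords in them are constructed; peter appears only because the writeup names that user.

```python
"""Audit shell history for command-line credentials and review who holds full sudo.

Added example for this writeup; the history and sudoers text below are
constructed samples, not the VM's real files.
"""
import re

# Ways credentials end up in ~/.bash_history; each entry is (label, pattern).
SECRET_PATTERNS = [
    ("sshpass password", re.compile(r"\bsshpass\s+-p\s*\S+")),
    ("mysql inline password", re.compile(r"\bmysql\b.*\s-p\S+")),
    ("curl basic auth", re.compile(r"\bcurl\b.*\s(?:-u|--user)\s+\S+:\S+")),
    ("password piped to sudo -S", re.compile(r"\becho\s+\S+\s*\|\s*sudo\s+-S\b")),
    ("secret in env assignment", re.compile(r"\b\w*(?:PASS|PASSWORD|SECRET|TOKEN)\w*=\S+", re.I)),
]


def audit_history(text):
    """Return [(line_no, label, command)] for history lines that embed a secret."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in SECRET_PATTERNS:
            if rx.search(line):
                hits.append((n, label, line))
                break  # report the first matching category only
    return hits


# user-or-%group  host=(runas) [TAG:] commands   (the common sudoers line shape)
SUDOERS_RE = re.compile(
    r"^(%?[\w.-]+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+?)\s*$"
)


def full_sudo_principals(sudoers_text):
    """Return [(principal, nopasswd)] for entries that grant ALL commands."""
    out = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        if "ALL" in cmds:
            out.append((m.group(1), "NOPASSWD:" in m.group("tags")))
    return out


# Constructed history: every password here is a placeholder, not a real credential.
SAMPLE_HISTORY = """\
ls -la
sshpass -p ExamplePw1 ssh someuser@10.0.0.20
mysql -u app -pExamplePw2 appdb
export DB_PASSWORD=ExamplePw3
curl -u admin:ExamplePw4 https://intranet.example/api
echo ExamplePw5 | sudo -S apt update
cat /etc/hostname
"""

# Constructed sudoers: the shape of /etc/sudoers, not the VM's real file.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
peter   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
%admin  ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for n, label, cmd in audit_history(SAMPLE_HISTORY):
        print(f"history line {n}: {label}: {cmd}")
    for who, nopasswd in full_sudo_principals(SAMPLE_SUDOERS):
        print(f"full sudo: {who}{' (NOPASSWD)' if nopasswd else ''}")
```

Run the history audit over every home directory (and root's) as part of a build or host review, and keep secrets out of history in the first place: HISTCONTROL=ignorespace with a leading space hides a single command, but the real fix is not passing passwords as arguments at all. The sudoers parser covers the common one-line entry shape; validate the file itself with visudo -c, and keep the ALL-commands list as short as the writeup's result suggests it should be.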

