# VulnHub-Stapler This a beginner level linux box which was on TJnull's OSCP prep list. This box has many rabbit holes in it also I faced some issues running wpscan because this box is very old and has an older version of wordpress so you may need some patience in doing this box so let's just dig in. ## Netdiscover

## NMAP ``` Nmap scan report for 192.168.1.8 Host is up (0.00044s latency). Not shown: 992 filtered ports PORT STATE SERVICE VERSION 20/tcp closed ftp-data 21/tcp open ftp vsftpd 2.0.8 or later | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: PASV failed: 550 Permission denied. | ftp-syst: | STAT: | FTP server status: | Connected to 192.168.1.6 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 1 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) | 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) |_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519) 53/tcp open domain dnsmasq 2.75 | dns-nsid: |_ bind.version: dnsmasq-2.75 80/tcp open http PHP cli server 5.5 or later |_http-title: 404 Not Found 139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) 666/tcp open doom? | fingerprint-strings: | NULL: | message2.jpgUT | QWux | "DL[E | #;3[ | \xf6 | u([r | qYQq | Y_?n2 | 3&M~{ | 9-a)T | L}AJ |_ .npy.9 3306/tcp open mysql MySQL 5.7.12-0ubuntu1 | mysql-info: | Protocol: 10 | Version: 5.7.12-0ubuntu1 | Thread ID: 9 | Capabilities flags: 63487 | Some Capabilities: Speaks41ProtocolOld, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsTransactions, LongColumnFlag, SupportsLoadDataLocal, IgnoreSigpipes, InteractiveClient, FoundRows, LongPassword, Speaks41ProtocolNew, ODBCClient, DontAllowDatabaseTableColumn, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins | Status: Autocommit | Salt: }\x13V\x10\x06 *<,`\x0D\x0C\x0E88 ]7JV |_ Auth Plugin Name: mysql_native_password 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port666-TCP:V=7.80%I=7%D=12/25%Time=5FE52027%P=x86_64-pc-linux-gnu%r(NU SF:LL,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x SF:152\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x SF:04\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\x SF:a2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2 SF:\x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\ SF:xb2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xae SF:u\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\x SF:d3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\x SF:a0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\ SF:x87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\ SF:xf4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\ SF:xdc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\x SF:d5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\x SF:af\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2 SF::\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk SF:\x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc SF:\xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xf SF:d\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc SF:\x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0 SF:\xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u$\[r SF:\xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaa SF:k\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy SF:\xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7 SF:f\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb SF:\[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\ SF:xcc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\x SF:a7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81 SF:\xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x SF:96\x1e\xcb\x879-a$T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb, NetBIOS MAC: (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | Computer name: red | NetBIOS computer name: RED\x00 | Domain name: \x00 | FQDN: red |_ System time: 2020-12-25T04:11:44+00:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2020-12-25T04:11:45 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 46.74 seconds ``` ``` nmap --script dns-nsid 192.168.1.8 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-25 04:41 PKT Nmap scan report for 192.168.1.8 Host is up (0.0010s latency). Not shown: 992 filtered ports PORT STATE SERVICE 20/tcp closed ftp-data 21/tcp open ftp 22/tcp open ssh 53/tcp open domain | dns-nsid: |_ bind.version: dnsmasq-2.75 80/tcp open http 139/tcp open netbios-ssn 666/tcp open doom 3306/tcp open mysql MAC Address: 08:00:27:E1:68:35 (Oracle VirtualBox virtual NIC) Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds ``` ## FTP (PORT 21)

The banner gives us a name "harry" so it can be a username

``` Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John. ``` Again this note has some usernames ## SMB (PORT 139) To enumarate smb we run `enum4linux` . I am using an updated version of it which is called enum4linux-ng.

Here it did found some user names ### Hydra Now using hydra we will try to crack the credentials for ftp by using the same wordlist of user we found for passwords and users

Again if we use this wordlist for ssh we will get the same result and will be able to login into the box

On running ss -tupln to see which ports are open on the box we see port `12380` Also there are some directories on webserver

But going on to port 80 we don't find any directories and ruuning gobuster is useless because it doesn't show anything interesting ## PORT 80

## PORT 12380

Running nikto on this port it returned as that these directories do exists the ones we found in `/var/www/https`

## Wpscan On running `wpscan` along with port 12380 on directory `blogblog` which is a wordpress site it gave me erros

So added a parameter `--disable-tls-checks` and it worked fine

Now we know the registered users on wordpress , let's enumerate more to get plugins

It didn't returned me any plugins so now add a paramter `--plugins-detection aggressive` there are only three modes for detecting plugins passive,mixed and agressive

Using this technique I was able to identify 4 plugins ``` two-factor shortcode-ui akismet advanced-video-embed-embed-videos-or-playlists ``` Searching for an exploit for one these plugins I found something on exploit-db

So here only LFI can be useful.

Edit the exploit by putting the proper url where `blogblog` is

And it will throw this error

To resolve this import ssl and a line `ssl._create_default_https_context = ssl._create_unverified_context`

On running this exploit it will create a jpeg file with random string

When we'll download this it will be php script in which the contents of `wp-config.php` are stored but we don't need to do this as we have our foothold on to the box and we can just search for that file

And we will find the credentials for mysql database since port 3306 is running we can connect to it

We get a bunch of usernames and passwords but we need to crack these hashes so lets store them in a file and to crack them I will be using johntheripper but you can do it with hashcat for that you need to specify with what kind of hash are we dealing with so I went up to hashcat examples and found this is a wordpress MD5 hash

On cracking those hashes ``` john:$P$B7889EMq/erHIuZapMB8GEizebcIy9. :incorrect elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 :ylee peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 :washere barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 :passphrase heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 :football garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 :monkey harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 :cookie scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 :coolgirl kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 :thumb tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 :damachine zoe:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 :0520 dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. : - simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 : - abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. : - vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 : - pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 : - ```

On logging in with username `john` we can see that we are administrator. Now we cannot upload a php file directly but we can upload it through a plugin upload

But we are in the same situation and this was again a rabbit hold that we got into so only thing now we can do is look for general information about the linux os

So, the os is ubuntu 16.04 and kernel version is 4.4.0-21

But by the result `i686 i686 i686` it says that it is 32 bit architecture.

So this may be the exploit that will work On reading the text file that is found with searchsploit it would tell to go to site where zip file is uploaded for the exploit.

And according to the read we have to run `compile.sh` and `doubleput`.

Transfer exploit.tar to the target box and extract .tar

Now compile the doubleput.c and ran compile.sh and doubleput