STAPLER
- Layout for this exercise:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhduXVbdHpuQrNCeuO5GSVKt6MBi63Ek-kkmiovp8BUZ-L9gJ-mjeTvUFEwe-VlvYjmsab33n1UKNQDI4cdyhM-p8sszzcIAHzJs-Yr5DLIYFKKJ-YVl0yXOTxDNgwbX4K3qZkyLgQZIAzl/s640/screenshot.181.jpg)
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Stapler.
- According to Stapler's author there are multiple methods to hack this vulnerable machine; let's try some of them.
- Stapler can be downloaded from here:
https://www.vulnhub.com/entry/stapler-1,150/
- Once downloaded and extracted with VMware:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh7sn4vdpBvUnMpxTUIzZS-20v1tPNguRx60M156WM7lk6Gn89Cv96kapRCJOSGBuUmxEileDfE0NJfmZ0KVBgtXTVoni2u3PPLPblsLjBRzPUInvE26o40h2o7WFIgi2hv5OyGHC7DBRL/s1600/screenshot.1.jpg)
2 - ENUMERATION
- Scanning all the ports with Nmap:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0QXgIqFag0y7BrykHpJc-tSkjcbBT5MUBTjoMyfLv4xbgVWBYpadlU2CPhjhvg14HOpE-LO8-C5sUFMjcpEuIT9OFmzUFLIhEhp0BQ-z7qz0Ovla0R19D9pmM2H0wlURgidAHo1ciJCmI/s1600/screenshot.80.jpg)
- Scanning thoroughly just the open ports:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl1YfRaD3eHjhQq5wdDBH5nxeZL4Oo0JcI0d84jsCG5-tLAVPUcpY5TYjDma1gRS9JXuZPyNyEJpypbG_Cf9TSpvo2yrP3rD6KAltqDjmGXe0p2q3zwPEV-BOtF2_z9Prxdj9qv4DGDtAH/s1600/screenshot.84.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd0qP2_e0gbK3DVkpzjmjdqVql3RdHgMLnx44dxFROQXcTVhN2Seq6LKHgx8TXKjTAuJd8dnuPTrULzUdkCP3Tbuo3fdqxnIGIidZEidMSE5AKctvKOHB5HB4PBBplwInHugHx92WH4bv2/s1600/screenshot.85.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvrwmr0EgBwIbB8F-bi6PcF0E0lN-P4szLyfC7II_aES4pJ97cNFWDzA7b-CAW2ky1fj-n1sw_o0O8gZsWJFXtl1CYEOY9uQSN9NYTzFKH50BfKXvB-S5rB88J-rSnt19uDcMWexmC-n34/s1600/screenshot.86.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKLN-5i1EA-IRHSD9o22MNmAxDgxEgyTcr_eJaLjrVLjLydPP9J_LLXEMDZQVSeYOiIislvby2PzeDX8j9io_IThYB87UWNMHRHCVdFuno0YBhRQxmKX0ZDza6maK-JUgpTUd1eD2UUI8l/s1600/screenshot.87.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuoJgF3nFBGIlQKrV7RF_XgyEox_03PIWl_ojzgbTlbv8hpYhwglNrE9yflLUPJnEKkjifTSqj8r-ODy1VQ-IY1X-kAsqudwBLDC1E33OEB8pd_vaQ_PYdiGbyuAJ1lGqP65ef49tvjZ8D/s1600/screenshot.88.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdMUxeoIP0oWr87mWEinpsLF9gzytRdorrdZfUQUFM18503byAhOEYSEsWzX9uejrlj870sfx_r61Fe03P4m13P1ah1kJnSj5K7xRyJlaKANfrpNt8y1LAl1eAuTF3wa0mEjC7u-m2ydvL/s1600/screenshot.89.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMWjm8DpQNTe8T-fueGaZb09SXK2qBz4dZWuZtA_0JKbyKah8fWVEQthvtZE2_DmAbMeOehgJbTP53lhMscneXNXkAVUa-Q37SDkvB7RDSPoNTEAEjI1LfZrkGfuav_zjBF9u6HC4-q_aC/s1600/screenshot.90.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTalSFhEmAw0iDO85H4W-wYRBcv_XgwylAn9wnsWiS4W4_E8Yimz-GhYsoSrCATVfu7rDyYbndu9QCn-ZitU4uHFRnbPV9YOhTczEI59tntJPC6z1LVH3Na1mYMG4q6MWLlxxJm83asEgX/s1600/screenshot.91.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5GnYJ0B7Z5fCLHSgk03RORGX1TtoYigLGY4lLe7hHL_qwxY0G-rlkKAyCGT85b6pvdFGlOTJ4_hAhf_3pr3vzagg8MkRZITCgwsqxxOlOqeNzZTi7ZO3H5-4ZtRaTzkLuuPvLY9rfdPGr/s1600/screenshot.92.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCABSiO7t19ZVRskJDmx4-NX9GYSB9-Pl9AUeOWOUDfzgOzndUOCUC2_dZmlTEJz40yxVIVTqupDq-2fLtilpoaXwjLMfr92E3ZmxzMzo-Lr5aUPk8Tpsvpta1GboFG2x7U7e9cgp7UIpG/s1600/screenshot.93.jpg)
2.1 - Enumeration for FTP
- Login FTP with anonymous credentials:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHxYt53vYMfHPJGvwiH8t2SRLIhXRq-6-i_2WNoMizBM-UXQzN8Mm6kVlQHMBn5iRSfPfT3JjAUpdfDW6tJgXbmP6Z2PNirTv2k_a0frX57DvSXHLzhgRbI8wWIHtTi6oVlIvN-1uB3ffF/s1600/screenshot.81.jpg)
- There is a file called note:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLPoD9KvhZQU-E8Ok3nKat80I3UDyP5Pmto75YRK1LjmsXZgv0XIb7hVRuFUvtPHU6acv4wApv7BKoC8hdopTiKK8La0sg2t8aszGKitxTbNqmxN3pmyZFPob_NZ0nKfON8m8bLWXNL2RN/s1600/screenshot.82.jpg)
- Getting note:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHsHZC0KbZ0VwSHilyHSuI8sEIXe928YUgLWarKVvdeRH8sFyp8U90uNKxyo7NxXE1rzbIzP7jA4zGONDQ7BLiqtDdZEURky919Sfza3zMLiRHPJWXBLmHe0pejyozpZGeATUpCVlImlwH/s1600/screenshot.83.jpg)
- It is an ASCII text:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEivh2dNuaVOb55dcm5YfwPZvGb_irsedDnHSdQ6oBRq4e8vO30lvpihH1ICnMU4HiDfQCpRXcI_-DbqLnkaHTNBeG8wHMDILubDXj5g-0FaMucGs7EmbVTVP_dc4eKovdAMfJWCkKR697/s400/screenshot.95.jpg)
- Opening the file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ5g8yUT6wc4mgYeCbicl0CaEgGd1YFiV6ig4GVMAuF3kk-GdXsnV2reuMBMWg82y74mp4oW2-9_HR5pOyhTGI0mwRfsPetf828YJ8zmokjzBEkwOlSHif_-8FGz6wo3RxUqieqLuPhNWt/s1600/screenshot.96.jpg)
2.2 - Trying SSH
- Root login over SSH is not allowed:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfUlTmiFuojrCJH0EPL64q1hNdBDY4Ve8JgIFa40uujzo_tmNOLfUzQ5G2Uv9HL7_WyLc_LrznErzn_NXUswbHj27j0VQGznKxTve-CWVBl16wzuS4k-InNhF87DzG2tG6FkeHa2BgZNX_/s1600/screenshot.97.jpg)
2.3 - Enumerating SMB
- enum4linux gives us interesting information about SMB shares: /kathy and /tmp:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOutJPdCTdglsTXm8YZSF_ismbPdQ2yo-YLMw3w_BNSh8vP231_pkoVDLdaLPLID20cwBgdN-y3qAnlrf2GWnCyTW4137YyxunoyGfCR6_I11P1a7I7goLq4vowHUrF7F0box9LWc1_Igi/s1600/screenshot.182.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-7UMC5zZLLLxnY8aPchwFVmuXx46jJAEFjdc2bsKqSVZmc6LK4URUfHQvk2IWqklDFrlzu4AF-sgUdMdNm5EjbP8bYSqbm4jFH_GxUVn5LmgI1tAOK-ifPBuO2POJi-_dLOapfUJMoq6U/s1600/screenshot.183.jpg)
- Accessing SMB resources with smbclient:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUaZ9xOw6P-mo0NjWRs8IiqlCTo4sO1CyE5g54DZ8yUblDdStV63OdMvx600mSg304cFnNW9OxYcdSYZCcFv1a2KL3pV_r55T_lX34-GXzctfCzDJWrmi72MgC94-71oaG31LL4p2VsxvB/s1600/screenshot.98.jpg)
- Because Fred and Kathy seem to be related, let's try this share:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnECJ-1G-7WDd0EUC9NF7ZA4LQPKheGIRTnFSVZvvvas8CHToDfoupcYtEpB6OO6FURCD09nrI92Xwn2IdsOP4EDEipBRuNDYU4GYIO9Gw-hpery2L1ECWyaG5UWpj4_kTndmZaQvdZLhy/s1600/screenshot.99.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfoAAn7lLABfTOFlIMnxpvEczl4AmfJxAKU5yzqgSLI0A_fkcHSOa324wc55dUpasm8ZjGLJOiIDd626dBuuGT1M6qdRbG6pmJtVmUB6YcSmOpE_UCuIuh08FuyNGy53bD7JU_m7FYyBGl/s1600/screenshot.100.jpg)
- Listing, getting and opening content:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8nNgIqJ7oxw70Lp8NOwrNm9e-DtSXVa0rePNFZpPZVkrd-uBVNGBsu7ziGs2QbmSQgL9QbFTrmA0eg0XfZxKzs6_ti93t6-imGMAFvs3qONC8IVw0mPEO0jCKRVjo1G8mw_buvhjQwfgh/s1600/screenshot.101.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZhetVEmm0hHRkuu9al88-DVL1jZ2ZXm4Uuy0cUl_gn9L9OP-EdPGhB8Uq3_IMmNDfSCm1H-B4EKDxoNCvjV4DYD0y-0gxgP1CpdNMsm2mSq2rHtJFAw-RxbCXNHr9aRpVM6u1rXiKz4I_/s1600/screenshot.102.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF_8SRz9bKiimo9bw1yVsdCp65E44QS7ByGi-1onHwBgJHqFRQklvS9sHXudm42y9hSaskeCVb7g1qJTZmREvBZxXPl7hSyN6XvFr839W7cdIahAt4my5Zywp9c-jX-tdG8fPE8kBheLSJ/s1600/screenshot.103.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1bV0GyyQYgENg03tEziJtrc58DC3rCYbXdEVLttvcF4kPDGDBGdNG-OSmmLFpy2tKl8Wm3sNfpOMkgD2XBWYwe2mXychX_NpOyy4AxERNHAq9kmQ72dDHbZW2eBAXbhI8XtmvVHzPPy60/s1600/screenshot.104.jpg)
2.4 - Enumerating the Web Servers
- Now let's go to the two web servers running on Stapler, one on port 80 and the other on port 12380:
- port 80:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSn31P9G92syXB1oROx5O16jYoFvHIw2ndvUCyMToWDoy95vksUkCiI55bVeDqd5wr35uF7jSoIGvJuFX0nJQTXbv_P0nQOOsFx07ZK4FakGMUcJd9-jXekre5P0nz6E5yqtJl6fCEWzrZ/s1600/screenshot.105.jpg)
- port 12380:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfsERHDPTa9uIDZU0deFhDnVSFg5OD4ocMAFycQrPsRRQHg9oU3WTqsfxkbQ1rBzaz3S9ddQvxKsmgi5DAG1A57eotsAFECcuP2CRKJGqqWpbJY561E6YbqY5g_3NFCDNKFYgEFsX10pjA/s1600/screenshot.106.jpg)
- nikto helps us discover the folders /admin112233, /blogblog and /phpmyadmin, as well as robots.txt and the fact that HTTPS is used:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQW4MJuCxfrSOxudMJO5VBVslRpF7hIX9U8Z38GjqTbJCpDabvDy5rrxsc8hgY2xB_d0STbpaSQUvT27W-wXsEZPVlWAg6zewQXGzeo3OP7bqI_7Hcd3al8GkrR8cYEd2IPZLMP1zH1_JH/s1600/screenshot.107.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bwUvQfJt13sHIgpmprcbw3iTgySAk6D0DbMf89nlhV4_Km4f1-h0uDY2jhEPUVZwQdVTunCNp1KXcqWbwbI_ED8X4vjI5R0eIr2D4NPovdGhANKXoSfG6OCBmrppzri79hIHWz5n3qAU/s320/screenshot.110.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYL8WF9O2P1pX0UOTmrrw14SaB_Ton5ggoVVqfwKbYvFoN2fBxSSaPu8zJP8iONQ4iQb-iJLQs8PmQ5cOKO7IIy-CG0nyes46eQPrV6BIJSRVUtrP-wCsoYLQUu-5L7HpDeuYwTgtDaz8v/s1600/screenshot.108.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv7egThWMq75i4wJXsM2L62wxUpdpg1i1dv8KYA7jAp8mknlnWH56MUNqmUpiabTYn_RmHeLDhjH80zMiYkPi6tTJuFnov7iOCbRkobCiMicnbGeEv8mIGfmiCXGpmlHg-daVGIJ5BJ2PA/s1600/screenshot.109.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpS-q1NImubjbD43kB0d9MyDC22UXlf9nXmwSjGC3fmIhsWYy9QXE54n44w7J4OXjcMKj_SXfTnrUEOMcagEM8DUjqV2eJDIXGAGHtPa0imD6ocRDAIHQ5zkA7BLOYQafd7jssI7hk8Yxv/s1600/screenshot.111.jpg)
- Connecting again to port 80, now with HTTPS instead of HTTP:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnC_qknpp3SV7VrCypIEeGSoj6z_a3o6HK_38QXem8CU8X06-ExRNZfQoiliH6z607DClcOi8p2AqXKP1IOsbHON9EgO62Qa798flR-jr19YVz5oDzuJe04_w3GK2ZqZUv6lnaxnYF-6XT/s1600/screenshot.113.jpg)
- Connecting to robots.txt at port 12380 via HTTPS:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8mTJGd5Rrjxpqky7-OQz-9f4MKcQEzaR6yuzk8H_yggKZ-YULDRYTbV4H-XaaXIqUgjXe4kHlPNq946Wjl3g5h-KjXtXOMVMLgvW20pZpKP97SnmTmOfDEix78ghXDKwyAI6VHDQbWHcM/s1600/screenshot.112.jpg)
- Going to /blogblog we discover that WordPress is used:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhYCDFlG5ufeW3meJDNk_C4tHOuMVbSC80IVG-lRUH8h025bCKaMBB2XJsyba9_iml97PHlr1bG_fBhq7ZSvQlX_j2qNenkkGXhBGKj6Q_iKg3ThUeLaDotYRkap5ZIYGKctyCNBxmzl8zv/s1600/screenshot.114.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqDuy2uP05Ghq13RPbBXDZev_EeyiRZAOTCBT3w6hnnvTPDb4ZPiigalgl2OCHqCmct6kHhMr4i2xpFpcFq10eJ4hHQ3F1pv6F8gfQMzk_3oSKB0NfOC4rikdjl7KCQNzvOGnjLdQp4cIP/s1600/screenshot.115.jpg)
- Going to /phpmyadmin:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAwRfWyvEYZrSih_bDRkPdr3QJ9kJdjAfu4U-1Uwyfh03BViHyz3trwDvaTCvR9ajH3lwo7Xt83LULMriK9rEHILn0bVqVbr1xA1m-o5N_8tFCT6ugIiAtqSPBZx1B71lkv0_9eBtd6A1t/s640/screenshot.116.jpg)
- dirb discovers another directory:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXUjrp7oWCxLlZ-QoKeKjzHbsZ_sLlGL5ffOqHRLn5dVUN0jym7Gd-v-P29FbU4pI9VT-IAxn585p6t2GEKuyXqvR77VOYVJc0-8ztbUy6BN-d7CdVI5QeeM-VNgHaB0LOkz0wvdBie5CY/s1600/screenshot.218.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHx-L6Z6okBVf3tlqrxjV-No7FcFIdsBby5jXN3bln8-MaNRDnPvOA34BbqS-gruC2pm1Dw1-Jwyd3DniCN5aPbIQkgTPR7sMiKJQ-VtcQb5hnbHrYeFGqpBcOGPvvi8scTWTFvuy1EwAZ/s1600/screenshot.216.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4dIaE9hjxLx7dMuLE3mf8AYO2Ev1VIJ0Ur7UxK9C1Vn7cNd-knnWtw9c9GGsaiCLPwxsQ8i7B4MHdz4XnVSPBawL5tTJGos2VksfjrVGKhlsKkpAghSJlxuei7EK2kH3sinBRUCM0O3w2/s1600/screenshot.217.jpg)
- Browsing announcements:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5wPEjaOP4xcfsAsmuzYb1BfUSrm56TczuGWSHbaIdAKqZNs0loLHpIz5V-Go508PLAPqv_zjLYS4dVBZrVJIkMQinYp8uy2X4YtPb5RD89mqZOoZSIxf2zb1WfS8i55F6BYcoZzZXaLCt/s1600/screenshot.219.jpg)
- Reading message.txt, nothing special:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV3qNSOdU-1EIL_N18GXyga9G-s5lz3h1BdjQrlvWDwrjhDB_-iJOWsmoG53tNk6gj04O7oQAfQysRG-R7FQ18kW7yu6qUKZEhMELfANJnEDRdYtI6q-Ie_7qDZaMT3aa-pttW35Chi6rK/s1600/screenshot.220.jpg)
2.5 - Enumerating WordPress
- wpscan enumerates WordPress vulnerabilities.
- The first try is unsuccessful because of an ssl_cacert error when checking the certificate used with HTTPS:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhm29FvSocWweDIZSy1zlFg9yyYJNhE7exRuPqwA_LXLhlVd9QeYRZukcLy09OF6kGUU83HVIsrEMr1meiznjnNmv9HC2S7-oU0pK6-DDRu0Oh8WSulj0Zo5yky51ttChPq45bHlPhimLKn/s1600/screenshot.117.jpg)
- Disabling the certificate check with option --disable-tls-checks:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSdavjyEPxPs1gCCYbQZn5vTm4ypOOFCuB2e347svSL0_clg2Fk3OIgC9ZlAWZHUvzaJ7kkdTzk-pzrpD9ZtP_KC09HN8LTaHPnJmekYxT9QnNHXndzk0ld3OUKqggKsoQxdVBD-6xnCzL/s1600/screenshot.118.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4IQy5VITR92YS1DQQc6mf83CdYfWUuJWkHoIVaNu-R401KxoZc0yXeWRI6bsmHiisOh5P5EsjfJE-bmBkPnUMMuLMQeqm1V_Sj0-J_PiNOqSDZyAhzVfxjXiCl68azxcyHTcfzeA3A7i/s1600/screenshot.119.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxe5a9Tq1eK_lpRdYJj9WrjMqUiWXYGJieM9boiCSWOKnEvQi7udmBOdRGgZFMzYyVP9y0426BR1fqTX9aqOjffPPYnlqdxSs7Uf-fC00fDf3Qkc6wcp9vSsZN7hTSzBi4FIbUdIsdJbbF/s1600/screenshot.120.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiz8ul4B2DwdS63SOZZfcTM9unuiydKhQkooMgNdQV8S7cG-raPdLXulf5lbM3RpTNsfCmVwCipBvhDUBuFzNt0cyrmnvyIP2_fW_m9IE5xuQqZ5WNgIWXNaY7PO-OCp_DuBP_GsOJwU7IZ/s1600/screenshot.121.jpg)
- wpscan yields important information such as logins, usernames, vulnerabilities, and the existence of two folders: /wp-content/uploads and /wp-includes.
3 - EXPLOITATION
- There are different approaches for exploiting Stapler.
3.1 - Advanced Video Embed exploitation
- Going to wp-content there are 3 folders: plugins, themes and uploads:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPCFin6BfvaFrdalV5n_KHzP2-KA5EL5AlTUT44XSYvhjJEKl16e7FnC6F6aUPdZX0TWZBka47skmE0QORqfq3tyobpprc6YapaN2UTixiuNQ3h67JeF-1tdTKBukfUrtHJK1b6eW1l-oU/s1600/screenshot.122.jpg)
- Going to uploads it is empty:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-ubrYLhv7hfYqQ10gnswcIYItFgxpLNBFRvJ75tpMYDydI1ZdhGsI4W68f_x7XnAns7lVV6VdfPHKUqbd5ifD0H13GGg89yLf2H6djHEpdRiFG9JWAXrH0PlMpSidftz8935c8YHjEWWj/s640/screenshot.165.jpg)
- Going to plugins, let's notice the first one:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimkKJzdjzSnNRFnxL4nDkTFYzZOuEHkhbID3wn4g07wyvYzyhrBOvefXtPZU3KtekRthGByJhYzk1PcHC2n5CgV4DsANmGaTRSk7gtAevuh4Iq02Px3Pzf6RaBZ-2gYvc41t3wHQAdPLOR/s640/screenshot.123.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEij7KekNsPaIIrFDMxQE6oGGoaCOvoCOYaz4w2R5D-1YCCh8RO6POEh-B_4VgcCL5hgB46OFkzKUU-8AdepHYrmR2awcWKg5RddI-Cs2xYF4FYZKT3HRrN35DXGaP0cBAbBM6ihsqWVLRT6/s640/screenshot.124.jpg)
- There is an exploit for the WordPress plugin Advanced Video Embed 1.0; it can be found here:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjR8m7oAXncVDI0LpDNnFpcM18jpm07E4odmbT5JeX5HtwfJxWCjSVJE9ZphY1d5i-z6oBlm5Z0BnzDAuGnUf5SiHZA-V68T_O6h6mbaNPnfHypbWen-5fzbSN4sv5i3DYg3YmhWmr9DzRm/s1600/screenshot.125.jpg)
- Using searchsploit we find the Python script 39646.py:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfThLjF4PwaSoP0Xtg7pclp7MxXg3VK4na4SFMKTgKlRtR6hmI3fqCeHchvQzyoiuVP5UTWpmQXiBTe9XNmI21Wj0ELReOs1oWGcxvCsNVbPkagLtkQ1ARwTJR0kn8MICj8wynNsK3theb/s1600/screenshot.166.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLZLHaSubJW0O5jOiiQvDzyDHoJGMIvYlAdrNVY70JPqzlMs5gL2TFyT4I3O9sB1IHk11GqpjuSo78b0IdF8bXE4WvhfnhrqN9ImDjvSA_rW4VsO_DnOeBRQ_GoxOAfxKPLkJecI29Z2wf/s1600/screenshot.167.jpg)
- Reading the exploit we find the Proof of Concept:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicuB_4qFgnXRRwTHj2mGTL6GLbClpNiXrwNcpgd-4ZRTqsLx_mVYSAJ5TTJyvUMAG8Nk8Xswpl8L-A52R9S4gJZPxDs_5GxO-CAAQQ3PPTZvQnYl5HYeLz7eJJi3xvu8cea2NAtOs8Wiu_/s1600/screenshot.169.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXJwXTEwUPyelI4FT9jXe6DfmfTg35alDK5xsJfkfI9jldLYme_IGFSHRnWC5777EVKq954GQx2rHel-FgHmb6UeHPm5HR4vHY4fGut0NrKnZ-j04-af03znnv0vAlqjuAtWsXCF-UShuP/s1600/screenshot.168.jpg)
- Copying 39646.py, renaming it to advanced_video_LFI.py and editing it in two ways:
  - adapting it to HTTPS
  - adapting the IP, port and web page
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEit1YnLM4KqhrN9HahNxtH6PVvwBjYfxQ-3mVS7TpyOZIE0kGOm1hO1WxPa4mucTgPXqO4Dpulj2-XUwb4ZTBNXdmUrKzAc69azh4zAx3LbQE5yq28iI0Rn7t-J-X9v3gNZWwqv9m0Var15/s1600/screenshot.170.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZYlQULIv5D07DlFbe6mKjQiatOwiLsvAckQYf4ltLIPEJFj-Kn9Bbz_d6Id__0osI0KPtK72t4bgLSQoKjgeD_-mOw7O8f9QEdzAe9vUTPALefAe9k7psdfn8wovvTamU60BA8L-N225s/s1600/screenshot.171.jpg)
- Giving execution permissions:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK1bWywNR9_KiqS8Ux_Q7f0FiKYMxQP2zf8HoPwWT27zTnMkqCpWwkyis9gJpnVd5XeoBDGU18RoFTtE-VEdq-rdfBetuGQ6Pojwt8BluyQYggf5TkFpB0h29PRk56HZrATjT5rW8VRuSh/s1600/screenshot.177.jpg)
- Executing the Python script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_nVQtIwPGtOnQV7RxmFdB-CcGi38esNKwQdLsGSFdKETmbvylE-L9agPgURMF-GHt4iEH-AGcO5TPHQo9zlgjJmHS6JL_BosEytDHatydVB-IkUegIY0AwdQnvfSTAPjuhhnTPLBuvOvT/s1600/screenshot.172.jpg)
- As a result of the execution a file with .jpeg extension is created at the uploads folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEheS2_xnKunTTSP8tiZ9ryL-pJQIFHLsMTA1BQDGorKW6NagtuaW23HV6JEkRUsdI9QbKkoJSnYQ15zigF7HO3Fg3TPiog4XOTHGLJ4EjEKoFG9NWuKuEVUyGJ0qPNfSCV7TRMQwrHP75KT/s1600/screenshot.173.jpg)
- It seems that the .jpeg file is like an uploaded comment or blog entry at /blogblog:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwV1Qiy8Xb-ae3rYWDdYOHW1y-otwp6cDIyh15traYM1IJJe5S8isYvztmbWNeyPqXMg9ORnCiiZVpCT67Q5JNIjSd-iGkRJimciNlJQS1mWTvqD3iIxhmNuDWOurgF5I0GJmF7vf6WtCJ/s1600/screenshot.178.jpg)
- Downloading to Kali the .jpeg file:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMbO9yQOIi32RWwIw9fE5SlnTdtnICrQUT49-Jfql-ez3MDQ8IKFZdQmIlzw5CMtdYILyYh_pnN5hUm2pA28ZYoM0-cqkI0-RtFwAbTah-ylLwHlSIGM3oyZKmkjDB22OaKS5ETzngFp2G/s1600/screenshot.174.jpg)
- Actually it is a PHP script:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR5dGFpCRM52Hv12-0h-r8RfMvdUab6-c8Se4ViWog3hCzno6tN2Tw4AmEpcG6ZqCrXz_rtikBuoWFA3ipk2tP2xrKILDn6mR6G3rrfr8ftCX11cczFZJJJEA1C7s-fmkDk_pkrNpPdonP/s1600/screenshot.175.jpg)
- Reading the content we find invaluable information. It actually returns the file wp-config.php, containing the credentials of the WordPress MySQL database:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgreNsSO9JkKAdMe5Xg4Opm5okft0AO61OJIX3aPaGfcJPOTdCfMtcaR4tGgn9ASZSwBgznzic_0rHI9yIK7_kozkNvMrxPzERASa8GvXuy1iC5rXrAze_yBznL19p6lxpQRVWMjR7KqGte/s1600/screenshot.176.jpg)
- We have the password plbkac, which will be of great interest later.
3.2 - MYSQL exploitation
- Taking advantage of the information obtained in the previous step, let's dig into the database:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAUJ216Ci6hsuPrbx1ZXJ5vZnP_n9TZ135QKXUfEsT1RCekeF8aNqOZhownc8-yZlNuFAFr2RiTj6M8BEXAVM71opzMkcbOcONFR4S9z9zZalrM3VpJ3alxzFTq0AyolLEN3fte7fFJcs5/s1600/screenshot.132.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaC8DN8VXGUPLzBpQEH3Onil97rV1Oacm38yuhIHprr7UbHr8JlINEA_cOH4senLANejT9KYUTHbTh2n8T-nKKgXDmmqRejZaLOMp_D_BLejAOPtYjie8-DQSkf9iucnAA_AClI6brNKr4/s400/screenshot.133.jpg)
- Using the wordpress database:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-9V3AjE89fpiZ80CrrWsBQI1ApGi9sb8OAdykI08XEh7zbcw0k9DO9KQUZQZr5Li_PXo-_e8NHzs1ogrRNnll5eUhUdOFkg-UhqGDE_ABysN4caAqQx0O77njlEXAE21IkDOnMb8OTYI/s1600/screenshot.134.jpg)
- Describing wp_users:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfjwivCVXp35VJ-HF-Ao88yjytfrzwuGRGOSeBLtqv7hD8HZwQgLiE3ZTiVSbJg7Bmpy8bTEzVsiICvYaQEREwwPi3Uc6fjWxujkSKYQCL3q0JaJ4QLwzDlPnP9bNOkqdhxtGj8titgRBB/s1600/screenshot.135.jpg)
- Selecting login and passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_tu7kjnXKVbYRoyUX7PU_bnGTrAtCcHO-KAFZUcG1NeVRoCaf0xtxeSjVWxZW8bMiOeUzXX4A-fPV80wPHOgYcjGWMPvZUZ-ObnMShlOw68ihnUGrxPCIx-h4xt3MnlouzV0UxsMWP0VP/s1600/screenshot.136.jpg)
- Now we have a list of usernames with their corresponding hashes, which could be cracked later.
- However, for now I am just going to write a cmd file to the web server via a MySQL command:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9TlSBKLa8dKAUcBihGEdqVPSEPeKiuEkoqoiUlfE7b5V6qIITX1PbZt-VuZ0TIBjdkxtKVFpHcQy-2XDhMgLsEhyphenhyphenViK7xMY-CbYEG_J_d_Px1Q1xtdQ0LY-7PNle153q4su9XO4F0c1Jt/s1600/screenshot.137.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE72H4zOuNHk1D3jGsXlp7MB65FhTSNY3cquc3rvzFwd6DpZ_Zrd0Pd3VKQLMhX-oosB35IYN4fDr0W9YbgXHHv8xFom0cKoXZdd5LsMBT2ceIx80Q-S4SEA7EpCzlPKDCnoGai2cqgOUw/s1600/screenshot.179.jpg)
- It works; for instance, executing pwd:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXeugCXhKF9eHOSf9MdKjBGVw70t-f9tw87L40rwI_SLdBOXAJuvXo3HQlgDQhNHMWIgr3NHl-Or1Ga54D7_Vfmk_Te6xOnWk4hz3E4rQecoJB2mxpGFk87M-YqSRJYE0TGvNPkHrn4gRh/s1600/screenshot.139.jpg)
3.3 - Cracking the hashes with John The Ripper
- Launching John The Ripper against the hashes:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgArybMyoA7YyftiNo75Vo_yOoZ7ri7Q0uSin1606lRzNAwMF2Gja4cvWeEYEcXgRwdcN1ehhnBLozy-69D96b0iD98-CD7qrUT_hziwlUYnb6RHAK71F5cERFACe0vIUccAOnhzhTNfRRl/s1600/screenshot.215.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgv9qIE08hoj37KzsVJn26xfQWD6oEwLWrTpg5ppKmgRr_Up5PsvCdiaN_osspbR-VY3q19kwmCQEUzPj_SHf1nIUcKX8O_w9Vr5GiDa5QMQ5yMbG0t_v0Brf16RKNnf9NJt4ro4uI2oyt0/s1600/screenshot.212.jpg)
- After a while we find most of the passwords:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglGfrzgxaJ_fKmKJGwi1Jma3hQJdnN5KnvmNY7FN1V-JDt-T6m-cdMB5oE8TSpaiTQ3NSNezjO1D2GZsxysHdGGR0pDu9IQ5jY81vJ3jqLWlRczFfp4F54bjEGxiZo0-HKc5bMj1uVkvdB/s400/screenshot.214.jpg)
3.4 - Accessing phpmyadmin
- Also, using the credentials root:plbkac we have total access to /phpmyadmin, where we can obtain the same information about users and passwords as before:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6sXa8Ug5Ao5XqRb8FTfTAymx6YtrG0HPbs-D_Cqg16FCCqKkJpct5E0vEo-VI8WxDTP09Y3KgWLlUAB8DpBq3VRRmaax1QmEWIJ7RPs_-gy-nA3-agh_rvgxwpM572yLFN3P6LKBIi_YF/s1600/screenshot.208.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7IG4DC1xGoTMs11nzHhKoSKzsOECdczIEP2Igrko9olpDr8z0xnybAJQWz29f2UK96DsaJyQ9YG-jKuyiL_2H2Vk8d_OxzbFewpIfJ23PAKLNYbO5oBbLzTb_yt7N3VifpHCxzbQi6vYl/s640/screenshot.209.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0fj8AoxcCY30liD6OEhzGZptmikxTUl0pAax6aGkvhbn7lxOxoB_ZxibHv5xr4jbqkasDbNC4_EGCJMf-56JOnuJUV18yjVRVRuu8-upLahK9uYcV7qEzQmSHgB1cb2oScAI06NYs4rx7/s1600/screenshot.210.jpg)
3.5 - Getting a low privilege shell with php-reverse-shell.php
- Now, let's bring php-reverse-shell.php to our working folder and rename it to keep the original one:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO1v6gj-EslOLEZXkRcP9BQtrop4TSxGy6GUEhzB1H2mYrrFDRlFw3i6Aq_EsbpIRkbuvJbgsclAm1y-luPEzUIeDPikB67cPZi1bdqMnOZ92zimM4X9M5X1owcRN7GNZl2wEnh9bXGrZr/s1600/screenshot.253.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVzU5kJiVk82tmpvlZxp0IIJuMMUdGe6RTIf7vOtEy6cXPczrCJVmgJw_EoXpT6162zdnR435CjwsYjVFIZFZht4THkuowvBgm3SB1csgJwqOSLg8w7b1pf1tI8NRhoPA6_mc20H-8tnqg/s1600/screenshot.246.jpg)
- Adapting the script to our needs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjajZvxgc8PWtfgLjahXnvnajB1TWyYfi1Oz0kfOvCy9XLu5Cd5gavtXeyeQxTSoVlY17CmykMuWxBjWk5UwtMCF9kb5kt52fEinGwJkCmRD59NzI2WgyvYp_d5TMusKdD6GgihAOSByUHX/s1600/screenshot.247.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhosRvWYFdwab0YIiR8zIV9GsmbU1g0EIEOsSMm2gqs8YcjSj6rV1D2GjYMJ-4TeTrGAYzfEguGwZhPqyjVNwH7fHItndjFKH2dog5FR2x97mWTeiPCguVzQuERjY7q_HjsP3yGuhnPfm_7/s1600/screenshot.248.jpg)
- Looking at the last picture from point 3.4, the first listed username is john, and it often happens that the first listed user is the administrator.
- Using john:incorrect as credentials, let's try to log in to /blogblog:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhoK5e79njCxOt_tdsG0MwA01bwPwKkAqI3UsvGlTlPe4j_zbW7FpJMJnxSs4Z-E6n8ocW15HCRjNOsB7sLHYV9twGxC-tEQX-sn-6gra-_uW-KL2rGpGooJylIzdYxV7v2I3QY7pE3p1D8/s1600/screenshot.235.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiatpdbr54bo1pfBBcX1a-pj2mrVTcYa8w5GCWIH0-wJX9uqmncUzAMUkTkl1V9CFImF3Bvr1yRmGkQoWbWN3do5btshnLuk9TqLvjiRWupQoK6cfN6iFtKONsLYRi6c9PJVtZjpW63V_Nh/s400/screenshot.236.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV-8i9HFMy6s7KNpvPbzKlst2KrS_vizDNnD1UZjxUvfyfBp83IPANICBx1_8Rm8DMMI_Mtl8C8qWyOCm5MSy86ETXx4O-6nrREjHgU6z6sEGu1WSLNAU1s6uSWsKaJLtxCSqfdmtD4J2r/s400/screenshot.237.jpg)
- Going to Plugins there is a tab Add New:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-tGEcG-wyCJNC6t7cHpn7y8XMK0-18fX8RIZOABNJUdRX_B9YVZhe4_GgCJIL8Ak9bq1U9_k2x8bmApm2P1dDiSaWLllgtyrwAK5MxcaiUN09bH98DMWaS7m-REdkWqiR-_XA7yhLx6z6/s1600/screenshot.238.jpg)
- Uploading phpscript.php through Add Plugins / Browse:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBbxa4RiHYr-HIbr6dyPx-XuCVYr0ocsQXaWpYpETLpkq0KWQna3t0eZ53RXxUGqBHzW414EYy26Oph3zSqDSUdwfxpDmvloSRyCczKNnqYzLCV_oZATvG50MQYzjwNf3udSZrVbZcvkHR/s400/screenshot.240.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp7h6VaL2Efq3fyoEUQs6UIg4veN-_S3kAhoyIZbZeA8LNz2ntHGZmBprScJ8cvUgaJRYddViN6sRaI3SzJmPwwlctRTwQc_-TuDOhPXPbxJxcZBBy-38bwctnJURE6vAUGezN8lGV2SbT/s400/screenshot.243.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirJCedJHjDLt5IQPz86VlQfY6jMvwPsCGdM-HG3TOqM7GNSVXOEr-SJN2GYAUbORRb7hLH6K_fvS0QcTdNraEA0cFgwONMUkhOYTSEJcAPvFSrY0szphSrLZsZqcf9_qBIBPn34F7mFFzY/s1600/screenshot.244.jpg)
- The upload is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvNlzT5wIE09j6T03s4OX0gRkv4vCSq20zTdp4kszG44DqbA191MbF-BiXjtTki-TeGftuqyTWZ-YnvNkvqlgd-ykc8gRr7gevFXgXAI19jY7P4eK3Ps1n_TtVI9BKNiCxRPjdlxTyeD2/s640/screenshot.252.jpg)
- Setting up a netcat listener on port 3333:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEel0Zm09ek5HsZ5fdJ0__ZDBosdzkox1djccPMlJ0wY_9PcyMXUql3UKisGD8p1Fsx1J2-55Hh1yx97bJjOFquOfyEAxl6AkSQ0go_dPKkbxbUSqKXjMIaACtrCppfDtdzdtcn1HxqRSu/s1600/screenshot.231.jpg)
- Clicking phpscript.php:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM3zD8y7gbBbk4Rq7-m476-N_rzTEiJCw38FPr3GHLi1u65q8y8fq70K-9-d6_xgSvchBcMz0wYcpOq4q8xWF1x6AP7b6_HgtUWqGMZahuyndcfkVYxWy9uO1mOgQE_TuOnbHJ6B__cGp9/s1600/screenshot.232.jpg)
- A low privilege reverse shell is successfully achieved:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiovL1H6Kv0L0oxiGqgIeccA_Wb9c9TJ-JjoBF4MXSBiH3h8861VBUvL9Cb21AWC6JR2iuzKWO9c_TUs2qEbRwBn7tY0aH6WO-zRE6NCunrDFEqU5xw1wePYNzl001WLNxcmEs8sWztKz6P/s1600/screenshot.251.jpg)
3.6 - Getting a low privilege shell with Hydra and SSH
- Listing users:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAeFBUDn98aeEm86qfdcBrncPDhDExS6UBRVT5nysbWue97ti-TGO-PGuAUic7udBx4_QCq26CG06IFoPAiEslHDvmkIR62p_R2UIozVONsIoH6EXehd7RwjQoQXl-N4oW5PCJ78F6MLPP/s1600/screenshot.205.jpg)
- Let's try attacking the SSH service with Hydra using the password plbkac (obtained from the .jpeg file at point 3.1 of this exercise):
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4-BICdpbSVuBUudHfSf8Lu12leOTqVz4Us4yGvSf_ymcKL7xhyphenhyphenhTfYO8wTKin1ZhKdHVoYKXYjYaBR8OMc1UEp5dcqKvr9kyV1xjfM4R57SZl7_8tN_BCyiTmLsJ8f4c6wlBAKyExBNOV/s1600/screenshot.144.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYxhe2NYseXL4rwGiR6p1qkL3Zf6lcGfLSOhoYZhYGrsAW24lzJ7c4VP97-Vmz-MK3Ej3Y1LEEl0MU3A-as-H_B3xTxZgOQFor7u00uyssnQ0QruFSirL6XS9WnLZl0kVvfeB93StlmYoR/s1600/screenshot.145.jpg)
- Connecting from Kali to Stapler with SSH, trying the credentials zoe:plbkac:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRt7x75pNyD8V3mQAuCPpWiJyblwpSYsM1ucz1-9uG5NykRJJlrZ3ElRgEKxHigcO-2gnpPzwe4hLPGZs0z8jixqd1ePa3k0bHiR5-sA5uQ7wADJE8_CQOonSWM4tsO-BWZn1XcjHr6Rds/s1600/screenshot.146.jpg)
- We have achieved another low privilege shell.
4 - PRIVILEGE ESCALATION
- To achieve Privilege Escalation we will practice three different ways:
4.1 - Reading .bash_history
- Listing content of the /home directory we find folders for a lot of different users:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ6OKUFN_RKOyCJ6J8Qj9ygobQeWdqNVi2mHoX3w9e8xvV5IAa4vJbJEFmPzZvLCEi7U2Z16c77MxwezLE-RYn1JHtPGGohfYv_Z0jNkVMpXQ2jlUz2bPhNy-3LHOWZkfrJAp0iVwoCH4m/s1600/screenshot.147.jpg)
- Opening all the folders, we find that the structure and content of peter's home folder differ from those of the other users' home folders.
- For instance, the hidden file .sudo_as_admin_successful suggests that user peter might be an administrator of Stapler:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsOQ7xx5qExt7oFfkjSj3KMyzSNVWz8nZcfwqZGI3MTJkIffpRVjK5Xwi0eB9Jh3-3YqABTqllZVJI980Ez7-VUr5mtcdHwbz_aqcwMEllT6YVo7FedaDc99Qec1ma4JNNa1LWUWWJcAXP/s400/screenshot.148.jpg)
.....
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJYlCVMMWhEDkmznYt7QSOnga1YduhpJ3jVVgsvs2QPaT1J5zGD-y3QSTy7TxJgqBN6dtXYbmNub2k1mdNMB-Su1vdZ0SW1pxuJq1MPX3RnrEZECE_jaG7G3WuNmzIMkWP4ZA7gzcb9duc/s1600/screenshot.149.jpg)
......
- At the same time, reading .bash_history for all users we find this self-explanatory line:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjC-hqRb842e46LAj-1CzyMgHE8hINif2oN3cGzp50wEanTfrYvsPXKvJrpOHxW_9O2fVNplNlu4F57egYoHRW9Ea7GhpBN9z7Kw1Dg-Let9RtZ2-SnFDY64Q-U5yD7nPIYd6T1bS-TXZ14/s1600/screenshot.160.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibh4tqGyfCZPZ1iMbpKxaY47FsNd8v9n52kYQPnRG7_s7ApLFiUDGsWjl38eUx716S2-lkGG-cZ1OcXdbX0ZCDo0KcOdGeis0nI5xBIgferctD2vDObnZbfDpdEDKCS5CPberCtg67b-C7/s1600/screenshot.161.jpg)
- The line comes from user JKanode's .bash_history, and tells us that user peter has the password JZQuyIN5:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBWkQqkaQua6UNjaiLw0Mt8orH8moPq2hm1zN1-k5MNqWksw50ENMX9PBCB1pbqfwhEY93KZe3fd7_BQb9WWb_cVe9xlF_NRsJSkQj2UD0Q2OsG8XCIopQKbljw4egDfzfHJ8Hup4PYhfm/s1600/screenshot.150.jpg)
- Trying SSH with credentials peter:JZQuyIN5 the result is successful:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL02O25GJCW-crFcLGwqmnxvjswGpDEwOaH6cfGxRSVy9ed4O_ali6rKX_YmH0M94GemZzdqmqLX5AyPsBSx5RbJynbactJp1efGa-1UelnlSLzbqIjnIibQ9Lh-DBv1RDGAfwXhmeQg0b/s1600/screenshot.151.jpg)
- Choosing the (q) option we are given a remote shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPAFq4h9ss1M1dG-XxbBi7tpfIyWitVdutWjSpXdizJkwiT28MbScCfSEr9VRC1QU2I886iQIHjqBUlvt6T-4MBWeMM9QfqEa0zNkzscrE2yNVsOrh7HoSQgqm1q_F94WP02bi1lGLZdYn/s1600/screenshot.163.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpJ2Wkh4iFT85BdnEj9ntDZcclLIQweSfyHfGhfqjVXHrYwDf_rv4y-D5taoyIO6SQ0YYcaWe9nSUGgC2ZpeWLFf86QhON3tU01mOOSd0iZe1xpcNgXRKqtw272mOE6YpkYufcZINhjMSJ/s1600/screenshot.155.jpg)
- Checking peter's sudo rights, it turns out that he may run (ALL:ALL) ALL commands:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXbcqjIYlBFFzLUjuu2fl2Hrg5dYlx3h61bowmw_B2ovx5IlmeqsH99PMfwApvQW6Zfaj53eA4GCm5XA-DHcULm98RJQ-Y1jgyq7bkPgS5RnaR48PFq0AVs-5No7tUcaM_HoaTD4eTekgm/s1600/screenshot.156.jpg)
- Let's try changing root's password:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEfHwVDIwwS3w1iZX4A56HSNordKEShTflOENghcDqR7gQlb3ts0eKvRPyQ5MZYff1_NY8BrGY5Haq4WV9tIjrLbX4D1OqNeU-daQsmWzL8q3vU-t-lIDE7Il1rKE6dF7Dh5gX8oa3xIOJ/s1600/screenshot.157.jpg)
- Now peter can do su root and we finally have a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja01eF49SLDcVvMOAuTly1rdqUc93nULw3E2i4jB-2Tb7Wa0rXgUDzYlowVqPN6UbaHaibKq1rKUFI2elZLAWI2A7hTKMfNSzLX88MaoNOqLIlKOC-LuQnStSHNyr9UkXr52Mvma1RxHa5/s1600/screenshot.158.jpg)
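The password leak above is the kind of thing a defender wants to find before an attacker does. The following audit script is an added example and not part of the original write-up: it scans shell history files for commands that carry a plaintext credential (sshpass -p, mysql -p, --password=, smbclient-style user%pass, curl/wget -u user:pass) and reports the offending line numbers without echoing the secrets; the regex set and the sample history are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original write-up. It audits shell history files for
# commands that carry a plaintext credential, which is how JKanode's .bash_history
# on Stapler exposed peter's password. The regexes are an assumed starting set.

# Extended-regex alternatives for common credential-on-the-command-line shapes.
CRED_PATTERNS='sshpass[[:space:]]+-p[[:space:]]*[^[:space:]]+|mysql[[:space:]].*[[:space:]]-p[^[:space:]]+|--password=[^[:space:]]+|-U[[:space:]]*[^[:space:]%]+%[^[:space:]]+|(curl|wget)[[:space:]].*[[:space:]]-u[[:space:]]+[^[:space:]]+:[^[:space:]]+'

# Print the number of matching lines in one history file (0 if unreadable/missing).
count_credential_lines() {
    n=$(grep -E -c -- "$CRED_PATTERNS" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# Print the line numbers of matching lines, space separated, so the report can
# point at what to purge without printing the passwords themselves.
credential_line_numbers() {
    grep -E -n -- "$CRED_PATTERNS" "$1" 2>/dev/null | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Walk root's and every user's history and report files that need cleaning.
audit_histories() {
    found=0
    for hist in /root/.bash_history /home/*/.bash_history; do
        [ -r "$hist" ] || continue
        n=$(count_credential_lines "$hist")
        if [ "$n" -gt 0 ]; then
            echo "$hist: $n credential-bearing line(s) at line(s) $(credential_line_numbers "$hist")"
            found=$((found + 1))
        fi
    done
    echo "$found history file(s) need cleaning"
}

# Demo on a constructed history (placeholder values, not Stapler's real password).
SAMPLE_HISTORY=$(mktemp)
cat > "$SAMPLE_HISTORY" <<'EOF'
ls -la
sshpass -p EXAMPLEPASS ssh peter@localhost
mysql -u root -p wordpress
mysql -u root -pEXAMPLEPASS wordpress
curl -u admin:EXAMPLEPASS https://localhost:12380/blogblog/
exit
EOF
echo "sample: $(count_credential_lines "$SAMPLE_HISTORY") hit(s) at line(s) $(credential_line_numbers "$SAMPLE_HISTORY")"
rm -f "$SAMPLE_HISTORY"
```

Run audit_histories as root on the target to cover every home directory; the line "mysql -u root -p wordpress" is deliberately not flagged because the password is prompted for rather than typed on the command line.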
4.2 - Abusing a cron job
- Listing for cron jobs:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnlgMXgCj0iLy1pq5VQUIoKYrDDNw_un_xXipPmWKqG_N0LxvJ4FsFvcB39XSUwcn23q2sSdbSfEw7Ajrm8AsLItYYZNke7SJTVZLbqlMwZPTYxe2hsYc1jiJmJlefHJJKsXI2FkSApkbR/s1600/screenshot.283.jpg)
- Checking the logrotate cron entry we learn that the shell script cron-logrotate.sh is executed every 5 minutes with root privileges:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHQIk6l8q1QsUjUjCPeer6f_MCmomekJo9rUuqkWXckqK0AvRPhEtGE_mQ_EmHbcDEw9iqaKofHvqTDZzL-KYRYC_6E3k5ZKrHL3R6KMHVWr7Rvqa-NYgTvaE5LYbiCWp16SoZKk7BclbE/s1600/screenshot.285.jpg)
- Now let's alter the content of cron-logrotate.sh so that, every 5 minutes, the script launches a reverse root shell back to the Kali machine.
- Echoing to cron-logrotate.sh:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQJwba44YyigpPgvd0FG5Gb9oGfFg1eqzDPp3V8O_Pg0oEA1Um2m5YVMGar-nZpRBw5zDZZypd6zTyw38LAOKTCB2tl_hwIawLMGZfffDb1RhOobSJKGPitOlJIcKA0Ncd12_V0o5ERC8x/s1600/screenshot.277.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjCmc_rcBMDVMYZUM0pqxLYOumTmoCk8Fog1Ujg9kRr8h1z2eedqvc7YHc85A4Sw5mAsubrHNc0opFtt4nuWHDQCCDyv4EYGr49oh8DOCjrQPqNphO6IRUjC7jVOLxvBJVOAE8GFZWdIjH/s1600/screenshot.278.jpg)
- Setting a Netcat listener at port 5555:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRj6YLjVFOVM9AnXRdPs4_88b3G4Ab2JsvyY0GpQzqc9BQOhir3FPRlg2wOdBMsDtVjiiKFLG73LmgRlk-CGcQHmZd4luM9MhFBLZIwrD5a3q99jdAGILjewcFdCc5A2UB9ceGxZidHpR8/s1600/screenshot.279.jpg)
- After a while a root shell is achieved at the Netcat session:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-qs4M_AnhUzbkaWKv42PWsugnRlAksK3UVz9_epNCVPUMeoX8e9s4P8edjlj7bOnlSYw2QghjplkLvzlOuRVqTtGoHo4hIdQ7Srw-y-I-SKz8AXPSkxx-m9xp9Yb_hkci-XaYpxRgrFJ7/s1600/screenshot.280.jpg)
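- The weakness abused above is a root cron entry pointing at a script that a non-root user can edit. The following audit script is an added example, not part of the original walkthrough: it takes a cron file, finds every absolute path mentioned in it and flags scripts that are group- or world-writable. The directory and file names in the demo are constructed stand-ins for /etc/cron.d and the real cron-logrotate.sh.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit a cron file for
# scripts that a non-root user could modify. A root cron entry running a
# group- or world-writable script is exactly the weakness abused in 4.2.
# Prints one "WRITABLE <path> <mode>" line per offending script; returns 0
# when nothing is flagged, 1 otherwise. Owner should also be root, which a
# fuller audit would check as well.
audit_cron_file() {
    cronfile="$1"
    flagged=0
    # Word-split every non-comment line and keep the absolute paths.
    for tok in $(grep -v '^[[:space:]]*#' "$cronfile"); do
        case "$tok" in /*) ;; *) continue ;; esac
        [ -f "$tok" ] || continue
        mode=$(ls -ld "$tok" | cut -c1-10)      # e.g. -rwxrwxrwx
        gw=$(printf '%s' "$mode" | cut -c6)     # group write bit
        ow=$(printf '%s' "$mode" | cut -c9)     # other write bit
        if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
            echo "WRITABLE $tok $mode"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed demo: a throwaway directory stands in for /etc/cron.d and the
# directory holding the scripts. Nothing here touches the real system.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$demo_dir/cron-logrotate.sh"
chmod 777 "$demo_dir/cron-logrotate.sh"      # the weak setting seen on Stapler
printf '#!/bin/sh\necho ok\n' > "$demo_dir/safe.sh"
chmod 755 "$demo_dir/safe.sh"                 # the corrected setting
cat > "$demo_dir/logrotate" <<EOF
# constructed cron file: root runs both scripts every 5 minutes
*/5 * * * * root $demo_dir/cron-logrotate.sh
*/5 * * * * root $demo_dir/safe.sh
EOF

audit_cron_file "$demo_dir/logrotate" || echo "audit flagged a writable cron script"
```

Run it against a real cron file (for example one under /etc/cron.d) to see whether any root-scheduled script is editable by ordinary users; fixing it means chmod 755 and root ownership.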
4.3 - Exploiting the Kernel and Operating System
- We know that Stapler is running Ubuntu 16.04 with a kernel 4.4:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEii4cdTp0mrBtHIBhAvz59ibqVImVQuCQ0FPJocmsIrk9Zx1K4UyPmdKp_Dz82dF5XyeRBNKeuXYDWV6MwQunmFA69pMb4ihYGv57vIlIoejadq2XuO_fhYTj-IXUG8oG5Rgw8wnUIVgnCh/s1600/screenshot.264.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6t0I_uVzby3-byX8_ZNs5V1oVlOf47T5o4tRRyAY1z2htwgIC8Vlq6eEw11xWxRCSVhD37bfJW7-kMqiOtAvqsRLVAe8fEgcfRMLfmpACWQtBTwbjswdect0V7ZLTES0xf0S0s8Ny4Anr/s1600/screenshot.265.jpg)
- Looking for an exploit to achieve Privilege Escalation:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvD2Yjq_NRLYG4cEtxNt9cAUgrFeAIPhORfRnjF5MkVRZyJKqxkkkf97HQv8DPoa6QFU9N2gnnAGL-uqDNYQC2dR2kHtC-eFjEYrMDHISW4LWyEkk_ZYRf_hWr7A769nLF_rklYGaYc6zf/s640/screenshot.186.jpg)
- Reading information about the exploit we find the link to the downloading page:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqtOj37y_5ySDjg7lCLyMMEdi8l8nuocfg3tteF9hpxXLkFe5_zuHjEIPoA3acoU0wNzuwehG1BEdbkqQ9XgVXaWZdo4GfKabiHKwvmUIyvcq65I0TuE68rm7ayAkwntvYRf8EzmR_jjwP/s1600/screenshot.187.jpg)
- Saving to Kali:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-lI3VFxm2D_db_UNqNsvf3YiNNxgdUNYtRChmWiV7X3lc5N6opDZcqj4vuoWVioRDqIC6WMw3gjDhlL5Jik556uQ8po1zFS1YbYXEifKt9a97T98fs4yYuZ27Zo3yTMLTki2VxqLXxYAF/s640/screenshot.185.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_PMT4pGI8jMNv79X1OKaQR4DI2XWF2lWnRS1PITuwkQpHbksnq_6bMr5rSFtLuQOpUIWIIaDxmgrmgaTJvZSn2jFF2shI-mCJ1dxBqmUQSfdu5V3M6RNRjgSNp91022J2CBg8s49uNicn/s1600/screenshot.188.jpg)
- Setting a simple HTTP server on port 8000:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_-M2Y-wTxLjHV5d62XbnJz6laKPwnQhk5eMLFIJ6nfmurUevIVlTZZYLx4LM9CSDRCMOMGnTjhM8BR8KOCKY8mZqBxSSM8EQKIADCFx3Ea6SvHtY4Vngwk2qdWiOQWidNH19KjS02vek1/s1600/screenshot.189.jpg)
- Transferring the exploit to the /tmp folder at Stapler:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWCVELX0meA4Y1orv-tDxNja75WMz5NoLIOjIFq4yB69iU8tAiabrbjg_pvO-i8-yl_FcSa1jdtyRhAcTtwnSj3F6F5S0zM-Vsof7O0ckVofG6zpucM82bNKSsnHlg08PJOPs84SRWMApu/s1600/screenshot.202.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhSi3ClFnFj93kQ7fgeAH1HRfMq0pSWHDGpwA4Thx2onEpx8zAEmY1rN8T4j5jN0UuxwTKQMZkyeba-Xu_LA-xj_uWhNQIsCVoRr77s8SMIuILTV0gMoBvt5n8BWyKYEOhzQ99LpflhsEN/s400/screenshot.190.jpg)
- Unzipping:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO14KeaX8SO0QAJVJZ42BNDG_UpphSTfvlNlLR4nQqmjRxasTBRa-EvpKjao-Qg_Mb4_7EEmbFBjY7WxtFoGCgnoFIy4LfH7Lm-KioINuqhfBABFqlDSX8hv1Vs5SDhZMU29Tf-XWxH85W/s1600/screenshot.191.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1cQ1imuSblYy4U-FVqWlxRi_52U37-z0rq2t4TLCRuyxj0xBRIeJCwJqMJrb_him-t4A0ooeKsJaBoDsaB-BmfFk4MLRNhiGJUD3q8qIIAseqO14WR8EFAYghUn2k2wzFm90WCUHlzpOP/s400/screenshot.192.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0vzG425ZMv6-HME-zbB6nT1eXoTN_v4LpVfvfV8IOVwpmxDdAowaFkdsSDkYTHt14Xgt2iApGPDhIDhLB4Ni03peNFgi4_DTwVWe28bYhyKKTsLR9swXmG7riY40f0E18D2vb9B7hb2JU/s400/screenshot.193.jpg)
- Extracting the exploit:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIkr1eR05lej0YhF7GShdc632V-WtC9Js6MSNdgQ1PY7tHEqUQZhCz4tj0gPNjOWKyEIwDHHTa_sT0Ms0y5uJptYoi4W-eRudlC9nOfaM5eaV7_pYir_4c04IRjX5XkJ6iR3R4aYCqGATH/s1600/screenshot.194.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdGG26dcc7esPuFx1hMlfbMZBJPlNZ9TFY4YRMlxVHRzBTCxj93PCQi-BdDRHjScrILoerRSulm-odZOr5EGQ4Ry8Q7RRy7DkAZS5d7YuGn2OVpovO-Bq0SdTav6rFr8YLhvxWvIN2tYkE/s1600/screenshot.195.jpg)
- Going to the new folder:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTuUbCUNVeh9vkjOyfzFPAL-Fwb2U4AMRs3jQDdBe9svn9b-pDHNWr60WA8xDv44GvL43P3B3VOUgJbtn3_f4QtTlDd53GMhi3JsbTHHeFPWqr4SSa4D9HYJi-t23Bwqew2XR6DzrIbeTU/s1600/screenshot.196.jpg)
- Giving execution permissions to doubleput.c:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcjFduHWJniP5pSwdLGR_z54HuUIAFMKgKNbWF8kWhMfxnq3_igAE6QHKrXTTD9Z1l3fjf3cteUv5VM2IXv57iw7GYObFWMHdr3vqp1OJSW4Nx06e0KtBU5TsZPIF_tOhYLuAhj8g2qDKA/s1600/screenshot.197.jpg)
- Compiling:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ1Z7pA-esyo4nMsfsPtUMLXXF7ClyRV5SVkTHHCrk2LASd9asdNs5afwlLM42pey-EIdFqTvIYMCbIqHIHzKqv_yjg13bpoiDtKxO5ASdQ1HhnASp-zVkKTH1sSgBK6nARjbpCHHBEAs3/s1600/screenshot.198.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMQu51mWUnS7B4dv4_gSSnVS_OcQtd1HkZQbBxHPrPEF4Dq9SoE3F1KQXLTR2py4sT9tXesvFDeDs8ZmTM9PlDLONrTdjtmcXQSsu_XsaPvWJWQrcbzEzdrag5FgHJLKEY_zlY4-Oevr3X/s1600/screenshot.199.jpg)
- Running the executable ./doubleput:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL-nYhQRK7aGtCZKgiEjS0Ppva1AVIVuTZ09WHMjweTFSOw0v5s4ctzD06TeGmjWT-aSWRTl03PdykAA4DH07fZR0qcFS0tkYO6XF2ORcJlQWf9YGiI0XvvyM0sInx7lmPfMVeXtLxxdss/s1600/screenshot.200.jpg)
- Finally we have a root shell:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwvOCOyhKovINm02ZoRBYygMKz7hgymJAf45S5CiHKtK65QSlL5kzUimZfG3h_vd_PMDDszsHGvQDnLNTNm5lVg_y7P3uQqPr0phibWJHlop-hwrn_YgT41tVyE5LSJjCGsiE24hUmkeH4/s1600/screenshot.201.jpg)
5 - CAPTURING THE FLAG
- Capturing the flag:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTv9wIHyh4avPiNCyVAPPrt0TcYXmIf-Qh4-vwjrR7VL2pGNgrpo049cuwHUn13B8uP2PaIVwovB294_xUCQ9pdfKaQ3-eBVkgrquQGmnoI7lN8XY-1mjgGwCrJRVoNkVxnVRkeMOuLZRz/s1600/screenshot.204.jpg)