Wednesday, 15 June 2016

Stapler 1 challenge

Hello all,
Today I would like to present the Stapler 1 challenge write-up.

Scanning phase

There are a lot of open ports. We can see that the FTP service accepts anonymous logins, so let's try to log in anonymously.

Good, I have gained the note file and

Great, we know two usernames: Elly and Harry (maybe not useful, who knows?). I tried to log in as Harry using a brute-force technique but without success. So, let's try that as elly.

Yeah! Wonderful! So, let's log in as elly to FTP using these credentials:
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 X11
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 acpi
-rw-r--r--    1 0        0            3028 Apr 20 23:09 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03 19:20 aliases
-rw-r--r--    1 0        0           12288 Jun 03 19:20 aliases.db
drwxr-xr-x    2 0        0            4096 Jun 07 01:57 alternatives
drwxr-xr-x    8 0        0            4096 Jun 03 17:46 apache2
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apparmor
drwxr-xr-x    9 0        0            4096 Jun 06 23:17 apparmor.d
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apport
drwxr-xr-x    6 0        0            4096 Jun 03 14:05 apt
-rw-r-----    1 0        1             144 Jan 14 23:35 at.deny
drwxr-xr-x    5 0        0            4096 Jun 03 14:47 authbind
-rw-r--r--    1 0        0            2188 Sep 01  2015 bash.bashrc
drwxr-xr-x    2 0        0            4096 Jun 03 13:52 bash_completion.d
-rw-r--r--    1 0        0             367 Jan 27 15:17 bindresvport.blacklist
drwxr-xr-x    2 0        0            4096 Apr 12 11:30 binfmt.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 byobu
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 ca-certificates
-rw-r--r--    1 0        0            7788 Jun 03 13:51 ca-certificates.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 console-setup
drwxr-xr-x    2 0        0            4096 Jun 03 19:13 cron.d
drwxr-xr-x    2 0        0            4096 Jun 03 17:07 cron.daily
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.hourly
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.monthly
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 cron.weekly
-rw-r--r--    1 0        0             722 Apr 05 22:59 crontab
-rw-r--r--    1 0        0              54 Jun 03 13:51 crypttab
drwxr-xr-x    2 0        0            4096 Jun 04 00:02 dbconfig-common
drwxr-xr-x    4 0        0            4096 Jun 03 13:51 dbus-1
-rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
-rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
drwxr-xr-x    3 0        0            4096 Jun 05 23:04 default
-rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 depmod.d
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 dhcp
-rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
drwxr-xr-x    2 0        0            4096 Jun 03 14:19 dnsmasq.d
drwxr-xr-x    4 0        0            4096 Jun 07 01:57 dpkg
-rw-r--r--    1 0        0              96 Apr 20 23:09 environment
drwxr-xr-x    4 0        0            4096 Jun 03 14:18 fonts
-rw-r--r--    1 0        0             594 Jun 03 13:49 fstab
-rw-r--r--    1 0        0             132 Feb 11 00:47 ftpusers
-rw-r--r--    1 0        0             280 Jun 20  2014 fuse.conf
-rw-r--r--    1 0        0            2584 Feb 18 18:54 gai.conf
-rw-rw-r--    1 0        0            1253 Jun 04 20:13 group
-rw-------    1 0        0            1240 Jun 03 21:49 group-
drwxr-xr-x    2 0        0            4096 Jun 03 14:07 grub.d
-rw-r-----    1 0        42           1004 Jun 04 20:13 gshadow
-rw-------    1 0        0             995 Jun 03 21:49 gshadow-
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 gss
-rw-r--r--    1 0        0              92 Oct 22  2015 host.conf
-rw-r--r--    1 0        0              12 Jun 03 13:57 hostname
-rw-r--r--    1 0        0             469 Jun 05 16:38 hosts
-rw-r--r--    1 0        0             411 Jun 03 13:51 hosts.allow
-rw-r--r--    1 0        0             711 Jun 03 13:51 hosts.deny
-rw-r--r--    1 0        0            1257 Jun 03 18:01 inetd.conf
drwxr-xr-x    2 0        0            4096 Feb 06 22:02 inetd.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 init
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 init.d
drwxr-xr-x    5 0        0            4096 Jun 03 13:49 initramfs-tools
-rw-r--r--    1 0        0            1748 Feb 04 18:17 inputrc
drwxr-xr-x    3 0        0            4096 Jun 03 13:49 insserv
-rw-r--r--    1 0        0             771 Mar 06  2015 insserv.conf
drwxr-xr-x    2 0        0            4096 Jun 03 19:20 insserv.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 iproute2
drwxr-xr-x    2 0        0            4096 Jun 03 14:05 iptables
drwxr-xr-x    2 0        0            4096 Jun 03 14:48 iscsi
-rw-r--r--    1 0        0             345 Jun 15 06:12 issue
-rw-r--r--    1 0        0             197 Jun 03 23:26 issue.net
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 kbd
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 kernel
-rw-r--r--    1 0        0             144 Jun 03 13:53 kernel-img.conf
-rw-r--r--    1 0        0           26754 Jun 07 01:56 ld.so.cache
-rw-r--r--    1 0        0              34 Jan 27 15:17 ld.so.conf
drwxr-xr-x    2 0        0            4096 Jun 07 01:57 ld.so.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 ldap
-rw-r--r--    1 0        0             267 Oct 22  2015 legal
-rw-r--r--    1 0        0             191 Jan 19 00:16 libaudit.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 libnl-3
drwxr-xr-x    4 0        0            4096 Jun 06 23:17 lighttpd
-rw-r--r--    1 0        0            2995 Apr 14 23:09 locale.alias
-rw-r--r--    1 0        0            9149 Jun 03 13:49 locale.gen
-rw-r--r--    1 0        0            3687 Jun 03 13:49 localtime
drwxr-xr-x    6 0        0            4096 Jun 03 14:17 logcheck
-rw-r--r--    1 0        0           10551 Mar 29 10:25 login.defs
-rw-r--r--    1 0        0             703 May 06  2015 logrotate.conf
drwxr-xr-x    2 0        0            4096 Jun 04 00:01 logrotate.d
-rw-r--r--    1 0        0             103 Apr 12 21:12 lsb-release
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 lvm
-r--r--r--    1 0        0              33 Jun 03 13:54 machine-id
-rw-r--r--    1 0        0             111 Nov 20  2015 magic
-rw-r--r--    1 0        0             111 Nov 20  2015 magic.mime
-rw-r--r--    1 0        0            2579 Jun 04 00:29 mailcap
-rw-r--r--    1 0        0             449 Oct 30  2015 mailcap.order
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 mdadm
-rw-r--r--    1 0        0           24241 Oct 30  2015 mime.types
-rw-r--r--    1 0        0             967 Oct 30  2015 mke2fs.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 modprobe.d
-rw-r--r--    1 0        0             195 Apr 20 23:09 modules
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 modules-load.d
lrwxrwxrwx    1 0        0              19 Jun 03 13:54 mtab -> ../proc/self/mounts
drwxr-xr-x    4 0        0            4096 Jun 06 22:16 mysql
drwxr-xr-x    7 0        0            4096 Jun 03 13:49 network
-rw-r--r--    1 0        0              91 Oct 22  2015 networks
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 newt
-rw-r--r--    1 0        0             497 May 04  2014 nsswitch.conf
drwxr-xr-x    2 0        0            4096 Apr 20 23:08 opt
lrwxrwxrwx    1 0        0              21 Jun 03 13:49 os-release -> ../usr/lib/os-release
-rw-r--r--    1 0        0            6595 Jun 23  2015 overlayroot.conf
-rw-r--r--    1 0        0             552 Mar 16 19:09 pam.conf
drwxr-xr-x    2 0        0            4096 Jun 03 21:49 pam.d
-rw-r--r--    1 0        0            2908 Jun 04 20:14 passwd
-rw-------    1 0        0            2869 Jun 03 23:10 passwd-
drwxr-xr-x    4 0        0            4096 Jun 03 13:51 perl
drwxr-xr-x    3 0        0            4096 Jun 03 14:17 php
drwxr-xr-x    3 0        0            4096 Jun 06 23:17 phpmyadmin
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 pm
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 polkit-1
drwxr-xr-x    3 0        0            4096 Jun 03 19:20 postfix
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 ppp
-rw-r--r--    1 0        0             575 Oct 22  2015 profile
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 profile.d
-rw-r--r--    1 0        0            2932 Oct 25  2014 protocols
drwxr-xr-x    2 0        0            4096 Jun 03 14:38 python
drwxr-xr-x    2 0        0            4096 Jun 03 14:38 python2.7
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 python3
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 python3.5
-rwxr-xr-x    1 0        0             472 Jun 06 17:32 rc.local
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc0.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc1.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc2.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc3.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc4.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc5.d
drwxr-xr-x    2 0        0            4096 Jun 06 21:40 rc6.d
drwxr-xr-x    2 0        0            4096 Jun 06 22:41 rcS.d
-rw-r--r--    1 0        0              62 Jun 07 11:58 resolv.conf
drwxr-xr-x    5 0        0            4096 Jun 06 23:17 resolvconf
-rwxr-xr-x    1 0        0             268 Nov 10  2015 rmt
-rw-r--r--    1 0        0             887 Oct 25  2014 rpc
-rw-r--r--    1 0        0            1371 Jan 27 23:42 rsyslog.conf
drwxr-xr-x    2 0        0            4096 Jun 03 19:20 rsyslog.d
drwxr-xr-x    3 0        0            4096 Jun 15 08:52 samba
-rw-r--r--    1 0        0            3663 Jun 09  2015 screenrc
-rw-r--r--    1 0        0            4038 Mar 29 10:25 securetty
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 security
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 selinux
-rw-r--r--    1 0        0           19605 Oct 25  2014 services
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 sgml
-rw-r-----    1 0        42           4518 Jun 05 17:59 shadow
-rw-------    1 0        0            1873 Jun 03 23:10 shadow-
-rw-r--r--    1 0        0             125 Jun 03 15:20 shells
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 skel
-rw-r--r--    1 0        0             100 Nov 25  2015 sos.conf
drwxr-xr-x    2 0        0            4096 Jun 04 20:15 ssh
drwxr-xr-x    4 0        0            4096 Jun 03 20:17 ssl
-rw-r--r--    1 0        0             644 Jun 04 20:13 subgid
-rw-------    1 0        0             625 Jun 03 14:46 subgid-
-rw-r--r--    1 0        0             644 Jun 04 20:13 subuid
-rw-------    1 0        0             625 Jun 03 14:46 subuid-
-r--r-----    1 0        0             769 Jun 05 18:01 sudoers
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 sudoers.d
-rw-r--r--    1 0        0            2227 Jun 03 15:22 sysctl.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 sysctl.d
drwxr-xr-x    5 0        0            4096 Jun 03 13:49 systemd
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 terminfo
-rw-r--r--    1 0        0              14 Jun 03 13:49 timezone
drwxr-xr-x    2 0        0            4096 Apr 12 11:30 tmpfiles.d
-rw-r--r--    1 0        0            1260 Mar 16 21:58 ucf.conf
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 udev
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 ufw
drwxr-xr-x    2 0        0            4096 Jun 03 23:15 update-motd.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:52 update-notifier
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 vim
drwxr-xr-x    3 0        0            4096 Jun 03 13:54 vmware-tools
-rw-r--r--    1 0        0             278 Jun 03 23:48 vsftpd.banner
-rw-r--r--    1 0        0               0 Jun 03 23:22 vsftpd.chroot_list
-rw-r--r--    1 0        0            5961 Jun 04 20:15 vsftpd.conf
-rw-r--r--    1 0        0               0 Jun 03 23:21 vsftpd.user_list
lrwxrwxrwx    1 0        0              23 Jun 03 13:49 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r--    1 0        0            4942 Jan 08 14:18 wgetrc
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 xdg
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 xml
drwxr-xr-x    2 0        0            4096 Jun 03 15:20 zsh
226 Directory send OK.
ftp>
Wow, we have a lot of files :-) I downloaded ssh_host_rsa_key.pub and tried to use this file to connect to the target via ssh - no success.
Hmm, maybe brute force again? But we don't know all the users... Wait a minute! We can download the passwd file. So, let's do that!
root@kali:~# cat passwd
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
mysql:x:111:117:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1001:1001::/home/RNunemaker:/bin/bash
ETollefson:x:1002:1002::/home/ETollefson:/bin/bash
DSwanger:x:1003:1003::/home/DSwanger:/bin/bash
AParnell:x:1004:1004::/home/AParnell:/bin/bash
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
MBassin:x:1006:1006::/home/MBassin:/bin/bash
JBare:x:1007:1007::/home/JBare:/bin/bash
LSolum:x:1008:1008::/home/LSolum:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
MFrei:x:1010:1010::/home/MFrei:/bin/bash
SStroud:x:1011:1011::/home/SStroud:/bin/bash
CCeaser:x:1012:1012::/home/CCeaser:/bin/dash
JKanode:x:1013:1013::/home/JKanode:/bin/bash
CJoo:x:1014:1014::/home/CJoo:/bin/bash
Eeth:x:1015:1015::/home/Eeth:/usr/sbin/nologin
LSolum2:x:1016:1016::/home/LSolum2:/usr/sbin/nologin
JLipps:x:1017:1017::/home/JLipps:/bin/sh
jamie:x:1018:1018::/home/jamie:/bin/sh
Sam:x:1019:1019::/home/Sam:/bin/zsh
Drew:x:1020:1020::/home/Drew:/bin/bash
jess:x:1021:1021::/home/jess:/bin/bash
SHAY:x:1022:1022::/home/SHAY:/bin/bash
Taylor:x:1023:1023::/home/Taylor:/bin/sh
mel:x:1024:1024::/home/mel:/bin/bash
kai:x:1025:1025::/home/kai:/bin/sh
zoe:x:1026:1026::/home/zoe:/bin/bash
NATHAN:x:1027:1027::/home/NATHAN:/bin/bash
www:x:1028:1028::/home/www:
postfix:x:112:118::/var/spool/postfix:/bin/false
ftp:x:110:116:ftp daemon,,,:/var/ftp:/bin/false
elly:x:1029:1029::/home/elly:/bin/bash
My idea is to create a list of users.
root@kali:~# cat passwd | cut -d ":" -f1 > usernames.txt
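The one-liner above keeps every account name, locked service accounts included. As an added example (my code, not the write-up author's), the script below parses the same passwd format but also keeps the shell field, so a defender reviewing such a file can see which accounts actually accept an interactive login and are therefore the ones a password-guessing run can succeed against. The sample lines are constructed from the listing above; the set of non-login shells is an assumption matching Ubuntu's defaults.

```python
"""Audit /etc/passwd content: which accounts can really log in?

Added example, not code from the write-up.  Generalises the
`cut -d ":" -f1` one-liner by keeping the shell field as well.
"""

# Assumption: shells that refuse interactive logins on this distribution.
# Extend the set if your /etc/shells lists other lock-out shells.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample, taken from the account names shown in the write-up.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/zsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
peter:x:1000:1000:Peter,,,:/home/peter:/bin/zsh
SHayslett:x:1005:1005::/home/SHayslett:/bin/bash
IChadwick:x:1009:1009::/home/IChadwick:/bin/false
www:x:1028:1028::/home/www:
elly:x:1029:1029::/home/elly:/bin/bash
"""


def parse_passwd(text):
    """Yield (name, uid, shell) for each well-formed passwd line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        # passwd(5): an empty shell field makes login(1) fall back to /bin/sh,
        # so an empty field is an interactive account, not a locked one.
        yield name, int(uid), shell or "/bin/sh"


def usernames(text):
    """Same result as `cut -d ":" -f1`: every account name, login-capable or not."""
    return [name for name, _, _ in parse_passwd(text)]


def classify(text):
    """Split account names into (interactive, locked), preserving file order."""
    interactive, locked = [], []
    for name, _uid, shell in parse_passwd(text):
        (locked if shell in NON_LOGIN_SHELLS else interactive).append(name)
    return interactive, locked


def superusers(text):
    """Account names with uid 0; anything besides root here deserves a look."""
    return [name for name, uid, _ in parse_passwd(text) if uid == 0]


if __name__ == "__main__":
    interactive, locked = classify(SAMPLE_PASSWD)
    print("accounts with an interactive shell:", ", ".join(interactive))
    print("accounts locked by their shell:", ", ".join(locked))
    print("uid 0 accounts:", ", ".join(superusers(SAMPLE_PASSWD)))
```

On the sample, the `www` account with its empty shell field ends up in the interactive list; that is the edge case a naive "shell is empty, so it is disabled" check gets wrong.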
I ran hydra to conduct a brute-force attack.

Excellent! So now we are able to log in via ssh as the SHayslett user.
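From the defender's side, a run like the hydra attack above is loud: sshd logs one "Failed password" line per guess. As an added example (my code, not part of the write-up), the script below groups those lines by source address and counts distinct user names, which separates a user/password list being sprayed across accounts from one person mistyping a password, and reports whether the guessing was followed by a successful login. The log lines, host name, addresses and thresholds are all constructed placeholders; the line format is the syslog form Ubuntu's sshd writes to auth.log.

```python
"""Flag SSH password guessing in sshd log lines.

Added example, not code from the write-up.  Sample log lines are
constructed; addresses use the documentation range 192.0.2.0/24.
"""
import re
from collections import defaultdict

# sshd message formats for failed and accepted password authentication.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: a spray across several accounts from one source that ends
# in a successful login, plus one ordinary typo from another source.
SAMPLE_LOG = """\
Jun 15 09:01:02 target sshd[2201]: Failed password for root from 192.0.2.10 port 51002 ssh2
Jun 15 09:01:02 target sshd[2202]: Failed password for invalid user admin from 192.0.2.10 port 51003 ssh2
Jun 15 09:01:03 target sshd[2203]: Failed password for peter from 192.0.2.10 port 51004 ssh2
Jun 15 09:01:03 target sshd[2204]: Failed password for SHayslett from 192.0.2.10 port 51005 ssh2
Jun 15 09:01:04 target sshd[2205]: Failed password for elly from 192.0.2.10 port 51006 ssh2
Jun 15 09:01:05 target sshd[2206]: Accepted password for SHayslett from 192.0.2.10 port 51007 ssh2
Jun 15 09:30:00 target sshd[2300]: Failed password for peter from 192.0.2.77 port 40001 ssh2
Jun 15 09:30:04 target sshd[2301]: Accepted password for peter from 192.0.2.77 port 40002 ssh2
"""


def summarize(log_text):
    """Return {ip: {"failures": n, "users": set(), "accepted": [users]}}."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["failures"] += 1
            entry["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            stats[m["ip"]]["accepted"].append(m["user"])
    return stats


def find_guessing(log_text, min_failures=5, min_users=3):
    """Sources exceeding both thresholds (assumed values; tune per environment).

    Returns (ip, failures, distinct_users, note) tuples.  A source that guessed
    and then got an "Accepted password" is the one to treat as a compromise.
    """
    findings = []
    for ip, entry in summarize(log_text).items():
        if entry["failures"] >= min_failures and len(entry["users"]) >= min_users:
            if entry["accepted"]:
                note = "guessing followed by successful login as " + ", ".join(entry["accepted"])
            else:
                note = "guessing, no successful login seen"
            findings.append((ip, entry["failures"], len(entry["users"]), note))
    return findings


if __name__ == "__main__":
    for ip, failures, users, note in find_guessing(SAMPLE_LOG):
        print(f"{ip}: {failures} failures across {users} user names; {note}")
```

The distinct-user count is what matters here: a list-based tool touches many account names in seconds, while a legitimate user fails repeatedly on one name. In the sample, 192.0.2.77 stays below both thresholds and is not reported.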

So, let's examine what is in the /var/www/html directory, but there is nothing interesting. I checked the OS version of our target and it is Ubuntu 16.04 LTS. So, after a little bit of research:
https://www.exploit-db.com/exploits/39773/
I downloaded the *.tar file and executed it.

Game over!

The second way to escalate our privileges from SHayslett to root
In /var/www/https/blogblog, we can see the wp-config.php file.

OK, good, but let's continue.

Great! Small proof :)

OK, let's penetrate deeper.

Excellent! So, we can create our passwords file and try to crack it using John the Ripper.