Objective

Utilize enumeration, web enumeration, and WordPress enumeration techniques to identify vulnerabilities. Perform database enumeration and apply privilege escalation strategies, including abusing sudo permissions to extend your access. This lab is designed to exercise your skills in vulnerability exploitation.

Enumeration

Nmap

Initially, I conducted an Nmap scan on the target host, which revealed that several common services were accessible, including HTTP, FTP, SSH, DNS, NetBIOS, and MySQL. As there was limited information available from these services, I proceeded with a comprehensive scan using the -p- flag to examine all 65,535 TCP ports. This revealed additional open ports that were not detected during the initial scan.

[Screenshot: 0_nmap]

FTP Anonymous

Upon further examination, I discovered that anonymous login was permitted on the FTP service. Within the accessible directory, there was a note containing usernames, which could potentially be used for further access or enumeration.

[Screenshot: 1_ftp_anon]

Website

The HTTP service on port 80 did not provide any useful information. However, during further enumeration, I identified an additional web service running on port 12380, which hosted a different website for further investigation.

[Screenshot: 2_website]

The web service on port 12380 did not display any content when accessed via HTTP. However, upon attempting to connect using the HTTPS protocol, a new website was revealed, indicating that the service was configured to serve content securely over HTTPS.

[Screenshot: 3_website_https]

I performed directory brute-forcing using Burp Suite, which resulted in the discovery of several directories. However, further inspection of these directories did not yield any useful information or lead to any actionable findings.

[Screenshot: 4_website_dirb]

[Screenshot: 5_anouncement]

Upon reviewing the robots.txt file, I identified two disallowed entries. One of these entries pointed to a WordPress blog, which provided an additional avenue for enumeration and potential exploitation.

[Screenshot: 6_robots]

I conducted a scan using WPScan on the discovered WordPress site. The scan successfully enumerated one or more valid usernames, which could be leveraged for further attacks such as brute-forcing or privilege escalation.

[Screenshot: 7_wpscan]

Exploitation

Brute Forcing WordPress

Using the previously discovered username john, I performed a password brute-force attack against the WordPress login using the rockyou.txt wordlist. This resulted in the successful discovery of valid administrative credentials, granting access to the WordPress dashboard.

[Screenshot: 0_name]

[Screenshot: 0_admin]

Uploading Reverse Shell

After gaining administrative access to the WordPress dashboard, I generated a PHP reverse shell using the PentestMonkey reverse shell script. I uploaded the shell as a custom plugin through the WordPress interface. Once the shell was placed in the wp-content/uploads directory, I initiated a listener using Netcat on my local machine and accessed the uploaded PHP file via the browser. This successfully triggered the reverse shell and provided remote command execution on the target system.

[Screenshot: 1_hack_php]

[Screenshot: 2_upload]

[Screenshot: 3_wp_contents]

[Screenshot: 4_shell]

From the established remote shell access, I was able to locate and retrieve the first flag on the target system.
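As an added example (not part of the original writeup), here is a small Python detector a defender could run over web-server access logs to catch the two behaviours described above: a burst of POST requests to wp-login.php from one source, and a request for a PHP file served out of wp-content/uploads. The log lines, blog path, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format (not taken from any real host).
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2024:12:00:01 +0000] "GET /blog/ HTTP/1.1" 200 5120
10.0.0.9 - - [10/May/2024:12:00:02 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3400
10.0.0.9 - - [10/May/2024:12:00:03 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3400
10.0.0.5 - - [10/May/2024:12:00:04 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [10/May/2024:12:00:05 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3400
10.0.0.9 - - [10/May/2024:12:00:06 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3400
10.0.0.9 - - [10/May/2024:12:00:07 +0000] "POST /blog/wp-login.php HTTP/1.1" 200 3400
10.0.0.9 - - [10/May/2024:12:00:08 +0000] "POST /blog/wp-login.php HTTP/1.1" 302 0
10.0.0.9 - - [10/May/2024:12:00:20 +0000] "GET /blog/wp-content/uploads/evil.php HTTP/1.1" 200 12
10.0.0.5 - - [10/May/2024:12:00:21 +0000] "GET /blog/wp-content/uploads/2024/photo.png HTTP/1.1" 200 900
this line is not in log format and is skipped
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Static files belong under uploads; a server-side script there is the classic webshell drop.
UPLOADED_PHP_RE = re.compile(r'/wp-content/uploads/.*\.php(\?|$)')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyze(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag each IP that POSTs to wp-login.php >= threshold times within `window`,
    and every request for a .php file under wp-content/uploads."""
    alerts, flagged = [], set()
    attempts = defaultdict(list)  # ip -> timestamps of recent wp-login.php POSTs
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php"):
            # keep only attempts that fall inside the sliding window ending at this request
            attempts[ip] = [t for t in attempts[ip] + [ts] if ts - t <= window]
            if len(attempts[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("wp-login brute force", ip, len(attempts[ip])))
        if UPLOADED_PHP_RE.search(path):
            alerts.append(("php executed from uploads", ip, path))
    return alerts
```

Run `analyze(SAMPLE_LOG)` to see one brute-force alert for 10.0.0.9 (raised on its fifth POST) followed by one alert for the PHP file fetched from uploads; the image request and the single login from 10.0.0.5 produce nothing.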

Privilege Escalation

First Way - Credential Hunting

The first privilege escalation method involved credential hunting. I examined the .bash_history files for all users and discovered valid SSH usernames and passwords. Notably, the user peter was permitted to execute all commands with sudo privileges. Utilizing these credentials, I established an SSH connection as peter, escalated privileges to root, and successfully retrieved the root flag.

[Screenshot: 5_ssh]

[Screenshot: 6_postssh]

Second Way - Linux Exploit Suggester

The second privilege escalation approach used the Linux Exploit Suggester tool, which identified several potential kernel-level vulnerabilities. The Dirty COW (CVE-2016-5195) exploit was attempted, but it crashed the system and was therefore not viable; the Dirty COW 2 variant likewise ran initially but ended in a system crash, rendering it unusable for privilege escalation in this case. The CVE-2016-4557 exploit, however, worked successfully, granting a root shell and full system control.

[Screenshot: dirty_cow]

In contrast, the CVE-2016-4557 exploit executed successfully on the first attempt, immediately providing a root shell without causing system instability.

[Screenshot: exploit2]

[Screenshot: exploit2_root]
