VulnHub — Stapler: 1

Raj Singh
3 min read, Oct 2, 2019


Nmap

PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can’t get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 10.0.0.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| “DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 7
| Capabilities flags: 63487
| Some Capabilities: SupportsCompression, DontAllowDatabaseTableColumn, Support41Auth, SupportsTransactions, LongColumnFlag, ConnectWithDatabase, Speaks41ProtocolOld, ODBCClient, InteractiveClient, FoundRows, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, LongPassword, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: aR9B\x1B&U=)5 \x0E\x08i\x18sKka
|_ Auth Plugin Name: mysql_native_password
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
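Before enumerating by hand, it helps to turn a scan like the one above into a triage list of open services and the findings a defender would want to act on (anonymous FTP, cleartext protocols, an exposed database port, an unidentified service). The parser below is an added example written for this write-up, not code from the original post or from nmap: the port lines are copied from the scan above with the NSE output trimmed to the lines the rules read, and the triage rules are this example's own.

```python
"""Parse an nmap -sV service listing and produce a defender's triage list."""
import re
from dataclasses import dataclass, field

# Port lines copied from the Stapler scan above; NSE script output trimmed to the
# lines the triage rules look at.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
|   Control connection is plain text
|_  Data connections will be plain text
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.75
80/tcp open http PHP cli server 5.5 or later
123/tcp closed ntp
137/tcp closed netbios-ns
138/tcp closed netbios-dgm
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
"""

# port/proto, state, service name, then whatever nmap printed as the version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    script_output: list = field(default_factory=list)


def parse_nmap(text):
    """Return one Service per port line; NSE lines attach to the preceding port."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version))
        elif line.startswith("|") and services:
            # "| " and "|_ " prefixes mark NSE script output for the last port
            services[-1].script_output.append(line.lstrip("|_ ").strip())
    return services


def open_ports(services):
    return [s.port for s in services if s.state == "open"]


def triage(services):
    """Apply this example's own review rules; returns (port, finding) pairs."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        blob = " ".join(s.script_output)
        if s.name == "ftp" and "Anonymous FTP login allowed" in blob:
            findings.append((s.port, "anonymous FTP login enabled"))
        if s.name == "ftp" and "plain text" in blob:
            findings.append((s.port, "FTP credentials and data travel in cleartext"))
        if s.name == "mysql":
            findings.append((s.port, "database port reachable from the network"))
        if s.name.endswith("?"):
            findings.append((s.port, "unidentified service, needs manual review"))
        if s.name == "netbios-ssn":
            findings.append((s.port, "SMB exposed; check share permissions"))
    return findings


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(parsed))
    for port, finding in triage(parsed):
        print(f"{port:>6}  {finding}")
```

The rules are deliberately simple string checks on the NSE output; for a real engagement you would feed `nmap -oX` XML into the parser instead of the text form, but the triage step is the same: closed ports are ignored, and every open service gets at least a classification.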

So let's start enumerating the machine.

Found nothing at port 80, but on doing directory brute forcing we found some files:

[08:36:38] 200 - 220B - /.bash_logout
[08:36:38] 200 - 4KB - /.bashrc/
[08:36:38] 200 - 4KB - /.bashrc
[08:36:39] 200 - 675B - /.profile

But that didn't give me anything more to move in with, so I started enumerating port 12380. After trying HTTP I tried HTTPS with directory brute forcing and found some useful directories. Nikto also gave us useful information through robots.txt: when we visited /blogblog we found a WordPress login page. Now let's start wpscan and see what we can gather from it.

At "https://10.0.0.15:12380/blogblog/wp-content/plugins/" I found all the plugins and started searching for exploits manually, and found an LFI at https://www.exploit-db.com/exploits/39646. Here we called wp-config.php and got the wp-config.php file in the uploads directory, https://10.0.0.15:12380/blogblog/wp-content/uploads. We downloaded the file and looked at it with the strings command.

Here we found the root password for MySQL along with the WordPress database name, then I connected to MySQL remotely [mysql -h 10.0.0.15 -u root -p] and found creds. After getting access I found the users' hashes, and when we cracked john's hash the password turned out to be "incorrect". Logged in to WordPress with john:incorrect and got access to WordPress.

use wordpress;
show tables;
select * from wp_users;

And here we got all the users' hashes. After logging in to WordPress I uploaded a PHP reverse shell through the plugin upload option; when it asked for FTP credentials I gave it anonymous:anonymous. When I moved to /uploads and refreshed the directory I found my php-reverse-shell.php, then I started nc on the given port and got the reverse shell.

Then I enumerated the /home directory and found SSH creds for JKanode and peter in /home/JKanode/.bash_history.

And with sudo -l I saw that peter is a sudo user, so I logged in as peter.

JKanode: cat .bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit

SSH to peter with that password, then I used sudo su root and got a root shell.
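The history file above is the whole privilege-escalation path: two passwords typed on the command line through sshpass and saved by the shell. From the defender's side the check is to audit shell history files for command-line credentials before an attacker reads them. The scanner below is an added example written for this write-up, not code from the original post; the sample input is the .bash_history listing shown above, and the detection rules (sshpass -p, mysql -p<password>, curl -u user:pass) are this example's own and only illustrative, not an exhaustive list.

```python
"""Audit shell history for credentials passed on the command line."""
import re

# Sample input: the lines of /home/JKanode/.bash_history shown in the post.
HISTORY = """\
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
"""

# Each rule is (name, regex). The regex must define a 'secret' group and may define
# an 'account' group. These three rules are this example's own, not a complete set.
RULES = [
    ("sshpass -p",
     re.compile(r"\bsshpass\s+-p\s*(?P<secret>\S+)"
                r"(?:.*?\s(?P<account>[\w.-]+@[\w.-]+))?")),
    # mysql -p<password> with the password glued to the flag; a bare -p (prompt) is fine
    ("mysql -p<password>",
     re.compile(r"\bmysql\b.*?\s-p(?P<secret>\S+)")),
    ("curl -u user:pass",
     re.compile(r"\bcurl\b.*?\s-u\s+(?P<account>[^:\s]+):(?P<secret>\S+)")),
]


def scan_history(text):
    """Return (line_no, rule_name, account, redacted_line) for each leaked secret.

    The secret itself is never returned; the redacted line is safe to put in a report.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, regex in RULES:
            m = regex.search(line)
            if not m:
                continue
            secret = m.group("secret")
            account = m.groupdict().get("account") or "(unknown)"
            hits.append((line_no, name, account, line.replace(secret, "<REDACTED>")))
    return hits


if __name__ == "__main__":
    for line_no, name, account, redacted in scan_history(HISTORY):
        print(f"line {line_no}: [{name}] account={account}: {redacted}")
```

Run against real systems this would iterate over every user's .bash_history, .zsh_history and .mysql_history; the fix for the pattern it finds is to stop passing secrets as arguments (SSH keys or `sshpass -f` / `-e`, `mysql -p` with a prompt) and to rotate any password that has already landed in a history file.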
