STAPLER: 1 Walkthrough

+ Average beginner/intermediate VM, only a few twists   |
| + May find it easy/hard (depends on YOUR background) |
| + ...also which way you attack the box

https://www.vulnhub.com/entry/stapler-1,150/

“know yourself and you will win all battles”
Sun Tzu

Enumeration

Let’s use NMAP to enumerate.

Brooding:🤔

This machine has many services running. First thing is to rule out the unnecessary services.

Ruling out ports

  1. Port 666 sent out a zip file having an image.

📌 username: scott

2. Port 20 — Nothing here.

3. Port 22 — No available exploits.

4. Port 53 — Found nothing on DNS — all the available exploits are DOS.

5. Port 3306 — There is not remote exploit and no default pwd.

More Enumeration 🤓…

  1. port 21

📌 username:harry

Found a note on this FTP.

📌username:elly

📌username:john

2. port 80

  • There is no trial on manual walk + source code view + robots.txt
  • Nikto scan
.bashrc & .profile

Nothing on .bashrc and .profile

🔑 It says that it web server might be mounting a user directory. 🤔

  • Gobuster — Nothing here.

3. port 12380

  • manual walk + source code view + robots.txt

📌 username:zoe

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

  • Nikto scan
  • Gobuster

Found a blog:

https://192.168.103.171:12380/blogblog/

whatweb https://192.168.103.171:12380/blogblog/

Apache[2.4.18], Bootstrap[20120205,4.2.1], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.103.171], JQuery, MetaGenerator[WordPress 4.2.1], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[Initech | Office Life], UncommonHeaders[dave], WordPress[4.2.1], x-pingback[https://192.168.103.171:12380/blogblog/xmlrpc.php]

Nothing vulnerable on wordpress.

4. port 139

Found few shared folders.

  • Got a wordpress backup — kathy
  • Got todo file — kathy

📌 username:kathy

Got users through Enum4Lin script.

Let’s try these users on the services…

  1. ftp
  2. ssh
  3. wordpress

Finding POI(Point Of Intrusion)

Use the usernames to brute-force since we have no other way to get in for now.

ftp — Hydra

No luck on other services.

Exploitation

Got a low privilege User.

Privilege Escalation

After looking into the .bash_history file🤓, got the credentials for other 2 accounts. one of the account has all the priv.

peter has all the root priv.
ssh into peter.
Photo by bruce mars on Unsplash

What could be more fun than breaking stuffs!!!