Intro

The following is a semi-spoilerish walkthrough of the Stapler VM from Vulnhub by g0tmi1k.

Write-up

An NMAP scan reveals all sorts of goodies on this little rascal, including TCP 666 (DOOM?!), FTP, Samba shares a few Web ports – and more! I cut Sparta loose on the host as well so it would automatically run Nikto, try some light brute forcing, etc.

Sparta revealed that an FTP account with default creds was discovered, so I connected to that and pulled down a file called "note" which had some information about possible users of this machine/network.

Next, I cut dirb loose on ports 80 and 12380 to see what they turned up. I also reviewed the nikto results and robots.txt for each Web service to find some more interesting files/folders to enumerate.

One such subfolder indicated a potentially vulnerable version of WordPress, so I used wpscan to enumerate everything I could – including users, themes and plugins. From that enumeration I found a WordPress user with the same name as the person mentioned in the FTP note, so I spent some time brute-forcing that user’s password.

After successfully cracking the password, I tried the user’s credentials via an FTP connection and was successful! After poking around the file structure, it appeared I was in the /etc folder, so I grabbed a copy of /etc/passwd and issued the following command to parse out just the usernames in a list:

cat passwd | grep '/bin/bash' | cut -d: -f1

Then, I set Hydra loose on brute-forcing those passwords while I explored the rest of the box:

hyrda -L my-list-of-users.txt -e nsr ip.of.target.machine ssh

I took a lunch break at this point, and was surprised to find a legit set of creds cracked when I returned! I SSH’d in as the cracked user and did some enumeration of the machine. That pointed me towards some Exploit-DB exploits, and one of them allowed for straightforward rooting of the machine.

My understanding is there are many ways to root this box, so be sure to collect ’em all!

Video Walkthrough (FULL OF SPOILERS!)

Still stuck? Check out the video walkthrough below, but be warned – it contains all the gory details and spoilers of the above walkthrough, so only watch if you dare…

7 Minute Security #206: Vulnhub Walkthrough of the Stapler VM