Vulnhub Stapler – Walkthrough

In this write-up, will be showing the steps to take root access on Stapler machine created by g0tmi1k. All the VM related details can be checked
on here.

First I tried checking the IP address using netdiscover. The victim appears to be sitting at 10.0.2.9.
The attacker machine is at 10.0.2.11

Next nmap helped us in checking the open ports and the respective services running.

The very first port 21 seems to be hosting a ftp server. I tried checking anonymous login and could get through without a password. The welcome banner revealed a random user’s name harry.

On checking the current directory, I found a file ‘note’ which contained 2 names Elly and John.

Further quickly created a user file with the collected names and employed hydra to brute-force the ftp service for guessing correct credentials. Got lucky and found a valid user/password combination.

Then tried my luck with brute-forcing the ssh service using the same users.txt file but didn’t succeed.
However when trying sshing to the remote server, another username was revealed from the login banner.

Directly moved onto the last port 12380 and found ssl enabled web server running. Tried to query the robots.txt file and found 2 urls. Out of the 2, only /blogblog had something juicy.

Took the help of nikto and started scanning the web server for any potential vulnerabilities. Apart from the robots.txt and the 2 urls we discovered manually, nikto revealed /phymyadmin/ directory as well.

While manually browsing through the website, I got redirected to a wordpress login which forced me to use wpscan tool on this url. It revealed a bunch of valid usernames and mostly client side vulnerabilities which won’t help much.
wpscan also revealed few urls wp-includes/, wp-content/uploads/ that had directory listing enabled.

Again traversed through the directories for information and after a few minutes, found a /wp-content/plugins directory that listed available plugins being used by the application.

11. Advanced Video plugin seems interesting to me and quickly searched if it had something to offer. And yes it does.

After a thorough reading I found that this python exploit can be used for arbitrary file download. The url
http://127.0.0.1/wordpress/wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=%5BFILEPATH%5D was the culprit.
Lets try to read our favourite /etc/passwd file using the above vulnerable url. Once the request is made, the desired file gets saved under the wp-content/uploads/ directory. And of course directory listing is enabled on the same url.

Lets try reading the file using curl and quickly create a users list using cut.

I can’t wait to use this list for brute-forcing the ssh service. Lets take help of hydra. Wait, we got a valid credential combination. Thanks to hydra once again.

Manually trying to login with SHayslett user.

Lets check the Linux kernel and exact operating system. Its a 4.4.0-21-generic linux kernel and Ubuntu 16.04 is being used. Lets go ahead and try becoming root.

After a quick google search, found an exploit here. Followed the steps, compiled the program and on execution the privilege escalation failed.

Again searched for exploits and finally found something useful here.
To make things easier, transferred the files on the victim machine and went ahead with the compilation process. On final exection, became the Root. Voot !!!