Stapler
Source: Proving Grounds OS: Linux Community Rating: Hard
Enumeration & Reconnaissance
To get comfortable with AutoRecon, I began my scanning with that tool rather than the traditional nmap.
The scan revealed the following open ports:
FTP (21)
SSH (22)
DNS (53)
HTTP (80)
SMB (139)
Port 666
MySQL (3306)
HTTP (12380)
Service Analysis
FTP Service
Anonymous Login: The FTP service allowed anonymous login.
Banner Clue: Upon logging in, the FTP banner contained a note:
“Harry, make sure to update the banner when you get a chance to show who has access here"
This note hinted at our first possible user: Harry.
There was also a file which, on inspection, hinted at our second possible user: Elly.
I then ran Hydra with the -e nsr flag (try a null password, the login name itself, and the login name reversed) against both users, which led to a successful hit for user Elly, whose password turned out to be ylle.
With FTP access as Elly, I discovered several directories and files, including a passwd file.
I extracted additional usernames from it.
I then ran Hydra again with the same flags on the new set of usernames.
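As an added example that is not part of the original write-up: a defender-side audit that flags the same three password patterns a Hydra -e nsr pass tries, a null password, the login name itself, and the login name reversed (the elly/ylle case above). The account list is constructed for the demonstration.

```python
# Added example, not from the write-up: flag accounts whose passwords would fall to
# the trivial guesses Hydra's -e nsr option makes, so they are fixed before an
# attacker finds them. All account data below is constructed.

def weak_credential_reasons(username: str, password: str) -> list[str]:
    """Return the reasons a password would fall to a trivial guessing pass.

    Mirrors Hydra's -e nsr checks:
      n: null (empty) password
      s: password is the same as the login name
      r: password is the login name reversed
    Comparisons are case-insensitive, which is slightly stricter than Hydra's
    literal match (an assumption made here for auditing purposes).
    """
    reasons = []
    u = username.lower()
    p = password.lower()
    if p == "":
        reasons.append("null")
    if p == u:
        reasons.append("same-as-login")
    if p == u[::-1] and u != u[::-1]:  # palindromic logins are already caught above
        reasons.append("reversed-login")
    return reasons


def audit_accounts(accounts: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each weak username to its reasons; accounts with no findings are omitted."""
    findings = {}
    for username, password in accounts:
        reasons = weak_credential_reasons(username, password)
        if reasons:
            findings[username] = reasons
    return findings


# Constructed sample: elly/ylle mirrors the FTP hit in the write-up; the rest are made up.
SAMPLE_ACCOUNTS = [
    ("harry", ""),
    ("elly", "ylle"),
    ("dave", "Dave"),
    ("alice", "correct-horse-battery-9"),
]

if __name__ == "__main__":
    for user, reasons in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {', '.join(reasons)}")
```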
HTTP & Port 666
HTTP Servers: I fuzzed both HTTP servers in the background while manually inspecting them. Unfortunately, nothing significant surfaced during this phase.
Port 666 Investigation:
On port 666, I found an index.html file. Checking its file type showed it was actually a zip archive. Renaming and unzipping it revealed an image file, and running exiftool on the image produced a message:
“If you are reading this, you should get a cookie!”
I am not sure whether this is just a rabbit hole or a further hint.
SMB
I also checked the SMB shares and uncovered:
WordPress files, apparently a backup
A to-do list note
But these did not yield any additional information.
Gaining Initial Access
During the Hydra brute force, another valid credential was discovered for user SHayslett. Using these credentials, I successfully SSH’d into the target, securing the local flag.
After gaining user access, and given the WordPress backup on the SMB share and the exposed MySQL database, I checked the wp-config file. As expected, it provided access to the database, though my interaction with it didn’t lead to additional exploitable vectors.
Privilege Escalation
With user access in hand, I ran linpeas.sh, which revealed multiple hints. The most important was the kernel version, 4.4.0-21-generic, which is vulnerable to multiple exploits. After testing several proof-of-concept exploits, the only one that worked was the exploit code from 39772.txt on Exploit-DB, which granted root access.
Lessons Learned
Weak Credentials: The target was initially compromised due to weak, easily guessable credentials.
Unpatched Kernel: The outdated kernel version was a gateway for privilege escalation.