Stapler

Source: Proving Grounds OS: Linux Community Rating: Hard

Enumeration & Reconnaissance

To get comfortable with autorecon, I began my scanning with this tool rather than the traditional nmap:

autorecon <Target-IP>

Anonymous Login: The FTP service allowed anonymous login.
Banner Clue: Upon logging in, the FTP banner contained a note:
“Harry, make sure to update the banner when you get a chance to show who has access here"
This note hinted at our first possible user:
- Harry

There was also a file which after checking gave us the hint to our second possible user, Elly.

I then ran Hydra with the -e nsr flag against both users. Which lead to a successful hit with user Elly whose password turned out to be ylle.
With FTP access as Elly, I discovered several directories and files, including a passwd file.

I extracted additional usernames using:
```
cat passwd | awk -F: '{print $1}' > usernames.txt
```
I then ran Hydra again with the same flags on the new set of usernames.

HTTP Servers: I fuzzed both HTTP servers in the background while also manually inspecting them. Unfortunately, no significant information surfaced during this phase.
Port 666 Investigation:
- On port 666, I found an index.html file. After checking its file type, I realized it was actually a zip archive.
- Renaming and unzipping it revealed an image file. Running exiftool on the image produced a message:
“If you are reading this, you should get a cookie!”
I am not sure if this is just a rabbit hole or a further hint.

I also checked the SMB shares and uncovered:
- WordPress files, kind of a backup.
- A to-do list note
But these did not yield any additional information.

During the Hydra brute force, another valid credential was discovered for user SHayslett. Using these credentials, I successfully SSH’d into the target, securing the local flag.

After gaining user access, Because there was the WordPress backup in the SMB and the MySQL database, I checked the wp-config file. Which as I thought, provided access to the database, though my interaction with it didn’t lead to additional exploitable vectors.

With user access in hand, I ran Linpeas.sh. Which revealed multiple hints, the most important one is that the kernel version, 4.4.0-21-generic which is vulnerable to multiple exploits.
After testing several proof-of-concept exploits, the only one that worked was the exploit code from 39772.txt available on Exploit-db. Which granted root access.

Weak Credentials: The target was initially compromised due to weak, easily guessable credentials.
Unpatched Kernel: The outdated kernel version was a gateway for privilege escalation.

Last updated 3 months ago

Source: Proving Grounds OS: Linux Community Rating: Hard

To get comfortable with autorecon, I began my scanning with this tool rather than the traditional nmap:

autorecon <Target-IP>

Anonymous Login: The FTP service allowed anonymous login.
Banner Clue: Upon logging in, the FTP banner contained a note:
“Harry, make sure to update the banner when you get a chance to show who has access here"
This note hinted at our first possible user:
- Harry

There was also a file which after checking gave us the hint to our second possible user, Elly.

I then ran Hydra with the -e nsr flag against both users. Which lead to a successful hit with user Elly whose password turned out to be ylle.
With FTP access as Elly, I discovered several directories and files, including a passwd file.

I extracted additional usernames using:
```
cat passwd | awk -F: '{print $1}' > usernames.txt
```
I then ran Hydra again with the same flags on the new set of usernames.

HTTP Servers: I fuzzed both HTTP servers in the background while also manually inspecting them. Unfortunately, no significant information surfaced during this phase.
Port 666 Investigation:
- On port 666, I found an index.html file. After checking its file type, I realized it was actually a zip archive.
- Renaming and unzipping it revealed an image file. Running exiftool on the image produced a message:
“If you are reading this, you should get a cookie!”
I am not sure if this is just a rabbit hole or a further hint.

I also checked the SMB shares and uncovered:
- WordPress files, kind of a backup.
- A to-do list note
But these did not yield any additional information.

During the Hydra brute force, another valid credential was discovered for user SHayslett. Using these credentials, I successfully SSH’d into the target, securing the local flag.

After gaining user access, Because there was the WordPress backup in the SMB and the MySQL database, I checked the wp-config file. Which as I thought, provided access to the database, though my interaction with it didn’t lead to additional exploitable vectors.

With user access in hand, I ran Linpeas.sh. Which revealed multiple hints, the most important one is that the kernel version, 4.4.0-21-generic which is vulnerable to multiple exploits.
After testing several proof-of-concept exploits, the only one that worked was the exploit code from 39772.txt available on Exploit-db. Which granted root access.

Weak Credentials: The target was initially compromised due to weak, easily guessable credentials.
Unpatched Kernel: The outdated kernel version was a gateway for privilege escalation.

Last updated 3 months ago