Stapler

Source: Proving Grounds
OS: Linux
Community Rating: Hard

Enumeration & Reconnaissance

  • To get comfortable with autorecon, I began my scanning with this tool rather than the traditional nmap:

    autorecon <Target-IP>
  • The scan revealed the following open ports:

    • FTP (21)

    • SSH (22)

    • DNS (53)

    • HTTP (80)

    • SMB (139)

    • Port 666

    • MySQL (3306)

    • HTTP (12380)

Service Analysis

FTP Service

  • Anonymous Login: The FTP service allowed anonymous login.

  • Banner Clue: Upon logging in, the FTP banner contained a note:

    “Harry, make sure to update the banner when you get a chance to show who has access here”

    This note hinted at our first possible user:

    • Harry

[Image: FTP Banner & Note]
  • There was also a file which, after checking, gave us the hint to our second possible user, Elly.

[Image: FTP Note]
  • I then ran Hydra with the -e nsr flag against both users, which led to a successful hit with user Elly, whose password turned out to be ylle.

  • With FTP access as Elly, I discovered several directories and files, including a passwd file.

[Image: FTP Files]
  • I extracted additional usernames using:

    awk -F: '{print $1}' passwd > usernames.txt

    I then ran Hydra again with the same flags on the new set of usernames.
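As an added defensive example (not part of the original write-up), the check below mirrors the three guesses that Hydra's -e nsr option tries (null, same as login, reversed login) so a password policy or credential audit can reject exactly the kind of pair found here; the sample account list is constructed, and the case-insensitive comparison is an assumption that is stricter than Hydra's literal test.

```python
# Added example: a password-policy check mirroring Hydra's -e nsr guesses
# (n = null/empty, s = same as login, r = login reversed). Use it to reject
# such passwords when they are set, or to audit an existing credential list.
# Comparisons are case-insensitive, which is stricter than Hydra's literal
# test (an assumption made here for safety).

def nsr_weaknesses(username: str, password: str) -> list[str]:
    """Return the -e nsr rules that this credential pair would fail."""
    user = username.strip().lower()
    pw = password.lower()
    findings = []
    if pw == "":
        findings.append("null")
    if pw == user:
        findings.append("same-as-login")
    if pw == user[::-1]:
        findings.append("reversed-login")
    return findings


def audit_credentials(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each username that fails at least one rule to the rules it failed."""
    report = {}
    for username, password in pairs:
        hits = nsr_weaknesses(username, password)
        if hits:
            report[username] = hits
    return report


# Constructed sample data: "elly"/"ylle" mirrors the pair found in the
# write-up; the other entries are invented for illustration.
SAMPLE_CREDENTIALS = [
    ("elly", "ylle"),
    ("harry", "harry"),
    ("guest", ""),
    ("shayslett", "correct horse battery staple"),
]

if __name__ == "__main__":
    for user, rules in audit_credentials(SAMPLE_CREDENTIALS).items():
        print(f"{user}: fails {', '.join(rules)}")
```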

HTTP & Port 666

  • HTTP Servers: I fuzzed both HTTP servers in the background while also manually inspecting them. Unfortunately, no significant information surfaced during this phase.

  • Port 666 Investigation:

    • On port 666, I found an index.html file. After checking its file type, I realized it was actually a zip archive.

    • Renaming and unzipping it revealed an image file. Running exiftool on the image produced a message:

    “If you are reading this, you should get a cookie!”

    I am not sure if this is just a rabbit hole or a further hint.

[Image: Service 666 Message]
[Image: The Cookie]

SMB

  • I also checked the SMB shares and uncovered:

    • WordPress files, kind of a backup.

    • A to-do list note

    But these did not yield any additional information.

Gaining Initial Access

  • During the Hydra brute force, another valid credential was discovered for user SHayslett. Using these credentials, I successfully SSH’d into the target, securing the local flag.

[Image: SHayslett Creds]
  • After gaining user access, because there was the WordPress backup in the SMB share and the MySQL database, I checked the wp-config file, which, as I thought, provided access to the database, though my interaction with it didn’t lead to additional exploitable vectors.

Privilege Escalation

  • With user access in hand, I ran linpeas.sh, which revealed multiple hints; the most important one is that the kernel version, 4.4.0-21-generic, is vulnerable to multiple exploits.

  • After testing several proof-of-concept exploits, the only one that worked was the exploit code from 39772.txt, available on Exploit-DB, which granted root access.

Lessons Learned

  • Weak Credentials: The target was initially compromised due to weak, easily guessable credentials.

  • Unpatched Kernel: The outdated kernel version was a gateway for privilege escalation.
