Stapler OffSec Walkthrough

Stapler OffSec Walkthrough: This is a walkthrough of Stapler from the Offensive Security playground; it is also available on VulnHub. Let us see how we can compromise this machine.

We begin with the initial nmap enumeration. With sudo nmap the host is reported as down; however, the scan runs fine with regular nmap.

nmap scan

The FTP service allows anonymous login, so we begin the enumeration there. We find a note.

note

There is possibly useful information in elly's FTP account, so we try brute-forcing elly's FTP credentials.

ftp brute force

We log in as elly and see lots of files in the directory. One of the interesting files is the /etc/passwd file. We copy it to our local system, since its usernames could be used to brute-force any user's credentials via SSH. We collect the usernames into one file.

cat passwd | awk -F: '{print $1}' > usernames.txt

We can run a quick hydra scan against SSH with the same nsr option.

ssh brute force

We use these credentials to log in over SSH.
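Seen from the defender's side, a username sweep like the one above stands out in the SSH auth log: one source fails against many different accounts with at most three attempts each, sometimes followed by a success. The check below is an added example, not part of the original walkthrough; the log lines are constructed, and the function name and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (sample data, not taken from the Stapler host).
SAMPLE_LOG = """\
Jun  5 10:00:01 host sshd[900]: Failed password for alice from 192.0.2.10 port 40001 ssh2
Jun  5 10:00:02 host sshd[901]: Failed password for alice from 192.0.2.10 port 40002 ssh2
Jun  5 10:00:03 host sshd[902]: Failed password for bob from 192.0.2.10 port 40003 ssh2
Jun  5 10:00:04 host sshd[903]: Failed password for carol from 192.0.2.10 port 40004 ssh2
Jun  5 10:00:05 host sshd[904]: Accepted password for carol from 192.0.2.10 port 40005 ssh2
Jun  5 10:00:06 host sshd[905]: Failed password for invalid user dave from 192.0.2.10 port 40006 ssh2
Jun  5 10:05:00 host sshd[910]: Failed password for root from 198.51.100.7 port 50001 ssh2
Jun  5 10:05:09 host sshd[911]: Failed password for root from 198.51.100.7 port 50002 ssh2
Jun  5 10:09:00 host sshd[920]: Accepted password for erin from 203.0.113.5 port 60001 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

def find_spraying(log_text, min_users=4, max_per_user=3):
    """Return sources that failed against many accounts with few tries each."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed count
    accepted = defaultdict(set)                       # ip -> users logged in after failures
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        result, user, ip = m.groups()
        if result == "Failed":
            failures[ip][user] += 1
        elif ip in failures:
            # A success from a source that was already failing is the urgent case.
            accepted[ip].add(user)
    findings = {}
    for ip, per_user in failures.items():
        # Many distinct accounts, few guesses per account: a sweep, not a typo.
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            findings[ip] = {"users_tried": len(per_user),
                            "compromised": sorted(accepted[ip])}
    return findings

if __name__ == "__main__":
    for ip, info in find_spraying(SAMPLE_LOG).items():
        print(ip, info)
```

Any account listed under "compromised" should have its password reset and its sessions reviewed, and password authentication for SSH is better replaced with keys.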

Privilege escalation:

We run linpeas and see there are many exploits for the specific kernel version.

linux version
exploit

We download the corresponding exploit from 39772.txt and get root access.

root flag

With root access we can get both flags. Another interesting thing is a wordpress.sql file in the root directory. We can read it to find hashes of all users.

That completes this lab. See you in the next one 😉
