Stapler OffSec Walkthrough: This is a walkthrough of Stapler from the offensive security playground and its also Available in vulnhub. Let us see how we can compromise this machine.
Beginning the initial nmap enumeration. We see the host is down with the use of sudo nmap, however, the scan runs fine with regular nmap.
The ftp service has anonymous ftp login as allowed. We begin the enumeration with that. We find a note in there.
There must be useful information in elly’s ftp account possibly. We try bruteforcing elly’s ftp credentials.
We login as elly and see lots of files in the directory. One of the interesting files is the /etc/passwd file. We get the file onto our local system and can possibly bruteforce any user’s credentials via SSH. We sort the usernames into one file.
cat passwd | awk -F: ‘{print $1}’ > usernames.txt
We can do a quick hydra scan with the same nsr.
We use these credentials to login using SSH.
Privilege escalation:
We run linpeas and see there are many exploits for the specific kernel version.
We download the corresponding exploit from 39772.txt and get root access.
With root access we can get both flags. Another interesting thing is a wordpress.sql file in the root directory. We can read it to find hashes of all users.
Finally this lab solve see you on next lab 😉
Also Read | Election1 OffSec Walkthrough
