g0tmi1k: Stapler – Vulnhub Writeup

Source: https://www.vulnhub.com/entry/stapler-1,150/

I came across this VM through a list of OSCP-like VMs on abatchy’s blog and decided to give it a try.  Other than that and the readme stating this is a “beginner/intermediate’-level VM, I don’t know much else about it so let’s get to it!

A quick host discovery scan to detect the victim’s IP:

nmap -sP

Now a scan to detect OS and available services on the machine.

nmap -O -sV

Normal so far, but then I start scrolling down more and see this fingerprint associated with the “doom?” service.

We’ll have to do more investigating to figure out what is running on the 666 port.  I attempted to get an easy banner grab by connecting to it with telnet and netcat but just got a return of seemingly garbled text.

There are several service options to take a look at at this point but let’s start with the FTP server.

At first I tried “Harry” and password [blank], “Harry”, “password” and a few others without any success.  Trying anonymous/anonymous got me a successful logon, though.  I couldn’t move around to any other directories and there was only the one file called “note”.  Let’s download and see what it is.

This could be interesting for later.   We now have 3 possible login IDs of “Harry”, “Elly”, and “John”.  If we need to we can probably brute-force passwords for any of the three but let’s keep looking through the available services.

I did a quick banner grab of SSH with telnet:

And then tried connecting via SSH:

+1 possible login ID of “Barry”.

Maybe the FTP brute-force is the easiest route after all.  Let’s try it out with Hydra using the login IDs we know of thus far: barry, harry, elly, john.  Adding them to a txt doc I tried with Hydra along with using a top 100,000 password list:

hydra -L ftpusers.txt -P top100k.txt -e nsr ftp

Didn’t even need a password list.  The “null/same/reverse” option did all the work for me.  Let’s go ahead and log in.

After this a couple more pages of directory listings.  Some of the more interesting items that I pull down are:

passwd, ftpusers, apache2/apache2.conf, apache2/ports.conf, crontab

  • I didn’t notice any Apache service running in my initial nmap scan which is why I pulled down the ports.conf.  Now I realize why…it was on 12380 and I didn’t do a full range scan.
  • /etc/passwd contains a pretty lengthy list and a good chunk of them are interactive shell users.
  • “ftpusers” is a list of users disallowed FTP access – mainly root and system accounts
  • crontab doesn’t show anything super interesting

Well, let’s travel further down the hydra rabbit hole and try “-e nsr” with the long list of users we have now from /etc/password/

With a simple cut we can extract the entire user list from passwd:

cat passwd | cut -d ‘:’ -f1 > etcpwdusers.txt

hydra -L etcpwdusers.txt -e nsr ssh

It only takes a minute to find out it worked!  But will this user have any additional system rights?

Shhhhhh.  Well, now we need to find a way to either escalate privileges or hijack a service to locate the flag on the machine.

I hope looking at the VM author’s own guide doesn’t count as cheating: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Looking through services run by root:

ps aux | grep root

I run across something interesting.

Netcat is running on port 666.  I connect to it again and pay a little closer attention this time.

“message2.jpg” stands out.  Possibly other text content in here as well.  Maybe it’s a file or merged files?  I’ll pipe the connection to a file to see if I can use binwalk or another tool to make sense of it.

It’s definitely a file.  Let’s unzip it.

One file is extracted called “message2.jpg”.  I’m guessing this is a hint but at least for right now may be a dead end.

A lot of poking around the file system later…I start going through the /home/ directories of other users (I seem to have access to them all), specifically looking at bash command history:

We have another SSH ID and password!  Let’s try it out.  Also, yes, I realize now that I should have just created a quick bash script to loop through all of the user home directories quickly.  =P

Not only that, but peter has sudo rights!

A quick sudo away, and we have our flag!

This vulnhub VM was really well done.  I feel like there were probably other avenues of attack that I didn’t even touch on here (like the Apache server which I hadn’t even looked at yet).  Also probably more Easter eggs that I missed!