Wed 10 August 2016

This is a Stapler challenge from You can obtain the virtual machine from: here

''' The primary object is to got root. '''

Our nmap scan:

After running nmap script scan with -A switch:

nmap -A -T4 -p-
  • Ftp Anon login allowed

Base on what we found on the ftp we were able to enumerate these usernames:

  • Harry
  • Elly

port 12380 turn out to be web server:

Another username:

  • Tim

Scanning the web server:

It's look like the webserver on port 12380 serve http and https both on port 12380.From the robots.txt we found beef hook at admin112233 :D and what's look like wordpress blog.

This is the results from the scans with wpscan:

Plugins enumeration:

and usernames enumeration:

Advanced video plugin is vulnerable to LFI.

This is the link to the available exploit: exploit-db

It's look like we could read the content of wp-config. We were able to post on the blog with entering this url:   

This created new post on the blog for us:

This is where the post was created:

This image probably contain the content of wp-config.php.

So to be able to read the content lets download it with curl:

MYSQL credentials: root:plbkac

Connect to the target on port 3306 mysql:

mysql --user=root --password=plbkac -h

The databases on the target:

use wordpress;
show tables;

select * from wp_users;

Ok now we have the hashes of all users on the wordpress blog. It's time to crack them. After a while we got the admin account of john:

We can't install plugin on the wp blog because we need ftp credentials.

Despite the error and the fact we haven't the ftp credentials of john our atempt to upload b374k shell as plugin ended up uploaded in the media dir:

Now we have shell access to the target:

Start reverse shell from b374k to our attacker machine:

Catch the reverse shell and find out whoami and operation system version:

For ubuntu 16.04 there is privelege escalation exploit:


After compile and execute the exploit: