Stapler 1 (Brute Force)

Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute-force path the most obvious on the first playthrough, but I think I will revisit this one again.

Discovery & Enumeration

```
root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.137     08:00:27:f2:ed:b4      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: patriot.fbcnt.in
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
|   Status: Autocommit
|_  Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name:
|   FQDN: red
|_  System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.22 ms  red.initech.vulnlab.fbcnt.in (10.1.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds
```

Anonymous FTP, etc

A lot is running on this box. Working top-to-bottom, anonymous FTP immediately caught my attention, so I started there. ...

June 29, 2016 · 6 min