Stapler is a boot2root machine from vulnhub. It’s easy machine with littlw twist. You can download this machine from here.
Let’s start the dirty work.
I scanned the network to find the IP of the machine with the help of arp-scan.
Let’s scan our target with nmap.
nmap -sC -sV 10.0.2.9
I didn’t find anything intresting with these switches, so again I scanned the target with different switches and i found http running on port 12380.
nmap -p- -A 10.0.2.9
I scanned the target with Nikto and found 2 interesting output.
Well, target is running on WordPress, I used wpscan to gather more information.
wpscan --url https://10.0.2.9:12380/blogblog --enumerate u --disable-tls-checks
I brute-forced username for their password with wpscan.
wpscan --url https://10.0.2.9:12380/blogblog --username john --passwords /usr/share/wordlists/rockyou.txt --disable-tls-checks
I logged in to wordpress with john:incorrect and uploaded a php-reverse-shell in plugin which I got from here.
The uploaded location was /wp-content/uploads (got it from wpscan)
And finally I was able to get reverse shell with the help of Netcat.
I enumerated further to find the kernel version and downloaded its exploit from here.
Further downloading and executing the exploit gave me root access to the system.
Visit : AzureSkynet