Skip to content

Stapler -- Proving Grounds (write-up)

Difficulty: Intermediate Box: Stapler (Proving Grounds) Author: dsec Date: 2025-12-14

TL;DR

FTP anonymous access leaked passwd file. Extracted usernames for brute force. WordPress exploitation for shell. Kernel exploit (39772) for root.

Target info

  • Host: Stapler (Proving Grounds)

Enumeration

Nmap results

Service details

FTP anonymous login:

FTP access

FTP files

Got the passwd file and extracted usernames:

cat passwd | awk -F: '{print $1}' > usernames.txt

Usernames

Foothold

Web enum

WordPress

WP exploitation

Shell access

Privilege escalation

Found kernel exploit 39772:

Exploit info

Compilation

Root

Lessons & takeaways

  • Anonymous FTP access can leak critical files like /etc/passwd
  • Extract usernames from passwd files for targeted brute force
  • Linux kernel exploits (39772) are reliable for older kernels