DerpNStink CTF write-up
Gaining a shell in this challenge is very simple, which makes it a good start for beginners like me, but privilege escalation is very challenging.
So let’s begin!
Let’s scan the target to find all open ports and running services.
FTP and HTTP are open.
Let’s check what is being served over HTTP.
I think Derp is the guy on the left and Stink is the one on the right, but there is nothing interesting on the web page itself.
Let’s inspect the page source to check whether something is hidden there.
I found the first flag!
Now let’s scan for all the possible directories.
I saw “phpmyadmin” and “wp-admin”. I had no idea what phpMyAdmin was because I’m not a developer by trade, so I googled it: “phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services.” (Wikipedia, https://en.wikipedia.org/wiki/PhpMyAdmin)
Now I know phpMyAdmin is for databases, and the target is running WordPress.
I checked what was on /tempory and it said “try harder”, a very famous hacker quote from Offensive Security.
I also checked /weblog, the WordPress site, and there was nothing interesting there.
I added the target machine’s domain and IP to my /etc/hosts file so it resolves locally.
This is where I found the domain “derpnstink.local”.
Here’s the phpMyAdmin login page.
And yes, it is a WordPress site.
Let’s scan the WordPress site with wpscan to find any vulnerabilities.
I found a “slideshow gallery” vulnerability.
Use the reference to get the exploit code.
Read the code carefully and copy it to your computer.
Make it executable.
Now modify the PHP reverse shell code with your computer’s IP and the port you want to use.
Then run the wpslideshowexploit.sh script!
I successfully uploaded the reverse shell to the target; now click the URL to run it.
Make sure you have a netcat listener running; once you click the URL you will receive a reverse shell from the target machine.
Now I have a shell
Let’s check /etc/passwd to list all users.
I found the WordPress configuration file in /var/www/html.
There’s a MySQL user and password!
Let’s try logging in to phpMyAdmin with the “root/mysql” credentials.
I successfully logged in.
Then I tried to brute-force the WordPress login and got in with “admin/admin”, but this is not the real admin account.
So let’s explore phpMyAdmin, where I found the WordPress users and their MD5 hashes.
I didn’t want to crack “unclestinky”’s password because I knew the admin password was “admin”, so I copied the “admin” user’s hash and pasted it over “unclestinky”’s hash.
Now “unclestinky”’s password is “admin”.
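Added example (my own Python, not code from the write-up or from WordPress): an audit a defender can run over exported wp_users rows to catch exactly the trick used above. WordPress stores user_pass as a salted, MD5-based phpass hash (the “$P$” prefix), so two accounts with byte-identical hashes almost certainly mean one row was copied over the other, and a bare 32-hex value is an unsalted legacy MD5 that should be rotated. The rows below are constructed placeholders, not hashes from the target.

```python
import re
from collections import defaultdict

# Constructed rows shaped like WordPress' wp_users (user_login, user_pass).
# The hash strings are made-up placeholders, not values from the target.
SAMPLE_WP_USERS = [
    ("admin",       "$P$BsampleAdminHashPlaceholder0000"),
    ("unclestinky", "$P$BsampleAdminHashPlaceholder0000"),  # copied over from admin
    ("editor",      "$P$BanotherDifferentSaltedHash0000"),
    ("legacy",      "0123456789abcdef0123456789abcdef"),     # unsalted 32-hex MD5
]

# phpass portable hash: "$P$" + 1 cost char + 8 salt chars + 22 hash chars
PHPASS_RE = re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")
# plain MD5 hex digest, as stored by very old WordPress versions
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def classify_hash(user_pass):
    """Return 'phpass', 'md5' or 'unknown' for a wp_users.user_pass value."""
    if PHPASS_RE.match(user_pass):
        return "phpass"
    if MD5_RE.match(user_pass):
        return "md5"
    return "unknown"


def find_duplicate_hashes(rows):
    """Map each user_pass shared by several logins to those logins; phpass
    salts every hash per user, so identical values mean a copied row."""
    by_hash = defaultdict(list)
    for login, user_pass in rows:
        by_hash[user_pass].append(login)
    return {h: logins for h, logins in by_hash.items() if len(logins) > 1}


def audit_wp_users(rows):
    """Return (login, finding) pairs that warrant a forced password reset."""
    findings = []
    dups = find_duplicate_hashes(rows)
    for login, user_pass in rows:
        kind = classify_hash(user_pass)
        if kind == "md5":
            findings.append((login, "unsalted MD5 hash"))
        elif kind == "unknown":
            findings.append((login, "unrecognised hash format"))
        if user_pass in dups:
            others = ", ".join(u for u in dups[user_pass] if u != login)
            findings.append((login, "hash identical to " + others))
    return findings
```

Run it against a real export with `SELECT user_login, user_pass FROM wp_users;` and treat every duplicate pair as a tampering indicator to investigate in the database audit logs.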
Let’s log in with “unclestinky”’s credentials.
And I successfully logged in!
I found the second flag!
I found some MySQL hashes.
So I tried to crack “unclestinky”’s password.
And I got it: “wedgie57”.
Let’s FTP to the server as user “unclestinky” with password “wedgie57”.
Upon checking, I saw SSH RSA keys.
Now copy the key and paste it into ~/home/user/.ssh/id_rsa.
Change the file permissions to 400 so only the owner can access the file.
Now let’s try SSH with every user on the machine.
The stinky user worked!
And I saw the third flag!
Upon checking, I saw a .pcap file (captured network traffic); I thought I might find users and passwords in there.
I ran Python’s SimpleHTTPServer on the target machine to copy the .pcap file to my computer.
I tried to analyze it with Wireshark, but it was very hard because there was a lot of traffic.
So I used tcpdump and piped it through grep to read the output more easily.
And I saw “mrderp” with password “derpderpderpderpderpderpderp”.
So let’s SSH to the target machine with those credentials; successfully logged in!
Let’s explore it.
Upon checking, I saw a ticket from the service desk regarding a “sudoers file issue”, and I think this is a clue…
And I saw another clue.
Upon googling, I found a Python script that exploits misconfigured uid and gid.
Let’s save it and run it.
No output?? Later I will try to learn more about privilege escalation.
So I tried to switch to the root user.
And finally, I got root!
And I saw the final flag!