derpnstink CTF write-ups

This challenge is very simple to gain shell is good to start for beginners like me and very challenging when it comes to privilege escalation.

So let’s begin!

Let’s scan the target to check all open ports or running services

There are FTP and HTTP

Let’s check HTTP what’s on there

I think derp is the guy on the left and stink on the right and nothing interesting on the web pages

Let’s inspect element the web pages to check if there is something there

I found the first flag!

And let’s scan all the possible directories

And I saw a “phpmyadmin” and “wp-admin” I have no idea what is phpmyadmin because I’m not a developer by trade but I tried to google it “ phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services.” by Wikipedia

Now I know phpmyadmin is for databases and the target is running WordPress

I tried to check what’s on /tempory and said “try harder” very famous hacker quotes by offsec

And I’ve checked the /weblog or the Wordpress site and nothing interesting here

I add the target machine domain and IP on my /etc/hosts file to resolve locally

And here where I found the domain “derpnstink.local”

Here’s the phpmyadmin login page

And yeah is a WordPress site

Let’s scan the WordPress site using wpscan to find any vulnerabilities on the WordPress site

And I found a “slideshow gallery” vulnerability

Use the reference to get the exploit code

Let’s read carefully the code and copy/paste it to your computer

Make it executable

And now modify the php revershell code according to your computer IP and port you want to use.

And run the script!

I successfully upload the revershell on the target and now click the URL to run the revershell

Make sure you have netcat listener and once you’ve clicked the URL you will receive a revershell from the target machine

Now I have a shell

Let’s check /passwd file to check all users

And I found this WordPress configuration file on /var/www/html

There’s mysql user and password!

Let’s try to log in on phpmyadmin using “root/mysql” credentials

And I Successfully logged in

Now I tried to brute-force the WordPress site and successfully logged in using ”admin/admin” but this is not a real admin account

So let’s explore phpmyadmin and I found the WordPress users and the md5 hashes

I don’t want to crack “unclestinky” password because I know the admin password is “admin” so I copied the hashes of “admin” user and paste it to “unclestinky” hash

And now “unclestinky” password is “admin”

Let’s Login using “unclestinky” credentials

And I successfully logged in!

I found the second flag!

I found some mysql hashes

So tried to crack “unclestinky” password

And I got “unclestinky” password “wedgie57”

Let’s FTP to the server using user “unclestinky” password “wedgie57”

Upon checking, I saw an SSH RSA keys

Now copy it and paste it to ~/home/user/.ssh/id_rsa

And change the file permission to 400 so only the owner can read and write to the file

Now Let’s ssh using every user on the machine

Stinky user worked!

And I saw the third flag!

Upon checking, I saw a .pcap file or captured traffic on the network I think I can see users and password there

I run the python simplehttpserver on the target machine to copy the .pcap file to my computer

I tried to use Wireshark to analyze it but its very hard because there is a lot of traffic

So I tried to use tcpdump and grep it to easily read the output

And I saw “mrderp” passowrd “derpderpderpderpderpderpderp”

So let’s ssh the target machine using that credentials and successfully logged in!

Let’s explore it

Upon checking, I saw this ticket regarding “sudoers file issue” from the service desk, And I think this is a clue…

And I saw this another clue

Upon googling I saw this python script that exploits misconfigured uid and gid

Let’s save it and run it

No output?? Later I will try to learn more about privilege escalation.

So I tried to switch to root user

And finally, I got root

And I saw the final flag!