DerpNStink — Walkthrough
Description from Vulnhub
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live… Instructions:
This is a boot2root Ubuntu based virtual machine. It was tested on VMware Fusion and VMware Workstation12 using DHCP settings for its network interface. It was designed to model some of the earlier machines I encountered during my OSCP labs also with a few minor curve-balls but nothing too fancy. Stick to your classic hacking methodology and enumerate all the things!
Your goal is to remotely attack the VM and find all 4 flags eventually leading you to full root access. Don’t forget to #tryharder
Example: flag1(AB0BFD73DAAEC7912DCDCA1BA0BA3D05). Do not waste time decrypting the hash in the flag as it has no value in the challenge other than an identifier.
I started scanning the machine with Nmap. My scan options included default scripts and version enumeration on all ports. This yielded the following result:
Searching for the FTP and SSH version numbers turned up nothing exploitable, so I moved on to port 80. Nmap kindly tells us that there are 2 disallowed entries in the robots.txt file. First, let's check out the site! I opened the Inspector to check out the source and found the first flag in a nested div element.
flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)
I continued with a directory scan using gobuster. Except for /weblog and /temporary, I found some pretty standard directories. First, I visited the /temporary directory, which was a dead end. Then I went to visit /weblog and got redirected to http://derpnstink.local/weblog/. To resolve the local DNS issue (obviously the site didn't load), I added derpnstink.local to my /etc/hosts file. After that, I just looked around to see if I noticed something unusual. Finally, I ran wpscan --url http://derpnstink.local/weblog -e to enumerate users, plugins, themes, etc.
The above picture shows that wpscan identified a slideshow-gallery plugin which is vulnerable to arbitrary file upload. The vulnerability has a Metasploit module, but since I'm preparing for OSCP, I decided to use this Python exploit instead: https://www.exploit-db.com/exploits/34681 However, the exploit requires authentication and I only had 2 usernames without passwords.
It was time to guess (or brute-force)! Luckily, I hit the jackpot with admin : admin. I wasn't able to edit PHP files or anything, so I resorted to the previously mentioned exploit.
I set up my reverse shell listener on port 443 and created a PHP reverse shell file, which the exploit also requires in order to work. After clicking the link at the bottom, I got a connection back as www-data. First, I checked the /php directory that I couldn't access previously and found an info.php file. This file contained a comment about a phpmyadmin installation. With recursive directory scanning, I could probably have found this file earlier. Let's just take a note of this for now.
I continued to look for sensitive files regarding the WordPress installation in the weblog directory. The wp-config.php file usually contains the MySQL database configuration, such as secret keys, database table prefixes and credentials. It's always a good idea to check this file when dealing with WordPress.
Alright, we're slowly progressing. I used these credentials to log into /php/phpmyadmin and quickly looked around. The wp_posts table contained the second flag for this machine, as you can see in the picture below. I utilized the print view functionality to get a more appealing visual representation of the table.
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
I went all the way down to the wp_users table to see if I could find some password hashes, because I remembered that wpscan gave us 2 users and I was only able to guess the password of one of them.
I found the password hash for unclestinky and used hashcat with mode 400 (phpass, the portable MD5 scheme WordPress uses) to crack it.
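To show what hashcat mode 400 is actually computing, and why a dictionary word stored in wp_users falls to it so quickly, here is an added Python re-implementation of the phpass portable hash that WordPress itself runs on every login. This is not code from the walkthrough; the wordlist and the second salt in the test are constructed, and the known-answer hash is the vector shipped in phpass' own test.php.

```python
import hashlib
# phpass' own alphabet (not RFC 4648); a char's index is its 6-bit value
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    """phpass' custom base64: 3 bytes -> 4 chars, low 6 bits first."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out

def phpass_hash(password: str, setting: str) -> str:
    """Recompute a $P$/$H$ hash from its 12-char setting ($P$ + log2(rounds)
    char + 8-char salt): what WordPress runs at login, hashcat mode 400."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    pw, salt = password.encode(), setting[4:12].encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):  # 2**count_log2 more MD5 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)

def check_password(password: str, stored: str) -> bool:
    return phpass_hash(password, stored) == stored

def find_in_wordlist(stored: str, words):
    """First word reproducing `stored`, or None (a weak-password audit)."""
    return next((w for w in words if check_password(w, stored)), None)

# Known-answer vector from phpass' own test.php; the wordlist is constructed.
KNOWN_HASH = "$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0"
SAMPLE_WORDS = ["password", "admin", "letmein", "test12345"]
```

With only 2^11 to 2^13 MD5 rounds per candidate, a GPU tries millions of guesses per second against this format, so the defence is password strength (and ideally a modern hasher), not the salt.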
By printing out the /etc/passwd file, I identified 2 potential users (mrderp & stinky) on the machine. Fortunately, the cracked password worked for stinky, who had SSH keys which we could use to get a proper connection to the target machine.
I copied the private SSH key to my machine, set the correct permissions and connected to the target. The third flag can be found in the Desktop directory.
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
There was an interesting directory called ftp in the home directory which contained a private SSH key and a funny conversation between stinky and mrderp.
I deduced that I should look for a packet capture file somewhere, and I found it in the Documents directory. Python was installed, so I used it to start a simple HTTP server in that directory and easily downloaded the file for further investigation.
Wireshark is an excellent tool for analyzing packet captures. I used it to filter for HTTP POST requests, because password changes and logins are usually associated with this type of request. You can nicely follow the events mentioned in the conversation. It looks like a new account got created for mrderp and his password is derpderpderpderpderpderpderp.
I thought, maybe he uses the same password for his local account. Yes, he was indeed using the same password for his local account. Remember, don't reuse passwords! After switching to mrderp, I quickly checked which commands he could run as root and found a strange entry.
The path to the entry was completely made up and there was a wildcard at the end. So many possibilities, but I just went for the quickest and easiest one. I created the binaries directory and a shell script inside it named derpy.sh. The extension doesn't matter because of the wildcard, so you can create any type of script you want and it'll work. My shell script only spawned a new Bash shell, which is more than enough in this case. After running the script with sudo, I got a new shell with root privileges.
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
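A sudoers rule with a glob at the end of a path that does not exist yet is exactly what a routine audit should catch before a local user does. The following Python checker is an added example, not part of the walkthrough; since the page does not show the actual rule, the sudoers lines it scans are constructed to resemble the entry described.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sudoers lines for this example; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL:ALL) /home/mrderp/binaries/derpy*   # made-up path + glob
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) /usr/bin/apt-get update
"""

# user  host=(runas) [TAG:] command [args][, command ...]
SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=(\([^)]*\))?\s*(?P<cmds>.+)$")
TAG = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*", re.I)
GLOB = re.compile(r"[*?\[]")

def audit_sudoers(text: str, isdir: Callable[[str], bool] = os.path.isdir) -> List[Dict]:
    """Flag command specs an unprivileged user could turn into a root shell:
    a glob in the path, a parent directory that does not exist yet (the user
    may be able to create it and drop a script there), and NOPASSWD."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SPEC.match(line)
        if not m or line.startswith("Defaults"):
            continue
        nopasswd = False  # sudoers tags stick to every later command in the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                tag, cmd = t.group(1).upper(), cmd[t.end():]
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            if not cmd or cmd == "ALL":
                continue  # explicit full access; nothing subtle to flag
            path = cmd.split()[0]
            reasons = []
            if GLOB.search(path):
                reasons.append("glob in command path")
            if not isdir(os.path.dirname(path)):
                reasons.append("parent directory missing")
            if nopasswd:
                reasons.append("NOPASSWD")
            if reasons:
                findings.append({"user": m.group("user"), "command": cmd, "reasons": reasons})
    return findings
```

Run it over /etc/sudoers and /etc/sudoers.d/* after visudo has validated the syntax; the fix a finding points at is a fixed, root-owned, non-writable path with no glob.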