Thursday, February 3, 2022



- Layout for this exercise:


The goal of this exercise is to develop a hacking process (discovering 4 flags) for the vulnerable machine DerpNStink, from the VulnHub pentesting platform.

DerpNStink can be downloaded from here:,221/

- Once DerpNStink is downloaded and extracted with VirtualBox:


- netdiscover identifies DerpNStink's IP:

- Scanning with Nmap:

- Scanning port 80 more deeply, we discover robots.txt and the directories /php and /temporary:

- Going to the browser:

- Dirbusting the web server, we also discover the directory /weblog, which according to its content seems to be a WordPress webpage:

- Reading robots.txt:

- Access to /php is denied:

- Nothing interesting at /temporary:

- Editing /etc/hosts:

- Now we can view-source the webpage and discover FLAG_1:

- Browsing /weblog:

- The bottom part confirms that it is powered by WordPress:

- So let's use WPScan to scan the WordPress webpage, searching for users and plugins, and discovering user admin and plugin slideshow-gallery:

- Trying admin:admin, the login is successful:


- Copying php-reverse-shell.php locally, renaming it to myshell.php and adapting it to our needs:

- Setting a listener session:

- Now, let's upload myshell.php to Slideshow gallery:

- Once we are sure that the upload has been successful, let's Save Slide:

- As a consequence a remote shell is triggered:

- There seem to be two users, mrderp and stinky:

- Going to /weblog:

- Reading wp-config.php, we discover database credentials root:mysql:

- Entering the database:

- Showing databases:

- Using database wordpress and looking for tables inside it:

- Selecting all from table wp_users:

- Let's focus our attention on these hashed credentials:

- Creating text file p:

- Identifying what type of hash is used:

- Applying John the Ripper with the wordlist rockyou.txt, we discover password wedgie57:

- Using this password wedgie75 for user unclestinky:

- The FLAG_2 is available:

- Access to SSH for user unclestinky is denied:

- By the way, at this point in the process let's improve the shell:

- Switching to user stinky with password wedgie75 is allowed:

- Checking home folder for user stinky:

- There is a public key available:

- Inside Desktop we can read FLAG_3:

- Inside Documents there is a .pcap file:

- Transferring the .pcap file to Kali:

- Opening with wireshark:

- Following the TCP stream, we discover credentials mrderp:derpderpderpderpderpderpderp:


- SSH-ing as user mrderp:

- Checking for mrderp's sudoer privileges:

- However, when going to /home/mrderp, the surprise is that /binaries/derpy* does not exist:

- Creating folder /binaries and script, passing to it "bin/bash", and giving execution permissions:

- Executing with sudo, we get a root shell:

- Reading FLAG_4:
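
The last steps work because a sudo rule points at a path that does not exist inside a directory the user controls. As an added example (not part of the original post), the following audit flags sudoers command paths that are missing or that a non-root user could create or replace. It assumes a simplified single-line rule syntax, and the rule in the demo is constructed, with the full path being an assumption.

```python
import glob
import os
import re
import stat

def commands_from_rule(rule):
    """Extract command paths from a simple 'user host=(runas) [TAG:] cmd, cmd' rule."""
    spec = re.sub(r"^\s*\([^)]*\)", "", rule.split("=", 1)[1])  # drop the runas part
    cmds = []
    for part in spec.split(","):
        words = part.split()
        while words and words[0].endswith(":"):   # drop tags such as NOPASSWD:
            words.pop(0)
        if words and words[0].startswith("/"):
            cmds.append(words[0])
    return cmds

def untrusted(path, trusted_uids):
    """Return why a non-trusted user could modify `path`, or None."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids:
        return f"{path}: owned by uid {st.st_uid}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path}: group- or world-writable"
    return None

def audit_command(pattern, trusted_uids=(0,), stop_at="/"):
    """Flag a sudoers command path whose target is missing or replaceable."""
    findings = []
    matches = glob.glob(pattern)
    if not matches:
        findings.append(f"{pattern}: matches no existing file")
    to_check = list(matches)
    d = os.path.dirname(pattern)
    while d != stop_at and d != os.path.dirname(d):   # walk up the directory chain
        to_check.append(d)
        d = os.path.dirname(d)
    for p in to_check:
        if not os.path.exists(p):
            findings.append(f"{p}: directory does not exist")
        elif (reason := untrusted(p, trusted_uids)):
            findings.append(reason)
    return findings

if __name__ == "__main__":
    # Constructed rule modelled on the walkthrough's finding (full path is an assumption).
    rule = "mrderp ALL=(ALL) /home/mrderp/binaries/derpy*"
    for cmd in commands_from_rule(rule):
        print(cmd, audit_command(cmd))
```

Any finding means the rule should be changed to a root-owned, non-writable absolute path without wildcards, or removed.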