DERP_N_STINK_1
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to work through the compromise of the vulnerable machine DerpNStink (capturing its 4 flags), from the VulnHub pentesting platform.
- DerpNStink can be downloaded from here:
https://www.vulnhub.com/entry/derpnstink-1,221/
- Once DerpNStink has been downloaded and imported into VirtualBox:
2 - ENUMERATION
- netdiscover identifies DerpNStink's IP address, 192.168.1.32:
- Scanning with Nmap:
- Scanning port 80 in more depth, we discover robots.txt and the directories /php and /temporary:
- Going to the browser:
- Dirbusting the web server, we also discover the directory /weblog, which according to its content appears to be a WordPress site:
- Reading robots.txt:
- Access to /php is denied:
- Nothing interesting at /temporary:
- Editing /etc/hosts so that the hostname used by the site resolves to 192.168.1.32:
- Now we can view the page source and discover FLAG_1:
- Browsing /weblog:
- The bottom part confirms that it is powered by WordPress:
- So let's use WPScan to enumerate users and plugins on the WordPress site; it finds the user admin and the plugin slideshow-gallery:
- Trying the default credentials admin:admin, the login is successful:
3 - EXPLOITATION
- Copying php-reverse-shell.php locally, renaming it to myshell.php and adjusting the listener IP and port to our needs:
- Starting a listener:
- Now let's upload myshell.php through the slideshow-gallery plugin:
- Once the upload has succeeded, let's click Save Slide:
- As a result, the reverse shell connects back to our listener:
- There appear to be two users, mrderp and stinky:
- Going to /weblog:
- Reading wp-config.php, we discover the database credentials root:mysql:
- Logging into MySQL with them:
- Showing databases:
- Selecting the wordpress database and listing its tables:
- Selecting everything from table wp_users:
- Let's focus on these password hashes (WordPress stores hashes, not encrypted passwords):
- Saving the hash to a text file named p:
- Identifying the hash type:
- Running John the Ripper with the rockyou.txt wordlist, we recover the password wedgie57:
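The cracking step above works because WordPress stores passwords as phpass "portable" hashes (the `$P$` strings in wp_users): salted, iterated MD5 that a wordlist attack simply recomputes for each candidate. The following Python is an added example, not code from the original walkthrough: it reimplements the phpass algorithm, identifies the hash type and recovers a password by dictionary attack, which is what John does at scale. The setting `$P$BxYz12Ab3`, the target hash derived from it and the short wordlist are constructed for the demo and are not the machine's real values.

```python
"""Added example: how a WordPress (phpass portable, $P$) hash is built and how a
wordlist attack recovers the password. Not code from the walkthrough; the salt,
target hash and wordlist below are constructed for the demo."""
import hashlib
from typing import Iterable, Optional

# phpass uses its own base64 alphabet, not the RFC 4648 one
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass encode64: packs bytes 3 at a time into 4 ITOA64 chars, little-endian."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def identify_hash(h: str) -> str:
    """Rough equivalent of the 'what type of hash is this' step."""
    if h.startswith(("$P$", "$H$")) and len(h) == 34:
        return "phpass portable (WordPress/phpBB, salted iterated MD5)"
    if h.startswith("$1$"):
        return "md5crypt"
    if len(h) == 32 and all(c in "0123456789abcdef" for c in h.lower()):
        return "raw MD5"
    return "unknown"


def phpass_hash(password: str, setting: str) -> str:
    """Recompute a $P$/$H$ hash from its 12-char setting: id, cost char, 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):  # cost char 'B' -> 2**13 = 8192 rounds
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def crack_phpass(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate under the target's salt/cost and compare."""
    setting = target[:12]
    for word in wordlist:
        if phpass_hash(word, setting) == target:
            return word
    return None


# Constructed demo data (assumed salt, not the machine's): hash of 'wedgie57' and a tiny wordlist.
TARGET_HASH = phpass_hash("wedgie57", "$P$BxYz12Ab3")
WORDLIST = ["password", "123456", "derpderp", "wedgie75", "wedgie57", "letmein"]

if __name__ == "__main__":
    print(identify_hash(TARGET_HASH))
    print(TARGET_HASH, "->", crack_phpass(TARGET_HASH, WORDLIST))
```

Note that the cost character after `$P$` sets the iteration count (8192 rounds for `B`), which is why a phpass hash cracks noticeably slower per candidate than raw MD5 but still falls quickly to a wordlist when the password is in it.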
- Logging in as the user unclestinky with this password, wedgie57:
- FLAG_2 is available:
- SSH access as unclestinky is denied (there is no such system account; the local users are mrderp and stinky):
- At this point in the process, let's upgrade the shell to something more usable:
- Switching to the user stinky with the same password, wedgie57, works (password reuse between WordPress and the system account):
- Checking stinky's home folder:
- There is a public key available:
- Inside Desktop we can read FLAG_3:
- Inside Documents there is a .pcap file:
- Transferring the .pcap file to Kali:
- Opening it with Wireshark:
- Following the TCP stream, we discover the cleartext credentials mrderp:derpderpderpderpderpderpderp:
4 - PRIVILEGE ESCALATION
- SSH-ing in as mrderp:
- Checking mrderp's sudo privileges:
- The rule allows /home/mrderp/binaries/derpy*, but going to /home/mrderp we find that the binaries directory (and therefore any derpy* file) does not exist:
- Creating the folder binaries and, inside it, the script derpy1.sh containing /bin/bash, then making it executable; because mrderp owns the directory, any filename matching derpy* satisfies the rule:
- Executing derpy1.sh with sudo, we get a root shell:
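The escalation works because the sudo rule names a wildcard path under a directory that mrderp controls, so mrderp can create whatever file the glob will match. The Python below is an added example, not the walkthrough's own commands: it parses `sudo -l` output, picks out wildcard commands and checks whether the invoking user could plant a matching file (the target directory is missing but its nearest existing parent is writable, or the directory itself is writable). The `sudo -l` text and the staged temporary directory tree are constructed for the demo; the hostname DerpNStink and the extra apt-get rule in the sample are assumptions for illustration.

```python
"""Added example, not from the walkthrough: flag `sudo -l` wildcard rules whose target
directory the invoking user can create or write, as with /home/mrderp/binaries/derpy*.
The sudo -l text and filesystem layout below are constructed for the demo."""
import os
import re
import tempfile

# Matches one command line of `sudo -l`, e.g. "    (ALL) NOPASSWD: /home/mrderp/binaries/derpy*"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str):
    """Return a list of (runas, nopasswd, command) from the 'may run the following' section."""
    rules, in_cmds = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def _nearest_existing(path: str) -> str:
    """Walk upward until a directory that actually exists."""
    while not os.path.isdir(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def wildcard_findings(output: str, root: str = "/"):
    """For every wildcard command, decide whether the current user can plant a matching file.
    `root` lets the check run against a staged directory tree instead of the live system."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        prog = cmd.split()[0]
        if "*" not in prog:
            continue
        directory, pattern = os.path.split(prog)
        staged_dir = os.path.join(root, directory.lstrip("/"))
        exists = os.path.isdir(staged_dir)
        # A missing directory is fine for the attacker if its nearest existing ancestor is writable
        writable = os.access(staged_dir if exists else _nearest_existing(staged_dir), os.W_OK)
        findings.append({
            "command": prog,
            "runas": runas,
            "nopasswd": nopasswd,
            "dir_exists": exists,
            "plantable": writable,
            # first concrete filename that satisfies the glob
            "candidate": os.path.join(directory, pattern.replace("*", "1.sh", 1)),
        })
    return findings


# Constructed sample mirroring the shape of `sudo -l` on Ubuntu (hostname and apt-get rule assumed).
SAMPLE_SUDO_L = """\
Matching Defaults entries for mrderp on DerpNStink:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrderp may run the following commands on DerpNStink:
    (ALL) NOPASSWD: /home/mrderp/binaries/derpy*
    (root) /usr/bin/apt-get update
"""


def demo():
    """Stage a writable /home/mrderp with no binaries/ inside it and analyse the sample rules."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "home", "mrderp"))
        return wildcard_findings(SAMPLE_SUDO_L, root=root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The fixed-path apt-get rule is skipped because it contains no wildcard; only the derpy* rule is reported, with `dir_exists` false and `plantable` true, which is exactly the condition that makes creating binaries/derpy1.sh sufficient for root.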
- Reading FLAG_4: