DerpnStink: VulnHub

Ryan Yager
5 min read · Sep 23, 2022

Today we are going to take a look at DerpNStink on VulnHub. As usual, we will start off with an Nmap scan of the vulnerable machine.

We can see 4 ports that are open. FTP won't give us much yet, and when looking deeper into port 8000 it seemed like a false positive; it wasn't actually up. Looking at port 80, we can see that there is a robots.txt.

Going to 10.0.3.14 and looking at the HTML code, we see the following:

Let's check out that webnotes/info.txt:

Looks like we need to update our /etc/hosts file.

Now that we have that, let's do a gobuster scan on it and see if there is anything we are missing.

And we see weblog, which was talked about in webnotes. Taking a look at weblog, it seems to be a WordPress site:

We can utilize wpscan to see more about the site: usernames and plugins.

There is a lot of information above. The things that stand out to us are that there is 1 user, admin, and that there is also a plugin called Slideshow Gallery. The first thing we need to check is whether we can actually get into the WordPress site as admin. Let's go to wp-admin and see:

We will first try admin:admin and see if that logs us in.

Sure enough, it does! However, it does not look like a normal WordPress exploit. Let's look at that plugin that was being used.

Reading the txt file, we can see that we can upload a PHP reverse shell, but where? There is a tab called Slideshow on the left; when clicking on that we get the following. You may not have "test" there just yet; that is my reverse shell that I already uploaded.

Now we can use the pentest monkey reverse shell, which is also on Kali under web shells, or just do a locate php-reverse and you will see it. Remember to change the IP address and port if needed:

Now upload that under a new slide:

Make sure you start up a listener, then click on Test and you should get a reverse shell!

Now that we know WordPress is up and running, we can take a look at its config file to see if there are plaintext creds for MySQL inside it:

Alright, we have some plaintext creds. We can use those to log in to MySQL and hopefully pull some more passwords:

Yes, we have a hash. We can throw that into john and see if he can crack it:

John does crack it. Now we need to find a username that may go with this password. Right now we have the database username; however, that may not be the same as the login name for a machine. To do this we can cat /etc/passwd on the box and see if there are some names we can use:

Looks like we have a stinky and also an mrderp. Let's change users:

As seen, we are now stinky; we can start to take a look around his home directory:

We find a strange pcap file in Documents; we need to get that back to ourselves. This is really however you want to do it; there are both python and python3 on the system, so you can just spin up a web server and download it back to your own machine.

Now we can take a look at the Wireshark file, and in TCP stream 37 we can see the following:

Make sure you copy and paste the password, and then you can try to log in as mrderp on the box:

Awesome, we are now in as mrderp. Let's do the same thing as before with a sudo -l.

Looks like if we make a directory called binaries and put whatever we want in there, we can end up running it as root. Let's try that out:
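The last step works because a sudoers rule points at a command path inside the user's own home directory, so whatever the user drops there runs as root. As an added example that is not part of the original post, here is a small audit that flags such rules; the sudoers fragment below is constructed, since the box's real rule is only visible in the author's screenshot.

```python
"""Flag sudoers command specs that a non-root user can control.

Added example, not from the original walkthrough. SAMPLE is a constructed
sudoers fragment; the real rule on the box is not reproduced here.
"""
import re
from typing import List, Tuple

# Directories a normal user can write to: a rule pointing here lets the user
# replace the binary that sudo will run as root.
WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")
GLOB_CHARS = set("*?[")

SAMPLE = """\
# constructed sudoers fragment for the audit, not the box's real file
Defaults env_reset
%admin  ALL=(ALL) ALL
stinky  ALL=(root) NOPASSWD: /usr/bin/apt-get update
stinky  ALL=(root) /home/stinky/backup.sh
mrderp  ALL=(ALL) /home/mrderp/binaries/*
"""


def _commands(spec: str) -> List[str]:
    """Return the command list from the right-hand side of a user spec or Cmnd_Alias."""
    rhs = spec.split("=", 1)[1]
    rhs = re.sub(r"\([^)]*\)", "", rhs)    # drop the (runas) part
    rhs = re.sub(r"\b[A-Z]+:", "", rhs)    # drop tags such as NOPASSWD:, SETENV:
    return [c.strip() for c in rhs.split(",") if c.strip()]


def audit_sudoers(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, command, reason) for every risky command spec in sudoers text."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # strip comments and #include lines
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        if re.match(r"(User|Host|Runas)_Alias", line):
            continue                                 # only command specs matter here
        for cmd in _commands(line):
            path = cmd.split()[0].lstrip("!")        # ignore negation, keep the path
            if path == "ALL":
                findings.append((no, cmd, "grants any command"))
            elif any(ch in GLOB_CHARS for ch in path):
                findings.append((no, cmd, "wildcard in command path"))
            elif path.startswith(WRITABLE_PREFIXES):
                findings.append((no, cmd, "command lives in a user-writable directory"))
    return findings


if __name__ == "__main__":
    for line_no, cmd, reason in audit_sudoers(SAMPLE):
        print(f"line {line_no}: {cmd!r}: {reason}")
```

Run against a real file with sudo -n visudo -c -f /etc/sudoers only to validate syntax; the audit itself just needs the file contents.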

Looks like we are root. Thanks for following the walkthrough.

Known on Twitch and YouTube as OvergrownCarrot1 or OGC