DerpNStink VulnHub — Walkthrough

DerpNStink is a web-based vulnerable machine. The best thing about this machine is that exploiting its vulnerabilities involves several different techniques, and you have to make your way through them.

You can download this machine from: https://www.vulnhub.com/entry/derpnstink-1,221/

  • Boot the machine
  • Find the IP of your machine via nmap or netdiscover

Once we have the IP address, the next step I always perform is an Nmap scan. It can be any Nmap scan, as the machine is deployed on your local network.

The following services are running:

  • SSH
  • FTP
  • Web server

Let's go and check the website running on port 80.

This is the web page up and running on port 80, and there is nothing special here. Let's take a look at the source code of this page.

Yes! On checking the source code we found the first flag. (It's easy.)

Let's check robots.txt.

On checking the temporary directory, it simply says “try harder!”, which means we need to try harder.

On checking the php directory, it is simply forbidden and we don't have permission to see what's inside.

Let's find out if there are any hidden directories (gobuster, dirb, etc. will help).

Entering the weblog directory (which I got from the dirb results) redirects us to derpnstink.local.

So we need to edit our hosts file and retry.

Now we are able to access the WordPress blog. Let’s directly move forward and try to log into the WordPress blog.

Let’s try the admin:admin combination.

That's all. We are inside the admin panel. As this is WordPress, let's run WPScan to look for any vulnerabilities and also the usernames available for this blog.

WPScan result:

Slideshow Gallery is vulnerable to arbitrary file upload,

and WPScan reveals one more user, unclestinky.

So now we have to upload a PHP backdoor to get a shell.

If you don't know how to do so, follow this: https://www.youtube.com/watch?v=FuVr9YaUrbE

So now I have a shell.

  • cat /etc/passwd (reveals 2 users):
  • mrderp
  • stinky

We know that a WordPress website is up and running. Let's grab the database credentials.

So the username is “root” and the password is “mysql”.

We found the /php directory in robots.txt, so it means phpMyAdmin is running under the php directory.

Let's log in using root:mysql.

Viewing the wp_users table, we see the hashes for the user unclestinky.

unclestinky seems to have two potential passwords: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 and $P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1

Using john and rockyou.txt, we determine the password is wedgie57.

Let's try to SSH in as stinky.

Oops.

Wasn't there an authentication-enabled FTP service?

The same creds work for FTP:

Stinky:wedgie57

The following text from files/network-logs/derpissues.txt provides some context for the pcap file.

We also find the private key for stinky.

Under documents is the pcap file mentioned in derpissues.txt.

We find the following creds in the pcap file.

mrderp

derpderpderpderpderpderpderp

Let's SSH with these.

No key is required for mrderp, and we are in.

More digging around and we find the following:

The pastebin points us to:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

Which is the same as our sudo privileges.

Based on this entry, let's create a program which we can run as root. We created a binaries directory and then compiled “suid.c” to “derpy”, which gave us a program that provides a root shell.

NOW WE ARE ROOT
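
From the defender's side, the sudoers entry above is the root cause: the permitted command path sits inside mrderp's own home directory and ends in a wildcard. The audit below flags that pattern; it is an added example, not part of the original walkthrough. The backup and deploy rules, the function name audit and the /home/<user> layout are assumptions made for illustration.

```python
import re

# Constructed sample. The mrderp rule is the one quoted in the walkthrough;
# the backup and deploy rules are made up for contrast.
SAMPLE_SUDOERS = """\
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
backup ALL=(root) NOPASSWD: /usr/bin/rsync
deploy ALL=(ALL) /opt/tools/*.sh, /usr/sbin/service nginx reload
"""

# user host = (runas) commands; plain user rules only (no %groups or aliases)
RULE = re.compile(
    r"^(?P<user>[A-Za-z_][\w.-]*)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # e.g. NOPASSWD:


def audit(text, home_root="/home"):
    """Return (user, path, reasons) for rules with a user-controlled or wildcarded path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        user = m.group("user")
        for cmd in m.group("cmds").split(","):
            cmd = TAGS.sub("", cmd.strip())
            if not cmd.startswith("/"):
                continue  # ALL, aliases and similar are out of scope here
            path = cmd.split()[0]
            reasons = []
            # Assumption: home directories live at <home_root>/<user>.
            if path.startswith(f"{home_root}/{user}/"):
                reasons.append("path is inside the user's own home directory")
            if any(c in path for c in "*?["):
                reasons.append("wildcard in command path")
            if reasons:
                findings.append((user, path, reasons))
    return findings


if __name__ == "__main__":
    for user, path, reasons in audit(SAMPLE_SUDOERS):
        print(f"{user}: {path} -> {'; '.join(reasons)}")
```

On a live host the same review should also confirm that neither the permitted binary nor any of its parent directories is writable by the user the rule is granted to.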

Happy Hacking…
