DerpNStink is a web-based vulnerable machine. The best thing about this machine is that several different techniques are involved in exploiting its vulnerabilities, and you have to make your way through them.
You can Download this machine from: https://www.vulnhub.com/entry/derpnstink-1,221/
Once we have the IP address, the next step I always perform is an Nmap scan. Any Nmap scan will do, as the machine is deployed on your local network.
Let's go and check the website running on port 80.
This is the web page up and running on port 80, and there is nothing special here. Let's take a look at the source code of this page.
Yes! On checking the source code we have found the first flag. (It's easy.)
Let's check robots.txt.
On checking the temporary directory, it simply says “try harder!”, which means we need to try harder.
The php directory is simply forbidden; we don't have permission to see what's inside.
Let's find out whether there are any hidden directories (gobuster, dirb, etc. will help).
When entering the weblog directory, it redirects us to derpnstink.local; I got this from the dirb result,
so we need to edit our hosts file and retry.
Now we are able to access the WordPress blog. Let's move straight on and try to log into it.
Let’s try the admin:admin combination.
That's all; we are inside the admin panel. As this is WordPress, let's run WPScan to look for vulnerabilities and also enumerate the usernames on this blog.
Slideshow Gallery is vulnerable to arbitrary file upload,
and WPScan reveals one more user, unclestinky.
So now we have to upload a PHP backdoor to get a shell.
If you don't know how to do so, follow this: https://www.youtube.com/watch?v=FuVr9YaUrbE
So now I have a shell.
We know that the WordPress website is up and running. Let's grab the database credentials.
So the username is “root” and the password is “mysql”.
We saw the /php directory in robots.txt, which suggests phpMyAdmin is running under the php directory.
Let's log in using root:mysql.
Viewing the wp_users table, we see the hashes for the user unclestinky.
unclestinky seems to have two potential password hashes: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 and $P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1
Using john and rockyou.txt, we determine the password is wedgie57.
Let's try to SSH as stinky.
Wasn't there an FTP service with authentication enabled?
The same creds work for FTP.
The following text from files/network-logs/derpissues.txt provides some context for the pcap file.
We also find the private key for stinky.
Under documents is the pcap file mentioned in derpissues.txt.
We find the following creds in the pcap file.
Let's SSH with these.
No key is required for mrderp, and we are in.
More digging around and we find the following:
The pastebin points us to:
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
Which matches our sudo abilities.
Based on this entry, let's create a program which we can run as root. We created a binaries directory and then compiled “suid.c” to “derpy”, which gave us a program that provides a root shell.
NOW WE ARE ROOT
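As an added example (not part of the original writeup), here is a small Python auditor that reads sudoers-style rules and flags the two properties that make the mrderp rule above dangerous from a defender's point of view: a wildcard in the command path, and a command path inside the invoking user's own home directory, where that user can place any file that matches the pattern. The sample sudoers text is constructed for this example; the mrderp rule is the one quoted above, the other rules are made up for contrast, and the assumption that a user's home is /home/<user> is mine.

```python
import re

# Constructed sample sudoers content for this example: the mrderp rule quoted in
# the writeup plus three rules made up here for contrast.
SAMPLE_SUDOERS = """\
# constructed sample; not copied from any real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
alice   ALL=(ALL) /usr/local/bin/report_*
"""

# Matches the common one-line form: user hosts=(runas) [TAG: ...] cmd[, cmd ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
GLOB_CHARS = set("*?[")


def parse_sudoers(text):
    """Return a list of simple rule dicts. Comments, Defaults lines and anything
    the regex does not understand are skipped (assumption: no aliases or
    line continuations in the input)."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "user": m.group("user"),
            "runas": m.group("runas"),
            "tags": m.group("tags").replace(":", "").split(),
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit_rule(rule):
    """Findings for one rule: wildcards in the command path, and command paths
    under the invoking user's own home (assumed here to be /home/<user>)."""
    findings = []
    for cmd in rule["commands"]:
        if cmd == "ALL":
            continue  # unrestricted by design; reviewed separately
        path = cmd.split()[0]  # first token is the command path
        if GLOB_CHARS & set(path):
            findings.append(f"wildcard in command path {path!r}")
        if path.startswith(f"/home/{rule['user']}/"):
            findings.append(
                f"command path {path!r} is under the invoking user's home directory"
            )
    return findings


def audit_sudoers(text):
    """Map user -> list of findings, only for rules that produced findings."""
    report = {}
    for rule in parse_sudoers(text):
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule["user"], []).extend(findings)
    return report


if __name__ == "__main__":
    for user, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        for finding in findings:
            print(f"{user}: {finding}")
```

Run against the sample, the mrderp rule produces both findings and the alice rule produces the wildcard finding; the backup rule is clean because its command is a fixed path in a root-owned directory. Feeding the output of sudo -l or the real /etc/sudoers.d fragments into audit_sudoers is a cheap way to catch this class of misconfiguration before an attacker does.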