Thursday, February 3, 2022

DerpNStink

 DERP_N_STINK_1

- Layout for this exercise:




1 - INTRODUCTION

 The goal of this exercise is to develop a hacking process (discovering 4 flags) for the vulnerable machine DerpNStink, from the VulnHub pentesting platform.


DerpNStink can be downloaded from here:

https://www.vulnhub.com/entry/derpnstink-1,221/

- Once downloaded  DerpNStink and extracted with VirtualBox:




2 - ENUMERATION

- netdiscover identifies DerpNStink's IP 192.168.1.32:






- Scanning with Nmap:










- Scanning deeper port 80 we discover robots.txt and directories /php, /temporary:












- Going to the browser:




















- dirbusting the web server we also discover directory /weblog, what according to its content seems to be a Wordpress webpage:




- Reading robots.txt:








- Acess to /php is denied:











- Nothing interesting at /temporary:








- Editing /etc/hosts:






- Now we can view-source the webpage and discover FLAG_1:


















- Browsing /weblog:
















- The bottom part confirms that it is powered by Wordpress:




















- So let's use Wpscan to scan the Wordpress webpage, searching for users and plugins, and discovering user admin and plugin slideshow-gallery:








- Trying admin:admin the login is successful:





























3 - EXPLOITATION

- Copying locally php-reverse-shell.php, renaming it to myshell.php and adapting to our needs:








- Setting a listener session:





- Now, let's upload myshell.php to Slideshow gallery:























- Once we are sure that the upload has been successful let's Save Slide:










- As a consequence a remote shell is triggered:










- It seems to be two users mrderp and stinky:










- Going to /weblog:



- Reading wp-config.php we discover database credentials root:mysql:








- Entering the database:





- Showing databases:





- Using database wordpress and looking for tables inside it:




- Selecting all from table wp_users:





- Let's focus our attention on these encrypted credentials:







- Creating file text p:



- Identifying what type of encryption is used:















- Applying John The Ripper and wordlist rockyou.txt we discover password wedgie57:









- Using these password wedgie75 for user unclestinky:





















- The FLAG_2 is available:


















- Access to SSH for user unclestinky is denied:










- By the way, at this moment of the process let's improve the shell :






- Switching to user stinky with password wedgie75 is allowed:








- Checking home folder for user stinky:










- There is a public key available:









- Inside Desktop we can read FLAG_3:









- Inside Documents there is a .pcap file:









- Transferring the .pcap file to Kali:

















- Opening with wireshark:




























- Follow the TCP stream we discover credentials mrderp:derpderpderpderpderpderpderp:








4 - PRIVILEGE ESCALATION

- SSH-ing for user mrderp:


























- Checking for mrderp's sudoer privileges:








- However when going to /home/mrderp the surprise is that /binaries/derpy* does not exist:
















- Creating folder /binaries and script derpy1.sh, passing to it "bin/bash'', and giving execution permissions:







- Executing derpy1.sh with sudo we get a root shell:





- Reading FLAG_4:














at