DerpNStink

Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…

URL: DerpNStink

Difficulty: Beginner

Author: Bryan Smith

Enumeration

Set up the machine with a host-only adapter and run netdiscover to find its IP address. My interface eth1 is the host-only adapter on my main OS (Kali Linux).

netdiscover -i eth1

The IP 192.168.56.103 has been found, so we will run a full port scan against it (-oN writes the normal-format output to a file named "nmap"):

nmap -sS -A -p- -oN nmap 192.168.56.103


The first open port is FTP (21). Sometimes the server allows an anonymous login with no password needed.

ftp 192.168.56.103
Anonymous


This was not possible so I will move onto enumerating the next port.

Port 80 is open, so have a look in a browser. This is what the web page looks like:


Nothing obvious sticks out so look at the source code.


There is an interesting link worth checking in one of the <script> tags, as shown below: a link to /webnotes/info.txt. Go to that path.


There is a message to “stinky” (a possible user) to update the local hosts file with a local DNS so the blog website can be accessed. There was no blog seen initially so let’s go ahead and update our host file on our local machine. Before this, I want to just double-check what else we can find at /webnotes. This is a snippet of what is found:


A username [email protected] is mentioned. This is worth noting. There was also a mention of a robots.txt file in the nmap scan so let’s have a look at that as well:


Paths /php and /temporary are listed in this. Let’s check them out:


This seems to be a rabbit hole. Nothing to see here. Now let's continue with updating our hosts file.

A hosts file is a plain text file that all operating systems use to translate hostnames into IP addresses. You can read more about this here.

Edit the /etc/hosts file with gedit or nano.

nano /etc/hosts

Add a line mapping the machine's IP address to the hostname from the note.

192.168.56.103 derpnstink.local

This should now be accessible. You can visit the webpage and enumerate this further.

Use dirb (Web Content Scanner) to find more paths to this website to hopefully find the blog the users have been talking about.

dirb http://derpnstink.local/


Visit the link and there is a blog. According to the dirb results, there seems to be WordPress running. This is a snippet of my results:


WordPress is one of the most popular website-building tools, which makes it a frequent target for attackers. Let's use the popular WordPress vulnerability scanner WPScan. Here is a link to their website.

Kali Linux should already have this installed so I will be executing the following command:

wpscan --url http://derpnstink.local/weblog/ -e u,vp,vt

-e refers to the enumeration option. u,vp and vt mean the scan will be looking for users, vulnerable plugins and vulnerable themes.


Some users have evidently been found: unclestinky and admin.

All the exploits given by WPScan seem to be authenticated which is not yet possible so we will look for a way to gain user access.

I will try bruteforcing since WPScan has an option for bruting passwords. This is the command:

wpscan --url http://derpnstink.local/weblog/ --passwords /usr/share/wordlists/rockyou.txt --username { user } 

I have used the --passwords option to start a brute-forcing session. I have given a path to a password list and will provide a username after the --username parameter. I first tried unclestinky, then admin.

After some time there were no results. I tried the default admin credentials which gave a successful login. For some reason, the rockyou.txt file didn’t contain “admin”.


Now that we have authenticated access, we can use an exploit given in the WPScan results. This exploit is ideal.


No need to use the exploit code itself. Just create a .php payload to upload through the vulnerable slideshow plugin. There is a premade .php backdoor under the webshells directory on Kali Linux.


I copied this in my current directory with the following command:

locate webshells
cp /usr/share/webshells/php/php-reverse-shell.php .

Edit the payload accordingly. Add your local IP address and a port you will be listening on.

nano php-reverse-shell.php


This is ready to upload to the slideshow plugin on Wordpress. Go to the WP web interface > slideshow and add your slide show.

Add in some information into the fields and upload your payload under “Choose Image”. Save the changes.


Before executing the payload, we need to listen on the chosen port. Set up a netcat session and listen on your specified port.

nc -nvlp 4444

Everything should be ready. Simply click on the slideshow you have just created to execute the payload. You can do this from the main “slideshow” page.


We have a reverse shell!

id
pwd

We have a reverse shell with “www-data”. Upgrade the shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

In order to see other users on this system, we can have a look at /etc/passwd or simply look at the home directories in /home.

cd /home


There are 2 users, mrderp and stinky. Looking into stinky’s home directory, we find a Pastebin link: https://pastebin.com/RzK9WfGw

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

These are the sudo privileges that mrderp has. We need to get access to his account to exploit this.

If you are not familiar with WordPress, the database credentials are kept in plaintext in a WordPress configuration file named wp-config.php. Search for this file and look at its contents using cat.

locate wp-config.php
cat /path/to/wp-config.php

A look at this file gives us some credentials.


These credentials are for the database. Let’s try these out. Go to /php/phpmyadmin.


The login is successful.


Earlier on when we scanned the Wordpress website, there was another user account. Let’s go to the Wordpress database and change the password to something we know so we can log into that account.

Go to wordpress > wp_users

As we know the password for the admin account, copy and paste the hash into unclestinky’s password field.


Now login into stinky’s account and see if we can find any more information.


There isn’t much to see here except for another flag under the posts section:


Let's move on to other credentials. We are done with WordPress. Going back to phpMyAdmin, go to mysql > user for some password hashes. We can crack some of these ourselves with John or just look them up.


I have used this website to try and find a password for unclestinky / [email protected]:

Crack Station


*9B776AFB479B31E8047026F1185E952DD1E530CB : wedgie57

The password wedgie57 has been found. Let’s attempt to change the user to stinky with su using the password we found.

su stinky


There is another flag in the Desktop directory of stinky.

cd stinky/Desktop
ls -la
cat flag.txt


Under the ftp/files/network-logs directory, there is a snapshot of a conversation between mrderp and stinky. There is a mention of a packet capture which is important as there may be a password in plaintext in there.


There is also an ssh directory under ftp. If you keep going into the ssh directories, there is a .txt file named key. This is an RSA private key. Read more about it here. It is used as the 'key' when authenticating to a server via ssh.


In order to ssh with a private key, copy this key over to your local machine.

nano ssh
-paste key-
Ctrl+X, y, Enter.


Before using this as a key, change the permissions by executing the following command:

chmod 700 ssh

You can read more about chmod and file permissions here.

ssh -i ssh stinky@derpnstink.local

The above command connects to the host derpnstink.local as user stinky. The '-i ssh' parameter indicates the key file to be used. If your key file has a different name, replace '-i ssh' with '-i {file name}'.


A successful login. The ssh session is easier to work with.

Now, in the Documents directory there is a pcap file. Let's analyse this. A .pcap file is a file that has some network traffic recorded. Read more about this here. A popular tool to analyse pcap files is Wireshark.

However, I will be just analysing the strings in this file. ‘Strings’ prints the strings of printable characters in files. Read more about strings here. Hopefully, we can get some sort of password in plaintext from the .pcap file.

strings derpissues.pcap

Returns this:


There are far too many strings to go through. Although we could output them to a file and analyse further, let's try grepping the results. In this case, I will use 'grep "pass"' to see if there is a password field captured in the network traffic. Read more about grep here.

strings derpissues.pcap | grep "pass"

The above command essentially finds all the strings in the .pcap file and only prints when there is a “pass” in the string. Here is the result:


As you can see, the second instance of “pass” looks good.

derpderpderpderpderpderpderp

To test out this password, change user to mrderp and use that password.

su mrderp
id


A successful login.
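The strings/grep pipeline above works because the capture contains a login submitted over cleartext HTTP. As an added example (not part of the original write-up), here is the same check done with a small libpcap parser, so that each hit is tied to a frame number and timestamp instead of a bare string. The sample capture is constructed inline with placeholder credentials, and the field names it looks for (pwd=, password=, the FTP PASS verb) are my own assumption about what cleartext credentials look like on the wire.

```python
import re
import struct

# Field names that commonly carry a cleartext secret: HTTP form parameters
# (pwd= is what wp-login.php uses) and the FTP PASS verb. Constructed for
# this example; extend the alternation for other protocols.
CRED_RE = re.compile(rb"(?i)\b(pass(?:word|wd)?|pwd)(?:\s*[=:]\s*|\s+)([^&\r\n ]+)")


def iter_packets(data: bytes):
    """Walk a libpcap file and yield (frame_no, ts_sec, ts_frac, record_bytes).

    Both byte orders and both magic numbers (microsecond 0xA1B2C3D4 and
    nanosecond 0xA1B23C4D) are accepted; a record cut off mid-way raises
    ValueError instead of being silently skipped.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):
        endian = ">"
    else:
        raise ValueError(f"not a libpcap file (magic {magic:#010x})")
    rec_hdr = struct.Struct(endian + "IIII")  # ts_sec, ts_frac, incl_len, orig_len
    offset, frame_no = 24, 0
    while offset < len(data):
        if offset + rec_hdr.size > len(data):
            raise ValueError(f"truncated record header at offset {offset}")
        ts_sec, ts_frac, incl_len, _orig_len = rec_hdr.unpack_from(data, offset)
        offset += rec_hdr.size
        if offset + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {offset}")
        frame_no += 1
        yield frame_no, ts_sec, ts_frac, data[offset:offset + incl_len]
        offset += incl_len


def find_cleartext_credentials(data: bytes):
    """Return one dict per credential-looking field found in any packet."""
    hits = []
    for frame_no, ts_sec, ts_frac, record in iter_packets(data):
        # The whole record (link/IP/TCP headers included) is scanned, so the
        # check works on any encapsulation, just as `strings` does.
        for m in CRED_RE.finditer(record):
            hits.append({
                "packet": frame_no,
                "ts": f"{ts_sec}.{ts_frac:06d}",
                "field": m.group(1).decode("latin-1"),
                "value": m.group(2).decode("latin-1", "replace"),
            })
    return hits


def build_pcap(payloads, endian="<", linktype=1):
    """Assemble a pcap from raw record payloads (constructed test data only)."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for i, payload in enumerate(payloads):
        out += struct.pack(endian + "IIII", 1588900000 + i, 0, len(payload), len(payload))
        out += payload
    return out


# Constructed records: a WordPress login POST and an FTP login, plus noise.
# Real captures prefix each payload with Ethernet/IP/TCP headers; they are
# omitted here because the scanner does not depend on them.
SAMPLE_PACKETS = [
    b"GET /weblog/wp-login.php HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n",
    b"POST /weblog/wp-login.php HTTP/1.1\r\nHost: derpnstink.local\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"log=mrderp&pwd=EXAMPLE-cleartext-pw&wp-submit=Log+In",
    b"USER ftpuser\r\n",
    b"PASS example-ftp-secret\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    for hit in find_cleartext_credentials(build_pcap(SAMPLE_PACKETS)):
        print(f"frame {hit['packet']} @ {hit['ts']}: {hit['field']}={hit['value']}")
```

Run it against a real file with find_cleartext_credentials(open("derpissues.pcap", "rb").read()); any hit is a login that went over the network unencrypted, which is the defect the write-up exploits and the reason the blog should be served over HTTPS and FTP replaced by SFTP.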

Privilege Escalation

Now we have access to a user where we can start exploiting the sudo rights as mentioned before. A look at derp’s documents reveals an email he has saved which outlines a problem with a sudo file.


This could be referring to that Pastebin we saw earlier. Check the sudo rights of derp:


sudo -l

mrderp is allowed to run, via sudo, anything matching the path /home/mrderp/binaries/derpy*. As you can see in the screenshot, cd didn't work because that directory does not exist yet, so to exploit the sudo rights, let's create a directory called binaries in /home/mrderp:

mkdir binaries
cd binaries

In this case, anything named derpy* (where * means any) has sudo rights.

echo "/bin/bash" > derpy.sh

The above command writes "/bin/bash" into a file called derpy.sh. Because the name matches derpy*, running it through sudo will spawn a root shell. To execute this file, it must be made executable.

chmod +x derpy.sh


Now execute the file:

sudo ./derpy.sh
id


The id command shows we are root. The flag will be located in /root.
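The root cause of this escalation is the sudoers rule itself: a wildcard in the command path, pointing into a directory the user owns (and which did not even exist yet). As an added example of the defensive side (not the write-up's own code), here is a small audit that flags rules with those properties. The regex covers only the one-line user-specification form seen on this box, the home-directory check assumes the conventional /home/<user> layout, and the sample sudoers text is constructed.

```python
import os
import re

# One-line sudoers user specification (constructed regex; it covers the
# rule on this box, not the full sudoers grammar):
#   user  host = (runas)  [TAG:]... command [args][, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_rule(line):
    """Parse one sudoers line; return None for comments, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line)
    if not m:
        return None
    commands = []
    for spec in m.group("cmds").split(","):
        spec, tags = spec.strip(), []
        while (t := TAG_RE.match(spec)):      # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            spec = spec[t.end():]
        commands.append({"tags": tags, "cmd": spec})
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas"), "commands": commands}


def audit_rule(rule, path_exists=os.path.exists):
    """Return (command, reason) findings for one parsed rule.

    path_exists is injectable so the check can run against a rule copied
    from another host (or, as in the sample below, a pretend filesystem).
    """
    findings = []
    home = f"/home/{rule['user']}/"   # assumption: conventional home layout
    for c in rule["commands"]:
        cmd = c["cmd"]
        prog = cmd.split()[0] if cmd.strip() else cmd
        if "NOPASSWD" in c["tags"]:
            findings.append((cmd, "NOPASSWD: runs without a password prompt"))
        if prog == "ALL":
            findings.append((cmd, "ALL: any command may be run as the runas user"))
            continue
        if any(ch in prog for ch in "*?["):
            findings.append((cmd, "wildcard in command path: sudo matches it with "
                                  "fnmatch, so any file the user can create under a "
                                  "matching name runs with the rule's privileges"))
        if prog.startswith(home):
            findings.append((cmd, "command lives under the user's own home directory, "
                                  "which that user can write to"))
        if not path_exists(os.path.dirname(prog)):
            findings.append((cmd, "command's directory does not exist: whoever can "
                                  "create it decides what the rule runs"))
    return findings


def audit_sudoers(text, path_exists=os.path.exists):
    """Audit every rule in sudoers-format text; returns (user, cmd, reason) tuples."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            out.extend((rule["user"], cmd, why)
                       for cmd, why in audit_rule(rule, path_exists))
    return out


# Constructed sudoers fragment: the rule from this box plus a sane one.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
stinky  ALL=(root) /usr/bin/systemctl restart apache2
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
"""

if __name__ == "__main__":
    # Pretend /home/mrderp/binaries has not been created yet, as on the box.
    fake_fs = lambda p: p.startswith("/usr/") or p == "/"
    for user, cmd, why in audit_sudoers(SAMPLE_SUDOERS, fake_fs):
        print(f"{user}: {cmd}\n    -> {why}")
```

On a real host, feed it the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` and the default os.path.exists; the fix for a flagged rule is an absolute path to a single root-owned, non-writable binary with no glob characters.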

Written on May 8, 2020