DerpNStink: 1

Overall Summary

DerpNStink is a Vulnhub machine that can be exploited by first discovering a WordPress site that has a vulnerable plugin called “Slideshow” which allows arbitrary file upload. Privilege escalation consists of becoming two different users, first through credentials found in MySQL and then by reading a pcap file with tcpdump, and finally checking for sudo permissions. This post doesn’t go through the gathering of the flags mentioned by the author.

Scanning and Enumeration

A full nmap scan shows three open ports: FTP, SSH, and HTTP.

When I browse the HTTP service a picture is displayed with no other links to other pages.

To find out about other directories and files I used gobuster with a dirbuster wordlist. This is the output returned by gobuster:

An NSE script also revealed a directory called /temporary, but browsing to it only displays the message “Try Harder”. Using the gobuster output I browsed to the /weblog directory, and it seems the site was trying to load it by hostname instead of by IP address.

With this information I edited my hosts file to include that hostname with the IP address.

Refreshing the page now displays what seems to be a WordPress site, as stated at the very bottom of the page (not seen in the screenshot).

Running gobuster against this new directory finds the common directories for a WordPress site including the login page.

So now I have a login page but no credentials at all. To keep enumerating I ran wpscan to gather as much information as possible, and I was able to find a username that is not the default admin user.

Trying some common credentials, I was able to log in with the admin account and the password “admin”, but this user doesn’t seem able to do much as it has limited options available.

The only interesting option available is the Slideshow plugin, which wpscan was also able to enumerate with version 1.4.6.

Exploitation

Slideshow version 1.4.6 has an arbitrary file upload vulnerability, and here is the PoC exploit:

https://www.exploit-db.com/exploits/34514

Basically, to upload a file I need to send a POST request to “/wp-admin/admin.php?page=slideshow”. To exploit this vulnerability I will use Burp to craft the POST: I first open Burp to intercept traffic, then go to the Slideshow plugin option and click on “Add New”, and without filling in any information I click on Save Slide so that Burp intercepts that POST request. This is what the POST request looks like:

According to the PoC, by scrolling down I see a field called file, and that’s where I will include a PHP reverse shell: I first set the file name to “php-reverse-shell.php” and then paste in the PHP reverse shell. This is where the PHP code goes:

I then sent the request and received a 200 response from the server, which was good news.

To get a reverse shell and access the PHP file I first set up my netcat listener on port 443 and browsed to the following address to execute the reverse shell.
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/php-reverse-shell.php
I was able to successfully get a reverse shell as www-data.

Post-Exploitation

While checking for permissions and files I noticed a folder named “support” which was owned by another user, and inside this folder there is a troubleshooting.txt file.

Reading this file, I see that the user may be able to run commands with sudo, which would allow me to gain root access on the machine. The pastebin link, when opened, reveals that the user may use sudo for anything matching the following structure:

/home/mrderp/binaries/derpy*

I might need to become mrderp to get root privileges, so I’ll keep looking for information within the system. In the web directory, inside the weblog folder, there is a PHP file named wp-config.php which contains credentials to access MySQL: the user “root” and the password “MySQL”.

With those credentials I was able to access MySQL; this is the command I used to connect:
mysql -u root -p

By listing the databases, selecting the WordPress database and displaying its tables, I found a table named wp_users.

Listing the contents of the wp_users table displays a hash for the “unclestinky” WordPress account, and I thought that the same password could have been used by one of the users on the machine.

I copied the hash for the “unclestinky” user into a file and used John the Ripper to try to crack the password. After a few minutes, John the Ripper successfully returned a password.

With this password I attempted to become the mrderp user with no success, but was able to become the “stinky” user.

Now that I have become the “stinky” user I go to his home directory. There are four folders in the home directory, and by going to the FTP folder inside the files folder, there is a “network-logs” directory containing a text file named “derpissues.txt”, which has a conversation that talks about a password and a sniffer.

I’ll keep this information in mind and keep looking around. Inside the same FTP folder there is also a folder named “ssh”, and inside it there are multiple nested folders with the same name; browsing through all of them eventually led to a text file that contains a private RSA key for SSH.

I’ll connect to the FTP service as the user “stinky” and download this file to my attacking machine. I had already tried to SSH in with the password obtained, with no success, so the private key might allow me to. I saved the file with the name id_rsa, changed its permissions to “600” with chmod, and successfully SSHed in as the “stinky” user.

At this point I still haven’t checked all the folders in the home directory. In the Documents folder there is a file named “derpissues.pcap”, which seems relevant to the earlier information about a password that could have been sniffed. The machine has tcpdump installed so I’ll use this tool to view the contents of the file, but the file is too big to look through without missing anything, so let’s narrow this down a bit. Just like Wireshark (which I could also have used), tcpdump can apply filters. To read all the contents of the pcap file we can use the following command:

tcpdump -r derpissues.pcap

From the text file I found earlier I know that “mrderp” is trying to access his WordPress account, and the password he uses there could be the same one used for this user on the machine. Since he is trying to log in with his password, I need to filter the output for POST requests; the following tcpdump command applies this filter.

tcpdump -r derpissues.pcap -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'

The hexadecimal value 0x504F5354 translates to “POST”: the expression reads the TCP data offset from byte 12 of the header to find where the payload starts, then compares the first four payload bytes against it. If I scroll down almost to the end of the output, there is a text string that seems to be the password.
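The following is an added example, not code from the original post, showing in Python exactly what the tcpdump expression above computes and why it is written with a data-offset lookup instead of a fixed index. The TCP segments and the HTTP login request are constructed inline (with a placeholder password, not the value from the machine); no pcap file is read. The same logic is what a defender would run over captured traffic to confirm that login forms are crossing the wire unencrypted.

```python
import struct
from urllib.parse import parse_qsl

# Constructed sample data (not from the original post): raw TCP segments with an
# HTTP payload, used to mirror the tcpdump filter
#   tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354
# which locates the start of the TCP payload regardless of header length.

POST_MAGIC = 0x504F5354  # the ASCII bytes "POST" read as a big-endian 32-bit integer


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Build a TCP header (+ optional options) followed by payload.

    Only the fields the filter cares about are meaningful; ports, sequence
    numbers and checksum are filler. Options are padded to a 4-byte boundary
    so the data-offset field stays valid.
    """
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    data_offset_words = (20 + len(options)) // 4   # header length in 32-bit words
    offset_byte = (data_offset_words << 4) & 0xF0   # upper nibble of header byte 12
    header = struct.pack(
        "!HHIIBBHHH",
        40000, 80,      # source port, destination port
        1, 1,           # sequence and acknowledgement numbers
        offset_byte,    # data offset (upper 4 bits) + reserved bits
        0x18,           # flags: PSH+ACK
        65535, 0, 0,    # window, checksum (left unset), urgent pointer
    )
    return header + options + payload


def tcp_payload_offset(segment: bytes) -> int:
    """Mirror of tcpdump's ((tcp[12:1] & 0xf0) >> 2).

    The data-offset field counts 32-bit words in the top 4 bits of byte 12.
    Shifting right by 4 would give words; shifting by only 2 multiplies that
    by 4, giving the header length in bytes directly.
    """
    return (segment[12] & 0xF0) >> 2


def matches_post_filter(segment: bytes) -> bool:
    """Mirror of tcp[<offset>:4] = 0x504F5354: first 4 payload bytes are 'POST'."""
    if len(segment) < 20:
        return False
    start = tcp_payload_offset(segment)
    if len(segment) < start + 4:
        return False
    return struct.unpack("!I", segment[start:start + 4])[0] == POST_MAGIC


def cleartext_login_fields(segment: bytes) -> dict:
    """Return the form fields of a matching POST body; {} for anything else.

    This is the detection side of the filter: which field names (and values)
    travelled in the clear, which is what a defender would alert on.
    """
    if not matches_post_filter(segment):
        return {}
    payload = segment[tcp_payload_offset(segment):]
    _head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return {}
    return dict(parse_qsl(body.decode("ascii", "replace")))


# Constructed sample traffic with a placeholder password (not the machine's value).
LOGIN_POST = (
    b"POST /weblog/wp-login.php HTTP/1.1\r\n"
    b"Host: derpnstink.local\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"log=mrderp&pwd=PLACEHOLDER_PASSWORD&wp-submit=Log+In"
)
PAGE_GET = b"GET /weblog/ HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n"

# The same request with a bare 20-byte header and with a timestamp option
# (kind 8, length 10, padded to 12 bytes), so the data offset differs.
SEGMENT_PLAIN = build_tcp_segment(LOGIN_POST)
SEGMENT_WITH_OPTIONS = build_tcp_segment(LOGIN_POST, options=b"\x08\x0a" + b"\x00" * 8)
SEGMENT_GET = build_tcp_segment(PAGE_GET)

if __name__ == "__main__":
    for name, seg in [("plain", SEGMENT_PLAIN), ("options", SEGMENT_WITH_OPTIONS), ("get", SEGMENT_GET)]:
        print(name, tcp_payload_offset(seg), matches_post_filter(seg), cleartext_login_fields(seg))
```

The segment with TCP options is the reason the filter computes the offset: a fixed tcp[20:4] would miss any POST sent over a connection negotiating timestamps or SACK, while the data-offset lookup finds the payload at byte 32 in that case.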

Using this password I was able to use the “su” command to become the mrderp user.

From the information gathered earlier I know that this user can use sudo with “/home/mrderp/binaries/derpy*”. Browsing to the user’s home directory doesn’t show any folder named “binaries”, which makes things easier: I simply create a folder with that name and a bash script named derpy.sh that executes a bash shell. With those steps I was able to become root.
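As an added example from the defender’s side (not code from the original post or the machine), here is a small Python audit of sudoers grants that flags the two properties that made the rule above a straight path to root: a wildcard in the command path, and a path under the user’s own writable home directory. The sudoers content is constructed for the example, with the mrderp line following the structure quoted from the pastebin link; the user’s home is assumed to be /home/<user>, and grant_matches only approximates sudo’s fnmatch(3)-style matching. A hardened version of the same grant, pinned to a fixed root-owned path, is included so the check can show the difference.

```python
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sudoers content (not copied from the machine). The mrderp line
# follows the structure the post quotes: /home/mrderp/binaries/derpy*
WEAK_SUDOERS = """\
# hypothetical sudoers file
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
backup      ALL=(root) NOPASSWD: /usr/bin/rsync
mrderp      ALL=(ALL) /home/mrderp/binaries/derpy*
www-data    ALL=(root) /usr/sbin/service apache2 restart
"""

# The same grant pinned to a fixed binary outside the user's home (hypothetical path).
HARDENED_SUDOERS = """\
mrderp      ALL=(ALL) /usr/local/bin/derpy
"""

# user host=(runas) [TAG: ...] command[, command ...]
USER_SPEC = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")     # NOPASSWD:, SETENV: and friends
GLOB_CHARS = re.compile(r"[*?\[]")


@dataclass
class Finding:
    user: str
    command: str
    reasons: list = field(default_factory=list)


def parse_user_specs(text):
    """Yield (user, command) pairs from simple user-specification lines.

    Aliases, line continuations and Defaults entries are skipped; this is an
    audit helper, not a full sudoers parser.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        spec = TAGS.sub("", m.group("spec"))
        for cmd in spec.split(","):
            yield m.group("user"), cmd.strip()


def assess(user, command, home_dir=None):
    """Return a Finding if the grant is risky, else None.

    Assumption: the user's home is /home/<user> unless home_dir is given.
    A live check would also verify that the path exists and is root-owned.
    """
    home_dir = home_dir or f"/home/{user}"
    path = command.split()[0]
    reasons = []
    if GLOB_CHARS.search(path):
        reasons.append("wildcard in command path: the user decides what the pattern expands to")
    if path.startswith(home_dir.rstrip("/") + "/"):
        reasons.append("command lives under the user's own home directory, which the user can write to")
    return Finding(user, command, reasons) if reasons else None


def audit(text):
    """Run assess() over every grant in the sudoers text and collect findings."""
    findings = []
    for user, cmd in parse_user_specs(text):
        f = assess(user, cmd)
        if f:
            findings.append(f)
    return findings


def grant_matches(pattern, candidate):
    """Approximate sudo's fnmatch(3)-style matching of a single command path."""
    return fnmatch.fnmatchcase(candidate, pattern)


if __name__ == "__main__":
    for f in audit(WEAK_SUDOERS):
        print(f.user, f.command)
        for r in f.reasons:
            print("  -", r)
    print("hardened findings:", audit(HARDENED_SUDOERS))
```

Either reason on its own is enough to warrant a change; together they mean the user fully controls which file runs as root. The fix is the one the hardened line shows: an absolute path to a specific root-owned file outside any directory the user can write, with no glob.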
