Overall Summary
DerpNStink is a Vulnhub machine that can be exploited by first discovering a WordPress site with a vulnerable plugin called “Slideshow” that allows arbitrary file upload. Privilege escalation consists of becoming two different users, first by using MySQL and then by examining a pcap file with tcpdump, and finally checking for sudo permissions. This post doesn’t go through gathering the flags mentioned by the author.
Scanning and Enumeration
A full nmap scan shows three open ports: FTP, SSH, and HTTP.
When I browse the HTTP service, a picture is displayed with no links to other pages.
To find out about other directories and files I used gobuster with a dirbuster wordlist. This is the output returned by gobuster:
An NSE script also revealed a directory called /temporary, but browsing to it only displays the message “Try Harder”. Using the gobuster output I browsed to the /weblog directory, and it seems that the site tries to access it through a hostname instead of the IP address, so that hostname must resolve locally before the page loads.
So now I have a login page but no credentials at all. To keep enumerating I will run wpscan to enumerate as much information as possible; it was able to find a username that is not the default admin user.
By trying some common credentials I was able to log in with the admin account and the password “admin”, but this user doesn’t seem able to do much, as it has limited options available.
The only interesting option available is the Slideshow plugin, which wpscan was also able to enumerate as version 1.4.6.
Exploitation
Slideshow version 1.4.6 has an arbitrary file upload vulnerability, and here is the POC exploit:
https://www.exploit-db.com/exploits/34514
Basically, to upload a file I will be doing a POST request to “/wp-admin/admin.php?page=slideshow”. To exploit this vulnerability I will use Burp to do the POST: I’ll first open Burp to intercept traffic, then go to the Slideshow plugin option and click on “AddNew”, and without filling in any information click on Save Slide so that Burp can intercept that POST request. This is how the POST request should look:
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/php-reverse-shell.php
Post-Exploitation
While checking permissions and files I noticed a folder named “support” owned by another user; inside this folder there is a troubleshooting.txt file.
If I cat this file I see that the user may be able to run commands with sudo, which would allow me to gain root access on the machine. The pastebin link, when opened, reveals that the user may use sudo for anything matching the following structure:
/home/mrderp/binaries/derpy*
I might need to become mrderp to get root privileges, so I’ll keep looking for information on the system. In the web directory inside the weblog folder there is a PHP file named wp-config.php, which contains credentials to access MySQL with the user “root” and the password “MySQL”.
mysql -u root -p
By listing the databases, selecting the WordPress database and displaying its tables, I found a table named wp_users.
Listing the contents of the wp_users table displays a hash for the “unclestinky” WordPress account, and I thought that the password could have been reused by one of the users on the machine.
I copied the hash of the “unclestinky” user into a file and then used John the Ripper to try to crack the password. After a few minutes, John the Ripper successfully returned a password.
Now that I have become the “stinky” user I go to his home directory. There are four folders in the home directory, and by going to the FTP folder inside the files folder, there is a “network-logs” directory containing a text file named “derpissues.txt”, which has a conversation about a password and a sniffer.
At this point I still haven’t checked all the folders in the home directory. In the Documents folder there is a file named “derpissues.pcap”, which seems relevant to the information found before: a password could have been sniffed. The machine has tcpdump installed, so I’ll use this tool to view the contents of the file, but the file is too big to look at everything without missing something, so let’s narrow this down a bit. Just like Wireshark (which I could also have used), tcpdump can apply filters. To read all the contents of the pcap file we can use the following command:
tcpdump -r derpissues.pcap
From the text file I found earlier I know that “mrderp” is trying to access his account on WordPress, and that password could also be the one used for his user on this machine. I also know that he is trying to log in with his password, so I will have to filter the output by POST request; the following tcpdump command applies this filter.
tcpdump -r derpissues.pcap -A 'tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504F5354'
The hexadecimal value translates to “POST”: the filter reads the TCP data offset from byte 12 of the header, jumps past the header to the start of the payload and compares its first four bytes with the ASCII bytes of “POST”. If I scroll down almost to the end of the output there is a text string that seems to be the password.
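To make the filter expression concrete, here is an added example (my own code, not part of the original post) that reimplements the same logic in Python over a constructed pcap: it walks the pcap records, peels Ethernet and IPv4, computes the payload offset exactly as `((tcp[12:1] & 0xf0) >> 2)` does, and keeps the segments whose first four payload bytes equal 0x504F5354. The capture, addresses and request bodies are constructed test data, not the contents of derpissues.pcap, and the sample POST carries TCP options so that the offset arithmetic is actually exercised.

```python
import struct

POST_MAGIC = 0x504F5354  # big-endian integer value of the ASCII bytes b"POST"


def tcp_payload_offset(tcp: bytes) -> int:
    """Mirror of the BPF expression ((tcp[12:1] & 0xf0) >> 2).

    Byte 12 of the TCP header stores the 4-bit data offset in its high
    nibble, measured in 32-bit words. Shifting right by 4 yields words and
    multiplying by 4 yields bytes; a single shift right by 2 does both.
    """
    return (tcp[12] & 0xF0) >> 2


def is_http_post(tcp: bytes) -> bool:
    """Mirror of tcp[<offset>:4] = 0x504F5354 on one TCP segment."""
    off = tcp_payload_offset(tcp)
    if len(tcp) < off + 4:
        return False  # too short to carry a four-byte method token
    return struct.unpack("!I", tcp[off:off + 4])[0] == POST_MAGIC


def build_tcp(payload: bytes, options: bytes = b"") -> bytes:
    """Construct a minimal TCP segment (constructed data, checksum left zero)."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, words << 4, 0x18, 65535, 0, 0)
    return header + options + payload


def build_ipv4(tcp: bytes) -> bytes:
    """Wrap a TCP segment in a bare IPv4 header (constructed addresses)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    return header + tcp


def build_pcap(ip_packets) -> bytes:
    """Serialise IPv4 packets into a little-endian pcap with Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    ethernet = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    for i, ip in enumerate(ip_packets):
        frame = ethernet + ip
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_segments(pcap: bytes):
    """Yield the TCP segment of every IPv4/TCP frame in a little-endian pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    pos = 24
    while pos + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[pos:pos + 16])
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        if ip[9] != 6:
            continue  # not TCP
        ihl = (ip[0] & 0x0F) * 4
        yield ip[ihl:]


def find_post_payloads(pcap: bytes):
    """Return the payload of every segment the tcpdump filter would have matched."""
    return [seg[tcp_payload_offset(seg):] for seg in iter_tcp_segments(pcap) if is_http_post(seg)]


def sample_pcap() -> bytes:
    """Constructed three-packet capture: a GET, a POST with TCP options, a runt."""
    timestamp_option = b"\x01\x01\x08\x0a" + b"\x00" * 8  # NOP, NOP, TSopt (12 bytes)
    return build_pcap([
        build_ipv4(build_tcp(b"GET /weblog/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n")),
        build_ipv4(build_tcp(b"POST /weblog/wp-login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
                             b"log=constructed-user&pwd=constructed-sample", timestamp_option)),
        build_ipv4(build_tcp(b"PO")),
    ])


if __name__ == "__main__":
    for payload in find_post_payloads(sample_pcap()):
        print(payload.decode("ascii", "replace"))
```

The runt segment shows the one behaviour the BPF expression gets for free: tcpdump never matches a packet that is too short for the compared bytes, so the Python version returns False instead of raising on a truncated slice.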
Using this password I was able to use the “su” command to become the mrderp user.
From the information gathered earlier I know that this user can use sudo with “/home/mrderp/binaries/derpy*” files. Browsing the user’s home directory doesn’t show any folder named “binaries”, which makes things easier: I simply create a folder with that name and a bash script named derpy.sh that executes a bash shell. With those steps I was able to become root.
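The root cause here is a sudoers command specification that combines a wildcard with a path under the user’s own home directory, so the user decides what the privileged command is. As an added example (my own code, not from the post or the machine), the following audit reads sudoers-style lines and flags command specs with either property. The sudoers fragment is constructed for the demonstration; the real file on the VM is not shown in the post, and the full syntax of the mrderp rule is assumed from the path pattern quoted above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

WILDCARD = re.compile(r"[*?\[]")  # glob metacharacters sudo honours in command specs
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sudoers fragment for the example; not the machine's real file.
SAMPLE_SUDOERS = [
    "# constructed sample, not the VM's sudoers",
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "%sudo ALL=(ALL:ALL) ALL",
    "stinky ALL=(root) NOPASSWD: /usr/bin/apt-get update",
    "mrderp ALL=(ALL) /home/mrderp/binaries/derpy*",  # rule shape assumed from the post
]

RULE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$")


@dataclass
class Finding:
    user: str
    command: str
    reasons: List[str] = field(default_factory=list)


def parse_sudoers_line(line: str) -> Optional[Tuple[str, str, str, List[str]]]:
    """Parse 'user host=(runas) [TAG:] cmd, cmd' into (user, host, runas, [cmds]).

    Comments, Defaults and alias definitions are skipped; only plain user
    specifications are returned.
    """
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                    "Host_Alias", "Runas_Alias")):
        return None
    match = RULE.match(line)
    if not match:
        return None
    user, host, runas, cmnd_list = match.groups()
    commands = []
    for cmnd in cmnd_list.split(","):
        cmnd = cmnd.strip()
        # Drop leading tags such as NOPASSWD: or SETENV: (upper-case word before a colon).
        while ":" in cmnd and cmnd.split(":", 1)[0].isupper():
            cmnd = cmnd.split(":", 1)[1].strip()
        commands.append(cmnd)
    return user, host, runas or "", commands


def audit(lines: List[str]) -> List[Finding]:
    """Flag command specs whose executable is chosen by the invoking user."""
    findings = []
    for line in lines:
        parsed = parse_sudoers_line(line)
        if parsed is None:
            continue
        user, _host, _runas, commands = parsed
        for cmnd in commands:
            if cmnd == "ALL":
                continue  # deliberate full delegation; out of scope for this check
            path = cmnd.split()[0]
            reasons = []
            if WILDCARD.search(path):
                reasons.append("wildcard in command path")
            if path.startswith(f"/home/{user.lstrip('%')}/") or path.startswith(USER_WRITABLE_PREFIXES):
                reasons.append("command lives in a directory the user controls")
            if reasons:
                findings.append(Finding(user, cmnd, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(f"{finding.user}: {finding.command} -> {'; '.join(finding.reasons)}")
```

The fix the audit points at is the usual one: point the rule at a fixed, root-owned path without glob characters, and keep the directory it lives in unwritable by the sudoer.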