VulnHub Edition: DerpNStink
DerpNStink CTF
Exploiting a vulnerable Apache server which was running on Ubuntu version 2.7
Strategy:
Compromise the vulnerable machine in order to gain privileged root access, and exploit the SQL database.
Tactics:
Perform a network scan, using netdiscover and nmap to discover the target IP 192.168.1.122.
From the nmap scan, I noticed that this machine runs an Apache server and a SQL database. For the website, we can inspect the source code and exfiltrate the first flag. Flag1-Key
Performed a nikto scan to analyze the vulnerable ports. The server contains a /php and a /temporary directory, and also has a robots.txt file. Used DirBuster to brute-force the directories with a wordlist. After brute forcing, we find out that it runs WordPress.
A 301 status redirects to the derpnstink.local/weblogs page.
Tried to access the WordPress login page with the username “admin” and password “admin”, which gave me access to the WordPress dashboard. Also performed a WPScan to check for vulnerabilities.
This did not give access to any user dashboard or root privileges, but I could still play around with the slides. So I tried two ways to exploit this. The first way, through Metasploit, did not work for me: the TCP request did not bind with the host IP for some reason and did not create a shell. So I tried inserting a PHP shell in the slides gallery, with success, and connected to the shell via a TCP connection on port 4444 using netcat.
Got access to the server as user “www-data” via the shell. Listed the directories and tried gaining access to the other users, but no luck.
Searched through the directories, gained access to the SQL server and got access to the root SQL database.
Gained access to the WordPress users table, got the users, and exfiltrated the 2nd flag key. Flag2-Key
Used the hydra password-cracking tool to crack the password for the user stinky; it took about 20 mins, so be patient. Stinky: wedgie57
Searched the directories under /home/Desktop and found the 3rd flag. Flag3-Key. The server contains two users: stinky and mrderp. Haven’t gained privileges for mrderp yet.
Accessed more files for the user stinky and exfiltrated the key.txt file from the ssh directory.
Accessing the FTP directories, I found a derpissues.txt file inside the network logs dir but could not read the message. Back in the home dir, I found a derpissues.pcap file.
Checked a few directories before finally finding the vsftpd.conf file and tried viewing it.
Used the tcpdump method to gain privileged access as user mrderp.
Password: derpderpderpderpderpderpderp
This gave me a backdoor: any file named derpy in the binaries directory in the home directory would give escalated privileges as root.
Made a /binaries directory, created an interactive env bash script, and imported it into the shell via a simple Python HTTP server on port 1234.
Finally gained privileged access to the server as root and exfiltrated the 4th flag. Flag-4
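As an added defensive example (not part of the original writeup, and not the CTF machine's own configuration), the following Python script audits sudoers rules for exactly the shape of misconfiguration described above: a rule that lets a user run, as root, a path inside a directory that user can write to, with or without a trailing wildcard. Because the user controls what that path resolves to, such a rule is equivalent to granting root. The sudoers lines and the writable-directory map below are constructed for illustration; the page does not quote the machine's actual rule.

```python
"""Audit sudoers rules for root commands that resolve to user-writable paths.

Added example; SAMPLE_SUDOERS and SAMPLE_WRITABLE are constructed stand-ins,
not the rule from the CTF machine.
"""
import re
from pathlib import PurePosixPath

# Constructed sample sudoers content (assumption: the shape of the rule is
# taken from the writeup's description, not quoted from the box).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL:ALL) /home/mrderp/binaries/derpy*
stinky  ALL=(root) NOPASSWD: /usr/bin/apt-get update
backup  ALL=(root) /opt/backup/run.sh
"""

# Constructed map of user -> directories that user can write to; in a real
# audit this would come from a filesystem permissions check.
SAMPLE_WRITABLE = {
    "mrderp": ["/home/mrderp"],
    "stinky": ["/home/stinky"],
    "backup": ["/opt/backup"],
}

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*"
)


def parse_rules(text):
    """Yield (user_or_group, runas, command) for each user-spec line.

    Comments and Defaults lines are skipped; group specs (%group) are kept
    with their leading '%'.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas") or "root"
        for cmd in m.group("cmds").split(","):
            cmd = TAG_RE.sub("", cmd.strip())
            if cmd:
                yield m.group("who"), runas, cmd


def is_under(path, directory):
    """True when path lies inside directory (pure string check, no filesystem access)."""
    try:
        PurePosixPath(path).relative_to(directory)
        return True
    except ValueError:
        return False


def audit_sudoers(text, user_writable_dirs):
    """Return (user, command, reason) findings for risky rules.

    Flags a wildcard in the executable path, and an executable located under
    a directory the rule's own user can write to. 'ALL' rules are skipped:
    full sudo is a policy decision rather than a misconfiguration.
    """
    findings = []
    for user, _runas, cmd in parse_rules(text):
        if cmd == "ALL":
            continue
        exe = cmd.split()[0]
        if "*" in exe:
            findings.append((user, cmd, "wildcard in executable path"))
        for d in user_writable_dirs.get(user.lstrip("%"), []):
            if is_under(exe.rstrip("*"), d):
                findings.append((user, cmd, f"executable under {user}-writable dir {d}"))
                break
    return findings


def run_sample():
    """Audit the constructed sample and return its findings."""
    return audit_sudoers(SAMPLE_SUDOERS, SAMPLE_WRITABLE)


if __name__ == "__main__":
    for user, cmd, reason in run_sample():
        print(f"{user}: {cmd}  <- {reason}")
```

On the constructed sample, the mrderp rule is reported twice (wildcard, and path under the user's home) and the backup rule once; the apt-get rule for stinky is clean because /usr/bin is not in that user's writable set. The fix on a real host is to move the target binary to a root-owned directory and drop the wildcard.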
Final thoughts: This was tricky and took too damn long, but it was an awesome CTF. I would rate it at a hard difficulty level; I struggled at different points but learnt so much.