VulnHub

DerpNStink

https://www.vulnhub.com/entry/derpnstink-1,221/

 

 

 

Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…

 

Time Management

One of the bigger issues in all these hacker challenges comes back to time management.

If there is a vulnerability in a machine…. then the question is never ‘if’ I can exploit it. The question always comes back to ‘when’ can I exploit it.

What do I have to learn in the meantime? Do I have to go and learn a brand new language? A new technology? Will I have to go and build a bunch of VMs and spend a week running various labs? Is this even a well-known vulnerability? Or am I going to all this trouble for a hack that could/should work? In other words… long winding rabbit holes = bad.

From reading reviews I know bad time management can be a major downfall for people taking the OSCP exam, which I plan on doing in the near future. The plan is to build up good habits now before the real pressure starts.

So with that said, there are 4 flags in this challenge. It’s suggested that this can be done in about 1.5 hours. I’m giving myself an hour.

 

Let the games begin……

 

So first things first. Let’s run an nmap scan against this machine.

nmap 192.168.80.141 -p- -A -sV --version-all

 

Right away we can see there are some interesting services running. We got FTP (VSFTPD), SSH (OpenSSH) and a web server (Apache).

The web server is always a good first choice. It opens up numerous attack vectors to us.

I’m not sure if this ever works in the real world, but a quick glance at the source code on the index page brings us our first flag. (I often wonder why so many of these challenges leave flags in source code?)

 

flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

 

That’s the first flag captured and I’m only 10-15 mins in. So the next step is to run a Dirbuster scan and see what this brings up. Within minutes we have some directories/pages to work with:

 

WordPress! Great. I fire up a WPScan and let that run in the background while I take a stab at trying out default/easy guess credentials. This is something I always test on any challenges. And unlike the flag we just found in the source code, this is something that actually does work from time-to-time in the real world. So many admins/users out there just hitting Next…Next…Next…Next the whole way through whatever installation/configuration they are doing.

And the good news…? This quick check paid off. admin:admin lets us right in!

As soon as you log in you see on the dashboard there is a draft file called Flag.txt. So let’s just open that up and take a look:

 

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

 

Great. We are 20-25 mins in and have found flag number 2. A quick look around and the only other thing standing out for me is that this is not an admin account.

In other words: no easy access to upload a malicious plugin.

Let’s go back and take a look at the WPScan and see if that is showing anything interesting. And of course it has found multiple problems. But one in particular is really standing out for me right now: an arbitrary file upload.

 

 

A quick check on exploit-db.com and we have the following:

 

 

 

Are you thinking what I’m thinking? I could upload a web shell onto the server and it’s game over. Now I’m not going to get too excited about this just yet. It does look promising but it wouldn’t be the first time I thought I was on the verge of rooting a server and then 2 hours later still not even an inch closer.

So where to get this web shell? I’m trying to get away from relying on Metasploit all the time so I generate one with Weevely.

 

 

weevely generate Pass123 remote.php

I upload this file into the slideshow gallery and on the first attempt I’m able to connect.

 

weevely http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/remote.php Pass123

 

That’s the good news. The bad news is I’m having major problems trying to get myself into a proper TTY shell. At this point I’m down to just over 20 minutes so I’m going to move on and have a quick search through the filesystem hoping for another flag.

I didn’t find a flag but I did find the following in the WordPress config file.

 

 

This could be lucrative. You can find all kinds of goodies buried in databases. With any bit of luck this will come in the form of Flag3.

 

 

No flags unfortunately. But I did find a user hash for Uncle Stinky. I’m very conscious of time at this point and I’m not putting all my eggs into the WordPress basket. I’ve already pulled one flag from there; what are the odds the last two are also on it?

I want to get access to the user directories on that server and I’m going to gamble the rest of my time on cracking them.

And I’m also not convinced that me not being able to escalate that shell was anything other than my own inexperience with Weevely (first time using it).

So I’m going to go back and load up a reverse shell that I’m more au fait with and while I’m doing that I’m going to feed that user hash for Uncle Stinky into a cracker (Golden Rule #5: People recycle passwords).

 

I upload the reverse PHP file after changing the port/IP for my own machine.

php-reverse-shell.php

 

And then on my machine I set Netcat to listen on port 4666. This is what I had set the reverse shell to dial back to. The following screenshot shows the connection after it was made.

Oh and obviously, this being a reverse shell, you need to have Netcat listening in advance of uploading the file. But you already knew that, didn’t you?

 

 

By the time I got the reverse shell edited, uploaded, connected and spawned a proper terminal through Python, the brute force on the hash had finished (rockyou.txt) and I have a password for Uncle Stinky. From snooping around the file system earlier I know he has an account on here called stinky.

 

 

And that gamble has just paid off.

That’s Flag number 3 right there. I’m down to about 7 minutes left at this stage so I really need to move fast on this. I take a look around and in the documents folder I find a rather large .pcap file.

This is a problem…

Why a .pcap file? This is a standalone machine challenge? Is this going to be something obscure? Maybe the 4th flag was on a separate server/website and the creator of this challenge took a packet capture of an interaction that includes the flag. It’s very possible that the flag is buried in there somewhere.

But then again, this could easily be a distraction dropped here to make me waste a bunch of time and I’m just not willing to spend my last few minutes dissecting a .pcap file.

Moving on I find an SSH private key. Not a flag, but it’s definitely a mini victory all the same.

 

And then after some more snooping around I find this interesting conversation about a packet capture Stinky has just taken.

derpissues.txt

So is there more to that .pcap file? Or is this just an attempt to keep someone’s interest up and digging down a winding rabbit hole? Either way, I’m out of time.

I got 3 out of 4 flags and it’s killing me to walk away. It’s not the score I wanted, and no doubt this is going to drive me crazy thinking, wondering where that last flag is. Maybe when this post is published, and when nobody is looking, I’ll have to fire up that machine again and take a second peek!

 


 

Hardening Recommendations

 

You’ve just read/seen the interactions I’ve had with this machine so I’m sure there are other ways to exploit it that I haven’t even looked at. But certainly what would have killed my line of attack dead in its tracks would have been:

  1. If the admin was more diligent in keeping software fully patched.
  2. If the admin didn’t leave default credentials set on anything. Ever.
  3. If Stinky wasn’t in the habit of recycling passwords.
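
As an added example (not part of the original write-up): the web shell in this walkthrough was reached at a .php path under wp-content/uploads/, a directory that normally serves only static media, so requests like that are a strong detection signal on top of the three points above. The sketch below flags them in Apache access logs; the log lines are constructed and the function name find_upload_script_hits is hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines in Apache "combined" format (not taken from the target machine).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2018:10:01:02 +0000] "GET /weblog/wp-content/uploads/2017/11/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:10:05:40 +0000] "POST /weblog/wp-content/uploads/slideshow-gallery/remote.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2018:10:06:10 +0000] "GET /weblog/wp-content/uploads/slideshow-gallery/Remote.PHP?x=1 HTTP/1.1" 200 88 "-" "curl/7.58"
192.0.2.10 - - [12/Mar/2018:10:07:00 +0000] "GET /weblog/wp-login.php HTTP/1.1" 200 2300 "-" "Mozilla/5.0"
192.0.2.51 - - [12/Mar/2018:10:08:00 +0000] "GET /weblog/wp-content/uploads/a.php5 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Extensions commonly mapped to the PHP handler.
SCRIPT_RE = re.compile(r"\.(php\d?|phtml|phar)$")
UPLOADS = "/wp-content/uploads/"


def find_upload_script_hits(log_text):
    """Return requests for script files located under the WordPress uploads tree."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, target, status = m.groups()
        # Drop the query string, decode %xx escapes, ignore case.
        path = unquote(urlsplit(target).path).lower()
        _, found, tail = path.partition(UPLOADS)
        if not found:
            continue
        # Check every segment so "shell.php/extra.jpg" (PATH_INFO) is caught too.
        if any(SCRIPT_RE.search(seg) for seg in tail.split("/")):
            hits.append({"ip": ip, "method": method, "path": path,
                         "served": status.startswith("2")})
    return hits


if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit)
```

A hit with served set to True on a path the site never published is worth investigating, and blocking script execution in the uploads directory at the web server removes the cause of the signal.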

 

 

 
