DerpNStink: 1

[ vulnhub  boot2root  walkthrough  ]

Goal

4 Flags / Root

Download

https://www.vulnhub.com/entry/derpnstink-1,221/

Walkthrough

nmap
alt text

default 80
alt text

flag 1 found buried in source
alt text

ran dirb
alt text

/temporary had nothing
alt text

ran additional dirb against /php finding phpmyadmin
alt text

ran additional dirb against /weblog finding wordpress
alt text

/etc/hosts file needs to have dns entry added for any resolve
alt text

wordpress site exists
alt text

wordpress enumeration finds two users
alt text
alt text

admin user on wordpress password is found
alt text
alt text

admin is not really an admin though
alt text

looking for a way to gain reverse shell, wpscan reveals slideshow upload plugin vuln
alt text

uploading reverse php gives low level reverse shell
alt text

wp-config reveals root mysql
alt text

going back to phpmyadmin, 2nd wp account hash found
alt text

running against john reveals password
alt text

this gives admin level access to wp and flag 2
alt text

/home reveals two users
alt text

no other escalation options for these, trying same wp pass for stinky on ftp works
alt text
alt text

file name key.txt is found buried and is a private key
alt text
alt text

using downloaded key file gives ssh access as stinky
alt text

flag 3 is found
alt text

pcap file found reveals mrderp password
alt text

su to mrderp is successful
alt text

file found on root folder /support reveals pastebin link
alt text

link shows what commands mrderp can run as sudo
alt text

sudo commands are verified
alt text

there is no binaries folder under mrderp home directory
alt text

from here we setup for root access by creating folder and a file named derpy that will call a shell
alt text

running derpy with sudo gives root access and last flag
alt text

Written on June 25, 2018
Share on: