Vulnhub DerpNstink machine Writeup

In this Vulnhub DerpNstink machine writeup we will capture the flag 4 times!!
We are going to learn different techniques including:
– Scanning
– Web directory enumeration
– WordPress plugin vulnerability
– Changing a database password in phpMyAdmin
– Network traffic analysis with Wireshark
– Sudo privilege escalation

1. Scanning:

DerpNstink nmap scan

# nmap -A -p-

As always, start with an nmap scan and check the open ports: FTP, SSH, HTTP.

View page source as a basic information gathering step:


Scroll down and we find the first flag!!

flag 1

Reading further in the same page source will lead you to: view-source:


So we have a user stinky, and we need to add a name for derpnstink to our local DNS file /etc/hosts, but what is the domain name?

2. Web directory enumeration:

Let’s use dirb to enumerate directories:

# dirb -r

dirb results

Found some directories. Testing each one, the php directory may be interesting, so brute-force its sub-directories:

# dirb -r

php directory enum

Found for database management, still need credentials, keep it for now.

Also visiting redirects us to the name but failed since we didn’t add it yet to our local /etc/hosts file.
Add it and refresh the page, and here we found the blog!!


3. WordPress penetration testing:

Try to log in with the default admin/admin


That was easy, we are in a WordPress blog. Let's enumerate it with wpscan:

# wpscan --url http://derpnstink.local/weblog/ -e p

wpscan result

We found the slideshow-gallery plugin, version 1.4.6. Check if it is vulnerable.

# searchsploit wordpress slideshow gallery 1.4.6

searchsploit slideshow gallery wordpress plugin

And there is an exploit for that in Metasploit:

metasploit wordpress slideshow gallery exploit

Good, we have a reverse shell as the www-data user.
Upgrade our basic shell to an interactive shell:

python -c "import pty;pty.spawn('/bin/bash')"

cat /etc/passwd

Found users: stinky, mrderp


Go and check important files that we have access to, like the WordPress config file wp-config.php

cat wp-config.php

And we got the database credentials root/mysql


login to

Navigate to the wp_users table in the wordpress database. There are 2 users, unclestinky and admin, with hashed passwords, but we know the admin password is admin, which we used to log in to WordPress earlier.

wordpress users hash

What if we copy the admin hash over to unclestinky!! Its password will then be admin too.

Now login to wordpress as unclestinky and check for any interesting info.

and here is the second flag!!

Flag 2

Back again in phpMyAdmin, navigate to the user table in the mysql database, check the local users' hashes, copy the unclestinky hash and try to crack it.

user hash

Using any online hash cracker like:

Result: wedgie57

hash cracker

Password reuse:

Check the credentials stinky/wedgie57 against other services like SSH and FTP.

[Notice: use the local account name for this user, stinky, not the MySQL name unclestinky]:

Successfully logged in to FTP.

Enumerate files and folders.
Found derpissues.txt, which is a conversation. It seems the admin captured the traffic, and the capture might be interesting!
Also found key.txt, download it.

 private key for ssh

Read it: it is a private SSH key. Try it for an SSH login as stinky with the private key and no password, and we are in!!

[Don’t forget to correct the file's permissions to 700 so that ssh accepts it]

# chmod 700 key.txt
# ssh -i key.txt [email protected]

Fine, we got the third flag from Desktop/flag.txt

ssh with private key

4. Network traffic analysis with Wireshark:

Searching for files in stinky’s home folder, found the capture derpissues.pcap in Documents folder.

Copy it to your machine. I used scp to copy the file to my machine over SSH; you could also just copy the file to the FTP path and download it over FTP!!

Open with Wireshark:
Analyze -> Conversation filter -> TCP

analyze tcp conversations

Right click on the TCP stream for POST url -> Follow -> TCP Stream

capture password from tcp stream

Look, we can see the password from the POST data:

Switch to mrderp user with the captured password:

$ su mrderp

5. Privilege escalation:

sudo -l

$ sudo -l

He can run any file or script matching the path /home/mrderp/binaries/derpy*

Create binaries folder.
Create a shell named which contain one line only: /bin/bash

Run it as root!!

CTF root flag

cd /root/Desktop
cat flag.txt

Finally, we captured the root flag!!
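
From the defender's side, the weakness in section 5 is a sudoers rule whose command path contains a wildcard and lives in a directory the user controls. The audit sketch below is an added example, not part of the original write-up: the sample sudoers text is constructed (only the /home/mrderp/binaries/derpy* path comes from the page) and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sudoers sample: only the /home/mrderp/binaries/derpy* path comes
# from the write-up; hosts, run-as fields and the other rules are assumptions.
SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/local/sbin/rotate-logs
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")

def non_root_controls(directory):
    """True if any existing ancestor is owned by a non-root user or is
    group/world-writable, so someone other than root can plant files there."""
    while True:
        if os.path.isdir(directory):
            st = os.stat(directory)
            if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                return True
        if directory == "/":
            return False
        directory = os.path.dirname(directory)

def audit(sudoers_text, controls=non_root_controls):
    """Return (user, command path, reasons) for each risky command spec."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        user, cmds = m.groups()
        for cmd in cmds.split(","):
            cmd = re.sub(r"^(?:[A-Z_]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            if not cmd.startswith("/"):
                continue  # ALL or an alias name: out of scope for this check
            path = cmd.split()[0]
            reasons = []
            if re.search(r"[*?\[]", path):
                reasons.append("wildcard in command path")
            if controls(os.path.dirname(path)):
                reasons.append("directory not exclusively root-controlled")
            if reasons:
                findings.append((user, path, reasons))
    return findings
```

Run audit() over the contents of /etc/sudoers and each file in /etc/sudoers.d; this sketch does not resolve aliases or include directives. Any finding should be replaced with an exact path to a root-owned binary in a root-owned directory.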
