DerpNStink 1: CTF walkthrough
We can search for the IP address of the VM with arp-scan:
Then we can search for open ports:
First of all we have to update our /etc/hosts file with the derpnstink domain name according to this file.
So, we simply have to execute this command:
Then, the first flag can be found in the source code of the index.html page.
Now, we can search for other directories or pages.
To do that, we can first use gobuster. After a few seconds, the weblog directory will appear.
Then, another scan will show us that we have a WordPress blog.
Finally, we can log in to the WordPress admin panel with the user admin and the password admin.
After a bit of searching, we can see that we can upload arbitrary files when we add a new slide.
Note: I used the basic php-reverse shell from pentestmonkey, which gives me a first access to the system.
Once on the system, we can log in to the MySQL service with the credentials that we can find in the /var/www/html/weblog/wp-config.php file.
After that, we can find the second flag in the mysql wp_posts table of the wordpress database.
Moreover, in the wp_users table, another user is present, unclestinky.
We can easily crack this WordPress hash with hashcat.
So, the password for the user stinky is wedgie57.
The third flag can be found on the Desktop of the stinky user.
For the moment, the SSH service can only be used with a private key.
Fortunately for us, a private key is hidden in the /home/stinky/ftp/files/ssh/ssh/ssh/ssh/ssh/ssh/ssh folder.
We use this private key to log in to the system.
After a bit of searching, we can find an interesting conversation located at ftp/files/network-logs/derpissues.txt and a pcap file in the user's documents.
If we download and analyse this pcap file with Wireshark we can find the password of the mrderp user.
If we switch to the mrderp user, we can find a weird file called helpdesk.log on the Desktop, which gives us a link to a pastebin page.
If we take a look at this pastebin, we can see that the /etc/sudoers file appears to contain this rule.
This rule means that if we create a file named derpy in the /home/mrderp/binaries/ folder, we will be able to execute this file with root privileges.
We successfully gain root privileges and we get the last flag of the CTF.
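From the defender's side, the sudoers weakness described above (a root-runnable command whose path sits in a directory the user controls) can be caught with a small audit. This is an added example, not part of the original walkthrough; the sample sudoers text, the `backup` entry and the function name `audit_sudoers` are constructed for illustration, and the mrderp rule's exact form is an assumption based on the description above.

```python
import re

# Constructed sample sudoers text for illustration; the rule form is an
# assumption based on the description above, not copied from the pastebin.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /home/backup/bin/sync.sh
"""

# user/group, host list, optional (runas), then the command list
RULE = re.compile(r"^(\S+)\s+\S+?=\s*(?:\([^)]*\))?\s*(.+)$")
# tags such as NOPASSWD: that may precede a command
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")
SKIP = ("#", "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def audit_sudoers(text, home_root="/home"):
    """Return (line_no, grantee, command_path, reasons) for risky rules.

    Simplified parser: line continuations and alias expansion are not handled.
    """
    prefix = home_root.rstrip("/") + "/"
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = RULE.match(line)
        if not line or line.startswith(SKIP) or not match:
            continue
        grantee, commands = match.groups()
        for command in commands.split(","):
            command = TAGS.sub("", command.strip())
            path = command.split()[0] if command else ""
            if not path.startswith("/"):
                continue  # "ALL" or an alias name, out of scope here
            reasons = []
            if path.startswith(prefix):
                # A home directory is writable by its owner, who can plant
                # or replace the file that sudo will then run as root.
                reasons.append("command under " + prefix + path[len(prefix):].split("/")[0])
            if any(ch in path for ch in "*?["):
                reasons.append("wildcard in command path")
            if reasons:
                findings.append((line_no, grantee, path, reasons))
    return findings
```

Rules flagged this way are fixed by pointing sudo at a full path, without wildcards, in a root-owned directory that unprivileged users cannot write to.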