VulnHub target machine: DerpNStink
Download link: https://www.vulnhub.com/entry/derpnstink-1,221/
After downloading the target machine, open it in VMware Workstation and set the network adapter to bridged mode.
Task: escalate privileges and obtain the four flags
Attack machine: Kali Linux 192.168.8.151
Target machine: 192.168.8.177
1. Information collection
Use nmap to identify the target machine on the network
Command: nmap -sP 192.168.8.0/24
Use nmap to scan the open ports of the target machine
Command: nmap -sV -p- 192.168.8.177
Visit http://192.168.8.177 and view the page source: it references info.txt, and flag1 is hidden at the bottom.
Visit info.txt, which prompts us to bind the local DNS name.
Modify /etc/hosts to bind the local DNS name.
Brute-force the web directories.
Visit the blog at http://derpnstink.local/weblog/; at the bottom of the page we find that the CMS of this blog is WordPress.
Open the WordPress admin login page at http://derpnstink.local/weblog/wp-admin and log in with the default username admin and password admin. The login succeeds, but the account has limited privileges; it seems that admin is not a real administrator. At the same time, the WordPress version is found to be 4.6.20.
Use wpscan to scan WordPress. The scan finds a usable vulnerability in the slideshow-gallery plugin.
Command: wpscan --url http://derpnstink.local/weblog/
2. Privilege escalation
Search Metasploit for the slideshow-gallery plugin vulnerability and use it to get a shell.
Use Python to spawn a pseudo-terminal, then view the WordPress configuration file to obtain the database username and password.
Log in to phpMyAdmin. The wp_users table in the wordpress database shows another blog user, unclestinky.
Save the hash of unclestinky's password to a text file and crack it with john using the rockyou wordlist; the recovered password is wedgie57.
Log in to the blog as unclestinky and find flag2.
Enter the home directory on the target machine. Two users are found, one of which is stinky. Since nmap found ports 21 and 22 open earlier, we guess that stinky may use the same password for FTP or SSH. Logging in to the FTP server with the password wedgie57 succeeds, and we find the SSH key of the stinky user.
Use the key to log in over SSH and find flag3.
Find the pcap file in the Documents directory, open it with Wireshark, filter for the HTTP protocol, and finally find the password of mrderp.
Log in over SSH as mrderp. A log file in the Desktop directory turns out to be a chat log. According to the chat log, we need to visit https://pastebin.com/RzK9WfGw.
It tells us that the user mrderp may, on any host, execute /home/mrderp/binaries/derpy* as any user, so sudo can be used here for privilege escalation.
The binaries directory does not exist, so create a directory with that name and create the file derpy.sh in it. Write the following commands into derpy.sh, save and exit; running the file with sudo then gives root privileges.
Enter the root directory and find flag4
So far, all four flags have been found.
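
The sudo step works because the permitted command path contains a wildcard and sits in a directory that mrderp owns, so mrderp decides what the rule runs. The following is an added example (not part of the original write-up) that audits sudoers text for that pattern; the sample rules are constructed from the description above, and the function name and the `homes` mapping are assumptions.

```python
import re

# Constructed sample. The mrderp rule mirrors the permission described in the
# write-up; the other rules are made-up comparisons, including a safer form.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*   # weak: wildcard + own home
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ops     ALL=(root) /usr/local/sbin/derpy-report  # safer: fixed root-owned path
"""

# user-or-%group  host = (runas)  command-list
RULE = re.compile(
    r"^(?P<user>%?\w[\w.-]*)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def audit_sudoers(text, homes):
    """Return (user, path, reasons) for rules the grantee can redirect.

    homes maps user name -> home directory (assumption: supplied by the
    caller, e.g. from the passwd database on a live system).
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE.match(line)
        if not m or m["user"] == "Defaults":
            continue
        user = m["user"]
        for cmd in m["cmds"].split(","):
            cmd = TAG.sub("", cmd.strip())
            if not cmd.startswith("/"):
                continue  # ALL or a Cmnd_Alias: not a literal path
            path = cmd.split()[0]
            reasons = []
            if any(ch in path for ch in "*?["):
                reasons.append("wildcard in command path")
            home = homes.get(user)
            if home and path.startswith(home.rstrip("/") + "/"):
                reasons.append("path inside grantee's own home directory")
            if reasons:
                findings.append((user, path, reasons))
    return findings


if __name__ == "__main__":
    for user, path, reasons in audit_sudoers(
            SAMPLE_SUDOERS, {"mrderp": "/home/mrderp", "ops": "/home/ops"}):
        print(f"{user}: {path} -> {'; '.join(reasons)}")
```

Either finding alone is worth fixing: sudo commands should be fixed, absolute paths in directories only root can write to.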