DERPNSTINK: 1 Walkthrough

DESCRIPTION:

DESCRIPTION:

Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…

DerpNStink: 1
Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to…

Enumeration

seems like we have wordpress @ /weblog/

More Enumeration…

add the host name to /etc/hosts
wpscan — url http://derpnstink.local/weblog/ -t 10 -e u,ap,at,tt — plugins-detection aggressive

📌 slideshow-gallery has authenticated file upload.

let’s brutefore both the users.

took a long-time

we got the creds admin:admin

Now, only way to get reverse shell is through the vulnerable plugin.


Exploitation

Let’s run the shell.php to get reverse shell.

once you get the shell, get the mysql creds from the wp-config.php file.

it is root/mysql

  • I logged into the phpmyadmin and got the hash of unclestinky.

let’s su to stinky

and explore his folder.

i found a .pcap file inside the Document of the user.

let’s su to mrderp with this password.

use sudo permission to get root