DERPNSTINK: 1 Walkthrough
DESCRIPTION:
DESCRIPTION:
Mr. Derp and Uncle Stinky are two system administrators who are starting their own company, DerpNStink. Instead of hiring qualified professionals to build up their IT landscape, they decided to hack together their own system which is almost ready to go live…
Enumeration
More Enumeration…
wpscan — url http://derpnstink.local/weblog/ -t 10 -e u,ap,at,tt — plugins-detection aggressive
📌 slideshow-gallery has authenticated file upload.
let’s brutefore both the users.
we got the creds admin:admin
Now, only way to get reverse shell is through the vulnerable plugin.
Exploitation
Let’s run the shell.php to get reverse shell.
once you get the shell, get the mysql creds from the wp-config.php file.
it is root/mysql
- I logged into the phpmyadmin and got the hash of unclestinky.
let’s su to stinky
and explore his folder.
i found a .pcap file inside the Document of the user.
let’s su to mrderp with this password.