Wednesday, 9 January 2019

DerpNStink CTF

Today we will try the CTF prepared by Bryan Smith called DerpNStink: 1. You can find it here. Let's try it...

Your machine is waiting here:


Quick scan with nmap:


When I saw the main page I thought it was related to South Park somehow...


So I decided to prepare a short username list (to try it with SSH enumeration):


Checking:


Not much... Let's get back to WWW scan. Checking webpage with gobuster:


And we should see that the robots.txt file contains a few new links to check:


Checking:


Ok, trying... ;)


Checking another link(s):


My first guess was to add 'match and replace' rules to Burp Proxy:


Checking:


Still nothing... again:


No luck. So I decided to change my 'etc/hosts' (on both OSes: Kali and Windows). Now we can see something new:


Rescan (with gobuster) using the new etc/hosts content:


And now we are here:


Now we are able to use wpscan against our new webpage. While I was reading the results from the scan, I decided to also use some brute force to check the 'password policy' on the remote web panel:


In the meantime I was looking for some other links to check. I used gobuster (not many new links) and then I decided to use dirb again (but this time without the -r switch):


Checking:


Checking:


So far so good, checking next:


Checking with Metasploit:


Ok, cool. :) Checking access:


Searching for the upload in the plugin mentioned by wpscan (check the log for more details):


Verify:


Great! We're in! Time for some enumeration:


We found users, cool :) Next:


Ok. Now:


Checking root access to DB:


I decided to check for some more passwords:


Let's get only usernames and passwords:


Now quick Google-search for cracked hashes:


Great. I decided to check my new password(s) with new account(s):


Oops... what's wrong? Maybe it's time for a kernel exploit?


Nope. So I decided to switch to 2nd user:


Checking:


Ok, there is flag no. 2 :) (where is no. 1? ;)) Checking users:


Using this user to set up an exploit from Metasploit:

Verifying:


Great!


Checking again. This time we will try to use some grabbed credentials:


Great. Checking ls -laR for this user:


More:


And we found a key:


Looking for more hints:


And we are here:


Let's check our newly found key now:


Great! We are in! :) Searching for the PCAP file:


I copied the file (using scp) to my Kali box:


Checking (with tcpdump):


Checking more POST requests:


We got it:


Checking SSH access:


Checking files inside the users' HOME dir:


And we are here:


This part was the easy one:


Checking last flag:


And the shadow file:

And that's all folks :)

See you next time!

Cheers

