We start out with an nmap scan.
Let's take a look at the web server.
We are greeted with a plain page with some images.
We look at the source and find the first flag.
Looking more closely at the page source, we also see a reference to a file, /webnotes/info.txt.
This gives us the hint to add the domain to /etc/hosts: the blog is served as a name-based virtual host, so it can only be reached with the right Host header.
We start by enumerating the directories.
We find /weblog/ and /temporary/. Since /temporary/ is empty, we visit /weblog/, which redirects us to derpnstink.local. Let's add this domain to our hosts file; on my machine it is /etc/hosts.
I add a line of the form "IP -TAB- derpnstink.local", then save and exit the file.
Then in my browser I go to http://derpnstink.local/weblog/. We are met with a WordPress blog. The first thing I do is run a quick scan with WPScan.
"wpscan --url http://derpnstink.local/weblog/ --enumerate u"
It finds two users, admin and unclestinky. I try some basic default credentials, and admin:admin logs me in as admin. That account has no useful permissions, though. Looking back at the scan output, we see some vulnerable plugins.
Searching for an exploit for one of them, I found a Metasploit module and decided to just use that.
Using this exploit I got a shell and began searching the system until I found the directory /var/www/html/php/. Inside it was info.php, which revealed that phpMyAdmin was hosted from this directory.
Before visiting it, as with any WordPress installation, we look at wp-config.php, which holds the database credentials: the MySQL user root with password mysql.
So I visit derpnstink.local/php/phpmyadmin/ and enter the MySQL credentials, user root and password mysql, and we are in the database.
I look at the users table in the WordPress database, grab the password hashes and run them through John the Ripper with rockyou.txt as the wordlist.
unclestinky : wedgie57
admin : admin
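WordPress stores its users' passwords as phpass "portable" hashes (the ones starting with $P$B), which is what john is cracking above. The following is an added example, not code from the original write-up: it reimplements that hash format in Python so the dictionary attack can be followed step by step. The salts, the stand-in users table and the wordlist are constructed here; the hashes are generated by the code rather than copied from the VM's database.

```python
"""Check and crack WordPress (phpass portable) hashes offline.

Added example, not from the original write-up: it reimplements the $P$
hash format WordPress stores in its users table, so cracking can be
followed step by step. The salts and wordlist are CONSTRUCTED; the
hashes are generated here rather than copied from the VM's database.
"""
import hashlib
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' own base64 variant (little-endian, 6 bits per character)."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: str, count_log2: int = 13) -> str:
    """Build a portable phpass hash. WordPress uses count_log2 = 13,
    i.e. 8192 MD5 rounds, which is why its hashes start with '$P$B'."""
    if len(salt) != 8 or not 7 <= count_log2 <= 30:
        raise ValueError("salt must be 8 chars and count_log2 in 7..30")
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):          # the key-stretching loop
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[count_log2] + salt + _encode64(digest, 16)


def phpass_check(password: str, stored: str) -> bool:
    """Verify a candidate against a stored '$P$' or '$H$' hash (34 chars)."""
    if len(stored) != 34 or stored[:3] not in ("$P$", "$H$"):
        return False
    count_log2 = ITOA64.find(stored[3])
    if not 7 <= count_log2 <= 30:
        return False
    computed = phpass_hash(password, stored[4:12], count_log2)
    return computed[12:] == stored[12:]


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack, the same thing john does with rockyou.txt."""
    for word in wordlist:
        if phpass_check(word, stored):
            return word
    return None


# CONSTRUCTED stand-in for the users table; salts chosen here, not taken from the VM.
SAMPLE_USERS = {
    "admin": phpass_hash("admin", "Xq7vH1sd"),
    "unclestinky": phpass_hash("wedgie57", "p9Fk2mLa"),
}
SAMPLE_WORDLIST = ["123456", "password", "admin", "letmein", "wedgie57"]

if __name__ == "__main__":
    for user, h in SAMPLE_USERS.items():
        print(f"{user}: {h} -> {crack(h, SAMPLE_WORDLIST)}")
```

Each guess costs 8192 MD5 calls, which is why john on rockyou.txt takes a while even for weak passwords; it is also why an attacker with the database still needs a wordlist hit rather than a lookup table.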
We use these to log in to the FTP server.
The username stinky with password wedgie57 got me in. I later realised that index.html in the /webnotes/ web directory contains shell output that gives away the username stinky.
I navigate into files and then into the ssh directory. There are seven nested ssh directories, and in the seventh you will see a file called key.txt. I use the FTP command "get key.txt" to download what I presume is an SSH private key.
I then change the key file's permissions (chmod 600) so that the OpenSSH client will accept it; ssh refuses to use a private key that is readable by other users.
Next I ssh into the stinky account using the RSA key.
And we're in!
I look through stinky's files and find the third flag in his Desktop directory. The third? So I missed one. I continue on anyway.
In stinky's Documents directory I find a file called derpissues.pcap, a packet capture!
I download the packet capture and begin sifting through it in Wireshark. Filtering on HTTP and walking through the requests, I come across a packet with credentials for mrderp, sent in the clear because the login went over plain HTTP.
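Wireshark's HTTP filter and "Follow TCP Stream" do this interactively; for the record, here is what that search looks like as code. This is an added example, not part of the original write-up: a minimal libpcap reader that walks Ethernet/IPv4/TCP frames and pulls credential-looking fields out of URL-encoded POST bodies. The capture it parses is constructed in memory, and the login path, host name, addresses and password in it are placeholders, not values from derpissues.pcap. It does no TCP reassembly, so a POST has to fit in a single segment (large bodies need reassembly, which is what Wireshark's stream view gives you).

```python
"""Pull form-submitted credentials out of a pcap without Wireshark.

Added example, not part of the original write-up: a minimal libpcap
reader for Ethernet/IPv4/TCP frames that extracts URL-encoded POST
bodies. It does no TCP reassembly, so a POST must fit in one segment.
The capture is CONSTRUCTED in memory; the login path, host, addresses
and password are placeholders, not values from derpissues.pcap.
"""
import struct
from typing import Iterator, List, Optional, Tuple
from urllib.parse import parse_qs

CRED_FIELDS = ("log", "pwd", "user", "username", "pass", "password")
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # microsecond pcap, either byte order


def _frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """CONSTRUCTED Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = struct.pack("!6s6sH", b"\x02" * 6, b"\x04" * 6, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """CONSTRUCTED capture: a plain GET followed by a POST carrying a login form."""
    body = b"log=mrderp&pwd=constructed-password&wp-submit=Log+In"
    post = (b"POST /weblog/wp-login.php HTTP/1.1\r\nHost: derpnstink.local\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body) + body)
    get = b"GET /weblog/ HTTP/1.1\r\nHost: derpnstink.local\r\n\r\n"
    frames = [_frame("192.168.56.10", "192.168.56.20", 40000, 80, get),
              _frame("192.168.56.10", "192.168.56.20", 40001, 80, post)]
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for n, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_500_000_000 + n, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_frames(pcap: bytes) -> Iterator[bytes]:
    """Walk the libpcap record chain and yield raw link-layer frames."""
    endian = PCAP_MAGIC.get(struct.unpack_from("<I", pcap, 0)[0])
    if endian is None:
        raise ValueError("not a microsecond-resolution pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                       # IP protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4
    return sport, dport, tcp[doff:]


def find_form_credentials(pcap: bytes, fields=CRED_FIELDS) -> List[dict]:
    """Collect credential-looking fields from URL-encoded POST requests."""
    hits = []
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[2].startswith(b"POST "):
            continue
        _, dport, payload = parsed
        head, sep, body = payload.partition(b"\r\n\r\n")
        if not sep or b"application/x-www-form-urlencoded" not in head.lower():
            continue
        lines = head.decode("latin-1").split("\r\n")
        host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith("host:")), "")
        params = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        creds = {k: v[0] for k, v in params.items() if k in fields}
        if creds:
            hits.append({"request": lines[0], "host": host, "dport": dport, **creds})
    return hits


SAMPLE_PCAP = build_sample_pcap()

if __name__ == "__main__":
    for hit in find_form_credentials(SAMPLE_PCAP):
        print(hit)
```

Point the same functions at a real file with open("derpissues.pcap", "rb").read() and you get the same result as scrolling through the HTTP packets by hand; the field-name list is the part worth tuning for whatever login form the target uses.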
Next I try these credentials to switch user in the shell.
Skadoosh! Now we are mrderp, let's snoop around.
In mrderp's Desktop directory I found a file called helpdesk.log. I read its contents and found a Pastebin link. Following it, I found sudoers configuration options.
The rule uses a wildcard (an asterisk) in the command path, which lets mrderp run with sudo any file whose name starts with derpy in the /home/mrderp/binaries/ directory. That directory is inside mrderp's own home, so we control what ends up in it.
I create the binaries directory and, inside it, a small bash script named derpy.sh that spawns a shell.
Next I run "chmod 777 derpy.sh && sudo ./derpy.sh". (The script only needs the execute bit; chmod 700 would have done.)
Now we have root and find flag4 in /root/Desktop/flag.txt. But what about flag2? I never found it. A little bash magic can find it for us.
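The lesson for the blue team is that a sudo rule is only as strong as the path it names: a wildcard, or a path under a directory the user can write to, hands the user a free choice of what runs as root. As an added example (not part of the original write-up), here is a small checker that reads plain user specs from a sudoers file and flags those two patterns. The sudoers text it scans is constructed to mirror the rule described above; it is not the VM's real sudoers, and the parser only handles simple "user host=(runas) [TAG:] command" lines, not aliases or include directives.

```python
"""Flag sudoers command specs that let the caller choose what runs as root.

Added example, not part of the original write-up. The rules below are
CONSTRUCTED to mirror the pattern described in the post (a wildcard path
under the user's own home directory); they are not the VM's real sudoers.
Only simple user specs are parsed; aliases and @include are ignored.
"""
import re
from typing import Iterator, List, Tuple

# user host=(runas) [TAG:...] command[, command...]
USER_SPEC = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
GLOB_CHARS = set("*?[")


def parse_user_specs(sudoers: str) -> Iterator[Tuple[str, str, List[str], List[str]]]:
    """Yield (user, runas, tags, [commands]) for each simple user spec line."""
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        yield m.group("user"), m.group("runas") or "root", m.group("tags").split(), cmds


def risky_rules(sudoers: str) -> List[str]:
    """Return findings for rules whose command the user can substitute."""
    findings = []
    for user, runas, _tags, cmds in parse_user_specs(sudoers):
        for cmd in cmds:
            path = cmd.split()[0]
            if path == "ALL":                       # deliberate full access, not a hijack
                continue
            reasons = []
            if GLOB_CHARS & set(path):
                reasons.append("wildcard in command path")
            if path.startswith(f"/home/{user}/") or path.startswith("/tmp/"):
                reasons.append("command lives in a directory the user controls")
            if not path.startswith("/"):
                reasons.append("relative command path")
            if reasons:
                findings.append(f"{user} -> ({runas}) {cmd}: " + "; ".join(reasons))
    return findings


# CONSTRUCTED sample: the weak rule from the write-up next to a safe rewrite of it.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) /home/mrderp/binaries/derpy*
mrderp  ALL=(ALL) /usr/local/bin/derpy
stinky  ALL=(root) NOPASSWD: /usr/bin/systemctl restart vsftpd
"""

if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDOERS):
        print(finding)
```

The second mrderp line shows the fix: one fixed, absolute path in a root-owned directory, so the only thing that can run as root is the reviewed script, not whatever the user drops into ~/binaries.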
Searching the filesystem for the string "flag2(" turns up two files; we then grep their contents for the flag itself.
The long-lost second flag! I enjoyed this CTF; it shows realistic issues found in the real world, such as default passwords, password reuse and credentials sent over plain HTTP. This is a great VM for people just getting started with CTFs.
Thanks to the creator @securekomodo on Twitter for this entertaining CTF.