We start out with an nmap scan.
[image: nmap0]

Let's take a look at the web server.
[image: webpage]
We are greeted with a plain page with some images.

We look at the source and find the first flag.
[image: flag1]

However, if we take a closer look at the page source we see a reference to a file, "/webnotes/info.txt".
[image: info]
[image: infocon]
This gives us the hint to add the domain to /etc/hosts, because their blog can only be reached through a virtual host, i.e. by sending the right Host header.

We start by enumerating the directories.
[image: gobust0]
We find /weblog/ and /temporary/. We visit /weblog/ because /temporary/ is empty. When we go there we are redirected to derpnstink.local, so let's add this domain to our hosts file. On my machine it is located at /etc/hosts.
[image: hosts]
I add a line of the form "IP -TAB- derpnstink.local" (the VM's IP address, a tab, then the hostname), then save and exit the file.

Then in my browser I go to http://derpnstink.local/weblog/. We are met with a WordPress blog. The first thing I do is run a quick scan with WPScan.
"wpscan --url http://derpnstink.local/weblog/ --enumerate u"
It finds two users, admin and unclestinky. I try some basic default credentials, and admin:admin gets me in as admin. However, the admin account has no useful permissions. We look back at our scan and see there are some vulnerable plugins.

[image: wpvuln]
Searching for this exploit, I found a Metasploit (msf) module for it and decided to just use that.

[image: msf]

Using this exploit I got a shell and began searching around the system until I found the directory /var/www/html/php/. Looking in there, I found info.php, which led me to discover that phpMyAdmin was hosted in this directory.

[image: phpinf]

But before visiting it, as with any WordPress installation, we take a look at wp-config.php, which held the credentials for the MySQL database: root:mysql.

So I visit derpnstink.local/php/phpmyadmin/ and enter the MySQL credentials, user root and password mysql, and we are in the database.
I take a look at the users in the WordPress database, grab the password hashes and run them through John the Ripper with rockyou.txt as my wordlist.

[image: phpmyadmin]
unclestinky : wedgie57
admin : admin
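The credentials recovered above came from two weak spots: a wp-config.php that hands the web application the MySQL root account, and passwords short or common enough for john to crack. The following is an added example, not code from this write-up or from WordPress, that parses the define() lines of a wp-config.php and flags exactly those conditions. Both sample configs are constructed; the weak one reuses the root:mysql pair from the box, the hardened one uses an invented least-privilege account name and password.

```python
"""Audit a WordPress wp-config.php for weak database settings.

Added example (not code from the write-up or from WordPress). It parses the
define('DB_...', '...') lines and reports the conditions that made the
phpMyAdmin hop possible: the site running as the MySQL root account and a
password short or common enough to be guessed.
"""
import re

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>DB_\w+)['"]\s*,\s*['"](?P<value>[^'"]*)['"]\s*\)"""
)

# Small constructed deny-list; a real deployment would check a breached-password set.
WEAK_PASSWORDS = {"", "mysql", "root", "password", "admin", "wordpress", "123456"}
MIN_LENGTH = 12


def parse_wp_config(text: str) -> dict:
    """Return {DB_NAME: ..., DB_USER: ..., ...} from the define() calls in text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    cfg = parse_wp_config(text)
    user = cfg.get("DB_USER", "")
    password = cfg.get("DB_PASSWORD", "")
    findings = []
    if user == "root":
        findings.append("DB_USER is root: any web-app bug becomes full MySQL admin")
    if password.lower() in WEAK_PASSWORDS:
        findings.append("DB_PASSWORD is a common default")
    elif len(password) < MIN_LENGTH:
        findings.append(f"DB_PASSWORD is shorter than {MIN_LENGTH} characters")
    if password and password.lower() == user.lower():
        findings.append("DB_PASSWORD equals DB_USER")
    return findings


# Constructed sample configs. The first reuses the root:mysql pair from the box;
# the second uses an invented per-site account and a generated password.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 'mysql');
define('DB_HOST', 'localhost');
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp_weblog');               /* least-privilege account for this site only */
define('DB_PASSWORD', 'Qv7!kd2P#rLm9xTzWb');  /* generated, not reused anywhere */
define('DB_HOST', 'localhost');
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["ok"])
```

The check only covers what the file says; it cannot tell you that the file itself is readable by more than the web server user, which is a separate permission check worth running on the same host.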

We use these to log in to the FTP server.
I got in with the username stinky and password wedgie57. I later realised that in the web directory /webnotes/, the index.html contains shell output which gives away the username stinky.

I navigated to files and then into the nested ssh directories; there are seven of them, and once you get to the seventh you will see a file called key.txt. I then use the FTP command "get key.txt" to download what I presume is an SSH key.

[image: ftp]

I then change the key file's permissions so that the OpenSSH client will allow me to use it (it refuses private keys that are readable by other users).

[image: keyy]

Next I SSH into the stinky account using the RSA key.

[image: sshlogin]

And we're in!

I take a look at stinky's files and find the 3rd flag in his Desktop directory...? I missed one??? Hm. I continue on anyway.

[image: flag3]

In stinky's Documents directory I find a file called derpissues.pcap, a packet capture!

I download the packet capture and begin sifting through the packets using Wireshark. I analyze all the HTTP packets until I come across one containing credentials for mrderp; the login went over plain HTTP, so the form fields are readable in the capture.

[image: wireshark-1]
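What Wireshark shows here is a monitoring problem as much as an attacker's opportunity: a login form posted over HTTP leaves the password in every copy of the traffic. The following added example, not code from this write-up, runs that check over a followed TCP stream. The request text is constructed; the field names, the path and the password are invented and are not the contents of derpissues.pcap. It flags urlencoded form fields whose names look like secrets and HTTP Basic Authorization headers, and masks the values so the finding can be logged without copying the secret again.

```python
"""Spot credentials submitted over plain HTTP in a followed TCP stream.

Added example, not code from the write-up. The request below is constructed
to look like the kind of login POST that Wireshark's "Follow TCP Stream"
reveals; the field names and password are invented and are not the ones in
derpissues.pcap. Because the form went over HTTP rather than HTTPS, the
body is readable by anyone holding the capture.
"""
import base64
import re
from urllib.parse import parse_qs

# Form field names that usually carry a secret.
SENSITIVE_FIELD = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def parse_http_request(stream: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = stream.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(stream: str) -> list:
    """Return [(source, value)] for every secret visible in the request.

    Looks at both urlencoded form fields and an HTTP Basic Authorization
    header, the two places a login over plain HTTP normally exposes a password.
    """
    method, _path, headers, body = parse_http_request(stream)
    hits = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
            hits.append(("Authorization: Basic", decoded))
        except ValueError:  # binascii.Error is a ValueError; skip malformed headers
            pass
    content_type = headers.get("content-type", "")
    if method == "POST" and "application/x-www-form-urlencoded" in content_type:
        for name, values in parse_qs(body, keep_blank_values=True).items():
            if SENSITIVE_FIELD.search(name):
                hits.extend((name, v) for v in values)
    return hits


def redact(hits: list) -> list:
    """Mask secret values before they go into an alert or a report."""
    return [(src, value[:1] + "*" * (len(value) - 1)) for src, value in hits]


# Constructed sample: a followed stream of a plain-HTTP form login.
SAMPLE_BODY = "username=mrderp&password=hunter2%21&submit=Log+In"
SAMPLE_STREAM = (
    "POST /weblog/wp-login.php HTTP/1.1\r\n"
    "Host: derpnstink.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

# Constructed sample: the same secret leaking through HTTP Basic auth instead.
SAMPLE_BASIC_STREAM = (
    "GET /protected/ HTTP/1.1\r\n"
    "Host: derpnstink.local\r\n"
    "Authorization: Basic " + base64.b64encode(b"mrderp:hunter2!").decode() + "\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for stream in (SAMPLE_STREAM, SAMPLE_BASIC_STREAM):
        for source, masked in redact(find_cleartext_credentials(stream)):
            print(f"cleartext secret in {source}: {masked}")
```

In practice the stream text comes from Wireshark's Follow TCP Stream or from tshark, and the same parser can be pointed at a proxy log; the fix on the server side is to serve the login page only over HTTPS, at which point the body is opaque to anyone holding the capture.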

Next I try these credentials in the shell.

[image: derp]

Skadoosh! Now we are mrderp, let's snoop around!

In mrderp's Desktop directory I found a file called helpdesk.log. I read the contents and found a Pastebin link. I navigated to it and it contained sudoers configuration options.

[image: pbin]

They used an asterisk, which allows us to sudo any file whose name starts with derpy in the /home/mrderp/binaries/ directory. Since that directory sits inside mrderp's own home, we decide what goes in it.

I create the binaries directory and write a small bash script there that spawns a shell.

[image: shroot]

Next I run "chmod 777 derpy.sh && sudo ./derpy.sh"

[image: rooted]
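The root step above rests on a sudoers rule that lets the user choose which binary runs as root: a wildcard in the command path, inside a directory the user can write to. The following is an added example, not code from this write-up or from sudo, that parses sudoers command rules and flags both conditions. The write-up does not quote the Pastebin verbatim, so the weak line is a reconstruction consistent with its description (derpy followed by an asterisk under /home/mrderp/binaries/) and the hardened line is one reasonable replacement; both are assumptions.

```python
"""Lint sudoers command rules for the wildcard/writable-path mistake.

Added example, not code from the write-up or from sudo. The weak rule below
is a reconstruction of the one described in the write-up (assumption: the
Pastebin is not quoted verbatim there) and the hardened rule is one
reasonable replacement (also an assumption).
"""
import re

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC:, ...
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")
GLOB_CHARS = "*?["
# Directories an unprivileged user can normally write to, so a binary there is
# under the user's control rather than the administrator's.
USER_WRITABLE = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_sudoers(text: str) -> list:
    """Return one {'user','host','runas','tags','command'} dict per command spec."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            spec, tags = spec.strip(), []
            while True:  # peel leading tags such as "NOPASSWD:" off the command
                t = TAG_RE.match(spec)
                if not t:
                    break
                tags.append(t.group("tag"))
                spec = spec[t.end():]
            rules.append({"user": m.group("user"), "host": m.group("host"),
                          "runas": m.group("runas"), "tags": tags, "command": spec})
    return rules


def audit_sudoers(text: str) -> list:
    """Return (user, command, problem) for rules that let the user pick the binary."""
    findings = []
    for r in parse_sudoers(text):
        if r["user"] == "root":  # root granting itself ALL is the normal baseline
            continue
        cmd = r["command"]
        path = cmd.split()[0] if cmd else ""
        if path == "ALL":
            findings.append((r["user"], cmd, "ALL: unrestricted root"))
            continue
        if any(c in path for c in GLOB_CHARS):
            findings.append((r["user"], cmd,
                             "wildcard in command path: any matching file runs as root"))
        if path.startswith(USER_WRITABLE):
            findings.append((r["user"], cmd, "command lives in a user-writable directory"))
    return findings


# Reconstructed weak rule (assumption, see the module docstring).
WEAK_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL:ALL) NOPASSWD: /home/mrderp/binaries/derpy*
"""

# One hardened form (assumption): a fixed, root-owned binary outside the user's
# home, so mrderp can run it but cannot replace what it does.
HARDENED_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL:ALL) NOPASSWD: /usr/local/sbin/derpy
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(label, audit_sudoers(text) or ["ok"])
```

sudo expands wildcards in the command path with shell-style matching, so derpy* matches derpy.sh or anything else the user cares to create; visudo -c only validates syntax and will happily accept such a rule, which is why a check like this belongs in configuration review.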

Now we have root and find flag4 in /root/Desktop/flag.txt. But what about flag2?? I never found it... Well, a little bit of bash magic can find it for us.

[image: flag2find]

We find two files containing the string "flag2("; next we grep their contents.

[image: flag2]

The long-lost 2nd flag! I enjoyed this CTF; it shows some realistic issues found in the real world, like default passwords. This is a great VM for people just getting started with CTFs.

Thanks to the creator @securekomodo on Twitter for this entertaining CTF.