ipaddress: 192.168.110.11

### Information gathering

Open ports:

```
Discovered open port 80/tcp on 192.168.110.11
Discovered open port 21/tcp on 192.168.110.11
Discovered open port 22/tcp on 192.168.110.11
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611050320634-2a0da1e3-cf4d-46a0-bac2-44b57540ecf2.png)

Viewing the website on port 80, we can find [http://192.168.110.11/robots.txt](http://192.168.110.11/robots.txt):

```
User-agent: *
Disallow: /php/
Disallow: /temporary/
```

Using dirbuster and wfuzz, we can find [http://192.168.110.11//weblog/](http://192.168.110.11//weblog/):

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611050721118-7705f6b7-d20f-4db6-af74-1612f14f9704.png)

```
wpscan --url http://192.168.110.11//weblog/ -e u
```

This finds the users:

```
unclestinky
admin
```

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611051161416-5efc15bf-2825-4893-bae8-e9505ae5b5c0.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611051332447-cc8c3b22-b91a-43de-80f8-245efb4bdb7a.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611051918536-8b05d364-6563-4f1f-bb73-e74d2ec1dd88.png)
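The enumeration sequence above (robots.txt read, dirbuster/wfuzz directory brute force, wpscan user enumeration) and the wp-admin login and plugin upload that follow in the foothold section all leave traces in the web server's access log. The script below is an added detection example, not part of the original walkthrough: it assumes the Apache combined log format, the log lines are constructed, and the 404 threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields the detections need are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None      # None for lines that are not combined-format

def analyze(lines, brute_force_404s=20):
    """Per client IP, flag each stage of the WordPress attack chain seen in the log."""
    state = defaultdict(lambda: {"404s": 0, "robots": False, "authors": set(),
                                 "login_ok": False, "upload": False})
    for rec in filter(None, map(parse_line, lines)):
        s, path, status = state[rec["ip"]], rec["path"], rec["status"]
        if path == "/robots.txt": s["robots"] = True
        if status == "404": s["404s"] += 1       # directory brute force leaves a 404 storm
        m = AUTHOR_RE.search(path)
        if m:                                    # ?author=N probing (what wpscan -e u does)
            s["authors"].add(m.group(1))
        if rec["method"] == "POST" and path.endswith("/wp-login.php") and status == "302":
            s["login_ok"] = True                 # WordPress redirects on success, 200 on failure
        if rec["method"] == "POST" and "slideshow" in path and s["login_ok"]:
            s["upload"] = True                   # post-login write to the slideshow plugin page
    findings = {}
    for ip, s in state.items():
        flags = []
        if s["robots"]: flags.append("robots.txt read")
        if s["404s"] >= brute_force_404s: flags.append(f"dir brute force ({s['404s']} 404s)")
        if len(s["authors"]) >= 2: flags.append("user enumeration")
        if s["login_ok"]: flags.append("wp-admin login")
        if s["upload"]: flags.append("plugin upload after login")
        if flags: findings[ip] = flags
    return findings

def _line(ip, method, path, status):
    return f'{ip} - - [19/Jan/2021:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log (not from the original page): one attacker IP, one normal visitor.
SAMPLE_LOG = (
    [_line("10.0.0.5", "GET", "/robots.txt", 200)]
    + [_line("10.0.0.5", "GET", f"/dir{i}/", 404) for i in range(25)]           # dirbuster
    + [_line("10.0.0.5", "GET", f"/weblog/?author={i}", 301) for i in (1, 2)]    # wpscan -e u
    + [_line("10.0.0.5", "POST", "/weblog/wp-login.php", 302),
       _line("10.0.0.5", "POST", "/weblog/wp-admin/admin.php?page=slideshow-slides", 302),
       _line("10.0.0.9", "GET", "/weblog/", 200)])
```

Calling `analyze(SAMPLE_LOG)` returns the flagged stages per client IP; the normal visitor 10.0.0.9 produces no findings, while 10.0.0.5 trips every stage of the chain.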
![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611051981871-62006351-5bde-464d-8a12-aafe56ff805f.png)

gedit /etc/hosts -> add 192.168.110.11 [derpnstink.local](http://derpnstink.local/weblog/wp-content/uploads/slideshow-gallery/)

### Establish a foothold

View [http://derpnstink.local/weblog/wp-admin](http://derpnstink.local/weblog/wp-admin/admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved), log in with admin admin and get a reverse shell -> wp-config.php can then be read, which gives the MySQL credentials: root mysql

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611110396894-29a51363-2053-4361-b6f4-eed827f6dd77.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611115861646-8b0976af-13bb-4033-b81d-5d4114892a2f.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611115842612-be48f93c-d8ba-4001-aee7-83c173fc5b04.png)

username: stinky, pwd: wedgie57

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611115948015-c77c4285-11fe-456c-b2a0-334b3ea63fb7.png)

### Privilege Escalation
![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611115987793-f91f56db-604a-4d57-ae31-f3bb69d566de.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611116175925-a5495215-0553-4a9e-a737-458049619dcf.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611116303079-1ee3e9f7-1356-4d85-81fd-f0aef2d15b01.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611116803406-99288ea6-a93b-46c7-82f7-9360138b0514.png)

mrderp derpderpderpderpderpderpderp

Log in with it:

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611122567151-baf33fe8-aea8-4c1e-800f-bc222e76bacc.png)

![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611122658168-7f627ef0-e75c-486d-b5f8-9e37e787e978.png)

Okay~ we get root!
![image.png](https://cdn.nlark.com/yuque/0/2021/png/10362401/1611122772088-1139fca0-c3ee-4fa5-9873-f3e5cb78b9e4.png)