Vulnhub - GANANA: 1
Introduction
This is a fairly simple machine, rated easy to intermediate. There is only one flag to capture, root.txt.
This is Ganana: 1 from vulnhub.
Ports
We have three open ports, and SSH is closed:
- 22/tcp closed ssh
- 80/tcp open http
- 443/tcp open https
- 6777/tcp open ntz-tracker
Although this says 6777 is ‘ntz-tracker’, a detailed service scan reveals it is actually FTP:
6777/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
FTP
It contains one file:
Hey Welcome to the ORG!!! Hope you have a wonderfull experence working with US!!!
Not helpful.
HTTP/HTTPS
The HTTP and HTTPS versions of the site appear to be the same, so I’ll use them interchangeably. There isn’t much on the front page, but robots.txt has:
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
And the favicon.ico redirects to http://ganana/wp-includes/images/w-logo-blue-white-bg.png, so we appear to have WordPress.
wpscan
root@kali:/opt/vulnhub/ganana# wpscan -e --url http://ganana
This doesn’t give us much: no users, plugins or themes. I don’t try aggressive methods.
Gobuster
Gobuster with a basic wordlist finds lots of things:
root@kali:/opt/vulnhub/ganana# gobuster dir -u http://ganana -w /usr/share/seclists/Discovery/Web-Content/common.txt
Among the results are phpmyadmin (we’ll get to that later) and tasks. There is also a /secret, which holds the WordPress login. Trying admin:admin prompts the message:
ERROR: I hate bruteforce
2 attempt(s) left
Yikes! Better not bruteforce.
Tasks
At https://ganana/tasks we find a note:
hey Jarret Lee!
Do manage the office as the admin is away for a few weeks!
Admin has created an other temp account for you and details in a pcapng file.
So we had better find this file. It only takes a few moments, and we can download it.
I open it with Wireshark and look through. Eventually I find the gold, a plaintext WordPress login POST:
log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK
What can we do with this? Log in to WordPress!
WP
Jarret is not an admin :(
He does have a post though, which is called Keep dis SECRET!!!!
QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE
This decodes to:
@lways-@-Sup3r-Secur3-p@SSw0Rd!!
What can we do with this? Try admin again at /secret? Nope - one try left!
phpMyAdmin
We can log in to phpMyAdmin as jarretlee with @lways-@-Sup3r-Secur3-p@SSw0Rd!!. Once we’re in, we find there is only one other WordPress user: charleywalker. I have a quick bash at cracking his hash, but it doesn’t work. So I just change it to the same as Jarret’s and go back to WordPress.
Charley
Charley is a WordPress admin. It turns out there are several plugins making things harder:
Loginizer: Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed.
Stop User Enumeration: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
WPS Hide Login: Protect your website by changing the login URL and preventing access to wp-login.php page and wp-admin directory while not logged-in
Ah well, since Charley likes plugins so much, we will add one of our own to get a reverse shell, bwahaha! This works, and we’re on.
Shell
We get a shell as daemon to start with:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
But we can su to jarretlee with the ‘no bruteforce’ password we retrieved earlier. Once there, we find he has a file called .backups, which is base64 encoded. It contains a shadow-style hash:
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::
We can throw this at John and crack it.
Jeevan
Now we can su to jeevan. Jeevan doesn’t have a home directory, but he is a member of the docker group, so that’s our privesc.
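Membership of the docker group is what turns jeevan into root here, so it is exactly the kind of thing a defender should audit. The following Python is an added example, not code from the original writeup: it parses constructed /etc/group and /etc/passwd samples (the `builder` user is invented) and reports non-root users who gain root-equivalent access through either supplementary membership or their primary gid, a case `grep docker /etc/group` alone would miss.

```python
# Constructed sample /etc/group; jeevan is a supplementary member of docker.
SAMPLE_GROUP = """\
root:x:0:
daemon:x:1:
sudo:x:27:
docker:x:999:jeevan
jarretlee:x:1001:
jeevan:x:1002:
"""

# Constructed sample /etc/passwd; "builder" (invented) has docker as primary gid,
# so it never appears in the member field of /etc/group.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jarretlee:x:1001:1001::/home/jarretlee:/bin/bash
jeevan:x:1002:1002::/nonexistent:/bin/bash
builder:x:1003:999::/var/lib/builder:/bin/bash
"""

# Groups whose members can typically escalate to root on a stock Linux host.
ROOT_EQUIVALENT_GROUPS = {"docker", "sudo", "wheel", "lxd", "disk"}


def parse_group(text):
    """Map group name -> (gid, set of supplementary members)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def parse_passwd(text):
    """Map user name -> primary gid."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[3])
    return users


def root_equivalent_members(group_text, passwd_text, watch=ROOT_EQUIVALENT_GROUPS):
    """Return {group: sorted non-root users} for watched groups that have members."""
    groups, users = parse_group(group_text), parse_passwd(passwd_text)
    findings = {}
    for gname in sorted(watch):
        if gname not in groups:
            continue
        gid, members = groups[gname]
        members = set(members) | {u for u, pg in users.items() if pg == gid}
        members.discard("root")
        if members:
            findings[gname] = sorted(members)
    return findings
```

On a live host, feed it `open("/etc/group").read()` and `open("/etc/passwd").read()`; any user listed under docker should be treated as root.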
Rooted, and I didn’t even use linpeas. So yes, not complicated, but there are a few steps involved and I quite liked this one. Thumbs up Jeevana Chandra.