Vulnhub - GANANA: 1
This is a fairly simple machine, rated easy to intermediate. There is only one flag to capture, root.txt.
This is Ganana: 1 from vulnhub.
We have three open ports, and SSH is closed:
- 22/tcp closed ssh
- 80/tcp open http
- 443/tcp open https
- 6777/tcp open ntz-tracker
Although this says 6777 is ‘ntz-tracker’, a detailed scan reveals it is actually FTP:
6777/tcp open ftp vsftpd 3.0.3 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
It contains one file:
Hey Welcome to the ORG!!! Hope you have a wonderfull experence working with US!!!
The HTTP and HTTPS versions of the site appear to be the same, so I’ll use them interchangeably. There isn’t much on the front page, but robots.txt has:
And the favicon.ico redirects to http://ganana/wp-includes/images/w-logo-blue-white-bg.png so we appear to have wordpress.
root@kali:/opt/vulnhub/ganana# wpscan -e --url http://ganana
This doesn’t give us much - no users, plugins, themes. I don’t try aggressive methods.
Gobuster with a basic wordlist finds lots of things:
root@kali:/opt/vulnhub/ganana# gobuster dir -u http://ganana -w /usr/share/seclists/Discovery/Web-Content/common.txt
There are some others too, including phpmyadmin (we’ll get to that later) and tasks. There is a /secret, which has the wordpress login. Trying admin:admin prompts the message:
ERROR: I hate bruteforce
2 attempt(s) left
Yikes! Better not bruteforce.
At https://ganana/tasks we find a note:
hey Jarret Lee!
Do manage the office as the admin is away for a few weeks!
Admin has created an other temp account for you and details in a pcapng file.
So we had better find this file. It only takes a few moments, and we can download it:
I open it with wireshark and look through. Eventually I find the gold:
log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1HTTP/1.1 200 OK
What can we do with this? Login to wordpress!
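As an added example (not from this write-up), here is a small Python check a defender could run over decoded HTTP requests exported from a capture like this one: it flags any WordPress login form sent in clear text and masks the password, so the finding is "this site takes logins over plain HTTP", not the credential itself. The sample requests are constructed; the first copies the POST above, with the response text that Wireshark shows fused onto it left out.

```python
from urllib.parse import parse_qs

# Constructed sample: decoded HTTP requests (request line, headers, blank
# line, body) as exported from a capture. The first mirrors the POST found in
# the write-up's pcapng; the second is made up to show a non-login request.
SAMPLE_REQUESTS = [
    "POST /secret HTTP/1.1\r\n"
    "Host: 192.168.3.109\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__"
    "&redirect_to=http%3A%2F%2F192.168.3.109%2Fwp-admin%2F&testcookie=1",
    "POST /contact HTTP/1.1\r\n"
    "Host: 192.168.3.109\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=visitor&message=hello",
]

# wp-login.php posts the username as 'log' and the password as 'pwd'. WPS Hide
# Login only moves the URL (here /secret); the field names on the wire stay.
WP_LOGIN_FIELDS = {"log", "pwd"}


def parse_request(raw):
    # Split one raw HTTP request into (method, path, headers, body).
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_plaintext_wp_logins(raw_requests):
    """Return one masked finding per WordPress login form sent in clear text."""
    findings = []
    for raw in raw_requests:
        method, path, headers, body = parse_request(raw)
        if method != "POST":
            continue
        form = parse_qs(body, keep_blank_values=True)
        if not WP_LOGIN_FIELDS.issubset(form):
            continue
        findings.append({
            "host": headers.get("host", "?"),
            "path": path,
            "user": form["log"][0],
            # keep the secret out of the report; record only its length
            "password": "*" * len(form["pwd"][0]),
        })
    return findings
```

Because the match is on the form field names rather than the URL, hiding the login page behind /secret does not hide the login from this check.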
Jarret is not an admin :(
He does have a post though, which is called Keep dis SECRET!!!!
This decodes to:
What can we do with this? Try admin again at /secret? Nope - one try left!
We can login to phpMyAdmin as jarretlee with @lways-@-Sup3r-Secur3-p@SSw0Rd!!. Once we’re there we can find there is only one other wordpress user - charleywalker. I have a quick bash at cracking his hash, but it doesn’t work. So I just change it to the same as Jarret’s and go back to wordpress.
Charley is a wordpress admin. It turns out we have several plugins making things harder:
Loginizer: Loginizer is a WordPress plugin which helps you fight against bruteforce attack by blocking login for the IP after it reaches maximum retries allowed.
Stop User Enumeration: User enumeration is a technique used by hackers to get your login name if you are using permalinks. This plugin stops that.
WPS Hide Login: Protect your website by changing the login URL and preventing access to wp-login.php page and wp-admin directory while not logged-in
Ah well, since Charley likes plugins so much, we will add one of our own to get a reverse shell, bwahaha! This works, and we’re on.
We get a shell as daemon to start with:
uid=1(daemon) gid=1(daemon) groups=1(daemon)
But we can su jarretlee with his ‘no bruteforce’ password we retrieved earlier. Once we get there, he has a file called .backups, which is base64 encoded. This contains a hash:
We can throw this at John and crack it:
Now we can su jeevan. Jeevan doesn’t have a home directory, but he is a member of the docker group, so that’s our privesc: a member of the docker group can start a container that mounts the host filesystem, which is as good as root.
Rooted, and I didn’t even use linpeas. So yes, not complicated, but a few steps involved, and I quite liked this one. Thumbs up Jeevana Chandra.