Hi all, I really enjoyed pwning this VM! :)
You can find the machine here: Ganana
As always, let’s start with nmap.
Let’s check FTP first, since anonymous login is allowed.
Useless. Let’s check HTTP now; we can see that a WordPress site is running there:
Let’s run wpscan on it.
WOW, that means we can’t enumerate users, let’s test it out.
We also can’t visit the admin panel: visiting /wp-admin redirects us to /404. Crazy. Let’s run gobuster for further enumeration.
Here we go, the interesting stuff:
The most important thing here is /tasks; when we visit it we can see:
And we can find the .pcapng file as
Analyzing pcapng file with wireshark
.pcapng -> packet capture file
wireshark -> a network protocol analyzer
Follow my steps :
Now we can apply filters. Because we want to search for plaintext credentials in HTTP traffic, we will apply this filter:
All the credentials :
wordpress/phpmyadmin exploitation -> shell as www-data
After some tries only the
When we log in to the panel we can see this post:
Let’s decode it :
I got stuck here for a lot of minutes... because I totally forgot about phpmyadmin haha silly me :D
phpmyadmin -> for administration of MySQL over the web
We can log in with
Of course we will focus on the wp_users table:
Here we will do a little trick: user charleywalker is probably the admin, so let’s change his password. Follow my steps:
We’re in as charleywalker:pwned. Let’s spawn a reverse shell. Follow my steps:
You can execute the shell now under :
We can privesc to jarretlee really easily:
jarretlee -> jeevan
Under his directory we can see this hidden file :
Let’s decode it.
Seems like a copy of /etc/shadow; let’s crack it with john.
jeevan -> root
Now privesc to root is really easy. If we check groups:
jeevan is in the docker group. If a user is a member of the docker group, we can run this and take a root shell:
Let’s grab the flag.
Lot of fun, we need more VMs like this one! :D
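The last step works because membership of the docker group is equivalent to root on the host. As an added example (not part of the original write-up), this Python audit lists every account holding such membership, including accounts whose primary group is docker, which the member list in /etc/group does not show. The sample data is constructed, and the extra groups lxd and disk and the account builder are assumptions.

```python
# Added example: audit who holds root-equivalent group membership.
# "docker" is the group from this write-up; "lxd" and "disk" are assumptions
# added here because they grant comparable host-level access.
ROOT_EQUIVALENT = {"docker", "lxd", "disk"}

# Constructed sample data in /etc/passwd and /etc/group format.
# "builder" is a hypothetical account whose *primary* group is docker.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jarretlee:x:1000:1000::/home/jarretlee:/bin/bash
jeevan:x:1001:1001::/home/jeevan:/bin/bash
builder:x:1002:998::/home/builder:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
jarretlee:x:1000:
jeevan:x:1001:
docker:x:998:jeevan
"""


def rows(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.strip() and not line.startswith("#") and len(fields) >= min_fields:
            yield fields


def root_equivalent_members(passwd_text, group_text, risky=ROOT_EQUIVALENT):
    """Map each non-root user to the risky groups they belong to."""
    findings, risky_gids = {}, {}
    for name, _pw, gid, members in (r[:4] for r in rows(group_text, 4)):
        if name in risky:
            risky_gids[gid] = name
            # Supplementary membership: listed in the group's member field.
            for user in filter(None, members.split(",")):
                findings.setdefault(user, set()).add(name)
    for rec in rows(passwd_text, 7):
        # Primary membership: only visible as the gid field in passwd.
        if rec[3] in risky_gids:
            findings.setdefault(rec[0], set()).add(risky_gids[rec[3]])
    findings.pop("root", None)
    return {user: sorted(groups) for user, groups in sorted(findings.items())}


if __name__ == "__main__":
    for user, groups in root_equivalent_members(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{user}: member of {', '.join(groups)} (treat as root)")
```

On a real host, pass the contents of /etc/passwd and /etc/group instead of the samples.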