Hi guys! In this article, I am going to show you how to solve the machine named Ganana on the VulnHub platform. Ganana is an easy-to-intermediate machine that has only a root flag. The first step is fuzzing directories to find a secret directory that gives us a hint. With the hint in hand, the second step is finding a pcap file and, in it, the correct credentials for the WordPress login page. Next, FTP enumeration gives us the MySQL username and password, which is a step toward further WordPress login credentials. Through WordPress we get the first shell on the machine, which is the starting point for going further. With the initial shell, we switch to user jarretlee and find a hidden file that contains a second user's password. After decoding the file and becoming the second user, Docker is the way to get the root flag.
We start with nmap to see the open ports and running services. Port 80 is open and WordPress is running on it; the second open port is 443, which is SSL; and the third open port is 6777, which is FTP.
After checking the web page for hints or anything interesting, we found nothing, so as the next step we do directory fuzzing.
Many directories are found, but only one of them is useful to us: the ‘tasks’ directory. When we visit that directory, we see a hint.
The hint says that there is a pcapng file that contains an account’s credentials. We guess the name of the file to be “jarret.pcapng” and download it. After downloading it, we open the file with Wireshark to analyze it.
After some analysis we found the credentials for user jarretlee. Then we log in to WordPress as jarretlee.
As you can see in the image, there is a draft that contains a base64 string. When we decode it with the ‘echo -n "base64code" | base64 -d’ command, we see the result shown in the image below.
It looks like a password, but it didn’t work anywhere. We were stuck at this point, so we enumerate FTP and retrieve the WordPress config file.
In the config file, we find the MySQL credentials: “bn_wordpress:aa75e9fb1”.
When we log in to MySQL, we see that there is another user, but it has a different password. Since we know user jarretlee’s password, in this step we replace the other user’s password hash with jarretlee’s password hash.
Now we can use jarretlee’s password for user charleywalker. We then log in to WordPress as charleywalker and edit index.php to get a reverse shell.
After getting a shell, we switch to user jarretlee and do some recon. We then find a hidden file named “.backup”.
We check the file type with the “file .backups” command and decode the content of the file with the ‘echo "base64string" | base64 -d’ command.
As you can see in the image above, it is user jeevan’s password hash. In this step we crack the hash with john, using the “john jeevan.hash --wordlist=rockyou.txt” command.
We get user jeevan’s password, “hannahmontana”, so now we can switch user. After logging in as jeevan, we realize that this user runs Docker. We can view the images with the “docker images” command.
There is an image named ‘bash’, and it is the largest one. We can start a container from this image with the host’s root directory mounted inside it and see what is there. To do this, we run the “docker run -v /:/mnt/flag -it imageid” command. And then we can get the flag!
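The last step works because a user who can run Docker can bind-mount the host's root directory into a container. The audit below is an added example, not part of the original write-up: it lists who has Docker access and flags containers with host-root style mounts. The sample group, passwd and `docker inspect` data, the container name and the `SENSITIVE_SOURCES` list are constructed assumptions.

```python
import json

# Host paths that expose the host when bind-mounted (list assumed for this example).
SENSITIVE_SOURCES = ("/", "/etc", "/root", "/var/run/docker.sock")

def docker_group_members(group_text, passwd_text):
    """Users who can reach the Docker daemon through the 'docker' group."""
    members, gid = set(), None
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] == "docker":
            gid = parts[2]
            members.update(u for u in parts[3].split(",") if u)
    # A user whose primary group is docker is not listed in /etc/group.
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if gid is not None and len(parts) >= 4 and parts[3] == gid:
            members.add(parts[0])
    return sorted(members)

def risky_containers(inspect_json):
    """Flag `docker inspect` entries that are privileged or bind-mount sensitive host paths."""
    findings = []
    for c in json.loads(inspect_json):
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            src = m.get("Source", "").rstrip("/") or "/"
            if m.get("Type") == "bind" and src in SENSITIVE_SOURCES:
                mode = "rw" if m.get("RW") else "ro"
                reasons.append(f"bind {src} -> {m.get('Destination')} ({mode})")
        if reasons:
            findings.append((c.get("Name", "?").lstrip("/"), reasons))
    return findings

# Constructed sample data (not taken from the Ganana machine).
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:jeevan\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "svc:x:1005:998::/home/svc:/bin/sh\n"
                 "jeevan:x:1001:1001::/home/jeevan:/bin/bash\n")
SAMPLE_INSPECT = json.dumps([
    {"Name": "/flagbox", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/mnt/flag", "RW": True}]},
    {"Name": "/web", "HostConfig": {"Privileged": False}, "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/w/_data",
         "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    print(docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD))
    print(risky_containers(SAMPLE_INSPECT))
```

On a real host the inputs would be the contents of /etc/group and /etc/passwd and the output of `docker inspect` for the running containers.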