Ganana:1 Vulnhub Walkthrough

Updated: Jul 1

In this article we are going to solve another boot2root box, Ganana from Vulnhub. This is a beginner to intermediate level machine.


IP of the target :

As usual, I started with nmap to find the open ports and the services running on the system, using the command:

sudo nmap -sC -sV -Pn -p-

We have FTP on port 6777, which allows anonymous login. Let's see if I can get something useful there.

It doesn't seem to be very useful, so let's move on to enumerating port 80. On port 80 I found an image. I tried some common steganography tools but found nothing hidden in the image and no useful metadata. The next option is a directory bruteforce, and after trying a lot of extensions I found something useful with the extension .txt by using the command:

gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 80 -u -x txt

I noticed that this website is built with WordPress, so I tried wpscan but got nothing useful. On /secret we have the WordPress login panel, and on /tasks.txt we have some more information.

I started the directory bruteforce again to search for files with the extension .pcapng but got nothing. Then I started capturing packets with Wireshark, but that was not enough. At last I guessed the name of the file to be jarret.pcapng, and yes, it worked.

After downloading the file I opened it with Wireshark using the command wireshark jarret.pcapng

After a lot of packet searching, it came to my mind that, since we are after login details, I could try searching for a regular expression like GET /wp-admin/ or /wp-admin/. With this filter I found two packets, and after following that packet in the TCP stream I found the password to log in to WordPress.

Okay, we have the username jarretlee and the password *****

After logging in to WordPress I found a post with some encoded text in it.

After decoding the text, it looks like a password for something.

But where do we use this password? If we remember the directory bruteforce, we discovered one more useful application, /phpmyadmin. Let's try these creds:

username => jarretlee

password => @lways-@-*************

I found a number of databases, but bitnami_wordpress looks interesting, so let's check the names of the tables this database has. I found two users in wp_users with their password hashes. As you can see, I have changed the hash of user charleywalker to the hash of user jarretlee. Since we know the password of user jarretlee, we now also know the password of user charleywalker :)

Let's try logging in to WordPress using the creds:

username => charleywalker

password => same as user jarretlee

We are in as user charleywalker, and I think this user can perform all operations. By editing the 404.php file of the twentytwenty theme I got a reverse shell (not showing all the steps because we have done this many times).

Okay, I am in as user daemon. Right after getting the shell I checked the home directory and found one user, jarretlee.

The daemon user can't read the .backups file. By using the password ***, I am now in as user jarretlee.

After reading the .backups file I found some encoded text (probably base64), and after decoding it I found the hash of another user.

After cracking the hash with john, I found the password of user jeevan, so without wasting time I logged in as user jeevan.

Umm, docker. I like docker for privilege escalation, and by just using the GTFOBins trick to get root using docker, I am in as user root and can read the final flag.
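That last step works whenever a user can talk to the Docker daemon, which runs as root, so membership in the docker group is effectively root access. The audit below is an added example, not part of the original walkthrough: it lists such accounts from /etc/group and /etc/passwd content. The sample entries are constructed, and jeevan being in a group named docker is an assumption, as are the ci-runner and builder accounts.

```python
"""Added example: list accounts that are root-equivalent via the docker group."""

# Constructed sample data in /etc/group and /etc/passwd format (not from the target).
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:admin1
docker:x:998:jeevan,ci-runner
www:x:33:
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jeevan:x:1001:1001::/home/jeevan:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/usr/sbin/nologin
builder:x:1003:998::/home/builder:/bin/bash
jarretlee:x:1000:1000::/home/jarretlee:/bin/bash
"""


def _rows(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def docker_group_members(group_text, passwd_text, group_name="docker"):
    """Return {user: how} for non-root users in the group (supplementary or primary)."""
    gid, found = None, {}
    for name, _pw, g, members in (r[:4] for r in _rows(group_text, 4)):
        if name == group_name:
            gid = g
            for user in filter(None, (m.strip() for m in members.split(","))):
                found[user] = "supplementary"
    if gid is None:
        return {}  # no such group on this host
    # Users whose primary GID is the docker GID do not appear in the member list.
    for fields in _rows(passwd_text, 7):
        if fields[3] == gid:
            found.setdefault(fields[0], "primary")
    found.pop("root", None)
    return found


if __name__ == "__main__":
    for user, how in sorted(docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD).items()):
        print(f"{user}: {how} member of docker (root-equivalent)")
```

On a real host, pass in the contents of /etc/group and /etc/passwd and treat every account it reports as one that needs the same protection as root.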

And this completes the challenge. Don't forget to say BOOOM!! when you get root access, because you can't read the flag without saying BOOOM!!


© 2020 by HacLabs.