Updated: Jul 1
In this article we are going to solve another boot2root box, Ganana from VulnHub. This is a beginner to intermediate level machine.
IP of the target: 192.168.43.90
As usual I started with nmap to find open ports and the services running on the system, using the command
sudo nmap -sC -sV -Pn -p- 192.168.43.90
We have FTP on port 6777, which allows anonymous login. Let's see if I can get something useful there.
It doesn't seem to be of much use, so let's try enumerating port 80. On port 80 I found an image; I tried some common steganography tools but found nothing hidden in the image and no useful metadata. The next option is directory bruteforce, and after trying a lot of extensions I found something useful with the .txt extension, using the command
gobuster dir -w /usr/share/wordlists/dirb/common.txt -t 80 -u http://192.168.43.90/ -x txt
I noticed that this website is built with WordPress and tried wpscan, but got nothing useful. On /secret we have the WordPress login panel, and on /tasks.txt we have some more information.
I ran directory bruteforce again to search for files with the .pcapng extension but got nothing. Then I started capturing packets with Wireshark, but that was not enough either. At last I guessed the file name to be jarret.pcapng, and yes, it worked: http://192.168.43.90/jarret.pcapng
After downloading the file I opened it in Wireshark using the command wireshark jarret.pcapng
After a lot of packet searching, it occurred to me that since we are looking for login details, I could search for a regular expression like GET /wp-admin/ or /wp-admin/. With this filter I found two packets, and after following one of them in the TCP stream I found the password to log in to WordPress.
Okay, we have the username jarretlee and the password *****
After logging into WordPress I found a post with some encoded text in it.
After decoding the text, it looks like a password for something.
But where to use this password? If we remember the directory bruteforce, we discovered one more useful application, /phpmyadmin. Let's try these creds:
username => jarretlee
password => @lways-@-*************
I found a number of databases, but bitnami_wordpress looks interesting. Let's check the tables this database has. I found two users in wp_users with their password hashes, and as you can see, I changed the hash of user charleywalker to the hash of user jarretlee; since we know the password of user jarretlee, we now also know the password for user charleywalker :)
Let's try logging into WordPress using these creds:
username => charleywalker
password => same as for user jarretlee
We are in as user charleywalker, and I think this user can perform all operations. By editing the 404.php file of the twentytwenty theme I got a reverse shell (not showing all the steps because we have done this many times).
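From the defender's side, every step of the web part of this chain leaves a trace in the web server's access log: a burst of 404s from the directory bruteforce, a POST to the WordPress login page, a POST to phpMyAdmin, and a POST to theme-editor.php when the theme file is modified. The following is an added example (not part of the original writeup) that runs simple detection rules over a constructed Apache combined-format log; the attacker IP, timestamps and sizes in the sample are made up.

```python
import re
from collections import Counter

# Apache combined log format: client, timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Admin surfaces used in the walkthrough (WordPress login, theme editor, phpMyAdmin);
# a POST to any of them from a client that was just spraying 404s is worth an alert.
SENSITIVE_POSTS = {"wp-login.php": "wordpress-login",
                   "theme-editor.php": "theme-file-edit",
                   "phpmyadmin": "phpmyadmin-access"}
NOT_FOUND_THRESHOLD = 3  # 404s from one client before we call it directory brute force

# Constructed sample log (attacker IP 192.168.43.5 and timestamps are made up, not from the post).
SAMPLE_LOG = """\
192.168.43.5 - - [01/Jul/2021:10:00:01 +0000] "GET /index.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
192.168.43.5 - - [01/Jul/2021:10:00:01 +0000] "GET /admin.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
192.168.43.5 - - [01/Jul/2021:10:00:02 +0000] "GET /tasks.txt HTTP/1.1" 200 412 "-" "gobuster/3.1.0"
192.168.43.5 - - [01/Jul/2021:10:00:02 +0000] "GET /backup.txt HTTP/1.1" 404 196 "-" "gobuster/3.1.0"
192.168.43.5 - - [01/Jul/2021:10:05:10 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.43.5 - - [01/Jul/2021:10:06:30 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 200 1521 "-" "Mozilla/5.0"
192.168.43.5 - - [01/Jul/2021:10:09:42 +0000] "POST /secret/wp-admin/theme-editor.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.168.43.77 - - [01/Jul/2021:10:10:00 +0000] "GET /secret/ HTTP/1.1" 200 7800 "-" "Mozilla/5.0"
"""


def analyse(log_text, threshold=NOT_FOUND_THRESHOLD):
    """Return a sorted list of (client_ip, finding) pairs for the given access log."""
    not_found = Counter()
    findings = set()
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if rec["method"] == "POST":
            for marker, name in SENSITIVE_POSTS.items():
                if marker in rec["path"]:
                    findings.add((rec["ip"], name))
    for ip, n in not_found.items():
        if n >= threshold:
            findings.add((ip, "dir-bruteforce"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG):
        print(f"{ip}: {finding}")
```

On a real server the 404 count should be taken over a short time window rather than the whole log, and the theme-editor rule is best paired with disabling the built-in file editor (DISALLOW_FILE_EDIT) so the alert fires on an attempt rather than a success.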
Okay, I am in as user daemon. Right after getting the shell I checked the home directory and found one user, jarretlee.
The daemon user can't read the .backups file, so using the password *** I switched to user jarretlee.
After reading the .backups file I found some encoded text (probably base64), and after decoding it I found the hash of another user.
After cracking the hash with john I found the password of user jeevan, so without wasting time I logged in as user jeevan.
Umm, docker. I like docker for privilege escalation, and by just using the GTFOBins trick to get root via docker, I am in as user root and can read the final flag.
And this completes the challenge. Don't forget to say BOOOM!! when you get root access, because you can't read the flag without saying BOOOM!!