
GANANA:1 Walkthrough

Jayshree Mishra

You can download the machine from here: https://download.vulnhub.com/ganana/GANANA.ova

After setting up the machine in VirtualBox, we can use an nmap scan to find the target IP:

Command: nmap -sn 192.168.1.1/24


Target: 192.168.1.6

Now that we have the IP address, we can use nmap to scan the target and discover any open ports and services:

Command: nmap -v -sT -sV -sC -A -p- 192.168.1.6

We have 2 ports [http, ftp] open and 2 ports [https, ssh] closed.

Let’s look at the http [80] port.

A simple image file is displayed in the browser. Let’s identify hidden files and folders on the target machine by using some brute-forcing techniques. We will run a Dirsearch scan for this purpose, as it brute-forces the target IP for known files and folders that could be available.

Command: dirsearch -u http://192.168.1.6

This shows that a phpMyAdmin page is running.

On the other hand, we also get a /secret page where WordPress is running.

Now we have to find credentials to log in.

In the dirb scan I got a page called /tasks, which gives us some information:

Command: dirb http://192.168.1.6

We got the username jarretlee, and the page says something about a pcapng file.

Let’s download the pcapng file and look at it in Wireshark.

In Wireshark we look at the HTTP stream, and after this I found the credentials:

username = jarretlee & password = NoBrUtEfOrCe_R3Qu1R3d_

I logged in to WordPress.

After logging in, I got a SECRET base64-encoded value.

When I decoded this I got: @lways-@-Sup3r-Secur3-p@SSw0Rd!!

I guess this is the password for phpMyAdmin.

Let’s try to log in.

Yehh … I logged in to phpMyAdmin.

Then I changed the hash of charlewalker and logged in to WordPress again with the charelywalker password.

After logging in, I tried to get a reverse shell through the editor page, and I got it.

I started a listener on my machine.

Yahhh.. we got the initial shell, and I also stabilized it:

python3 -c 'import pty; pty.spawn("/bin/bash")'

ctrl+z

stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'

stty raw -echo; fg

reset

ctrl+d

From these commands I got a stable shell.

PRIVILEGE ESCALATION

We have jarretlee’s credentials, so let’s switch to jarretlee.

In jarretlee /backup I got a base64-encoded value. Let’s decode it.

I found a username, jeevan, and their hash. Let’s crack the hash.

Yahhh… I got the password of jeevan.

Let’s switch to jeevan.

Escalate from user jeevan to user root:

Here we see docker is running,

so let’s try to get a root shell from docker.

For this I use GTFOBins.

Command: docker run -v /:/mnt --rm -it alpine chroot /mnt sh

After this command we got root privileges.
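From a defender's point of view, this step works because any account that can reach the Docker daemon can mount the host filesystem, which makes it root-equivalent. The audit helper below is an added example, not part of the original walkthrough; it assumes access is granted through the docker group (the walkthrough does not show how jeevan got it), and the function names and sample files are constructed.

```shell
#!/bin/sh
# Added example: list accounts that are effectively root because they can
# reach the Docker daemon through the "docker" group.
# File paths are parameters so the check can run against copies.

# docker_group_members GROUP_FILE PASSWD_FILE
# Prints one username per line: supplementary members of "docker" plus
# accounts whose primary GID is the docker GID. root itself is skipped.
docker_group_members() {
    group_file=$1
    passwd_file=$2
    line=$(grep '^docker:' "$group_file") || return 0   # no docker group
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    {
        # Field 4 of the group file: comma-separated supplementary members.
        printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
        # Field 4 of the passwd file: primary GID of each account.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | grep -v -e '^$' -e '^root$' | sort -u
}

# Constructed sample data (not copied from the target machine).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:jeevan,root
EOF
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
jeevan:x:1001:1001::/home/jeevan:/bin/bash
builder:x:1002:998::/home/builder:/bin/sh
EOF
    docker_group_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real host, run `docker_group_members /etc/group /etc/passwd` and treat every name it prints as an account with root on that machine.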

Yahhhh … we got the root.txt file.

Thanks for reading

Connect with me :

https://www.linkedin.com/in/jayshree-mishra-77366b306/

https://x.com/Jayshree2003