GANANA: 1 VulnHub CTF walkthrough part one

May 17, 2021 by LetsPen Test

This easy to intermediate VulnHub capture the flag (CTF) requires you to know some Linux commands and be able to run basic pentesting tools.

Please Note: For all of these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as the attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.

Summary

Steps required to solve this CTF:

  • Getting the target machine's IP address by running the Netdiscover utility
  • Scanning open ports with the Nmap scanner
  • Enumerating the HTTP service with the Dirb utility
  • Identifying WordPress vulnerabilities with WPScan
  • Enumerating the FTP service

The walkthrough

Step 1

The first step to start solving any CTF is to identify the target machine's IP address. Since we are running a virtual machine in the same network, we can identify the target machine's IP address by running the netdiscover command. The results from the netdiscover command can be seen in the following screenshot.

Command used: << netdiscover >>

In the above screenshot, we can see that we have identified the IP addresses of all the devices connected to our router; for privacy reasons, the MAC addresses of the other devices on the network have been hidden. The target machine's IP address that we will be working with throughout this challenge is 192.168.1.18. The attacker machine's IP address is 192.168.1.20.

Note: The target machine's IP address would be different in your case as it is being assigned by the DHCP.

Step 2

Let’s explore all the entry points into the target machine from which we can start identifying weaknesses in the system to gain root access. To do this, we will run a port scan on the target machine.

To do this, we have decided to run an "Nmap" scan, which is a very popular port scanning tool available in Kali Linux. The Nmap scan command and results can be seen in the following screenshot.

Command used: << nmap 192.168.1.18 -p- -sV >>

In the Nmap scan, we used the "-sV" switch for service and version detection and the "-p-" option for a full port scan, which tells Nmap to probe all 65,535 TCP ports on the target machine. By default, Nmap scans only the 1,000 most commonly used ports, so a service listening on a non-standard port is missed unless the full range is scanned. That is why a full port scan is worth the extra time during a pentest or a CTF.

From the result, we found four open ports on the target machine: 22 (SSH), 80 (HTTP), 443 (HTTPS) and 6777 (FTP). FTP on port 6777 rather than the standard port 21 is exactly the kind of service a default top-ports scan would have missed.

In the next step, we will start enumerating the target machine on HTTP port 80.

Step 3

Let’s start exploring port 80 to identify vulnerabilities through the web applications being hosted on the target machine. We opened the target machine's IP address on the browser.

As we can see above, only a simple image is displayed in the browser. Let’s identify hidden files and folders on the target machine by brute forcing. We will run a Dirb scan for this purpose: it requests each entry of a wordlist of common file and directory names from the target and reports the ones that exist. The Dirb scan can be seen in the following screenshot.

Command used: << dirb http://192.168.1.18 >>

The Dirb scan proved to be very useful as it provided a lot of files and directories on the target machine. The results seem interesting, so let’s open the identified files on the browser and try to find ways to get further privileges. We started with "phpMyAdmin," which can be seen below.

As we know, "phpMyAdmin" is used to manage the SQL database of the application via a web-based interface. The phpMyAdmin page was accessible, and we tried a lot of default usernames and passwords to log in from here, but none would work. So, let’s move on to another interesting file on the target machine IP.

There is a WordPress website running on the target machine and we can access the wp-admin login page on it. Here again, we tried various default usernames and password combinations, but all in vain. During the enumeration, we found a text file which can be seen below.

From the above message, we can make out that the user admin has created another temporary account, the details of which can be found in a "pcapng" file. As we did not yet have any access to the target machine, we took note of this information and moved on to other methods of gaining access.

Step 4

We found a wp-admin page on the target machine which means that there must be a WordPress application running on the target machine, so let’s use WPScan on the target machine IP to find any further details. The WPScan results can be seen in the following screenshot.

Command used: << wpscan --url http://192.168.1.18 >>

We were hoping to find a vulnerable plugin or theme that could be exploited further, but nothing very useful turned up. (Note that WPScan only reports known vulnerabilities for the versions it fingerprints when you supply a WPScan API token, so an empty result is not proof that nothing is there.) After trying many things on this port, we decided to move on to the other port that was found to be open on the target machine.

Step 5

Since we already know from step two that the FTP port was also open, I tried to log in to the FTP by using the anonymous credentials, which works, and which can be seen in the following screenshot.

Command used: << ftp 192.168.1.18 6777 >>

In the above screenshot, we connected to the FTP service on port 6777 as the "anonymous" user. The login was successful because anonymous FTP login was enabled on the target machine. So, let’s explore the target machine through the FTP session.

Command used:

  • << get .Note.txt >>
  • << cat .Note.txt >>

As we can see above, after logging in over FTP, we listed the files in the current directory. There was a hidden text file ".Note.txt" in the welcome folder (the leading dot hides it from a plain directory listing). We downloaded it and read it with the cat command, but it contained nothing useful for our purposes. We checked the "tmp" folder for the pcapng file mentioned in the earlier hint, but nothing could be found there. We tried instead to guess the filename: the hint message names the user "jarret," so we guessed "jarret.pcapng" and requested it from the web server in the browser. The result can be seen in the following screenshot.

The above screenshot confirms the availability of the file "jarret.pcapng" on the target machine. Now, we need to extract the contents of this file for any hidden clues. Let’s download the file on the attacker machine first. We used the "wget" utility for this purpose.

Command used: << wget http://192.168.1.18/jarret.pcapng >>

The file is now downloaded to our attacker machine and we can investigate its contents. A pcapng file is a packet capture, a dump of the data packets captured on a network, so we opened it in Wireshark to read the captured requests. The jarret.pcapng file as displayed in Wireshark can be seen in the following screenshot.

The file contained a lot of requests; we started exploring each request one-by-one, trying to find any hints that can be used to our advantage. After exploring for some time, we found a few interesting requests that are shown in the following screenshot.

There was a login request in which the username and password were sent in cleartext over the network (plain HTTP rather than HTTPS). Although we do not yet know whether any of these logins succeeded, we can try the credentials against the target machine's services. As there were several such requests, we compiled a list of all the username and password combinations, shown below.

Username    Password
jarretlee   nopassword
jarretlee   jarretlee
jarretlee   passwordis jarret
jarretlee   jarretLEE
jarretlee   NoBrUtEfOrCe__R3Qu1R3d__
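The credential-harvesting step above, done by hand in Wireshark, can be automated. The script below is an added example, not part of the original walkthrough and not one of the CTF's own files: a dependency-free Python pcapng walker that reads Enhanced Packet Blocks, decodes Ethernet/IPv4/TCP, and pulls the form fields out of HTTP POST requests. The capture it parses is constructed inline to mimic what the screenshot showed (two POSTs to wp-login.php from 192.168.1.20 to 192.168.1.18, plus a GET that is ignored); the field names log and pwd are WordPress's real login form fields, the other field names it checks are generic guesses.

```python
"""Extract cleartext HTTP form logins from a pcapng capture (added example).

Dependency-free walker for the pcapng format: the Section Header Block sets the
byte order, Enhanced Packet Blocks carry frames. Only Ethernet/IPv4/TCP frames
whose payload starts with an HTTP POST are inspected. WordPress posts its login
form as ``log``/``pwd``; generic ``username``/``password`` fields are checked too.
"""
import struct
import sys
from urllib.parse import parse_qs

SHB = 0x0A0D0D0A   # Section Header Block (palindromic, readable in either byte order)
IDB = 0x00000001   # Interface Description Block
EPB = 0x00000006   # Enhanced Packet Block
USER_FIELDS = ("log", "username", "user", "email")      # "log" is WordPress's field
PASS_FIELDS = ("pwd", "password", "pass", "passwd")     # "pwd" is WordPress's field


def pcapng_frames(data):
    """Yield the captured bytes of every Enhanced Packet Block in a pcapng file."""
    off, end = 0, "<"
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == SHB:
            # byte-order magic 0x1A2B3C4D is written in the section's own byte order
            end = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(end + "II", data, off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("truncated or corrupt pcapng block at offset %d" % off)
        if btype == EPB:
            caplen = struct.unpack_from(end + "I", data, off + 20)[0]   # captured length
            yield data[off + 28:off + 28 + caplen]                       # packet data
        off += blen


def tcp_payload(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                   # not IPv4, or not TCP
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length
    total_len = struct.unpack_from("!H", frame, 16)[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = 14 + ihl
    dport = struct.unpack_from("!H", frame, tcp + 2)[0]
    data_off = (frame[tcp + 12] >> 4) * 4             # TCP header length
    return src, dst, dport, frame[tcp + data_off:14 + total_len]


def extract_logins(pcap):
    """Return one dict per HTTP POST whose form body carries a username and a password."""
    found = []
    for frame in pcapng_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[3].startswith(b"POST "):
            continue
        src, dst, dport, payload = parsed
        head, _, body = payload.partition(b"\r\n\r\n")
        uri = head.split(b" ", 2)[1].decode("ascii", "replace")
        form = {k: v[0] for k, v in
                parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True).items()}
        user = next((form[f] for f in USER_FIELDS if f in form), None)
        pwd = next((form[f] for f in PASS_FIELDS if f in form), None)
        if user is not None and pwd is not None:
            found.append({"src": src, "dst": dst, "port": dport, "uri": uri,
                          "username": user, "password": pwd})
    return found


def build_sample_pcapng():
    """Constructed capture (not the CTF's jarret.pcapng): one GET and two wp-login.php POSTs."""
    def block(btype, body):
        body += b"\x00" * (-len(body) % 4)            # pcapng blocks are 32-bit aligned
        tot = struct.pack("<I", len(body) + 12)
        return struct.pack("<I", btype) + tot + body + tot

    def frame(src, dst, http):
        tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + http   # zero MACs, EtherType IPv4

    def post(body):
        return (b"POST /wp-login.php HTTP/1.1\r\nHost: 192.168.1.18\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: %d\r\n\r\n" % len(body)) + body

    frames = [
        frame("192.168.1.20", "192.168.1.18", b"GET /wp-login.php HTTP/1.1\r\nHost: 192.168.1.18\r\n\r\n"),
        frame("192.168.1.20", "192.168.1.18", post(b"log=jarretlee&pwd=nopassword&wp-submit=Log+In")),
        frame("192.168.1.20", "192.168.1.18", post(b"log=jarretlee&pwd=NoBrUtEfOrCe__R3Qu1R3d__&wp-submit=Log+In")),
    ]
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))  # magic, v1.0, unknown section length
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))             # LINKTYPE_ETHERNET, snaplen
    epbs = b"".join(block(EPB, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f) for f in frames)
    return shb + idb + epbs


if __name__ == "__main__":
    capture = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcapng()
    for hit in extract_logins(capture):
        print("%(src)s -> %(dst)s:%(port)d %(uri)s  %(username)s / %(password)s" % hit)
```

Run it with a capture path as the first argument to process a real file; without one it runs against the embedded sample. Two caveats a practitioner should keep in mind: the script inspects single TCP segments, so a POST body that is split across segments needs stream reassembly (Wireshark's "Follow TCP Stream" does this) before the form can be read; and a captured request says nothing about whether the login succeeded. For WordPress the server's response tells you: a 302 redirect to wp-admin on success, a 200 with the login form and an error message on failure.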

So far, we have enumerated all the open ports and found a pcapng file containing a set of usernames and passwords.

So, in the next part of this CTF, we will use these credentials on different entry points to get and identify the flags.

Until then, I encourage you to try to finish this CTF! There are enough hints given in the above steps.

Sources:

Ganana: 1, VulnHub (https://www.vulnhub.com/entry/ganana-1,497/)

Ganana: 1 (download), VulnHub (https://download.vulnhub.com/ganana/GANANA.ova)

Ganana: 1 (torrent), VulnHub (https://download.vulnhub.com/ganana/GANANA.ova.torrent)
