FUNBOX-3: EASY Walkthrough (Vulnhub)
This is the third boot2root CTF made by @0815R2d2. It is part of a series of machines on Vulnhub that contain rabbit holes. This is an easy one if you have knowledge of SQL injection and uploading a reverse shell. To download it, visit: https://www.vulnhub.com/entry/funbox-easy,526/
- SQL injection
- Uploading reverse shell
- Privilege escalation techniques
After identifying the target machine, let's run an Nmap scan to find the open ports and the services running on them.
Visiting the home page of the victim on port 80 shows a default Ubuntu page with nothing useful. So, I tried gobuster to enumerate hidden directories.
After enumerating the URLs, we get two login pages, one at /store and the other at /admin. Visit /store first; after spending a good amount of time on it, I found that it is vulnerable to SQL injection.
Now open sqlmap. Since we are in /store, the database name might be store. Let's try it.
and we got this 😎
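As an added illustration (not code from the original walkthrough or from the store application, which is written in PHP), here is a Python stand-in for the kind of login query that makes a page like /store injectable, beside the parameterized version that closes the hole, followed by a small access-log check that flags sqlmap's default user agent and quote-heavy query strings. The table, credentials, paths such as login.php and book.php, and the log lines are all constructed for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for the store's user table (not the real Funbox schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-password')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the SQL text: this is the defect class
    # that lets a tool like sqlmap walk the database behind a login form.
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None

def login_safe(conn, username, password):
    # Parameter binding: values travel separately from the query text, so
    # quotes and comment markers in the input are never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None

# Detection side: constructed Apache-style access-log lines. sqlmap announces
# itself in its default User-Agent, and injection probes carry quotes and SQL
# keywords in the query string.
SAMPLE_LOG = """\
10.0.2.15 - - [01/Jan/2021:10:00:01 +0000] "GET /store/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.2.15 - - [01/Jan/2021:10:00:05 +0000] "POST /store/login.php HTTP/1.1" 200 800 "-" "sqlmap/1.4.9#stable (http://sqlmap.org)"
10.0.2.15 - - [01/Jan/2021:10:00:06 +0000] "GET /store/book.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 950 "-" "Mozilla/5.0"
10.0.2.15 - - [01/Jan/2021:10:00:09 +0000] "GET /admin/ HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(r'"(?P<method>\S+) (?P<path>\S+) [^"]*" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')
SQLI_PATTERN = re.compile(r"'\s*(or|and|union)\b|--", re.IGNORECASE)

def flag_suspicious_requests(log_text):
    """Return (reason, raw_path) for each log line that looks like SQLi tooling or probing."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m:
            continue
        if "sqlmap" in m.group("ua").lower():
            hits.append(("sqlmap user-agent", m.group("path")))
        elif SQLI_PATTERN.search(unquote(m.group("path"))):
            hits.append(("sqli-like query string", m.group("path")))
    return hits
```

The two login functions take identical input; only the vulnerable one lets a quote in the username change the meaning of the query. The log check is deliberately simple (a user-agent string is trivially changed), so treat a hit as a reason to look closer, not as proof of compromise.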
Log in to the admin account and we see a list of added books and a tab to add a new book. Let's try to upload the PHP reverse shell file.
Get the PHP reverse shell file from here!!! Extract the file, change the IP to your Kali IP, and the file uploads successfully.
Now open a tab and browse to http://[IP_address]/store/ and you will get the reverse shell.
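The upload step works because the add-book form accepts a .php file and the web server then executes it. The following Python example, added here and not taken from the original post or the store application, shows the validation an upload handler should perform (extension allowlist, magic-byte check, rejection of embedded PHP tags, a server-chosen filename and a non-executable file mode) and a sweep a defender can run over an existing upload directory to find files that should not be there. The directory, file contents and function names are constructed for the example.

```python
import os
import secrets
import tempfile

# Allowlist of what a book-cover upload may be; extensions are normalised first.
ALLOWED = {".jpg", ".png", ".pdf"}
NORMALISE = {".jpeg": ".jpg"}
MAGIC = [(b"\xff\xd8\xff", ".jpg"), (b"\x89PNG\r\n\x1a\n", ".png"), (b"%PDF-", ".pdf")]
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')
SCRIPT_EXTENSIONS = (".php", ".phtml", ".phar", ".php5")

def sniff_type(data):
    """Return the extension implied by the file's magic bytes, or None."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return None

def validate_upload(filename, data):
    """Return (accepted, reason_or_extension) for a submitted file."""
    ext = os.path.splitext(filename)[1].lower()
    ext = NORMALISE.get(ext, ext)
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    sniffed = sniff_type(data)
    if sniffed != ext:
        # Catches cover.php.jpg-style names whose bytes are not an image at all.
        return False, f"content looks like {sniffed or 'unknown'}, not {ext}"
    if any(tag in data for tag in PHP_TAGS):
        # A valid image header with PHP appended is still a script if misconfigured.
        return False, "embedded PHP tag"
    return True, ext

def store_upload(upload_dir, data, ext):
    """Write under a random server-chosen name so the client never controls path or extension."""
    name = secrets.token_hex(16) + ext
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # readable by the web server, never executable
    return name

def find_php_in_uploads(upload_dir):
    """Detection sweep: files in the upload directory with a script extension or a PHP tag."""
    suspicious = []
    for name in sorted(os.listdir(upload_dir)):
        path = os.path.join(upload_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            head = fh.read(65536)
        if name.lower().endswith(SCRIPT_EXTENSIONS) or any(t in head for t in PHP_TAGS):
            suspicious.append(name)
    return suspicious

def demo():
    """Constructed run: one legitimate cover, one planted script, then the detection sweep."""
    with tempfile.TemporaryDirectory() as upload_dir:
        jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
        ok, ext = validate_upload("cover.jpeg", jpeg)
        stored = store_upload(upload_dir, jpeg, ext)
        # Simulate a file that an unvalidated form let through earlier.
        with open(os.path.join(upload_dir, "planted.php"), "wb") as fh:
            fh.write(b"<?php echo 'constructed placeholder'; ?>")
        flagged = find_php_in_uploads(upload_dir)
        return ok, stored.endswith(".jpg"), flagged
```

Even with this validation in place, configure the web server so that nothing under the upload directory is handed to the PHP interpreter; a file that slips through is then served as bytes rather than run.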
Navigate to the home directory and we can see the user tony, whose directory contains a password.txt file. This file contains the SSH login credentials; let's grab them.
Log in to tony through SSH.
Since we have tony's password, check the sudo privileges he has.
Plenty of sudo entries 🤑 but only pkexec, time and mtr will help us escalate privileges.
Privilege escalation through pkexec (and through time: sudo /usr/bin/time /bin/sh)
Privilege escalation through mtr
Wait, there is another way to escalate privileges, which is through lxd. For this, visit the article https://www.hackingarticles.in/lxd-privilege-escalation/ or one of my walkthroughs https://medium.com/@Shubham_Singh_/cheran-1-walkthrough-vulnhub-2922832eda4b
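The three sudo entries and the lxd group membership are exactly what a configuration audit should have raised before the box was ever attacked. This Python audit, added as an example and not part of the walkthrough, parses sudo -l style output and /etc/group text for a given user and reports sudo rules for the binaries this page names (pkexec, time, mtr) plus membership of groups that are root-equivalent on a default install. The sample sudo -l output, the hostname funbox3, the /usr/bin/ping entry and the group file are constructed; the binary set is taken from this page only and should be extended with your own policy.

```python
import re

# Binaries the walkthrough found usable for a shell escape when run via sudo.
# Constructed from this page only; extend with your own policy.
SHELL_ESCAPE_BINARIES = {"pkexec", "time", "mtr"}
# Groups whose membership is equivalent to root on a default install.
PRIVILEGED_GROUPS = {"lxd", "docker", "sudo", "wheel"}

SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Parse the command section of sudo -l output into (runas, nopasswd, command) tuples."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((m.group("runas"), bool(m.group("nopasswd")), cmd))
    return rules

def audit_sudo_rules(rules):
    """Report unrestricted rules and rules for binaries that can hand out a shell."""
    findings = []
    for runas, nopasswd, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL":
            findings.append(f"sudo: unrestricted ALL as ({runas})")
        elif binary in SHELL_ESCAPE_BINARIES:
            tag = " without password" if nopasswd else ""
            findings.append(f"sudo: {cmd} as ({runas}){tag} can spawn a shell")
    return findings

def audit_groups(group_file_text, user):
    """Flag privileged group memberships for `user` from /etc/group-style text."""
    findings = []
    for line in group_file_text.splitlines():
        parts = line.split(":")
        if len(parts) < 4:
            continue
        name = parts[0]
        members = parts[3].split(",") if parts[3] else []
        if name in PRIVILEGED_GROUPS and user in members:
            findings.append(f"group: {user} is a member of {name}")
    return findings

# Constructed sample of what sudo -l prints for a user like tony (hostname is a placeholder).
SAMPLE_SUDO_L = """\
Matching Defaults entries for tony on funbox3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/pkexec, /usr/bin/time
    (root) NOPASSWD: /usr/bin/mtr
    (root) /usr/bin/ping
"""

# Constructed /etc/group excerpt.
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
lxd:x:108:tony
tony:x:1000:
"""

def run_audit():
    """Combine both checks for the constructed samples; returns the list of findings."""
    return audit_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)) + audit_groups(SAMPLE_GROUP, "tony")
```

Run the same two functions against real sudo -l output and the live /etc/group on a host you administer; every finding is a rule to remove or tighten, since a sudo entry for a binary that can launch a shell is equivalent to granting full root.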
For more walkthroughs stay tuned…
Before you go
Visit my other new Vulnhub machine walkthroughs:-
and clap 👏 if you like what you read. Feedback is always welcome.