OffSec PG - FunBoxEasy


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.41 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • robots.txt
  • index.html
  • index.php
  • profile.php (302)
  • header.php
  • registration.php
  • logout.php
  • dashboard.php (302)
  • leftbar.php
  • forgot-password.php
  • hitcounter.txt
  • icons/ (403)
  • store/
  • admin/
  • secret/
  • gym/

Robots txt file contains the disallwed entry for gym, which was already found by gobuster.


Looking at the store directory, there is a book store with an admin login on the bottom of the page. This has the ability to add a new book which also has a file upload capability. This file is rendered as an image when visiting the book list via the publisher list. The publisher chosen for this was the Packt Publishing because it had 0 books.

The image being rendered can be navigated to separately at the location /store/bootstrap/img/test.php. The contents of the php file were first <?php echo "Hello Test"; ?> to test if the code is actually executed. This did execute upon visiting the aforementioned location, therefore, the code was replaced with the pentest monkey reverse shell.

This gives a reverse shell on the system when listening with netcat. This also gave the user flag.

Privilege Escalation


Looking at the /etc/passwd file, there are 2 users of interest → tony and root. Looking at the home directory of tony, it is readable by www-data. This directory had a password.txt file with the following contents →

ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin

The ssh password allows access to the machine as user tony.


Looked at the sudo capabilities of the user tony. The interesting entries were whois, finger, time and cancel. Out of these, only time was the tool which was already installed. time is a command that runs the command passed to it and records the time it took for the command to execute. Since sudo operation is allowed on it, it may escalate privileges while executing the shell.

Therefore, sudo time /bin/bash gives the root shell and thus the root flag.

This post is licensed under CC BY 4.0 by the author.