Post

OffSec PG - FunBox - Easy, Enum, Rookie

Posted
PG Artwork
PG Artwork
By Tanishq Rupaal
5 min read

FunBoxEasy

Enumeration

Machine IP → 192.168.101.111

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.101.111

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.41 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.101.111 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • robots.txt
  • index.html
  • index.php
  • profile.php (302)
  • header.php
  • registration.php
  • logout.php
  • dashboard.php (302)
  • leftbar.php
  • forgot-password.php
  • hitcounter.txt
  • icons/ (403)
  • store/
  • admin/
  • secret/
  • gym/

Robots txt file contains the disallwed entry for gym, which was already found by gobuster.

Exploitation

Looking at the store directory, there is a book store with an admin login on the bottom of the page. This has the ability to add a new book which also has a file upload capability. This file is rendered as an image when visiting the book list via the publisher list. The publisher chosen for this was the Packt Publishing because it had 0 books.

The image being rendered can be navigated to separately at the location /store/bootstrap/img/test.php. The contents of the php file were first <?php echo "Hello Test"; ?> to test if the code is actually executed. This did execute upon visiting the aforementioned location, therefore, the code was replaced with the pentest monkey reverse shell.

This gives a reverse shell on the system when listening with netcat. This also gave the user flag.

Privilege Escalation

User

Looking at the /etc/passwd file, there are 2 users of interest → tony and root. Looking at the home directory of tony, it is readable by www-data. This directory had a password.txt file with the following contents →

1
2
3

ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin

The ssh password allows access to the machine as user tony.

Root

Looked at the sudo capabilities of the user tony. The interesting entries were whois, finger, time and cancel. Out of these, only time was the tool which was already installed. time is a command that runs the command passed to it and records the time it took for the command to execute. Since sudo operation is allowed on it, it may escalate privileges while executing the shell.

Therefore, sudo time /bin/bash gives the root shell and thus the root flag.

FunBoxEnum

Enumeration

Machine IP → 192.168.244.132

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.244.132

OS Detection → OS: Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.244.132 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • icons/ (403)
  • javascript/ (403)
  • mini.php
  • robots.txt
  • phpmyadmin/

Robots txt file lists Enum_this_Box as allowed.

Exploitation

The webpage mini.php is actually a shell interface with some limited options. This was used to read the local flag. This also had the functionality to upload files. This was used to upload the pentest monkey’s reverse shell code and get full shell.

Privilege Escalation

User

Looked at the /etc/passwd file, the users of importance are → root, goat, harry, karla, lissy, sally and oracle. The user oracle’s entry is → oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash. Using John the Ripper to crack this gives the credentials oracle:hiphop. This did not work for ssh though.

Running hydra to brute-force other users by using → hydra -l karla -P /home/tanq/installations/SecLists/rockyou.txt ssh://192.168.225.132. Ran linenum script for more enumeration, however, nothing useful was discovered. Tried user:user form of credentials for all users, which gave a success for goat:goat. This gives the user shell as user goat.

Root

Looking at sudo -l to enumerate privilege of the goat user, they are allowed to run /usr/bin/mysql as root without any password. MySQL has a functionality for spawning a shell. Executing sudo /usr/bin/mysql gives the mysql shell and using \! bash in the mysql shell spawns a bash shell as the user root. This gives the root flag.

FunBoxRookie

Enumeration

Machine IP → 192.168.80.107

Network Scan

Nmap scan → nmap -A -Pn -p- -T4 -o nmap.txt 192.168.80.107

OS Detection → OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

PortServiceOther details (if any)
21FTPProFTPD 1.3.5e
22SSHOpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80HTTPApache httpd 2.4.29 ((Ubuntu))

Web Scan

GoBuster scan → gobuster dir -u http://192.168.80.107 -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt

Directories/files listed →

  • index.html
  • robots.txt

Robots txt file contains entry of /logs/. However, this is not reachable.

Exploitation

The ftp actually allows anonymous login despite the nmap service scan not listing it. Looking at the contents, there are a bunch of zip files with different user names. Cracking these files with fcrackzip against the rockyou.txt list of passwords, the following zip files were successfully cracked →

  • cathrine.zip - catwoman
  • homer.zip - catwoman
  • tom.zip - iubire

Unzipping all these with the respective passwords give an id_rsa file for ssh login. All the files are the same, therefore there is only 1 user. Therefore, trying all usernames, the one that works and grants a shell is the user tom.

This gives the user flag. Navigation and other actions seem limited, therefore, checked shell and this revealed shell as /bin/rbash. This is a restricted shell. Used python to spawn a bash instance to escape this.

Privilege Escalation

Looking at the user directory, there is a mysql history file. The key entry here is that of → insert\040into\040support\040(tom,\040xx11yy22!);. This indicates additions of the user tom into the table support.

Checking to see if this is the password for the user tom by using sudo -l, it indeed works out and shows that tom can perform all operations under sudo without a password. Therefore, using sudo su to get root shell, the root flag can be retrieved.

Lab Practice Notes, OffSec Proving Grounds
oscp lab offsec-proving-grounds
This post is licensed under CC BY 4.0 by the author.