So it’s been a looooong while since I’ve been able to sit down and work on some boot to root boxes. Between moving and adjusting to running a rental business during the corona virus, working full time, having a family, etc etc etc, there just hasn’t been time. Couple all that with I rekt my webserver in January with a bad update and there was no fun to be had.
WE BACK UP AND RUNNING NOW THOUGH! So here we go.
~$> Download the box here https://www.vulnhub.com/entry/funbox-1,518/
I started out as one does, with some enumeration of the target.
nmap --top-ports=100 172.10.1.48
No need to start with anything crazy. Let’s just see what we’re working with.
Turns out we have three services we’ve uncovered, an ftp server, an ssh server and a webserver.
I want to just see what is running on the machine so I head over to the webserver first. Strangely, when I put the target ip into the browser, I get a redirection to my ISP’s DNS error assist page.
I think I know what’s happening here but let’s do this in the terminal to be sure.
curl -HEAD 172.10.1.48
Yup, as I suspected, it looks like the box is redirecting to a domain that is an intranet domain. Your machine starts with its local DNS records, then it starts expanding out to your network, ISP, world DNS servers. If the record doesn’t exist, you get a DNS error page, which we did.
So to fix this, all we need to do is add this DNS record to our hosts file
nano /etc/hosts
Yup that did the trick, now when we navigate to the target IP, we get the landing page as we expect.
This page looks pretty stock and boring but it still contains valuable information. Sometimes you just need to read.
It looks like the target is running a wordpress page. Kali and Parrot have a great tool that they ship with called wpscan let’s see what we get out of it.
The first thing I’m going to do is run the wpscan with full enumeration.
wpscan --url http://funbox.fritz.box -e
This is going to put out a _ton_ of information about the wordpress installation. It’s going to show you plugins, versions, themes and more.
Nothing major stands out to me in all of that standard information. What does stand out to me though is that we’ve uncovered two users for the site.
Joe and Admin
Now that I have these users, I’m going to try and see if I can brute force their passwords. wpscan is going to be our tool to use again since it has password bruteforcing built in. My goto wordlist is the rockyou.txt wordlist that kali and parrot deploy with under /usr/share/wordlists/rockyou.txt.gz
First put the two user names in a file called usernames each on its own line, then we can run the script again.
wpscan --url http://funbox.fritz.box -U usernames -P /usr/share/wordlists/rockyou.txt
Looks like we got both their passwords!
Now from here you can go log into the wordpress site and poke around if you want. Before I do that though, I want to see if I can SSH in with any of these creds.
ssh 172.10.1.48 -l joe
And would you look at that, we have access!
Now, without question, I suck at privilege escalation. I’m getting better though. I’ve been trying to develop a flow. Start with the home directory and blossom out.
Not a whole lot going on in this directory. Looks like there’s some email yelling at our boi joe over his weak af password. He probably should have listened ¯\_(ツ)_/¯
Something else to note in this email is that there’s mention of a backup script. That might be useful so I’m going to toss that in my notebook along with the credentials.
None of the other files in this directory were fruitful, so I’m going to see if I can access anyone else’s home directory now.
Uhh ohhh, restricted shell. Guess that’s the end of this box :-/
There’s a lot of ways to break out of a restricted shell. I prefer to use the perl method because it works the most for me when I do these machines.
perl -e 'exec "/bin/bash"';
You can find an exhaustive list if you websearch for restricted shell cheat sheet
Okay, now we can continue on.
It looks like we have one other user in the home directory named funny and it appears from ls -la that I can read and execute in that directory.
Looks like a lot of standard stuff in here. Except for that world writeable backup script though 😀
Since that email from earlier mentioned a backup script and this script exists in here, I’m going to say the authors intention was for us to mess with it somehow.
Interesting, when I inspect the file it looks like it’s backing up the web directory. This file is world writeable and someone is executing it so I’m going to drop a reverse shell command in there on the off chance I trigger it somehow.
So after I did that, I started poking around some more, and within a couple minutes, PROFIT!
From there, we can swing over to the root directory and collect our prize in flag.txt
Not a bad way to break the ice after a long break from vulnerable boxes. Thank you to the Author and Vulnhub for the lolz.
