🤼 FunboxEasy (OffSec)

IP Address: 192.168.232.111

Start by running nmap to identify the open ports:

nmap 192.168.232.111 -p- -A -oN ~/machines/funboxeasy/funboxeasy-all.txt

The nmap scan found the following open ports:

22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.41 ((Ubuntu))

33060/tcp open mysqlx?

Next we enumerate the open ports.

1. Browse the website on port 80.

Nothing identified: it is the default Apache web page.

2. Try port 22 with default credentials. This port is used for Secure Shell (SSH) communication and allows remote administration access to the VM.

3.

Nothing identified, so next we enumerate the website using gobuster and ffuf.

Step 2: We will try to use Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.232.111

The Gobuster scan identified the following directories and files:

http://192.168.232.111/store/
http://192.168.232.111/admin/
http://192.168.232.111/secret/
http://192.168.232.111/gym/
http://192.168.232.111/admin/index.php
http://192.168.232.111/robots.txt
http://192.168.232.111/index.php

Enumerate these one by one using Gobuster/Nikto/FFUF/dirb to identify the subdirectories.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.232.111/store/FUZZ

The scan of the store directory identified the following links:

http://192.168.232.111/store/template
http://192.168.232.111/store/database
http://192.168.232.111/store/models
http://192.168.232.111/store/functions
http://192.168.232.111/store/bootstrap
http://192.168.232.111/store/controllers

The template directory contains a readme.txt file that includes the admin:admin credentials, which we use to log in to the store.

Let us try to navigate the above directories to identify any useful information.

Step 3: We will try to use ffuf to enumerate the webpage

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.232.111/FUZZ

Step 3: Run the nikto command

nikto -h http://192.168.232.111/

This identified the same directories as the Gobuster scan.
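The wordlist scans above leave a clear trace on the server side: one client requesting many paths that do not exist. The following is an added example, not part of the original write-up, that flags that pattern in an Apache combined-format access log; the client addresses, timestamps and the threshold are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): spot directory brute-forcing
# in an Apache access log by counting distinct 404 paths per client.

# detect_dir_enum MIN: reads combined-format log lines on stdin and prints
# every client with at least MIN distinct paths that returned 404. It counts
# over the whole input, so feed it one time window (one rotated log) at a time.
detect_dir_enum() {
  awk -v min="${1:-20}" '
    { total[$1]++ }                          # $1 = client address
    $9 == 404 && !(($1, $7) in seen) {       # $7 = request path, $9 = status
      seen[$1, $7] = 1
      miss[$1]++
    }
    END {
      for (ip in miss)
        if (miss[ip] >= min)
          printf "%s distinct_404=%d total=%d\n", ip, miss[ip], total[ip]
    }' | sort
}

# sample_log: constructed log lines. 203.0.113.7 walks a wordlist (six misses,
# four hits on directories named in the write-up); 198.51.100.20 is a normal
# visitor with a single missing favicon.
sample_log() {
  ts='[01/Jan/2024:10:00:00 +0000]'
  for p in backup old test dev tmp private; do
    printf '%s - - %s "GET /%s HTTP/1.1" 404 274 "-" "scanner"\n' 203.0.113.7 "$ts" "$p"
  done
  for p in store admin secret gym; do
    printf '%s - - %s "GET /%s HTTP/1.1" 301 310 "-" "scanner"\n' 203.0.113.7 "$ts" "$p"
  done
  printf '%s - - %s "GET /store/ HTTP/1.1" 200 3998 "-" "Mozilla/5.0"\n' 198.51.100.20 "$ts"
  printf '%s - - %s "GET /favicon.ico HTTP/1.1" 404 274 "-" "Mozilla/5.0"\n' 198.51.100.20 "$ts"
}

sample_log | detect_dir_enum 5   # prints: 203.0.113.7 distinct_404=6 total=10
```

The check keys on response codes rather than the User-Agent header, because the header is set by the client and cannot be relied on.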

The template directory contains a readme.txt file that includes the admin:admin credentials, which we use to log in to the store. Try the add new book option to upload the PHP reverse shell.

The uploaded reverse shell is available in the bootstrap img folder.

$ cat password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: [email protected] admin

find / -type f -perm -u=s -exec ls -l {} \; 2>/dev/null

www-data@funbox3:/home/tony$ find / -type f -perm -u=s -exec ls -l {} \; 2>/dev/null
find / -type f -perm -u=s -exec ls -l {} \; 2>/dev/null
-rwsr-xr-- 1 root messagebus 51344 Jun 11 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 22840 Aug 16 2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 473576 May 29 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 130152 Jul 10 2020 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 39144 Apr 2 2020 /usr/bin/umount
-rwsr-xr-x 1 root root 166056 Feb 3 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 14720 Apr 21 2017 /usr/bin/time
-rwsr-xr-x 1 root root 85064 Apr 16 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 55528 Apr 2 2020 /usr/bin/mount
-rwsr-xr-x 1 root root 88464 Apr 16 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 44784 Apr 16 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
-rwsr-xr-x 1 root root 68208 Apr 16 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 67816 Apr 2 2020 /usr/bin/su
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 53040 Apr 16 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 110792 Sep 4 2020 /snap/snapd/9279/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 110792 Oct 8 2020 /snap/snapd/9721/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 43088 Sep 16 2020 /snap/core18/1932/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1932/bin/su
-rwsr-xr-x 1 root root 26696 Sep 16 2020 /snap/core18/1932/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1932/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1932/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1932/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1932/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1932/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /snap/core18/1932/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/1932/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1932/usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 43088 Mar 5 2020 /snap/core18/1885/bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1885/bin/ping
-rwsr-xr-x 1 root root 44664 Mar 22 2019 /snap/core18/1885/bin/su
-rwsr-xr-x 1 root root 26696 Mar 5 2020 /snap/core18/1885/bin/umount
-rwsr-xr-x 1 root root 76496 Mar 22 2019 /snap/core18/1885/usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Mar 22 2019 /snap/core18/1885/usr/bin/chsh
-rwsr-xr-x 1 root root 75824 Mar 22 2019 /snap/core18/1885/usr/bin/gpasswd
-rwsr-xr-x 1 root root 40344 Mar 22 2019 /snap/core18/1885/usr/bin/newgrp
-rwsr-xr-x 1 root root 59640 Mar 22 2019 /snap/core18/1885/usr/bin/passwd
-rwsr-xr-x 1 root root 149080 Jan 31 2020 /snap/core18/1885/usr/bin/sudo
-rwsr-xr-- 1 root systemd-resolve 42992 Jun 11 2020 /snap/core18/1885/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Mar 4 2019 /snap/core18/1885/usr/lib/openssh/ssh-keysign
www-data@funbox3:/home/tony$

Identify the binary which we can use to escalate:

-rwsr-xr-x 1 root root 14720 Apr 21 2017 /usr/bin/time

Go to GTFOBins.
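The same listing is what an administrator should review on a schedule: /usr/bin/time stands out because nothing on a stock system needs it set-uid. The following is an added example, not part of the original write-up, that compares `ls -l` output like the listing above against an allowlist; the BASELINE contents are an assumption (every path from the listing except /usr/bin/time) and the sample input is six lines copied from it.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): report set-uid files that
# are not on an approved baseline.
# BASELINE is an assumption: every path from the listing above except
# /usr/bin/time. Build the real list from a known-good image of the host.
BASELINE="/usr/bin/sudo /usr/bin/su /usr/bin/passwd /usr/bin/chfn /usr/bin/chsh \
/usr/bin/gpasswd /usr/bin/newgrp /usr/bin/mount /usr/bin/umount /usr/bin/at \
/usr/bin/pkexec /usr/bin/fusermount /usr/bin/ping /usr/lib/snapd/snap-confine \
/usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device \
/usr/lib/dbus-1.0/dbus-daemon-launch-helper \
/usr/lib/policykit-1/polkit-agent-helper-1"

# audit_suid: reads "ls -l" lines on stdin and prints "owner path" for each
# set-uid file whose path is not in BASELINE.
audit_suid() {
  awk -v baseline="$BASELINE" '
    BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    substr($1, 4, 1) ~ /[sS]/ {              # 4th mode character: set-uid bit
      path = $0                              # keep field 9 onward, spaces intact
      for (i = 1; i < 9; i++) sub(/^[^ ]+ +/, "", path)
      norm = path
      sub("^/snap/[^/]+/[0-9]+", "", norm)   # snap copies: compare inner path
      if (norm ~ "^/bin/") norm = "/usr" norm  # core18 keeps a separate /bin
      if (!(norm in ok)) print $3, path
    }'
}

# scan_host: run the same check against the local filesystem.
scan_host() {
  LC_ALL=C find / -xdev -type f -perm -4000 -exec ls -l {} + 2>/dev/null | audit_suid
}

# sample_listing: constructed input, six lines copied from the listing above.
sample_listing() {
  cat <<'EOF'
-rwsr-xr-x 1 root root 166056 Feb 3 2020 /usr/bin/sudo
-rwsr-xr-x 1 root root 14720 Apr 21 2017 /usr/bin/time
-rwsr-xr-x 1 root root 31032 Aug 16 2019 /usr/bin/pkexec
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 64424 Jun 28 2019 /snap/core18/1932/bin/ping
-rwsr-xr-x 1 root root 110792 Sep 4 2020 /snap/snapd/9279/usr/lib/snapd/snap-confine
EOF
}

sample_listing | audit_suid   # prints: root /usr/bin/time
```

When a reported file has no reason to run with its owner's privileges, `chmod u-s` on that path removes the bit.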
