Hi all, let’s start!
You can find the machine there > Funbox
Let’s start always with nmap.
Let’s enumerate the port 80 first, when we visit it we get an error and redirect us to
http://funbox.fritz.box/ seems like virtual host. We have to add it to
Now we can see a wordpress site, let’s run
wpscan on it.
No plugins but we can see 2 users
admin,joe let’s run a brute force attack on them with rockyou.
shell as joe - rbash bypass
Perfect, now we can use the same creds for ssh.
rbash we can simply bypass that.
joe -> root
/home/funny i found a hidden backup.sh file that seems like a cronjob:
Let’s run pspy to confirm the cronjob.
We can see it runs as UID 1000 and as UID 0, let’s add a command that changes root password and wait 5 minutes to be sure.
And here we go:
Was fun! :)