Hi all, let’s start!
You can find the machine here: Funbox
Enumeration/Reconnaissance
Let’s start always with nmap.
Let’s enumerate port 80 first. When we visit it we get an error and it redirects us to http://funbox.fritz.box/, which looks like a virtual host, so we have to add it to /etc/hosts.
Now we can see a WordPress site, so let’s run wpscan on it.
No plugins, but we can see two users: admin and joe. Let’s run a brute-force attack on them with rockyou.
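From the defender's side, a password attack like the one above is loud: it leaves a burst of POST requests to wp-login.php (or xmlrpc.php, which wpscan can also use) from one client in the web server access log. The script below is an added example and not part of the original write-up; it assumes a combined/common log format access log and uses constructed sample lines for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag clients that hammer the
# WordPress login endpoints, the footprint a wpscan password attack leaves in
# the web server access log. Assumes common/combined log format, i.e. fields:
#   $1 client IP, $6 "METHOD, $7 request path, $9 status code.

# wp_login_bruteforce ACCESS_LOG [THRESHOLD]
#   Prints "IP COUNT" for every client with more than THRESHOLD (default 20)
#   POST requests to wp-login.php or xmlrpc.php.
#   Exit status 0 if at least one client was flagged, 1 otherwise.
wp_login_bruteforce() {
    awk -v thr="${2:-20}" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END {
            found = 0
            for (ip in n)
                if (n[ip] > thr) { print ip, n[ip]; found = 1 }
            exit found ? 0 : 1
        }' "$1"
}

# make_sample_log FILE: write a constructed access log with one noisy client
# (25 login POSTs from 10.0.0.5) and normal traffic from another, so the
# function can be demonstrated offline.
make_sample_log() {
    i=0
    : > "$1"
    while [ "$i" -lt 25 ]; do
        printf '10.0.0.5 - - [01/Jan/2021:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4321\n' "$i" >> "$1"
        i=$((i + 1))
    done
    printf '10.0.0.6 - - [01/Jan/2021:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321\n' >> "$1"
    printf '10.0.0.6 - - [01/Jan/2021:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0\n' >> "$1"
    printf '10.0.0.6 - - [01/Jan/2021:10:01:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876\n' >> "$1"
}
```

Run it against a real log with `wp_login_bruteforce /var/log/apache2/access.log 20`; the threshold is per log file, so on a busy site combine it with a time window (e.g. pipe only the last hour of lines in) before alerting.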
shell as joe - rbash bypass
Perfect, now we can use the same creds for SSH: joe:12345. LOL.
We’re in rbash, but we can simply bypass that.
joe -> root
Under /home/funny I found a hidden backup.sh file that looks like it is run by a cron job:
Let’s run pspy to confirm the cronjob.
We can see it runs both as UID 1000 and as UID 0, so let’s add a command that changes the root password and wait 5 minutes to be sure.
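The root cause here is a root cron entry executing a script that lives in a user's home directory and that the user can edit. The audit script below is an added example, not part of the original write-up; it assumes an /etc/crontab-style file (minute hour dom month dow user command), GNU `stat`, and constructed sample files for the demonstration. It flags any root entry whose absolute-path arguments are not owned by root or are writable by group or others.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a system crontab for
# root entries that execute scripts a non-root user could modify, which is the
# misconfiguration this box is rooted through. Uses GNU stat -c.

# mode_writable_by_non_owner FILE: exit 0 if group or others have write permission.
mode_writable_by_non_owner() {
    perm=$(stat -c '%a' "$1") || return 2    # e.g. 755 or 1777
    other=${perm#"${perm%?}"}                # last octal digit
    rest=${perm%?}
    group=${rest#"${rest%?}"}                # second-to-last octal digit
    [ $(( other & 2 )) -ne 0 ] || [ $(( group & 2 )) -ne 0 ]
}

# script_is_safe FILE [OWNER_UID]: exit 0 if FILE is owned by OWNER_UID
# (default 0, i.e. root) and is only writable by its owner; 1 if unsafe;
# 2 if FILE does not exist.
script_is_safe() {
    f=$1; want=${2:-0}
    [ -e "$f" ] || return 2
    owner=$(stat -c '%u' "$f")
    [ "$owner" = "$want" ] || return 1
    if mode_writable_by_non_owner "$f"; then return 1; fi
    return 0
}

# audit_crontab CRONTAB [ROOT_UID]: for every entry that runs as root, check
# each absolute path in its command (so "/bin/sh /home/x/backup.sh" checks
# both). Prints one line per unsafe path; exit 1 if any were found, else 0.
# ROOT_UID defaults to 0 and exists only so the check can be demonstrated
# without root privileges.
audit_crontab() {
    crontab=$1; rootuid=${2:-0}; bad=0
    set -f                                   # cron fields contain "*": no globbing
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|\#*|[A-Za-z_]*=*) continue ;;  # blank, comment, or VAR=value line
        esac
        set -- $line
        [ $# -ge 7 ] || continue
        user=$6
        [ "$user" = root ] || continue
        shift 6
        for tok in "$@"; do
            case $tok in /*) ;; *) continue ;; esac
            if ! script_is_safe "$tok" "$rootuid"; then
                echo "UNSAFE: root cron entry references $tok (not root-owned or writable by non-root)"
                bad=$((bad + 1))
            fi
        done
    done < "$crontab"
    set +f
    [ "$bad" -eq 0 ]
}
```

On a live system run `audit_crontab /etc/crontab`, and repeat for the files under /etc/cron.d; a script that must stay in a user's home for some reason should at least be root-owned and mode 755 so that only root can change what root executes.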
And here we go:
Was fun! :)