FunboxEasy OffSec Walkthrough: Boot2Root. Easy going, but with this FunboxEasy you have to spend a bit more time. Much more if you get stuck in the good traps. But most of the traps carry hints that they are traps.
Victim IP: 192.168.220.111 Attacker IP (Kali Linux): 192.168.45.165
Reconnaissance
First, run nmap 192.168.220.111 to view the open ports, which reveals two: 22 and 80. Then run nmap -sC -sV -p 22,80 192.168.220.111
-sC runs the default scripts, -sV enumerates service versions and -p specifies the ports.
Looking at the result, we can see SSH on port 22 and HTTP on port 80.
Visiting the IP in a browser shows the default Apache page.
Running gobuster then reveals hidden directories: /store/admin and /secret
At /store we can see an online CSE Bookstore. A quick search for CSE Bookstore shows it is known to be affected by an unauthenticated remote code execution exploit.
I will not be using that exploit; instead I will go through the process manually.
On the CSE Bookstore login page, I tried some default credentials and, luckily, admin:admin worked.
After a successful login, we are greeted with a section to add a new book, and we have the option to edit the books we added.
When clicking the edit option, we are greeted with this section. If you look closely, there is an option to upload files. With this option, our next step is to upload a reverse shell and get ourselves a shell.
So let's prepare a reverse shell.
I will be using the PHP reverse shell from pentestmonkey:
GitHub – pentestmonkey/php-reverse-shell
Download the PHP script.
Make sure to change $ip to your attacker machine's IP. Changing $port is optional, but note the value, because we will need it later.
After changes are done, save and upload this reverse shell.
We have successfully uploaded the reverse shell; now we need to find where it is stored.
To find the location, I ran gobuster again and found some interesting directories, among which /bootstrap is the one we need.
Under /bootstrap/img we can see our reverse shell stored.
Before running the reverse shell, we need to make sure a netcat listener is ready.
To start the listener, use the command nc -lnvp 443, using the same port you set in the reverse shell file.
Now we are ready; simply open the reverse shell from /bootstrap/img in the browser.
And we have a shell as www-data.
Under /home we can see one user, tony, and under /home/tony we hit the jackpot: password.txt
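As a defender's counterpart to the steps above (an added example, not code from the walkthrough): a small Python checker over Apache access-log lines that flags requests for PHP-style files under /bootstrap/img, the image upload directory the shell is executed from. The log lines are constructed samples, and the combined LogFormat, the /store/edit.php path and the extension list are assumptions.

```python
import re

# Apache combined LogFormat (assumption: the stock Debian/Ubuntu format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Upload locations that should only ever serve static files (from the walkthrough).
IMAGE_DIRS = ("/bootstrap/img/",)
# Extensions the server would hand to the PHP engine (assumed list).
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")


def is_script_under_image_dir(path):
    """True when a request path points at a PHP-style script inside an upload dir."""
    clean = path.split("?", 1)[0].lower()  # drop the query string, case-fold
    return clean.startswith(IMAGE_DIRS) and clean.endswith(SCRIPT_EXT)


def find_script_requests(lines):
    """Return (ip, path, status) for each request of a script under IMAGE_DIRS.

    Status 200 means the server actually ran the uploaded file; a 404 is a probe
    for one. Lines that do not parse as combined-format entries are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_script_under_image_dir(m["path"]):
            hits.append((m["ip"], m["path"], m["status"]))
    return hits


# Constructed sample log lines; the paths other than /bootstrap/img are made up.
SAMPLE_LOG = """\
192.168.45.165 - - [10/Mar/2024:10:01:02 +0000] "GET /store/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.45.165 - - [10/Mar/2024:10:01:30 +0000] "POST /store/edit.php?id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.45.165 - - [10/Mar/2024:10:02:05 +0000] "GET /bootstrap/img/logo.png HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.168.45.165 - - [10/Mar/2024:10:02:10 +0000] "GET /bootstrap/img/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Mar/2024:10:03:00 +0000] "GET /bootstrap/img/x.PHP?c=id HTTP/1.1" 404 196 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for ip, path, status in find_script_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {path} -> {status}")
```

Disabling script execution for upload directories at the web server removes the execution path this walkthrough relies on; the log check tells you whether that path was ever used.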
GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured…
Let's use GTFOBins.
From the result of sudo -l, I searched GTFOBins for each entry, and there is an interesting one for the pkexec binary: we can use pkexec to drop into an elevated shell.