FunBoxEasyEnum

Summary

FunBoxEasyEnum is an easy-rated box. Initial reconnaissance reveals only standard services, and directory enumeration of the web server uncovers vulnerable upload functionality. Exploiting the file upload gives RCE, which is then turned into a reverse shell. Privilege escalation is accomplished by performing a BFA against the SSH server, and root access is achieved by leveraging a SUID binary.

Step  Action              Tool  Gained
1     Dirbusting          ffuf  Upload functionality, RCE
2     BFA against SSH           Privilege escalation
3     Manual enumeration  LotL  Root access

Recon

$ sudo nmap -T4 --min-rate 10000 -p- -open 192.168.210.132 -A

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)

$ whatweb http://192.168.210.132

http://192.168.210.132 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[192.168.210.132], Title[Apache2 Ubuntu Default Page: It works]

$ ffuf -u http://192.168.210.132/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ac -ic -c -e .php,.txt

javascript          [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 41ms]
mini.php            [Status: 200, Size: 3828, Words: 152, Lines: 115, Duration: 40ms]
robots.txt          [Status: 200, Size: 21, Words: 2, Lines: 2, Duration: 39ms]
phpmyadmin          [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 39ms]

Auth Bypass

Visiting the directories reveals some interesting clues:

  • /robots.txt -> /Enum_this_Box

  • /mini.php -> upload functionality

  • /phpmyadmin -> login page

Attempting to log in to the /phpmyadmin page reveals that MySQL is used on the back-end (Figure 1).

Figure 1: The login page has verbose error messages.

We don't have any credentials to use, so let's turn to the upload functionality and try to upload a basic PHP webshell (Figure 2).

Figure 2: Uploading a basic PHP webshell.
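The upload form on this box accepts a PHP file and the web server executes it, which is the whole vulnerability. As an added example (not code from the box or the writeup), here is the server-side validation that would have stopped it, written in Python so the logic can be run and tested in isolation: an allowlist of extensions with their magic bytes, rejection of any executable extension anywhere in the name, a size cap, and a random server-side filename. The `weak_check` function shows the denylist-on-last-extension check that such forms typically ship with, for contrast. The allowlist, the extension set and the sample inputs are constructed for this example.

```python
import os
import secrets

# Allowlist of extensions the application needs, each with the magic bytes its
# content must begin with. Constructed for this example.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Extensions that common Apache/PHP setups hand to the PHP interpreter.
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phar", "phps"}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB


def weak_check(filename: str) -> bool:
    """The check a throwaway upload form tends to ship with: only the last
    extension is compared against a denylist. Shown for contrast only."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTS


def validate_upload(filename: str, content: bytes) -> tuple:
    """Allowlist validation: size, every extension in the name, and the
    declared type's magic bytes must all pass. Returns (accepted, reason)."""
    if len(content) > MAX_SIZE:
        return False, "too large"
    # Drop any directory components the client supplied (../ or C:\ style).
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.lower().split(".")
    # Rejects dotfiles such as .htaccess as well as names with no extension.
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    exts = parts[1:]
    # An executable extension anywhere in the name is rejected; this covers
    # names like shell.php.jpg, which some Apache mod_mime setups still route to PHP.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return False, "executable extension present"
    final = exts[-1]
    if final not in ALLOWED_TYPES:
        return False, f"extension .{final} not allowed"
    if not content.startswith(ALLOWED_TYPES[final]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-side name: a random token plus the validated extension, so the
    client-chosen name never reaches the filesystem."""
    ext = filename.lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs: a harmless PHP body and a minimal PNG header.
    php_body = b"<?php phpinfo(); ?>"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, body in [("mini.php", php_body), ("shell.php.jpg", php_body),
                       ("photo.png", png), ("photo.png", php_body)]:
        print(f"{name:16} weak_check={weak_check(name)} "
              f"validate_upload={validate_upload(name, body)}")
```

The contrast the example makes is that `weak_check` accepts `shell.php.jpg` while `validate_upload` rejects it, and that a file named `photo.png` whose bytes are PHP source is also rejected. Storing accepted files under a random name in a directory the web server serves without execute handlers closes the remaining gap.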

RCE

Since we have already achieved RCE, we can convert our webshell to a reverse shell (Figure 3).

Figure 3: Sending a reverse shell command via our webshell.

Before we start enumerating the box, we can use python3 to upgrade the shell to a proper TTY and then read local.txt under /var/www/.

There are five users with a shell on the box, but all of their /home directories are empty. Reading the /etc/passwd file, we see another user (lissy) that has no /home directory. We also see that the password hash for the user oracle is stored directly in /etc/passwd but, unfortunately, cannot be cracked with hashcat.

Looking at open ports, we see that there is a MySQL server on 3306.

Transferring and running linpeas.sh on the target reveals some interesting files.

Reading these files reveals MySQL credentials along with the blowfish_secret.

The blowfish_secret in phpMyAdmin is the key used to encrypt the credentials that phpMyAdmin stores in the browser cookie when cookie authentication is in use. Knowing this value could potentially allow us to decrypt that encrypted data, in particular the session cookies.

Exploring the database does not help us to progress further.

The same credentials allow us to log in to the website, but nothing of use is found there either. So let's step back: we have five users that we haven't leveraged yet. The machine has the SSH port open, so we could try brute-forcing those users' passwords. Brute-forcing SSH can take a long time, so let's start simple by trying each username as its own password first.

We can now use ssh to log into the machine as goat.
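From the defender's side, the username-as-password guessing described above leaves a distinctive trace in sshd's auth log: a burst of "Failed password" lines for several different users from one source address, followed by an "Accepted password" line from the same address. The following is an added example (not part of the writeup) of detection logic run over constructed auth.log lines; the usernames goat, lissy and oracle are taken from the box, while alice, bob, the hostname, timestamps and addresses are made up, and the year is an assumption because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import List, Optional

# Constructed sshd lines in syslog auth.log format (not captured from the box).
SAMPLE_LOG = """\
Mar  4 10:15:01 funbox sshd[2301]: Failed password for goat from 192.168.210.10 port 51000 ssh2
Mar  4 10:15:01 funbox sshd[2303]: Failed password for alice from 192.168.210.10 port 51002 ssh2
Mar  4 10:15:02 funbox sshd[2305]: Failed password for invalid user lissy from 192.168.210.10 port 51004 ssh2
Mar  4 10:15:02 funbox sshd[2307]: Failed password for bob from 192.168.210.10 port 51006 ssh2
Mar  4 10:15:03 funbox sshd[2309]: Accepted password for goat from 192.168.210.10 port 51008 ssh2
Mar  4 10:20:00 funbox sshd[2400]: Failed password for oracle from 192.168.210.50 port 40000 ssh2
Mar  4 10:41:00 funbox sshd[2450]: Accepted publickey for oracle from 192.168.210.50 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) "
    r"from (\S+) port \d+"
)

WINDOW_SECONDS = 300   # look-back window per source address
FAIL_THRESHOLD = 3     # failures inside the window that count as a spray


def parse_line(line: str, year: int = 2024) -> Optional[dict]:
    """Parse one sshd auth line; syslog omits the year, so it is supplied (assumed 2024)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m.group(2), "user": m.group(3), "ip": m.group(4)}


def detect(log_text: str, year: int = 2024) -> List[dict]:
    """Flag a source with FAIL_THRESHOLD failures inside WINDOW_SECONDS and,
    more urgently, any successful login from that source while the window is
    still hot. The guessed password itself is never logged, so failure volume
    followed by success is the signal."""
    events = [e for e in (parse_line(ln, year) for ln in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["time"])   # stable sort keeps file order on ties
    recent = defaultdict(list)             # ip -> [(time, user), ...] within the window
    alerts, flagged = [], set()
    for e in events:
        ip = e["ip"]
        # Expire failures that fell outside the window relative to this event.
        recent[ip] = [f for f in recent[ip]
                      if (e["time"] - f[0]).total_seconds() <= WINDOW_SECONDS]
        window = recent[ip]
        if e["result"] == "Failed":
            window.append((e["time"], e["user"]))
            if len(window) >= FAIL_THRESHOLD and ip not in flagged:
                alerts.append({"type": "bruteforce", "ip": ip,
                               "users": sorted({u for _, u in window}),
                               "count": len(window)})
                flagged.add(ip)
        elif len(window) >= FAIL_THRESHOLD:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": e["user"], "time": e["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample input this raises one "bruteforce" alert for 192.168.210.10 after the third failure and one "success_after_bruteforce" alert for the later goat login from the same address, while the single failure from 192.168.210.50 twenty minutes before a key-based login is not flagged. The mitigation that removes this class of problem is sshd's `PasswordAuthentication no` (key-only login), with `MaxAuthTries` and a lockout tool as the fallback where passwords must stay enabled.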

We can first check if this user can run any program as root.

Checking GTFOBins for mysql privilege escalation techniques, we find a way.
