Funbox — Vulnhub Walkthrough

3 min readApr 27, 2021


Hi, below is my first-ever CTF walkthrough, this box was rated as intermediate difficulty in Proving Grounds, without further ado, let’s get started. Enjoy !

Walkthrough credit:

Network Enumeration

nmap -sC -sV -oA nmap/funbox

Add IP and hostname to /etc/hosts :

We can tell it was using Wordpress by scrolling down :

Let’s use wpscan for Wordpress enumeration :

wpscan --url -eu

Found two users, admin and joe :


I use Hydra to bruteforce FTP password for user joe and luckily got

login: joe password: 12345

The credentials also valid for SSH, before getting into SSH, let’s see what inside FTP :

Got a file named mbox. By looking at this conversation, we can guess user root having a backupscript :

Now let’s SSH to user joe with password 12345 :

While trying to change directory, it was getting restricted :

To escape rbash, i found this website :

I used this command to escape rbash :

ssh joe@ -t "bash --noprofile"

Privilege Escalation

While looking at /home/funny , i found hidden script Since early in the conversation we know that there was a backup script. we can expect there was a cronjob running in background to generate this

Since the was owned by user funny and we had the permission to edit it :

-rwxrwxrwx 1 funny funny      143 Apr 27 15:57

So we can expect getting more information via this user. Also keep in mind this statement in early conversation :

Hi Joe, please tell funny the backupscript is done.

I modified the script to reverse shell and start listening on port 4444 in local :

And within a minute, voila, we got root !

Hope you enjoyed this walkthrough, see you next time !