Hi, below is my first-ever CTF writeup/walkthrough. This box was rated as intermediate difficulty in Proving Grounds. Without further ado, let’s get started. Enjoy!
nmap -sC -sV -oA nmap/funbox 192.168.242.77
Add the IP and hostname to /etc/hosts:
We can tell it was using WordPress by scrolling down:
Let’s use wpscan for WordPress enumeration:
wpscan --url http://funbox.fritz.box/ -eu
Found two users, admin and joe:
I used Hydra to brute-force the FTP password for user joe and luckily got:
login: joe password: 12345
The credentials are also valid for SSH. Before getting into SSH, let’s see what is inside FTP:
Got a file named mbox. By looking at this conversation, we can guess that user root has a backup script:
Now let’s SSH in as user joe with password 12345:
When trying to change directory, the shell restricted it:
To escape rbash, I found this website:
rbash escape - rbash restricted shell-escape - hackNos
I used this command to escape rbash:
ssh email@example.com -t "bash --noprofile"
While looking at /home/funny, I found a hidden script, .backup.sh. Since we know from the earlier conversation that there was a backup script, we can expect that there was a cron job running in the background to generate this .backup.sh.
The .backup.sh script was owned by user funny, and we had permission to edit it:
-rwxrwxrwx 1 funny funny 143 Apr 27 15:57 .backup.sh
So we can expect to get more information via this user. Also keep in mind this statement from the earlier conversation:
Hi Joe, please tell funny the backupscript is done.
I modified the .backup.sh script to spawn a reverse shell and started listening on port 4444 locally:
And within a minute, voila, we got root!
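The root cause here is a scheduled job that runs a script other users can write to (the -rwxrwxrwx .backup.sh above). As an added example that is not part of the original walkthrough, this Python audit flags such scripts from the defender's side. It assumes /etc/crontab-style lines with a user field; the function names, the rotate.sh file and the sample crontab are constructed for illustration.

```python
import os
import shlex
import stat
import tempfile

def cron_jobs(crontab_text):
    """Yield (user, argv) for each job line in /etc/crontab format."""
    for line in crontab_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or "=" in parts[0]:
            continue  # blank line, comment, or VAR=value assignment
        skip = 1 if parts[0].startswith("@") else 5  # @reboot vs. five time fields
        fields = line.split(None, skip + 1)
        if len(fields) == skip + 2:
            yield fields[skip], shlex.split(fields[skip + 1])

def weaknesses(path, trusted_uid=0):
    """Return reasons the file or its directory can be changed by an untrusted user."""
    path, reasons = os.path.realpath(path), []
    for target in (path, os.path.dirname(path)):
        st = os.stat(target)
        sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
            reasons.append(f"{target}: {stat.filemode(st.st_mode)} is group/world-writable")
        if st.st_uid not in (0, trusted_uid):
            reasons.append(f"{target}: owned by uid {st.st_uid}")
    return reasons

def audit(crontab_text, trusted_uid=0):
    """Map (user, path) to weaknesses for every existing absolute path a job names."""
    report = {}
    for user, argv in cron_jobs(crontab_text):
        for arg in argv:
            if os.path.isabs(arg) and os.path.isfile(arg) and (r := weaknesses(arg, trusted_uid)):
                report[(user, arg)] = r
    return report

def demo():
    """Constructed sample: a 0777 script like the page's .backup.sh beside a 0755 one."""
    d = tempfile.mkdtemp()
    weak, good = os.path.join(d, ".backup.sh"), os.path.join(d, "rotate.sh")
    for p, mode in ((weak, 0o777), (good, 0o755)):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(p, mode)
    crontab = f"PATH=/usr/bin:/bin\n* * * * * root {shlex.quote(weak)}\n0 3 * * * root {shlex.quote(good)} --quiet\n"
    return weak, good, audit(crontab, trusted_uid=os.getuid())

if __name__ == "__main__":
    print(demo()[2])
```

On a real host, pass the contents of /etc/crontab and the /etc/cron.d files to `audit()` with the default `trusted_uid=0`, so that a root job pointing at a file owned by another account is reported as well.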
Hope you enjoyed this walkthrough, see you next time!