
Funbox — Vulnhub Walkthrough

Hi, below is my first-ever CTF walkthrough. This box was rated as intermediate difficulty in Proving Grounds. Without further ado, let’s get started. Enjoy!

Walkthrough credit: https://soapffz.com/sec/434.html

Network Enumeration

Add the IP and hostname to /etc/hosts:

We can tell it is running WordPress by scrolling down:

Let’s use wpscan for WordPress enumeration:

Found two users, admin and joe:

Exploitation

I used Hydra to brute-force the FTP password for user joe and luckily got

The credentials are also valid for SSH. Before getting into SSH, let’s see what is inside the FTP:

Got a file named mbox. By looking at this conversation, we can guess that user root has a backup script:

Now let’s SSH in as user joe with password 12345:

When trying to change directory, the shell turned out to be restricted:

To escape rbash, I found this website:

I used this command to escape rbash:

Privilege Escalation

While looking at /home/funny, I found a hidden script, .backup.sh. Since we know from the earlier conversation that there was a backup script, we can expect a cron job running in the background to run this .backup.sh.

The .backup.sh was owned by user funny, and we had permission to edit it:

So we can expect to get more information via this user. Also keep in mind this statement from the earlier conversation:

Hi Joe, please tell funny the backupscript is done.

I modified the .backup.sh script to spawn a reverse shell and started listening on port 4444 locally:

And within a minute, voilà, we got root!
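As an added example (not code from the original walkthrough), here is a small audit a defender could run to catch the misconfiguration this privilege escalation relied on: a cron job that runs as root but points at a script owned by another user or writable by others. It assumes the /etc/crontab layout with a user field, and builds its own constructed sample crontab and script files in a temporary directory; the file names are hypothetical.

```python
import os, re, stat, tempfile

# One /etc/crontab-style job line: five time fields (or an @shortcut), then the
# user the job runs as, then the command. Assumption: system crontab layout.
CRON_RE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+?)\s*$")

def cron_targets(crontab_text):
    """Yield (run_as_user, script_path) per job line; comments and env lines are skipped."""
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_RE.match(line)
        if m:  # first token of the command is the script; its arguments are ignored
            yield m.group("user"), m.group("cmd").split()[0]

def classify(run_as, owner_uid, mode):
    """Reasons the target lets a lower-privileged user run code in the job's context."""
    reasons = []
    if run_as == "root" and owner_uid != 0:
        reasons.append(f"runs as root but script is owned by uid {owner_uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("script is group- or world-writable")
    return reasons

def audit(crontab_text):
    """Return {script_path: [reasons]} for every risky job in the crontab text."""
    findings = {}
    for run_as, target in cron_targets(crontab_text):
        if not os.path.isabs(target):
            continue  # PATH lookups and shell builtins are out of scope here
        try:
            st = os.stat(target)
        except FileNotFoundError:
            findings[target] = ["target does not exist"]
            continue
        if reasons := classify(run_as, st.st_uid, st.st_mode):
            findings[target] = reasons
    return findings

def demo():
    """Constructed sample: a world-writable backup script next to a sane one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, ".backup.sh"), os.path.join(d, "rotate-logs.sh")
    for path, mode in ((bad, 0o777), (good, 0o755)):
        with open(path, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(path, mode)
    crontab = f"# m h dom mon dow user command\nPATH=/usr/bin\n* * * * * root {bad}\n@daily root {good}\n"
    return bad, good, audit(crontab)
```

Running `demo()` flags the world-writable .backup.sh entry; pointing `audit()` at the contents of a real /etc/crontab gives the same report for a live host.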

Hope you enjoyed this walkthrough, see you next time!
