Proving Grounds: Funbox 2
- TLDR -

...

Intro:

A quick and simple boot2root box with plenty of rabbit holes. Get in through anonymous FTP login, then cracking some zip passwords. Root is trivial.

Recon:

Starting with an nmap scan (nmap -sT -A -v -n <ip> -p -), we get three open ports: 21, 22 and 80.

Checking out the web server, we get the default "Apache2 It Works!" page and nothing else. We'll continue to the FTP server.

The FTP server allows anonymous login, and has multiple zip files following the naming convention: "<username>.zip".

Cracking Passwords & Getting User:

We can download all the zip files with mget *.zip. Trying to extract any of them prompts us for a password for the file "id_rsa". If we can crack the password of one of these archives, we can use the SSH key inside it to log in as that user.

Firstly, we extract all the hashes to a file "wholehashes.txt" using zip2john:

for z in *.zip; do
  zip2john "$z" >> wholehashes.txt
done

Now we have a file of just the hashes ("hashes.txt") and the whole zip2john result ("wholehashes.txt"). We can crack the passwords in two different ways; for the sake of simplicity, we'll just use John. Crack the hashes with: john --wordlist=<wordlist> wholehashes.txt. Once this is done we can show our results: john --show wholehashes.txt. We see that we've cracked two passwords.

After unzipping both tom.zip and cathrine.zip (and renaming each extracted key, e.g. id_rsa.tom), we try logging in with Cathrine's key, without success. Tom's key, on the other hand, does work: ssh tom@<ip> -i id_rsa.tom. We're in!

Getting Root:

To get root, we can first try sudo -l, but are blocked by a password prompt. We'll need to do some digging around to find Tom's password...

We can check our home directory and see that ".bash_history" and ".mysql_history" are both real files (not redirected to /dev/null). There's nothing interesting in .bash_history, but .mysql_history is a different story: it captured Tom adding credentials to the local MySQL database. Hoping for recycled creds, we check for sudo permission again, this time with our newfound password. This succeeds, and we see that Tom has sudo access to everything! Simply start a new bash shell and we have root: sudo bash.
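The root step above worked only because the mysql client's history file kept a plaintext password. As an added example (not part of the original writeup), here is a small POSIX sh audit that flags history files in a home directory which are not redirected to /dev/null and contain password statements; the sample history content is constructed.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a home directory for
# client history files that may hold captured credentials, as Tom's
# .mysql_history did on this box. Assumes POSIX sh, grep, sed and readlink.

# Statements that typically carry a plaintext secret in a MySQL history.
CRED_PATTERN='IDENTIFIED BY|SET PASSWORD|PASSWORD *\('

# audit_history_dir DIR
# Prints one line per history file with matches. Returns 0 if anything was
# found, 1 otherwise. Files symlinked to /dev/null (the usual mitigation)
# are skipped.
audit_history_dir() {
    dir="$1"
    found=1
    for f in .mysql_history .bash_history .psql_history; do
        p="$dir/$f"
        [ -e "$p" ] || [ -L "$p" ] || continue
        if [ -L "$p" ] && [ "$(readlink "$p")" = "/dev/null" ]; then
            continue
        fi
        # Some mysql client builds (libedit) store spaces as \040, which
        # would hide "IDENTIFIED BY"; normalise before matching.
        hits=$(sed 's/\\040/ /g' "$p" 2>/dev/null | grep -Eic "$CRED_PATTERN" || true)
        if [ "${hits:-0}" -gt 0 ]; then
            echo "$p: $hits line(s) matching a credential pattern"
            found=0
        fi
    done
    return $found
}

# Constructed sample (not the box's real history): one leaked CREATE USER
# statement and a .bash_history correctly pointed at /dev/null.
demo_dir=$(mktemp -d)
printf '%s\n' "show databases;" \
    "create user 'tom'@'localhost' identified by 'SAMPLE-PASSWORD';" \
    "flush privileges;" > "$demo_dir/.mysql_history"
ln -s /dev/null "$demo_dir/.bash_history"
audit_history_dir "$demo_dir" || echo "no findings in $demo_dir"
rm -rf "$demo_dir"
```

Run it over each directory under /home (and /root) to find the same leak before someone else does; the fix is `ln -sf /dev/null ~/.mysql_history` or setting MYSQL_HISTFILE=/dev/null for the user.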



Last edit: 2021.09.30