Vulnhub - Funbox: Next Level
Lets separate the script-kids from script-teenies.
Hint: The first impression is not always the right one!
No updates for a few days; I was away for work for a bit and I’ve been partway through a few things - but now I’ve completed Funbox: Next Level. Here’s how.
Not much to say here, we’ve just got SSH on 22 and HTTP on Port 80. Nmap says Port 80 is Apache; presumably that’s where we are looking.
Drupal; but not really
So gobuster quickly tells us that we’ve got a drupal directory, so that seems like a good place to look. Except when we try to look inside of that directory:
root@kali:/opt/vulnhub/nextlevel# gobuster dir -u http://192.168.1.92/drupal -w /usr/share/dirb/wordlists/common.txt
gobuster gets sad and says:
(Client.Timeout exceeded while awaiting headers)
Hmm, what’s going on? If we visit http://192.168.1.92/drupal in Firefox, we get a message that it is waiting for 192.168.178.33. This is not an IP on my network, so is unreachable - and no wonder gobuster times out. So what is happening? Somehow the server is trying to do a redirect to an IP address that doesn’t exist - what do we do?
Fortunately, WFUZZ doesn’t care about that:
root@kali:/opt/vulnhub/nextlevel# wfuzz -c --hh 274 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt http://192.168.1.92/drupal/FUZZ.php
This brings up a couple of interesting things, including wp-login. So are we actually running wordpress? Spoiler alert: yes.
Normally I’d run wpscan on a wordpress site and frankly this was no exception. But how do we deal with the redirect? There is a switch we can use to ignore it:
Running wpscan -e turns up two users; ben and admin. Also xmlrpc is enabled, so we can try a password attack:
root@kali:/opt/vulnhub/nextlevel# wpscan --url http://192.168.1.92/drupal --ignore-main-redirect --force -U 'ben,admin' -P /usr/share/seclists/Passwords/probable-v2-top12000.txt
However, it doesn’t work. Now what?
et tu, Bruteforce?
Well, we know one of our usernames, so let’s see what Hydra thinks:
Boom, we’re in. We can ssh in as ben.
On the box
On the box, life is still a little difficult. We’ve got no head, tail or cat. Maybe others too, but that’s what I tried and they all didn’t work. Which made linpeas sad too. Is there a way to get around not being able to read files? Sure:
ben@funbox5:/$ python3 -c 'import sys; sys.stdout.write(sys.stdin.read())' < /etc/passwd
So that’s useful. With it, we can read Ben’s mail:
So now we can su as Adam.
What can Adam do? Adam can use dd as root. Also de and df, whatever they are. Actually de doesn’t exist, and I didn’t worry about df.
What can we do with dd? GTFOBins says we can read and write privileged files. So how about we try writing to /etc/passwd? We essentially want to append a new line. I’ll do that by using dd to do a read of /etc/passwd into a temporary file, I’ll append a new line to that, and then I’ll overwrite the real /etc/passwd with my copy. Sounds good? Let’s see:
Thank you, 0815R2d2.