Vulnhub - Funbox2: Rookie
Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first
I went away again for a few days; this time with the family - so that was nice. Now it’s back to the boxes: Funbox: Rookie. This was easier than the last one.
We’ve got FTP, SSH and HTTP on Port 80.
If I get FTP on one of these boxes I always try anonymous login and it works here, we get 11 zip files and a couple of messages, two of which are hidden. One is base64 encoded but they’re basically identical - the zip files belong to users and contain password protected SSH keys.
We can convert these to a John friendly format and attack them with rockyou:
But, most of them don’t crack easily. Two of them do however; and we can try to SSH in as those users with their keys. One logs out again immediately; the other one (tom) works.
In the meantime I’ve been running enumeration on the webserver with gobuster mostly targeting the disallowed directory logs (from robots.txt) but this is drawing a blank; presumably this is the rabbit-hole the description refers to.
Once we SSH in as our user, we notice in his home directory a file called .mysql_history. We can cat this file, and it contains something that looks like a password in amongst the other stuff. Could it be? Yes - it’s his sudo password. The rest is very simple: