This will also be brief. It’s FUNBOX: UNDER CONSTRUCTION! from VulnHub:
As always, it’s a very easy box for beginners.
This one has SSH, HTTP and various mail ports - for SMTP, POP3 and IMAP. We’re interested in the web stuff.
At http://192.168.1.78/catalog/ we find osCommerce Online Merchant v220.127.116.11 which has various exploits. We can grab an unauthenticated RCE exploit from searchsploit and edit it:
Note the above has been modified for the correct URLs and it sends me a reverse shell, like so:
I’m going to explain this slightly backwards. There is a cronjob running as the user Joe:
Which is calling a shell script we can read:
And that file contains the root password base64 encoded:
How did we know this? pspy can find it, although it seems a bit flaky. Anyhoo, we move on…
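From the defender's side, the finding above (a readable script run from cron with a base64-encoded password in it) is something you can audit for. The following is an added example, not part of the original write-up; it assumes /etc/crontab-style lines, and the 12-character threshold, user name, path and secret are constructed placeholders.

```python
import base64
import re
import stat

# Runs of base64 alphabet at least 12 chars long (threshold is an assumption of this example).
B64_RUN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{12,}={0,2}(?![A-Za-z0-9+/=])")

def hides_text(token):
    """True if token is valid base64 that decodes to printable ASCII."""
    if len(token) % 4:
        return False
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return False
    return all(0x20 <= b < 0x7F for b in raw)

def cron_scripts(crontab_text):
    """Yield (user, path) for /etc/crontab-style lines: m h dom mon dow user command."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and not line.lstrip().startswith("#"):
            # The first absolute path in the command is treated as the script.
            path = next((f for f in fields[6:] if f.startswith("/")), None)
            if path:
                yield fields[5], path

def audit(crontab_text, files):
    """files maps path -> (st_mode, text). Returns (user, path, line_no) findings."""
    findings = []
    for user, path in cron_scripts(crontab_text):
        if path not in files:
            continue
        mode, text = files[path]
        if not mode & stat.S_IROTH:  # only world-readable scripts leak to other users
            continue
        for no, line in enumerate(text.splitlines(), 1):
            if any(hides_text(t) for t in B64_RUN.findall(line)):
                findings.append((user, path, no))  # report location, never the secret
    return findings

# Constructed sample data (not from the box): crontab, script and secret are placeholders.
SAMPLE_CRON = "* * * * * exampleuser /opt/example/task.sh\n"
SAMPLE_SCRIPT = "#!/bin/sh\n# pass: %s\nrsync -a /srv/a /srv/b\n" % base64.b64encode(b"ExamplePassw0rd!").decode()
SAMPLE_FILES = {"/opt/example/task.sh": (0o100644, SAMPLE_SCRIPT)}

if __name__ == "__main__":
    print(audit(SAMPLE_CRON, SAMPLE_FILES))
```

On a real host, build `files` from `os.stat(path).st_mode` and the file contents for each path the crontab references. Any hit means the credential should be rotated and moved out of the script, not just have its permissions tightened.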