Funbox
Nmap
Add funbox.fritz.box to /etc/hosts.
As FTP is open, I first tried anonymous login, which does not work on this machine.
Moving over to port 80, we land on the default page of a WordPress instance.
After a quick look around we find nothing of interest: no further posts have been made or commented on. Running dirsearch against the target machine we find the directory /secret/ and the file robots.txt.
robots.txt contains only the following entry: Disallow: /secret/.
Further directory searching against /secret/ turns up nothing, and running curl against the directory only returns the output below.
Running WPScan against the host we identify some users and confirm that password logins are accepted, remembering to set the --passwords parameter to rockyou.txt.
From here we have the following credentials:
From here I tried SSH as joe and was able to log in with the given credentials.
After connecting I tried to cd into /opt/ and was given the restricted message by rbash.
To escape rbash (restricted shell) we can spawn a new shell with Python, export a new PATH, and then spawn a Python shell again to gain full use of the shell.
After doing so, we have full access to commands.
As always, whenever you have WordPress on a target machine, check /var/www/html/wp-config.php for database credentials.
Here we have the credentials wordpress:wordpress. Moving into MySQL with the following command:
After entering the password I moved into the WordPress database and viewed all information in the wp_users table.
From here I tried to SSH and su into funny, a local user on the machine, with the admin password we got from WPScan, but had no luck.
Checking out the home directory for the user 'funny', we see when viewing hidden files that a script exists called '.backup.sh'.
As we can see, this is performing a backup. Looking at the permissions of the file, it looks like we can erase its contents and replace them with our own shell.
First I downloaded pspy64 onto the target system to see whether this script is executed by the system on a regular basis, making sure to set executable permissions with chmod before running it.
From the results window we see that bash is being executed on the .backup.sh script.
With this information, let's replace the contents of .backup.sh with a bash reverse shell.
Then start a netcat listener on our attacking machine.
After a short while we get a shell as the user funny.
From the above command we see we are part of the 'lxd' group. LXD manages Linux containers, and membership of this group can be abused to gain root privileges.
Run the following commands on the attacking machine:
You may run into issues regarding the alpine mirrors on this step. If so, see the issues page for the alpine builder at https://github.com/saghul/lxd-alpine-builder/issues/1; the comments section contains the solution to the error.
After the image has been built we need to transfer it over to the target machine. Start a Python SimpleHTTPServer and transfer the alpine image.
Then run the following command to import the alpine image and create an alias for it.
For this next part, if you get the error message 'The command could not be located because '/snap/bin' is not included in the PATH environment variable.', run the command below to export a new PATH which includes /snap/bin.
Next we need to initialize LXD.
When initializing you will be given the options below. It's important for this particular machine that when asked "What IPv6 address should be used? (CIDR subnet notation, "auto" or "none")" you provide the option none, otherwise creating a storage pool will fail.
Once completed run the commands below to start the container and connect to it with /bin/sh.
When we execute the last command we will be root inside the container. We then need to move into the directory shown below to reach the root filesystem of the primary target.
We are now root.
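The two weaknesses chained above, a backup script that other users can write to and a non-root member of the lxd group, are both cheap to audit on a host. The check below is an added example, not part of the original writeup; it runs against a constructed sample tree that mirrors the box (the user funny, the script .backup.sh and a small group file) rather than a live system, and the home directory and group file paths are assumptions you would replace with /home and /etc/group.

```shell
#!/bin/sh
# Added audit example, not from the original writeup. Flags the two
# misconfigurations chained on this box: a shell script that group or
# other users can write to (here root runs .backup.sh on a schedule) and
# non-root members of the lxd group, which is root-equivalent on the host.

# List *.sh files under DIR writable by group or others (-perm /022 is GNU find).
find_writable_scripts() {
    find "$1" -type f -name '*.sh' -perm /022 2>/dev/null | sort
}

# Print non-root members of the lxd group from a group(5) file
# (defaults to /etc/group).
lxd_members() {
    awk -F: '$1 == "lxd" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "${1:-/etc/group}"
}

# Run both checks; return 1 when either produces a finding so the
# script can be used from a cron job or a host-hardening step.
audit_host() {
    home_dir=$1 group_file=$2 rc=0
    scripts=$(find_writable_scripts "$home_dir")
    if [ -n "$scripts" ]; then
        echo "writable scripts (anyone can plant commands that the scheduler runs):"
        echo "$scripts"; rc=1
    fi
    members=$(lxd_members "$group_file")
    if [ -n "$members" ]; then
        echo "lxd group members (can mount the host filesystem as root): $members"
        rc=1
    fi
    return $rc
}

# Constructed sample tree mirroring the box: assumed names only.
make_sample() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/funny" "$tmp/home/joe"
    printf '#!/bin/bash\ntar -czf /tmp/backup.tar.gz /home/funny\n' \
        > "$tmp/home/funny/.backup.sh"
    chmod 777 "$tmp/home/funny/.backup.sh"        # the flaw: world-writable
    printf 'echo ok\n' > "$tmp/home/joe/note.sh"
    chmod 755 "$tmp/home/joe/note.sh"             # fine: owner-only write
    printf 'root:x:0:\nsudo:x:27:\nlxd:x:130:funny\n' > "$tmp/group"
    echo "$tmp"
}
```

Running `audit_host /home /etc/group` on the box would list .backup.sh and the user funny, and exit non-zero; on a clean host it prints nothing and exits 0.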