Funbox : Easy

https://www.vulnhub.com/entry/funbox-easy,526/


Review

  • Enumeration gives us multiple pathways
  • Use default credentials to gain access to an online bookstore
  • Add a book with a PHP reverse shell attached as its image
  • Once user access is gained, a password file is found lying in the open
  • SSH in as the user and check sudo permissions
  • Use GTFOBins to turn the allowed sudo binary into a root shell

Enumeration

Run an nmap scan to find open ports.

port 80

Run a gobuster scan to find hidden directories.

/gym/

Found a clue on the contact page of the gym site.

Since it is built on a LAMP stack, the target is a Linux machine.

/secret/

/admin/

Small CRM Projects

Let’s check searchsploit for known exploits against Small CRM.

“Small CRM 3.0 is vulnerable to SQL Injection on it’s admin login because of insufficient user supplied data sanitization and the sql injection payload being executed. Attacker is able to inject a malicious payload, successfully taking over admin account.”

Enter the following payload in both the ‘Username’ and ‘Password’ fields: ' OR 'x'='x

CRM access gained.
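To see why that payload bypasses the login, here is an added example (not code from this writeup or from Small CRM) that rebuilds the login check in Python against an in-memory SQLite table. The table name, column names and stored password are assumptions made for the demonstration. The first function concatenates user input into the query the way the advisory describes; the second binds it as a parameter, which is the fix.

```python
import sqlite3

# The exact payload from the writeup, used for both fields.
PAYLOAD = "' OR 'x'='x"


def make_db():
    """Constructed in-memory stand-in for the CRM's admin table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'S3cretPassw0rd!')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """String concatenation: the user's quote characters become part of the SQL."""
    return ("SELECT username FROM admin WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns True if any row matches the concatenated query."""
    row = conn.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Bound parameters: the payload is compared as a literal string value."""
    row = conn.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Run both login checks with wrong creds, the payload, and real creds."""
    conn = make_db()
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, "admin", "wrong"),
        "vulnerable_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "safe_payload": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_real_credentials": login_safe(conn, "admin", "S3cretPassw0rd!"),
    }


if __name__ == "__main__":
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated statement becomes `... WHERE username = '' OR 'x'='x' AND password = '' OR 'x'='x'`. Because AND binds tighter than OR, the trailing `OR 'x'='x'` is true for every row, so the first admin row comes back and the check passes without a password. With bound parameters the same input is just a string that matches no username.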

After some enumeration there isn’t much we can do from inside the CRM.

The online bookstore has an admin login page.

/store/

Default credentials such as admin : admin are accepted and admin access is gained.

Create a new book and upload a PHP reverse shell as its image. Start a listener first, then click on the book so the uploaded file is requested and the PHP executes, connecting back with the reverse shell.


Foothold

User access gained.

Enumerating the filesystem, we find a file with passwords lying in the open.

SSH in as the tony user with the recovered password.

Tony access gained.

Privilege escalation

Check sudo -l for privileges.

We can use the time binary, following its GTFOBins sudo entry, to get a root shell.

Root access is gained.
