Time for another walk-through. This time I targeted an amazing machine called “Funbox: Next Level”, created by 0815R2d2. I must say that the Funbox series is among the most challenging and beginner-friendly machines I’ve found on VulnHub. You can download this machine from here: https://www.vulnhub.com/entry/funbox-next-level,547/
1.) Target discovery with NMAP:
“# nmap -sn 192.168.43.1/24”
From the above command we found that our target machine’s IP address is “192.168.43.177”.
2.) Port and services detection with NMAP:
“# nmap -sS -vv -p- -sV 192.168.43.177”
So from the nmap service detection we found two services running on the target machine: ssh and http.
3.) Web Enumeration:
Let’s have a look at the web part.
So it looks like a simple Apache web server, but remember it’s Funbox: nothing is simple here ;)
After that I fired up “dirb” for directory brute forcing.
“# dirb http://192.168.43.177/ ”
Haa!.. As I told you, it’s Funbox, nothing is simple here. We got a drupal directory in which WordPress is installed.
Let me tell you one thing: if you were thinking about wpscan, forget about it. wpscan will not work here, so we have to do some manual enumeration.
For manual enumeration on WordPress we usually try to enumerate users first.
From the user enumeration we got two users, admin and ben, and a flag with them. The flag is base64 encoded, so we have to decode it.
“# echo "FLAG" | base64 -d”
A funny message from the author, but nothing interesting. So it’s time to brute force the password for the user ben.
I used hydra to attack ssh with user “ben” and “rockyou.txt” as the password file.
“hydra -l ben -P /opt/wordlist/rockyou.txt ssh://192.168.43.177 -t 16”
After a few seconds I got the right credentials for user ben:
Username: ben Password: pookie
I got the SSH connection. Our next step is to read the final flag placed in the root directory.
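On the defending side, the hydra run above appears in the target's sshd log as a burst of failed password attempts for one user from one address, followed by an accepted login. The detector below is an added example, not part of the original walkthrough; the log lines, the hostname `funbox`, the source addresses, and the threshold and window values are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log lines (not captured from the Funbox machine):
# six quick failures for "ben" then a success, plus one ordinary typo by "maria".
SAMPLE_LOG = "\n".join(
    [f"Oct  5 10:15:{s:02d} funbox sshd[{1200 + s}]: Failed password for ben "
     f"from 192.168.43.50 port {40100 + s} ssh2" for s in range(1, 7)] + [
    "Oct  5 10:15:08 funbox sshd[1210]: Accepted password for ben from 192.168.43.50 port 40120 ssh2",
    "Oct  5 10:20:00 funbox sshd[1300]: Failed password for maria from 192.168.43.20 port 51000 ssh2",
    "Oct  5 10:20:09 funbox sshd[1301]: Accepted password for maria from 192.168.43.20 port 51002 ssh2",
])

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(log_text, threshold=5, window=timedelta(seconds=60), year=2020):
    """Return alerts as (kind, ip, user) tuples, in log order."""
    failures = defaultdict(list)  # (ip, user) -> failure times inside the window
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        recent = [t for t in failures[key] if ts - t <= window]
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) == threshold:  # alert once when the burst crosses it
                alerts.append(("bruteforce", *key))
        elif len(recent) >= threshold:
            # A success right after a burst means the guessed password worked.
            alerts.append(("login_after_bruteforce", *key))
        failures[key] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one that matters for incident response, since it marks the account whose password must be rotated. Disabling password authentication for SSH in favour of keys removes the guessing surface altogether.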
4.) Reading the FLAG:
After spending some time enumerating things, I found that there are two more users, adam and maria, and that a mail server is also running on the machine. So we can try to read the mails in the “/var/mail/” directory.
The “cat” command is not allowed, so I used the “nl” command to read files. Here we got a mail from maria describing some info about user “adam”, including the password “qwedsayxc!”. Then I switched from user ben to adam.
Great!.. User adam can run a set of commands with “sudo”, and one of them is the “dd” command, which is used to copy files. This means that we can copy any file on the server to any location with root permission.
So I tried to copy and read the root flag without escalating my privileges.
“# cd /tmp/”
“sudo dd if=/root/flag.txt of=/tmp/flag.txt”