Funbox CTF — vulnhub walkthrough

In this walkthrough I am going to go over the steps I followed to get the flags on this CTF.

First off I got the VM from https://www.vulnhub.com/entry/funbox-1,518/ and loaded it to VirtualBox, loaded the .ova and had to change USB to 1.0 and set the network adapter to the ones on my server.

VM boots up and we just get the login screen with no additional information:

First I’ll start by booting up a Kali VM and then enumerating the devices on my network by using netdiscover:

Which will give me a result with the same MAC address as the VirtualBox configuration:

Now that I have the IP, I’ll do some OS probing with nmap:

If I browse to the IP address I get redirected to funbox.fritz.box:

I fix that by adding an entry on my hosts file:

And the site loads correctly now:

if we scroll all the way down, we can tell it’s using Wordpress:

Using wpscan I do some basic enumeration (plugins/users) to find something obvious:

Uploads directory is available but nothing juicy in it:

We have 2 users: Admin and Joe, usually the admin’s have higher security so I’ll go for the weakest link

Using WPScan again I’ll run Joe through a wordlist (rockyou.txt) and see if we find something:

After a long zero seconds we have a match:

This gives me access to Wordpress but his user doesn’t have permissions for much:

Based on the results from nmap, we’ll try the other entry points, starting by the FTP:

Credentials are valid on FTP and we can extract some emails, hopefully he doesn’t get fired and his account disabled before we finish :)

His credentials also match SSH:

Time for privilege escalation!

Let’s see his sudoer permissions:

Doesn’t work, lets try to browse the disk and no dice:

rbash is complaining that it’s a restricted shell, we can use this guide on how to break out of it:

I’ll use the python version:

Going into the “funny” user I see a html file (a backup) in there and the modified date matches the VM time, since one of the emails said that a backup script was set up, we can think that there is a cronjob running to generate that file, now we need to find it:

Cronjobs drop some valuable information onto syslog, so I’ll see whats in there:

Since that didn’t work, I‘ll go back to the home folder, ll will reveal the dot files with an executable .backup.sh file in it, upon inspection it matches the .tar file we’re seeing and the owner is “funny”, we might be able to get more stuff with his user:

So now I am going to edit the backup script, set it to go to funny’s home and add my ssh key to his authorized_keys folder:

After less than a minute, when the cronjob runs (which by monitoring the backup file, noticed it was set to every minute) I can now log in as “funny”:

I am going to inspect the cron jobs for “funny” to see if we can replicate this same technique to get access to root and I see that it’s only the backup job but something peculiar is that the cron job is set to run on “even” minutes, yet i saw it run on “odd” times (*/2)

So pulling on the same cron thread i go back to my syslog file and look for the root crons:

Funny does have access to the syslog file and I can see that root it’s running the same script as funny just at a different interval (every 5 min.)

So this time I’ll adjust my script to set my ssh keys but for the root user:

And disable funny’s cron:

And we wait for the 5 min interval to go through and ssh via root and we have our flag file :)

Hope you enjoyed this guide, leave me a comment if you have questions :)