We’ll start this one by downloading the OVA from https://www.vulnhub.com/entry/funbox-rookie,520/ and loading it up on VirtualBox.

Once it boots up we do a netdiscover to find the IP of our victim:

We’ll then proceed to port enumeration using nmap:


We have nothing to attempt SSH, so I leave that for last, FTP would require a user and HTTP nothing, so I start there.

By browsing to the victims IP we get the default Apache page, a dirb, reveals only the homepage and the robots file, disallowing access to the logs folder but when trying to browse to it, it doesn’t seem to even exist:

I give FTP a run the anonymous user and that yields some zip files and some other notes (the .@ files).

I copy those over and try to unzip them, but they’re password protected, I build a small script to go through them all:

Using the rockyou wordlist Ican get access to Tom and Cathrine’s id_rsa keys.

Using Cathrines I got an invalid format for the key so I move on to Tom’s and that one works at the first attempt:

The shell is restricted with rbash so I break out of it with a perl one liner:

perl -e ‘exec “/bin/bash”;’

Only tom has a home folder, maybe that is why I couldn’t log in with Cat’s user.

I proceed to download LinEnum and run it:

Tom is part of the sudo group but I need his password to escalate, I keep reading the LinEnum report and take a peek at the history files:

.bash_history doesn’t have anything but the mysql history has what seems to be a username/password tuple:

\040 is padding so the pass is xx11yy22!

I run a “sudo su” and with the password from the mysql history I am able to escalate up to root :)

And that is all for this simple CTF challenge.