How to hack: Funbox Rookie — vulnhub walkthrough
We’ll start this one by downloading the OVA from https://www.vulnhub.com/entry/funbox-rookie,520/ and loading it up on VirtualBox.
Once it boots up we do a netdiscover to find the IP of our victim:
We’ll then proceed to port enumeration using nmap:
We have no credentials to attempt SSH, so I leave that for last; FTP would require a user and HTTP requires nothing, so I start there.
By browsing to the victim's IP we get the default Apache page. A dirb run reveals only the homepage and the robots file, which disallows access to the logs folder, but when trying to browse to it, it doesn't seem to even exist:
I give FTP a run with the anonymous user, and that yields some zip files and some other notes (the .@ files).
I copy those over and try to unzip them, but they’re password protected, I build a small script to go through them all:
Using the rockyou wordlist I can get access to Tom and Cathrine's id_rsa keys.
Using Cathrine's I get an invalid format for the key, so I move on to Tom's and that one works at the first attempt:
The shell is restricted with rbash so I break out of it with a perl one liner:
perl -e 'exec "/bin/bash";'
Only tom has a home folder, maybe that is why I couldn’t log in with Cat’s user.
I proceed to download LinEnum and run it:
Tom is part of the sudo group, but I need his password to escalate. I keep reading the LinEnum report and take a peek at the history files:
.bash_history doesn’t have anything but the mysql history has what seems to be a username/password tuple:
I run "sudo su" and, with the password from the mysql history, I am able to escalate to root :)
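The root of this box falls because a password was typed into a mysql session and ended up in .mysql_history. As an added example (not part of the original walkthrough and not tied to this machine's actual credentials), here is a small audit script that a defender can run over the history files in /home to flag lines that look like they contain a password. The sample history lines, the user name "appuser" and the password value are constructed for the demonstration.

```python
"""Audit shell and MySQL history files for credentials typed on the command line.

Added example: scans ~/.bash_history, ~/.mysql_history and similar files
for patterns that usually mean a secret was recorded in plaintext.
"""
import re
from pathlib import Path

# Patterns that commonly indicate a password landed in a history file.
# Group 1 of each regex captures the secret so it can be redacted in the report.
CREDENTIAL_PATTERNS = [
    ("mysql-identified-by", re.compile(r"IDENTIFIED\s+BY\s+'([^']*)'", re.IGNORECASE)),
    ("cli-password-flag", re.compile(r"--password=(\S+)")),
    # "mysql ... -pSECRET" (a bare "-p" with nothing attached only prompts, so it is safe)
    ("mysql-cli-password", re.compile(r"\bmysql\b.*\s-p(\S+)")),
    ("sshpass", re.compile(r"\bsshpass\s+-p\s+(\S+)")),
]

# History files worth checking in every home directory.
HISTORY_FILES = (".bash_history", ".zsh_history", ".mysql_history", ".psql_history")


def redact(secret: str) -> str:
    """Keep only the first and last character so the report itself does not leak the value."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def scan_lines(lines, source="<memory>"):
    """Return one finding per line that matches a credential pattern."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "secret": redact(match.group(1)),
                })
                break  # one finding per line is enough for the report
    return findings


def scan_home_dirs(root="/home"):
    """Walk every home directory under `root` and scan the known history files."""
    findings = []
    for home in Path(root).glob("*"):
        for name in HISTORY_FILES:
            path = home / name
            if not path.is_file():
                continue
            try:
                lines = path.read_text(errors="replace").splitlines()
            except OSError:
                continue  # unreadable file (permissions); skip rather than abort
            findings.extend(scan_lines(lines, str(path)))
    return findings


# Constructed sample history contents; the user name and password are made up.
SAMPLE_MYSQL_HISTORY = [
    "show databases;",
    "CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'constructed-example-pw';",
    "select * from users;",
]
SAMPLE_BASH_HISTORY = [
    "ls -la",
    "mysql -u appuser -pconstructed-example-pw shop",
    "mysql -u appuser -p",  # prompts for the password, nothing leaks here
]


if __name__ == "__main__":
    # Demonstrate on the constructed samples, then on the real /home if present.
    for finding in scan_lines(SAMPLE_MYSQL_HISTORY, "sample .mysql_history"):
        print(finding)
    for finding in scan_lines(SAMPLE_BASH_HISTORY, "sample .bash_history"):
        print(finding)
    for finding in scan_home_dirs():
        print(finding)
```

Run it as root (or as a user that can read the home directories) on a schedule; any finding means the credential should be rotated and the offending line removed from the history file, and for MySQL the cleaner fix is to put credentials in a mode-600 ~/.my.cnf instead of typing them into the client.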
And that is all for this simple CTF challenge.