FunBox Walkthrough

We start by scanning the host with nmap -A -T4 -p- 192.168.1.10 -vv

Using dirb http://192.168.1.10 we can see that the host is running WordPress, but we need to add the site http://funbox.fritz.box/ to our hosts file so that it works:

Enumerating the box for WordPress users, we get two users:

wpscan --url http://funbox.fritz.box/ -e u

Using WPScan to brute force the user joe:

wpscan --url http://funbox.fritz.box/ -P /root/pass/rockyou.txt -U joe

And the password for the admin:

I was able to install “File Manager” from the Plugins section:

Then in the Upload folder we can upload our reverse shell file:

Then browse to the folder on the site where the shell is, open it, and wait for the connection on the listening port on your machine:

We can “su joe” and the password is 12345 as we found it before using Wpscan:

We can generate an ssh key to login via ssh using “ssh-keygen” command:

Then we log in via ssh using ssh joe@funbox -t "bash --noprofile"

Now in the home directory of the user “funny” there is a bash file we can edit to add a reverse shell:

Run the file ./backup.sh with our listener on port 4444 and we will get a reverse shell back:
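
From the defender's side, the WPScan user enumeration and password guessing used earlier in this walkthrough leave a recognisable pattern in the web server's access log. The following Python script is an added example, not part of the original walkthrough; it assumes the Apache/nginx combined log format, and the function names, thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format (assumed)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
ENUM_RE = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')  # common user-listing requests
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def analyse(lines, max_posts=5, window=timedelta(seconds=60), max_enum=2):
    """Return {ip: set of findings}; lines must be in chronological order."""
    posts = defaultdict(list)   # ip -> timestamps of recent login POSTs
    enum = defaultdict(int)     # ip -> number of user-enumeration requests
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore lines that are not in combined format
        ip, path = m["ip"], m["path"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["method"] == "GET" and ENUM_RE.search(path):
            enum[ip] += 1
            if enum[ip] >= max_enum:
                findings[ip].add("user-enumeration")
        elif m["method"] == "POST" and path.split("?")[0] in LOGIN_PATHS:
            # keep only attempts inside the sliding window, then add this one
            posts[ip] = [t for t in posts[ip] if ts - t <= window] + [ts]
            burst = len(posts[ip]) > max_posts
            if burst:
                findings[ip].add("password-guessing")
            # wp-login.php answers 302 on success and 200 on failure, so a 302
            # at the end of a burst suggests a password was guessed
            if burst and path.startswith("/wp-login.php") and m["status"] == "302":
                findings[ip].add("login-succeeded-after-guessing")
    return dict(findings)

def sample_log():
    """Constructed sample lines using documentation IPs, not logs from the box."""
    fmt = '{ip} - - [10/Aug/2020:10:00:{s:02d} +0000] "{req} HTTP/1.1" {st} 512 "-" "-"'
    a = "203.0.113.5"
    lines = [fmt.format(ip=a, s=i, req=f"GET /?author={i + 1}", st=301) for i in range(3)]
    lines += [fmt.format(ip=a, s=10 + i, req="POST /wp-login.php", st=200) for i in range(8)]
    lines.append(fmt.format(ip=a, s=20, req="POST /wp-login.php", st=302))
    # a single ordinary login from another address must not be flagged
    lines.append(fmt.format(ip="198.51.100.7", s=30, req="POST /wp-login.php", st=302))
    return lines

if __name__ == "__main__":
    for ip, found in analyse(sample_log()).items():
        print(ip, sorted(found))
```

Requests to /xmlrpc.php return 200 whether or not the credentials were valid, so for that path only the request rate is a usable signal.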
