Funbox3 Walkthrough

We start by scanning the target with nmap -A -T4 -p- 192.168.1.16 -vv

We scan port 80 with dirb http://192.168.1.16 /usr/share/dirb/wordlist/big.txt

Whats interesting is this page where we can download a SQL file www_project.sql and we can find the username and password where we can login in the store login page:

We open the file and there is the username “admin” and the password:

Then we got to http://192.168.1.16/store/admin.php and login:

Up the page there is a button to add new book:

In the Image section I’ve put a php reverse shell file and when finish click “Add new book” and your book will be added:

Click on the image of your book which is the icon on the up left and with your listening port ready you should get a reverse shell back to your machine:

In the home directory a user called Tom and there is a file “password.txt”:

I used the password from the ssh which is “yxcvbnmYYY” with username Tony and logged in via ssh:

The user Tom can run sudo privilege:

Now according to this awesome SITE we can use the “time” command to privilege to root:

The following command is the privilege to root “sudo -u root /usr/bin/time /bin/sh”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s