Home Funbox Part 3

Funbox Part 3


Part 3 of a series of machines Funbox, which can be found here created by 0815R2d2.
This is also a boot2root machine with a lot of rabit holes and can really cause a headache if you’re too focused. But fortunately didnt happen with me by chance. Starts off with a book store what has default creds and a shell being uploaded to the website. Getting in it was pretty easy to get SSH access as user and then ‘sudo -l’ gives off privilege escalation tricks. Let’s go.


Using rustscan for port scan:
rustscan -a -r 1-65530 -- -A -sC -vvv Not putting the whole output because it feels messy but these are the ports that were open:

22 ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1
80 http Apache httpd 2.4.41
33060 sql mysqlx

The HTTP website also hints at ‘/gym’ directory which is in robots.txt. But just to be going through my methodology I’ll start a gobuster scan as well.
The website shows a default webpage of apache. But my directory scan shows a lot more.

Directory Scan


Okay there’s a lot to go through. But I started with the obvious ones first. ‘/admin’ looks good. Looked around, tried some default passwords. Nothing worked. Okay instead of wasting time here, let’s move on. ‘/secret’ seems sus. But it did’nt have anything other than a quote. We already know what robots.txt has. And I thought that obviously this looks like the only good way of entry. So let’s eliminate the others first. MOving on to ‘/store’, there is a admin login page as well. Tried default password of ADMMIN:ADMIN and oh we’re in!
By looking at what we can edit in a book, I found that we can also add a image as book cover. Hmm.. Does it take anything other than a image? Let’s upload a reverse shell php and test it.

Shell Upload

Ooop. Looks like it worked. To find where exactly did it go, I tried to view the image of any other book cover and found it.

Image Folder

And it gave us a shell.


Spawning a PTY Shell and stablizing the shell for better viewing

PTY Shell

Looking around I found a tony directory in home directory. Which contained a ‘password.txt’ file. And this file contained SSH password for the user tony.

SSH Password

Privilege Escalation

So we SSH into the Tony user and use the command ‘sudo -l’ to see what this user can run as sudo

Sudo Perms

Okay we have a lot of things here. The best one that I see first is ‘pkexec’. I have done this before and I know how we can use it to gain a root shell. Using the same method.


And just like that this really easy machine is pwned. I’m glad I didn’t go through the robots.txt rabbit hole becasue I know I would have wasted a lot of time on it. But anyways Part 3 is done. I’ll see you in the next part. And as always if you ever need to contact me my contacts are down in th e footer below.

This post is licensed under CC BY 4.0 by the author.