funbox gaokao walkthrough writeup vulnhub

Funbox Gaokao Walkthrough – Vulnhub – Writeup

Funbox Gaokao is a machine that the author has intended for beginners. This machine needs a bit of brute force and some knowledge of the FTP protocol. “Funbox Gaokao Walkthrough – Vulnhub – Writeup”

Link to the machine:,707/

Twitter handle of the author:

Walkthrough of Hacksudo Series

Identify the target

The first step while working with the vulnhub challenges is to discover the IP address of the target machine.

sudo netdiscover -i eth0 -r

Scan open ports

Then, I scanned the open ports to identify the exposed services on the target.

sudo nmap -v -T4 -A -p- -oN nmap.log

We have got anonymous access to the FTP server, an SSH server, a web server and a mysql server.

Enumerate FTP server

Since we have got anonymous access to the FTP server, I started from there. Since the default ftp client isn’t that good, I would be using lftp later.


There is a banner of the server that gives us a potential user of the machine. Also, it gives us the hostname which doesn’t have any significance for this purpose of walkthrough. Hence, I started bruteforcing the password of the user.

hydra -V -l sky -P /home/kali/rockyou.txt ftp

As you can see, we got the password for the user sky and hence I logged in.


ls -al

You can see that it is the /home/sky directory of the target machine. Hence, I went one step back to identify the list of other users and found out there are two other users lucy and sarah. Then, I tried bruteforcing the password of sarah which was successful, but it was a rabbithole. There is another rabbit hole, which is the password of sky can login to the mysql server.

Moving forward, there is a file called user.flag which has the following content. Here, I am using the lftp client, because it makes the life easier.

lftp -u sky,_pass_

ls -al
cat user.flag

I got a hint from the user @D4rw1n from Vulnhub discord channel.

We can see that the flag has a shell script and the file has the executable assess for the user sarah. Hence, we might guess that there is a cron job that is run by sarah. Thus, I downloaded the file to my local machine, updated the script and uploaded it to the ftp server.

get user.flag
# update the script
put user.flag
ls -al

You can see that there permissions are intact. However, if you messed up the permissions somehow, you can see that the FTP server has some site commands enabled.

Using these site commands, we can invoke these commands in the server.

Meanwhile, I also listened on the port 4444.

nc -nlvp 4444

After a while, I got the reverse shell.

Then, I proceeded with upgrading the shell. Check the following post on how to do that.

Upgrade to an intelligent reverse shell

However, since the python way didn’t work to get me a PTY shell, I used the following method.

SHELL=/bin/bash script -q /dev/null

Next, when I searched for the suid binaries, I found out that bash has setuid enabled.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

This means, we can escalate privileges.


bash -p
cd /root
ls -al
cat root.flag

0 0 votes
Article Rating
Notify of
Newest Most Voted
Inline Feedbacks
View all comments