Lunchbreaker Walkthrough – Vulnhub – Writeup
Funbox: Lunchbreaker is one of the machines from the Funbox series. It’s a series about cracking passwords only. I personally don’t prefer bruteforcing password, however it’s a good point for starters. “Lunchbreaker Walkthrough – Vulnhub – Writeup”
Link to the machine: https://www.vulnhub.com/entry/funbox-lunchbreaker,700/
Identify the target
As usual, I started the challenge with the identification of the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Next, I ran nmap scan to get the information of open ports in the target.
sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.35
Here, we can see that anonymous ftp login is allowed. Hence, I decided to download the files to my local machine.
Getting FTP credentials
To login to the FTP server, the following command works.
ftp 10.0.2.35
get .s3cr3t
get supers3cr3tThere is another directory wordpress that doesn’t have any information that we require for this box.
.s3cr3t
cat .s3cr3t
The file contained the following information.
SWYgdGhlIHJhZGlhbmNlIG9mIGEgdGhvdXNhbmQgc3VucyAvIHdlcmUgdG8gYnVyc3QgYXQgb25jZSBpbnRvIHRoZSBza3kgLyB0aGF0IHdvdWxkIGJlIGxpa2UgLyB0aGUgc3BsZW5kb3Igb2YgdGhlIE1pZ2h0eSBPbmUgYW5kIEkgYW0gYmVjb21lIERlYXRoLCB0aGUgc2hhdHRlcmVyIG9mIHdvcmxkcw==
So, I decoded the bas64 encoded text.
cat .s3cr3t | base64 -d
It gave the following output.
If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
.s3cr3t
cat .s3cr3t
The file has the following text.
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.
We can see the brainf*ck code which I decoded online to get the following output.
Look deep into nature and then you will understand everything better.Up to now, I didn’t get anything.
Enumerate web server
Since there is nothing much on the FTP server, I moved towards the webserver. The default page had a beautiful picture of lavender.
While looking at the comments, I found the possible usernames and hostname of the target.
At first glance, we got the possible usernames, jane, miller, j.miller. Likewise, we got the hostname of the target. So, I added the hostname to my hosts file.
sudo vi /etc/hosts
Furthermore, when I looked at the robots.txt, I got a hint to not use any directory bruteforcing tool. It rather says to do what you see.
Bruteforce – Jane
Next, I decided to bruteforce the logins of two possible servers – ftp and ssh.
hydra -V -l jane -P /home/kali/rockyou.txt funbox8.ctf ftp
Since we found the password to log in as jane to the FTP server, I proceeded with the login.
We only have read access to the directory. Likewise, there is a directory called backups which has a file called keys.txt. That didn’t give me anything.
cd backups
get keys.txt
cat keys.txtkJGgh-kiu65-zghku-76zzt-hgf56
llij8-fgzZ-rTzU1-ddfgz-i876SI once again logged into the FTP server and found out that the current directory is /home/jane of the target. That means, the root of the target is served in the FTP server.
pwd
Hence, I could look at the users of the machine by simply switching directory one previous level.
cd /home
ls -al
Now that I have the usernames, I could proceed to further bruteforcing.
Bruteforce – other users
I placed the other usernames than jane into a file (users) like as follows.
Then, I did the bruteforcing using the users’ list and the password.
hydra -V -L users -P /home/kali/rockyou.txt funbox8.ctf ftp -u
# -u will revolve around users not passwords 
I logged in as jim but didn’t get anything.
However, after a while, I got credentials of another user as well.
Then, I decided to check if the user had reused the password to log into SSH.
ssh jules@funbox8.ctf
Bruteforce – John
In the directory of john, I saw a file called .backups.
ls -al
ls -al .backups
The directory contained files that have wordlists. Two of the files are empty as well. However, I decided to copy the directory to my local directory suing scp (secure copy). If you can SSH to the server, you can copy file securely to and from the server.
scp -r jules@funbox8.ctf:~/.backups .
Now that we have the passwords list, I could bruteforce using this list. Since john is the only user whose password I haven’t found, I changed the previous command.
hydra -l john -P .backups/.bad-passwds funbox8.ctf ftp
I got the password for the ftp server. Hence, I tried reusing the password to the SSH server.
ssh john@funbox8.ctf
Root privilege escalation
When I listed the files of the box, I saw a directory.
ls -al
Then, I got the content of the directory.
cd .todo
ls -al
cat todo.list
It looks like the user had reused the password. Using the password of the user john, I got the access to the root.
su root
cd /root
ls -al
cat root.flag
Conclusion
This is a machine that only revolves are bruteforcing which I didn’t like. Since the purpose of doing CTF is learning something, it would have been great if other simple exploits were present on the machine than the bruteforcing.