Lunchbreaker Walkthrough – Vulnhub – Writeup

Funbox: Lunchbreaker is one of the machines from the Funbox series. It’s a series about cracking passwords only. I personally don’t prefer bruteforcing password, however it’s a good point for starters. “Lunchbreaker Walkthrough – Vulnhub – Writeup”

Link to the machine: https://www.vulnhub.com/entry/funbox-lunchbreaker,700/

Walkthrough of hacksudo 3

Identify the target

As usual, I started the challenge with the identification of the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I ran nmap scan to get the information of open ports in the target.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.35

Here, we can see that anonymous ftp login is allowed. Hence, I decided to download the files to my local machine.

Getting FTP credentials

To login to the FTP server, the following command works.

ftp 10.0.2.35
get .s3cr3t
get supers3cr3t

There is another directory wordpress that doesn’t have any information that we require for this box.

.s3cr3t

cat .s3cr3t

The file contained the following information.

SWYgdGhlIHJhZGlhbmNlIG9mIGEgdGhvdXNhbmQgc3VucyAvIHdlcmUgdG8gYnVyc3QgYXQgb25jZSBpbnRvIHRoZSBza3kgLyB0aGF0IHdvdWxkIGJlIGxpa2UgLyB0aGUgc3BsZW5kb3Igb2YgdGhlIE1pZ2h0eSBPbmUgYW5kIEkgYW0gYmVjb21lIERlYXRoLCB0aGUgc2hhdHRlcmVyIG9mIHdvcmxkcw==

So, I decoded the bas64 encoded text.

cat .s3cr3t | base64 -d 

It gave the following output.

If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds

.s3cr3t

cat .s3cr3t

The file has the following text.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++.>+++++++++++..----.<<++.>>-------.+..+++++++++++.<<.>>-------.+++++.++++++.-----.<<.>>-.-------------.+++++++++++++++++++.+.---.-------------.<<.>>----.+++++++++++++.----------.<<.>>++++++++++++++++.------------.---.+++++++++.<<.>>+++++++++++.----------.++++++.<<.>>++.--------------.+++..<<.>>+++++++++.-------.----------.+.+++++++++++++.+.+.-------------------.+++++++++++++.----------.<<.>>+.+++++++++++++++++.-----------------.+++++++++++++.+++++++.-----.------------.+.+++++.-------.<<.>>-----.+++.+++++++++++++++..---------------.+++++++++++++.<<++++++++++++++.------------.

We can see the brainf*ck code which I decoded online to get the following output.

Look deep into nature and then you will understand everything better.

Up to now, I didn’t get anything.

Enumerate web server

Since there is nothing much on the FTP server, I moved towards the webserver. The default page had a beautiful picture of lavender.

While looking at the comments, I found the possible usernames and hostname of the target.

At first glance, we got the possible usernames, jane, miller, j.miller. Likewise, we got the hostname of the target. So, I added the hostname to my hosts file.

sudo vi /etc/hosts

Furthermore, when I looked at the robots.txt, I got a hint to not use any directory bruteforcing tool. It rather says to do what you see.

Bruteforce – Jane

Next, I decided to bruteforce the logins of two possible servers – ftp and ssh.

hydra -V -l jane -P /home/kali/rockyou.txt funbox8.ctf ftp

Since we found the password to log in as jane to the FTP server, I proceeded with the login.

We only have read access to the directory. Likewise, there is a directory called backups which has a file called keys.txt. That didn’t give me anything.

cd backups
get keys.txt
cat keys.txt
kJGgh-kiu65-zghku-76zzt-hgf56
llij8-fgzZ-rTzU1-ddfgz-i876S

I once again logged into the FTP server and found out that the current directory is /home/jane of the target. That means, the root of the target is served in the FTP server.

pwd

Hence, I could look at the users of the machine by simply switching directory one previous level.

cd /home
ls -al

Now that I have the usernames, I could proceed to further bruteforcing.

Bruteforce – other users

I placed the other usernames than jane into a file (users) like as follows.

Then, I did the bruteforcing using the users’ list and the password.

hydra -V -L users -P /home/kali/rockyou.txt funbox8.ctf ftp -u 
# -u will revolve around users not passwords   

I logged in as jim but didn’t get anything.

However, after a while, I got credentials of another user as well.

Then, I decided to check if the user had reused the password to log into SSH.

ssh jules@funbox8.ctf

Bruteforce – John

In the directory of john, I saw a file called .backups.

ls -al
ls -al .backups

The directory contained files that have wordlists. Two of the files are empty as well. However, I decided to copy the directory to my local directory suing scp (secure copy). If you can SSH to the server, you can copy file securely to and from the server.

scp -r jules@funbox8.ctf:~/.backups .

Now that we have the passwords list, I could bruteforce using this list. Since john is the only user whose password I haven’t found, I changed the previous command.

hydra -l john -P .backups/.bad-passwds funbox8.ctf ftp

I got the password for the ftp server. Hence, I tried reusing the password to the SSH server.

ssh john@funbox8.ctf

Root privilege escalation

When I listed the files of the box, I saw a directory.

ls -al

Then, I got the content of the directory.

cd .todo
ls -al
cat todo.list

It looks like the user had reused the password. Using the password of the user john, I got the access to the root.

su root
cd /root
ls -al
cat root.flag

Conclusion

This is a machine that only revolves are bruteforcing which I didn’t like. Since the purpose of doing CTF is learning something, it would have been great if other simple exploits were present on the machine than the bruteforcing.

Leave a comment