Funbox: 1 Walkthrough
| reference | Funbox: 1 |
| target ip | 192.168.1.8 |
Scan with nmap:
Add the domain funbox.fritz.box to /etc/hosts, since curl redirected from ip to domain:
http://funbox.fritz.box hosts a wordpress, with the username admin.
Brute force with wpscan:
1 | wpscan --url http://funbox.fritz.box --no-banner -U admin -P /usr/share/wordlists/rockyou.txt |
Login into wordpress.
There’s another user:
Brute force with hydra to FTP service:
1 | hydra -l joe -P /usr/share/seclists/Passwords/Common-Credentials/best1050.txt ftp://192.168.1.8 -e nsr -I -V |
This is also the SSH credential.
Rbash:
Escape from rbash:
There’s a cron-like script in /home/funny:
Escalate to root:
/root/flag.txt:
/home/joe/mbox
