FunBoxEasy — Offensive Security Proving Grounds

Sanaullah Aman Korai
Feb 7, 2021

Let’s scan the machine’s IP with nmap to discover open ports and running services.

As always, we enumerate the HTTP port first.

It’s just a normal landing page, so let’s check for hidden directories.

We first explored /admin.php and tried some common usernames and passwords, but failed to log in. We then opened another admin page, store/admin.php, tried common passwords again, and successfully logged in with the credentials admin-admin.

After logging in to the store panel, we navigate to the admin_add.php URL for adding a new book, and in the image section we try to upload a PHP reverse shell.

Our shell has been uploaded. Before clicking on the shell we have to set up a listener.

We found an interesting file, password.txt. With the help of the SSH password, we switch from the www-data user to tony and then run the sudo -l command for privilege escalation.

export TERM=xterm
su tony
python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo -l

Privilege Escalation

Our current user can run many binaries with sudo permission, but I am interested in the time command. time simply runs the program it is given, so under sudo that program starts as root. Using the following command, we escalate privileges to the root user.

sudo time /bin/bash

Now that we have a root shell, let’s move to the /root directory and read our final flag.

id
cd /root
ls
cat root.flag
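
From the defender's side, the sudo -l finding above can be checked for automatically. The script below is an added example, not part of the original walkthrough: it reads sudo -l output and flags rules that let a user run a program-launching wrapper such as time. The wrapper list and the sample output (user tony on a host named host) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules that hand out a root shell via a wrapper binary.
# Assumption: this wrapper list is illustrative and not exhaustive.
WRAPPERS="time env nice nohup timeout xargs strace watch ionice"

# Constructed sample of `sudo -l` output (not taken from the target machine).
SAMPLE='Matching Defaults entries for tony on host:
    env_reset, mail_badpass

User tony may run the following commands on host:
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/env, /usr/bin/finger'

# Reads `sudo -l` output on stdin and prints "<command> as <runas>" for each
# rule whose binary runs arbitrary programs, or that allows ALL commands.
flag_sudo_wrappers() {
    awk -v wrappers="$WRAPPERS" '
    BEGIN { n = split(wrappers, w, " "); for (i = 1; i <= n; i++) risky[w[i]] = 1 }
    /^[ \t]*\(/ {                                   # rule lines start with (runas)
        runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
        rest = $0;  sub(/^[^)]*\)[ \t]*/, "", rest)
        while (rest ~ /^[A-Z_]+:[ \t]*/)            # drop tags such as NOPASSWD:
            sub(/^[A-Z_]+:[ \t]*/, "", rest)
        m = split(rest, cmds, /,[ \t]*/)
        for (j = 1; j <= m; j++) {
            split(cmds[j], words, " ")              # first word is the binary path
            k = split(words[1], parts, "/")         # last path component is the name
            if (words[1] == "ALL" || (parts[k] in risky))
                print words[1] " as " runas
        }
    }'
}

printf '%s\n' "$SAMPLE" | flag_sudo_wrappers
# /usr/bin/time as root
# /usr/bin/env as root
```

Every line it prints is a rule that amounts to an unrestricted shell as the listed user; remove the rule or replace it with the exact command line the account needs.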
