Hello everyone, in this post I will be sharing an easy machine from Offsec's playground called Funboxrookie. It had FTP, SSH and HTTP ports open. On HTTP, an Apache web server was running with nothing except the default page, while FTP had some password-protected zip files. One of them got cracked and gave us the SSH key, which we can use to log in and get a shell. There was a restricted bash, which we could bypass easily, and viewing the MySQL history revealed the user's password, which we can use to get root.

NMAP

From the nmap scan we see ports 21, 22 and 80, so let's enumerate FTP first.

PORT 21 (FTP)

As we saw from the directory listing in the nmap scan, anonymous login is enabled.

We can run ls -la to see the files.

We have some zip files and two hidden files, @admin and @users. We can download all of these files using mget *

All the archive files have the same size and ask for a password. Reading the two other files, we find base64 text and a message telling us that the passwords are old.

That base64 text is nothing but the same message.

PORT 80 (HTTP)

The web server has the default Apache page, but the scan revealed that there's a robots.txt.

Log doesn't exist, so this is probably a rabbit hole.

PORT 22 (SSH)

I went through all the zip files, running fcrackzip to crack the passwords, but I was only able to crack tom.zip.

We can check sudo -l to see if we can run any commands as sudo, but we don't know the password.

If we try to use auto-complete with the tab key, we are going to get this error

On printing the environment variable $SHELL we can see it's set to rbash, which stands for restricted bash. The purpose of rbash is to not allow you, as a pentester, to execute commands. There's a blacklist of commands like python, bash, vi, vim, nano, less, cat and cd that you won't be allowed to run, and you won't be able to spawn a bash shell.

But in this case it's not that restricted: we can just set $SHELL to /bin/bash.

We see a .mysql_history file, and there are some queries written there.

So this xx11yy22 may be a password for user tom.
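From the defender's side, the finding above is a client history file that keeps a secret in clear text. The following is an added example, not code from the original post or the machine's author: it decodes a .mysql_history file and flags statements worth reviewing. The function names, pattern list and sample history are constructed for illustration, and it assumes the libedit history format (a _HiStOrY_V2_ header with \040-style octal escapes).

```python
import re

# Header written by libedit-based mysql clients; such files store
# spaces and other characters as three-digit octal escapes (\040).
LIBEDIT_HEADER = "_HiStOrY_V2_"

# Statements that commonly carry a secret in clear text (illustrative list).
SENSITIVE = [
    re.compile(r"\bidentified\s+(?:with\s+\S+\s+)?by\b", re.I),  # CREATE/ALTER USER, GRANT
    re.compile(r"\bset\s+password\b", re.I),
    re.compile(r"\bpassword\s*\(", re.I),                         # PASSWORD('...')
    re.compile(r"\binsert\s+into\b", re.I),  # hand-typed row data, broad on purpose
]

def decode_line(line):
    """Undo libedit's octal escaping, e.g. \\040 becomes a space."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), line)

def audit_history(text):
    """Return (line_number, decoded_statement) for each statement to review."""
    lines = text.splitlines()
    escaped = bool(lines) and lines[0].strip() == LIBEDIT_HEADER
    findings = []
    for n, raw in enumerate(lines, start=1):
        if escaped and n == 1:
            continue  # skip the format header itself
        stmt = decode_line(raw) if escaped else raw
        if any(p.search(stmt) for p in SENSITIVE):
            findings.append((n, stmt))
    return findings

# Constructed sample history; values are placeholders, not from the machine.
SAMPLE = "\n".join([
    "_HiStOrY_V2_",
    r"show\040databases;",
    r"create\040user\040'app'@'localhost'\040identified\040by\040'EXAMPLE-SECRET';",
    r"insert\040into\040accounts\040values\040('alice',\040'EXAMPLE-SECRET-2');",
    "quit",
])

if __name__ == "__main__":
    for n, stmt in audit_history(SAMPLE):
        print(f"line {n}: {stmt}")
```

Pointing the MYSQL_HISTFILE environment variable at /dev/null, or symlinking ~/.mysql_history to /dev/null, stops the client from keeping this file at all.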
