FunBoxEasyEnum

  1. Started with a TCP Scan on the target via Nmap.

Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-16 13:05 IST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 13:05 (0:00:06 remaining)
Nmap scan report for 192.168.180.132
Host is up (0.078s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 9c:52:32:5b:8b:f6:38:c7:7f:a1:b7:04:85:49:54:f3 (RSA)
|   256 d6:13:56:06:15:36:24:ad:65:5e:7a:a1:8c:e5:64:f4 (ECDSA)
|_  256 1b:a9:f3:5a:d0:51:83:18:3a:23:dd:c4:a9:be:59:f0 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.52 seconds
  2. Ports 22 and 80 were found.

  3. There was a default Apache web page on port 80.

  4. I ran a directory scan on the target and found a mini.php file.

  5. This was it: I uploaded a reverse shell from pentestmonkey to the directory and, since it was the root directory, executed the reverse shell from the same directory while running a Netcat listener on port 1234.

  6. I had obtained the initial foothold.

  7. Next, the objectives listed on Offsec for this lab stated that we had to guess the password for one of the users present on the system.

  8. On the mini shell on the web page, I navigated to the home directory and found five users.

  9. I tried switching user to goat from the initial foothold and, on a guess, entered goat as the password too, which surprisingly worked on the first go.

  10. I ran sudo -l to check which commands I could run with sudo on the target.

  11. The next step was to go to GTFOBins and see how /usr/bin/mysql could be used for privilege escalation.

sudo mysql -e '\! /bin/sh'
  12. I used the above to elevate my privileges to root and obtain the root flag.

  13. I also found the first flag in the /var/www/local.txt file.

  14. That was it for this box.

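As an added defensive check, not part of the original writeup, the following Python scans auth.log-style sudo entries for the pattern this box relies on: a shell-capable binary such as /usr/bin/mysql run as root through sudo, with the mysql `\!` escape in its arguments. The log lines are constructed, and the shell-capable binaries other than mysql are assumptions.

```python
import re

# sudo's auth.log entry: fields are separated by " ; " and COMMAND holds the
# binary followed by the complete argument string.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$"
)

# Sudo targets that can spawn a shell from inside the program. /usr/bin/mysql is
# the one from this box; the others are assumed entries in the GTFOBins style.
SHELL_CAPABLE = {"/usr/bin/mysql", "/usr/bin/vim", "/usr/bin/less", "/usr/bin/find"}

# Argument fragments that show a shell escape is being requested (mysql uses \!).
ESCAPE_MARKERS = (r"\!", "/bin/sh", "/bin/bash", "system(")

def parse_sudo(line):
    """Return the sudo fields of one log line, or None for non-sudo lines."""
    m = SUDO_LINE.search(line)
    return m.groupdict() if m else None

def classify(entry):
    """'escalation' if a shell escape is visible, 'review' if the binary merely
    permits one, 'ok' otherwise."""
    binary = entry["command"].split()[0]
    if entry["runas"] != "root" or binary not in SHELL_CAPABLE:
        return "ok"
    if any(marker in entry["command"] for marker in ESCAPE_MARKERS):
        return "escalation"
    return "review"

def scan(log_lines):
    """Return (user, command, verdict) for every sudo entry worth attention."""
    findings = []
    for line in log_lines:
        entry = parse_sudo(line)
        if entry is not None:
            verdict = classify(entry)
            if verdict != "ok":
                findings.append((entry["user"], entry["command"], verdict))
    return findings

# Constructed sample lines in the syslog layout sudo writes on Ubuntu.
SAMPLE_LOG = [
    "Oct 16 13:09:55 funbox sudo:     goat : TTY=pts/0 ; PWD=/home/goat ; USER=root ; COMMAND=/usr/bin/mysql -e \\! /bin/sh",
    "Oct 16 13:08:12 funbox sudo:     goat : TTY=pts/0 ; PWD=/home/goat ; USER=root ; COMMAND=/usr/bin/mysql -e SELECT 1",
    "Oct 16 13:07:40 funbox sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Oct 16 13:07:41 funbox sshd[1201]: Accepted password for goat from 10.0.0.5 port 51234 ssh2",
]
```

Running scan(SAMPLE_LOG) flags the first line as an escalation and the second for review; the sudoers fix is to not grant unrestricted mysql to a user who should not have root.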