
CengBox:2 Vulnhub Walkthrough

Here is my write-up for the CengBox:2 vulnerable machine, an intermediate-level machine which can be downloaded from VulnHub.

There are two methods for privilege escalation, and we will cover the first and easy one, because I really don't like msfconsole sometimes.


IP of the target :

As usual, we start with nmap to find open ports and running services, using the command

sudo nmap -sC -sV -Pn -p-

The nmap result looks interesting, so let's try anonymous login on FTP :)

We found a note.txt file and downloaded it to our local system using the get command. Now let's read the content of the file.

We have gained some useful information from this message:

  • Users: Kevin and Aaron

  • Password: default password (we can try some common passwords)

  • Domain name: ceng-company.vm

So we edit the /etc/hosts file and add an entry for ceng-company.vm

This is what we have on port 80: nothing useful :( Now we can think of a directory brute force using the command

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt -t 25 --hc 404 http://ceng-company.vm/FUZZ

But unfortunately we have nothing here either.

If we remember the message from the note.txt file, ceng-company.vm is a domain. What if there is a subdomain? To find out, we are going to use gobuster

gobuster vhost -u ceng-company.vm -w /usr/share/wordlists/dirb/big.txt

Most of them returned code 400, but two subdomains returned code 403. We again edit the /etc/hosts file and add admin.ceng-company.vm
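Seen from the web server's side, the gobuster vhost run above leaves a recognizable trail: one client sending many different Host headers, almost all answered with 400. The following is an added detection example, not part of the original write-up; the log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache log format (an assumption, not taken from the write-up):
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[^"]*" (?P<status>\d{3}) \S+$'
)

def find_vhost_enumeration(lines, min_hosts=5, min_400_ratio=0.7):
    """Flag clients that sent many distinct Host headers, mostly answered 400.
    Returns {client: {"hosts_tried": n, "answered": [...]}} where "answered"
    lists the Host values that did not get a 400 (names the scan confirmed)."""
    tried = defaultdict(set)     # client -> distinct Host values seen
    answered = defaultdict(set)  # client -> Host values with status != 400
    total = defaultdict(int)     # client -> number of requests
    bad = defaultdict(int)       # client -> number of 400 responses
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue             # ignore lines that do not fit the format
        client, host = m["client"], m["host"].lower()
        tried[client].add(host)
        total[client] += 1
        if m["status"] == "400":
            bad[client] += 1
        else:
            answered[client].add(host)
    return {
        c: {"hosts_tried": len(tried[c]), "answered": sorted(answered[c])}
        for c in tried
        if len(tried[c]) >= min_hosts and bad[c] / total[c] >= min_400_ratio
    }

# Constructed sample log: one scanning client and one ordinary visitor.
SAMPLE_LOG = [
    f'{name}.ceng-company.vm 192.0.2.50 - - [10/Jun/2020:10:00:0{i} +0000] '
    f'"GET / HTTP/1.1" {status} 301'
    for i, (name, status) in enumerate(
        [("backup", 400), ("dev", 400), ("mail", 400), ("test", 400),
         ("admin", 403), ("vpn", 400), ("staging", 400)])
] + [
    'ceng-company.vm 198.51.100.7 - - [10/Jun/2020:10:01:00 +0000] '
    '"GET / HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(find_vhost_enumeration(SAMPLE_LOG))
```

The "answered" list is the part worth acting on: it shows which internal names, such as an admin panel, are reachable by anyone who sets the right Host header.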

Okay, now it's time for directory brute force again :)

Okay, let's open this directory.

This looks like a CMS, and without wasting time we start searching for some common login pages like /admin or /login, and we found both.

You can find these login pages using directory brute force as well, but trying some common names revealed the login page, so I didn't go for the brute force :)

Here is a little bit of guesswork to get the correct email and password

username : Kevin@ceng-company.vm

password : ***** ( #Try_Harder)

Using these credentials we are in as user Kevin. Now, by some manual searching, we found that we can edit some PHP files.

Content -> File Manager -> index.php

We edit this file with the pentestmonkey PHP reverse shell and start a listener on the specified port; after refreshing the page we get the reverse shell.

Okay, now let's refresh the page, and done: we are in as user www-data :)

Now we check the user's privileges using the command sudo -l.

Okay, let's run this bash script as user swartz.

sudo -u swartz /home/swartz/