MoneyBox — Vulnhub Walkthrough

Dhinu Ramachandran
5 min read · Mar 12, 2021

Hey guys, this is my first article on Medium. In this one we will do the vulnerable machine MoneyBox from Vulnhub, which was released by Kirthik_T. This is a beginner-friendly machine. I hope you will enjoy it.

Identifying the target from Network

Before getting started it is important to identify the target on our network. We can use arp-scan or netdiscover to discover the IP address of the target.

sudo netdiscover -i eth0

netdiscover

Here my target machine was assigned the IP address 192.168.1.8, so we can add it to our hosts file as money.box.

Enumeration

I always start with an nmap scan to search for open ports and the services running on the box. My usual nmap scan covers script scanning, version detection and all ports.

nmap -sCV -p- money.box

nmap results

Looking at the results we can see that only 3 ports are open: an FTP service on port 21, an SSH service on port 22 and an Apache web server on port 80. We can also see that nmap detected a file called trytofind.jpg on the FTP server, so let's look into it.

ftp money.box

Here the machine allows anonymous login, so we can give anonymous as both the username and the password.

FTP login as the anonymous user and downloading the jpg file

Here we downloaded the jpg file to our local machine using the get command.

Now we have that image, so what about steganography? I used the steghide tool to try to extract hidden data with some common passwords, but nothing worked.

steghide --extract -sf trytofind.jpg

trying to extract data with some common passwords

So we need to find another way. From the nmap result we can see an Apache web server running on port 80, so let's check it out.

index page

On the index page there is only a welcome note and nothing hidden in the source code. So let's run gobuster in order to find hidden directories on the web server.

gobuster dir -w <wordlist here> -u <url here>

Here I used the raft-medium wordlist from SecLists.

hidden directory enumeration

Here gobuster discovered a hidden directory /blogs on the server. So let's check it out.

/blogs

On the index page of the /blogs directory we can see another note, but looking at the source shows some interesting content.

from the source code of the page

It reveals another hidden directory called /S3cr3t-T3xt. So let's check that out too.

/S3cr3t-T3xt

There is nothing on the index page except a note. But what about the source code? Let's look at that as well.

the secret key

Here we found another comment containing a secret key. So we found something useful; what about using it as the passphrase for our steganography extraction?

data.txt

Here the key worked and a new file called data.txt was extracted from the image.

username revealed

From the contents of data.txt we get a username, renu. We can also see that renu's password is weak, which gives us a hint to perform brute-forcing.

BRUTEFORCING

Now we can start brute-forcing renu's SSH login with hydra, using rockyou.txt as the password wordlist.

hydra -l renu -P <wordlist here> ssh://money.box

brute-forcing SSH as user renu

From the result, hydra cracked the SSH login successfully and found the password 987654321.

INITIAL ACCESS

Now we can log in via SSH with username renu and password 987654321.

user flag

So we got our first user flag.

PRIVILEGE ESCALATION

After getting the user flag I tried to discover the other users present on this box. From the home directory we can see the presence of another user called lily.

From renu's .ssh directory we get an SSH private key. Using that key we can log in as lily.

We got our second user flag successfully. Now it's time to become the root user.

First we can check the sudoers list.

sudo -l

sudoers list

Here the user lily can run the perl binary as the root user.

So let's check it on GTFOBins.

perl

From GTFOBins we can obtain the command to drop a root shell.

sudo perl -e 'exec "/bin/bash";'

root shell
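As an added example that is not part of the original walkthrough, here is a small Python script showing what the two noisiest steps of this chain look like from the defender's side: it parses constructed auth.log lines (assumed sample, not captured from the box) and flags the hydra-style burst of failed SSH logins for renu followed by a success, and lily's sudo run of perl, an interpreter that can exec a shell.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (assumed, not taken from the box): a password-guessing
# burst against "renu" that finally succeeds, one stray failure from another host, and lily
# using her sudo right on perl to spawn a shell.
SAMPLE_LOG = """\
Mar 12 10:01:01 moneybox sshd[1201]: Failed password for renu from 192.168.1.5 port 40210 ssh2
Mar 12 10:01:02 moneybox sshd[1203]: Failed password for renu from 192.168.1.5 port 40212 ssh2
Mar 12 10:01:02 moneybox sshd[1205]: Failed password for renu from 192.168.1.5 port 40214 ssh2
Mar 12 10:01:03 moneybox sshd[1207]: Failed password for renu from 192.168.1.5 port 40216 ssh2
Mar 12 10:01:04 moneybox sshd[1209]: Failed password for renu from 192.168.1.5 port 40218 ssh2
Mar 12 10:01:05 moneybox sshd[1211]: Accepted password for renu from 192.168.1.5 port 40220 ssh2
Mar 12 10:30:00 moneybox sshd[1300]: Failed password for renu from 192.168.1.9 port 50001 ssh2
Mar 12 10:32:10 moneybox sudo:     lily : TTY=pts/0 ; PWD=/home/lily ; USER=root ; COMMAND=/usr/bin/perl -e exec "/bin/bash";
"""

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
                     r"password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)")
# Binaries that can exec a shell: an unrestricted sudo right on any of them is effectively root.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vi", "vim", "awk", "find"}


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return ("ssh-bruteforce", ip, user, failures, login_succeeded) for >= threshold failures
    from one (ip, user) inside `window`, and ("sudo-shell", user, target, binary) for sudo runs."""
    failures, successes, findings = defaultdict(list), set(), []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            key = (m.group(4), m.group(3))  # (source ip, target user)
            if m.group(2) == "Failed":
                # syslog timestamps carry no year; the constructed sample assumes 2021
                failures[key].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=2021))
            else:
                successes.add(key)
            continue
        m = SUDO_RE.match(line)
        if m and m.group(4).rsplit("/", 1)[-1] in SHELL_CAPABLE:
            findings.append(("sudo-shell", m.group(2), m.group(3), m.group(4)))
    for (ip, user), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over consecutive failures
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(("ssh-bruteforce", ip, user, len(times), (ip, user) in successes))
                break
    return findings
```

The single failure from 192.168.1.9 stays below the threshold and is not reported, which is the point of counting per source and user rather than alerting on every failed login.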

Now we are the root user, so let's check for the last flag, the root flag, which is present in the root directory.

root flag

CONCLUSION

Thank you guys for reading my walkthrough. I hope you enjoyed it.

"TIP: always read the .bash_history file after obtaining initial access"

Bye, see you soon...
