Today I’m going to give you a walkthrough of the Moneybox-1 CTF on VulnHub. I have to say, I really enjoyed this one. It is set up for beginners, and this time, it really was. As a beginner myself, I was able to go through it, with the exception of the last flag, which I had to look up, because you have to be root to get the last flag, and privilege escalation is one of my weak points at the moment.
This CTF has 3 flags, with the 3rd being the final root flag.
The first thing I do after finding the IP of the VM is run scans; generally it’s these 3:
This helps give me a general idea of what I’m working with.
I ran this command: nmap -T5 -sC -sV -Pn -p- -oA nmap <VM-IP>
This revealed to me there are 3 ports open on this system.
21 : FTP (with Anonymous login allowed).
22 : SSH.
80 : HTTP.
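The scan above was saved with -oA, which writes the grepable .gnmap file alongside the normal output. As an added example (not part of the original post), here is a small shell function that reads the open ports back out of a .gnmap file, so the findings can go straight into notes without re-running nmap. The scan text is constructed to resemble the three services found on this box; the version strings are made up for the sample and are not real output from the VM.

```shell
#!/bin/sh
# Added example (not from the original post): read the open ports back out of the
# .gnmap file that "nmap ... -oA nmap <VM-IP>" leaves behind.
# The scan text below is constructed; the version strings are placeholders.

SAMPLE_GNMAP=$(mktemp)
trap 'rm -f "$SAMPLE_GNMAP"' EXIT
{
  printf '# Nmap scan initiated as: nmap -T5 -sC -sV -Pn -p- -oA nmap 192.0.2.10\n'
  printf 'Host: 192.0.2.10 ()\tStatus: Up\n'
  printf 'Host: 192.0.2.10 ()\tPorts: %s\tIgnored State: closed (65531)\n' \
    '21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.9p1/, 80/open/tcp//http//Apache httpd 2.4.38/, 8080/filtered/tcp//http-proxy///'
  printf '# Nmap done\n'
} > "$SAMPLE_GNMAP"

# Print "port/proto service version" for every port nmap marked open.
# gnmap fields are tab-separated; each port entry has the shape
# port/state/proto/owner/service/rpcinfo/version/
open_ports() {
    awk -F'\t' '/^Host:.*Ports:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, p, /, */)
        for (j = 1; j <= n; j++) {
            split(p[j], f, "/")
            if (f[2] == "open")
                printf "%s/%s %s %s\n", f[1], f[3], f[5], f[7]
        }
    }' "$1"
}

open_ports "$SAMPLE_GNMAP"
```

Filtered and closed ports are dropped on purpose; only the "open" state is worth a line in the notes, and the 8080 entry in the sample is there to show that the filter works.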
Ok, this is good, let’s try things one by one.
Port 80 : HTTP.
I open up a browser and type the VM-IP in the address bar. I’m greeted with a simple web page, welcoming me to the challenge, and saying that it’s a simple machine: “Don’t Over Think it”. Ok. I’ll try to keep it simple.
I try to go to /robots.txt , but there isn’t one.
I look at the source code of that welcome page, nothing is there.
Alright. I made a note of what I’ve done on this port; let me move on to the next port.
Port 21 : FTP (with Anonymous login allowed).
Seeing that “Anonymous” is allowed means I should be able to FTP in without a password, so let’s try it and see if that is the case.
I ran this command: ftp <VM-IP>
It asked for a username, I typed: anonymous
it asked for a password, I just left it empty and hit enter.
It worked, I’m logged into the FTP as “anonymous”. Let’s see what is in here.
I ran: ls -la
I find an image called “trytofind.jpg”. I remembered the advice of “Don’t over think it”, so clearly this picture is important, and I download it to my local machine.
I ran this command: get trytofind.jpg
I ran a few commands on it, that didn’t produce much for me.
Those commands were: file / exiftool / strings / binwalk.
They all indicated it was an image, nothing more.
So in my local machine where I have that image file, I ran: ls -la
And that image file looked VERY large, so there is something in it for SURE, time to find out what’s in there.
I ended up using Steghide on it.
I ran this command: steghide extract -sf trytofind.jpg
It asked for a passphrase, dang it. I don’t have one, but this does tell me that there is something in this image. I make a note of my findings on this port, and that I need a passphrase for this image.
Port 22: SSH.
From experience, I know that you need a username and password, or a username and an ssh key to be able to use this, and since I don’t have either, I just made a note that this port is open, and once I find a username I can come back to it.
Let me see what other directories are out there, maybe one of them will have more information for me.
You will notice that I always redirect the results to a text file; that is just how I like to do it, so I can come back to the information whenever I want without needing to keep that terminal window open, or re-run the command if that terminal is closed by accident.
I ran this command: nikto -h VM-IP > nikto_results.txt
But that didn’t reveal anything for me.
One thing I’ve learned is that different tools that do the same thing can sometimes find different things, so it’s good practice to try the same enumeration using different tools.
I ran this command: gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<VM-IP> > goBust_results.txt
This found a couple of directories.
/blogs (Status: 301).
/server-status (Status: 403).
You know how when you go to a page that isn’t working, and it says “404 Page Not Found”? Well, I learned that any page that gives you a status in the 400s will most likely not work, so based on that I decided not to go to the “/server-status” page.
Now, 300s are a different story. (Status: 301) means that that specific page is being redirected to another page, which means that it’s live, so let’s go there.
I go to the browser: VM-IP/blogs
We are at a page with a message from T0m-H4k3r, but nothing is revealed. Hmmm, let’s dig deeper.
I view the source of that page, and at the bottom there is a comment indicating there is a hidden directory called “S3cr3t-T3xt”. Excellent.
I go to the browser: VM-IP/S3cr3t-T3xt
Another simple webpage, that says “There is nothing here”, which means there is most likely something there.
I view the source of that page, and at the very very bottom there is another comment that simply says:
Secret Key 3xtr4ctd4t4
If you “translate” the leet-speak, it says “Extract Data”.
THE PICTURE!! .. that was the first thing that came to mind, because we literally do need to extract data from it, and we need a passphrase to do that. So that’s what I attempted.
Went back to the picture.
I ran this command again: steghide extract -sf trytofind.jpg
It asked for a passphrase, I typed: 3xtr4ctd4t4
BAM, it extracted a “data.txt”, sweet.
I read the data.txt; it was a message to someone named “renu”, telling him that his password is weak and that he needs to change it. That was it.
Ok. We now have a user, renu. We also know that the SSH port is open, which needs a username & password, so let’s find renu’s password.
Nothing in that file or the web pages gave me anything. I even tried using “3xtr4ctd4t4” as renu’s ssh password, which didn’t work, as I presumed; I just wanted to rule it out. Alright, our next goal is to find renu’s password.
I decided to use Hydra & rockyou.txt to see if it finds a match for renu’s password.
I ran this command: hydra -t 1 -f -V -l renu -P /usr/share/wordlists/rockyou.txt <VM-IP> ssh -e nsr
This took a while, so I took that time to clean up my notes, make a cup of tea, even went for a little walk, just to get some fresh air. After a long while, hydra said it found a match.
renu : 987654321
Let’s see if that works.
I ran this command: ssh renu@VM-IP
When it asked for a password, I typed this: 987654321
It worked, we have now SSH-ed into the box.
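From the other side of the wire, the Hydra run above is very loud: a burst of “Failed password” lines in auth.log from one source, followed by an “Accepted password” from that same source once a guess lands. As an added example (not part of the original post), here is a shell function that reads sshd lines from an auth.log and flags any source address that crossed a failure threshold, reporting how many logins it then succeeded with. The log lines are constructed for the example and are not from the VM.

```shell
#!/bin/sh
# Added example (not from the original post): the defender's view of a password
# guessing run against sshd. The auth.log lines below are constructed.

SAMPLE_AUTH_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Oct  5 10:01:01 moneybox sshd[1201]: Failed password for renu from 192.0.2.50 port 40100 ssh2
Oct  5 10:01:03 moneybox sshd[1203]: Failed password for renu from 192.0.2.50 port 40101 ssh2
Oct  5 10:01:05 moneybox sshd[1205]: Failed password for renu from 192.0.2.50 port 40102 ssh2
Oct  5 10:01:07 moneybox sshd[1207]: Failed password for invalid user admin from 192.0.2.50 port 40103 ssh2
Oct  5 10:01:09 moneybox sshd[1209]: Failed password for renu from 192.0.2.50 port 40104 ssh2
Oct  5 10:01:11 moneybox sshd[1211]: Failed password for renu from 192.0.2.50 port 40105 ssh2
Oct  5 10:02:30 moneybox sshd[1220]: Failed password for lily from 198.51.100.7 port 51000 ssh2
Oct  5 10:02:41 moneybox sshd[1222]: Accepted password for lily from 198.51.100.7 port 51000 ssh2
Oct  5 10:09:12 moneybox sshd[1244]: Accepted password for renu from 192.0.2.50 port 40123 ssh2
EOF

# ssh_bruteforce_report LOGFILE [THRESHOLD]
# Count password failures and successes per source address and print an ALERT
# for every source at or above the failure threshold (default 5). A non-zero
# accepted count on an alerted source is the line that matters: a guess worked.
ssh_bruteforce_report() {
    awk -v threshold="${2:-5}" '
        /sshd.*: (Failed|Accepted) password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if ($0 ~ /Failed password/) failed[ip]++; else accepted[ip]++
        }
        END {
            for (ip in failed)
                if (failed[ip] >= threshold)
                    printf "ALERT %s failed=%d accepted=%d\n", ip, failed[ip], accepted[ip] + 0
        }' "$1" | sort
}

ssh_bruteforce_report "$SAMPLE_AUTH_LOG"
```

The one typo-and-retry from 198.51.100.7 stays below the threshold, which is the point of counting per source rather than alerting on every failure. The same logic is what fail2ban-style tooling automates; -t 1 in the Hydra command only slows the guessing down, it does not make the log quieter.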
// FLAG 1
We have successfully SSH-ed into the box.
Let’s look around.
I ran: ls -la
Found a “user1.txt”, I read it and it was the First Flag.
Excellent, 2 more to go.
// FLAG 2
After finding that first flag, I wanted to do some exploring for clues for the second flag. I used the “cd ..” command until I got to the “/home” directory, then ran another “ls -la”, and there I see another user folder “lily”. Most likely that is where the 2nd flag is.
I ran: cd lily
That put me in Lily’s folder.
Then I ran: ls -la
There I see “user2.txt”, surprisingly I am able to read it and indeed that is the Second Flag.
// FLAG 3 : Final Root Flag
If past CTFs are any indications, then it means that the final flag will be in the root directory. I’m still logged in as “renu”, and of course I am not able to go the root folder. Ok. Let me see if I can run any “sudo” commands.
I ran this command: sudo -l
Nothing, renu’s account does not have sudo privileges. This clearly means that I need to pivot to Lily’s account, so I dug around a bit more in Lily’s folder. I went to the .ssh folder; there was no id_rsa, but there was an “authorized_keys” file. I decided to read it, and it was the exact same information that was in Renu’s .ssh folder.
I went to Renu’s .ssh folder, opened his private “id_rsa” file, copied the whole thing over to my local machine, saved it and ran “chmod 644 id_rsa” on it, then tried to ssh as Lily with it.
I ran: ssh -i id_rsa lily@VM-ip
It gave me a warning and asked for a password, which I don’t have. I tried it as an empty password, I even tried using the contents of the “flags”, but nothing worked. (That warning is most likely ssh refusing to use a private key file whose permissions are too open: a copied key needs mode 600, not 644, before ssh will offer it at all, which is why it fell straight back to a password prompt.)
This was new to me; I had never seen an account with a .ssh folder and no id_rsa file in it before, but I just had an inkling that this has to be the way in. After looking around, I did find a write-up that showed a way to log into ssh as a different user in this particular situation.
I went back to the .ssh folder in Lily’s account.
So my location is now: /home/lily/.ssh
Then I ran this command: ssh lily@VM-IP
BAM, that worked! I’m now SSH-ed in as Lily.
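Two things made that hop possible: Lily’s authorized_keys trusted Renu’s key, and (on the first attempt) a private key copied with mode 644 was too open for ssh to use. As an added example (not part of the original post), here is a shell audit that walks a directory laid out like /home and reports both conditions. The home directory, user names and key material are constructed for the example; the key blobs are placeholders, not real keys, and the permission check relies on ls -l output, which is portable but coarse.

```shell
#!/bin/sh
# Added example (not from the original post): audit a /home-style tree for
# (1) users whose authorized_keys trusts another local user's public key, and
# (2) private keys readable beyond their owner (the "permissions are too open"
#     case that makes ssh ignore the key and fall back to a password prompt).
# Everything under SAMPLE_HOME is constructed; the key blobs are placeholders.

SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME"' EXIT
mkdir -p "$SAMPLE_HOME/renu/.ssh" "$SAMPLE_HOME/lily/.ssh"
RENU_PUB='ssh-rsa AAAAB3CONSTRUCTEDKEYFORRENU renu@moneybox'
LILY_PUB='ssh-rsa AAAAB3CONSTRUCTEDKEYFORLILY lily@laptop'
printf '%s\n' 'PLACEHOLDER PRIVATE KEY (constructed)' > "$SAMPLE_HOME/renu/.ssh/id_rsa"
chmod 644 "$SAMPLE_HOME/renu/.ssh/id_rsa"          # the mode used in the walkthrough
printf '%s\n' "$RENU_PUB" > "$SAMPLE_HOME/renu/.ssh/id_rsa.pub"
printf '%s\n' "$RENU_PUB" > "$SAMPLE_HOME/renu/.ssh/authorized_keys"
printf '%s\n' "$LILY_PUB" "$RENU_PUB" > "$SAMPLE_HOME/lily/.ssh/authorized_keys"

# user_of PATH: the home-directory owner for a path like <home>/<user>/.ssh/<file>
user_of() { basename "$(dirname "$(dirname "$1")")"; }

# audit_keys HOME_ROOT: print one finding per line
audit_keys() {
    home_root=$1
    # (1) cross-user trust: match each id_rsa.pub (key type + blob, comment
    #     ignored) against every other user's authorized_keys
    for pub in "$home_root"/*/.ssh/id_rsa.pub; do
        [ -f "$pub" ] || continue
        owner=$(user_of "$pub")
        keydata=$(awk '{ print $1 " " $2 }' "$pub")
        for auth in "$home_root"/*/.ssh/authorized_keys; do
            [ -f "$auth" ] || continue
            target=$(user_of "$auth")
            [ "$target" != "$owner" ] || continue
            grep -qF -- "$keydata" "$auth" && echo "CROSS-USER $owner's key is trusted by $target"
        done
    done
    # (2) private keys with any group/other permission bits set
    for key in "$home_root"/*/.ssh/id_rsa; do
        [ -f "$key" ] || continue
        bits=$(ls -l "$key" | cut -c5-10)
        [ "$bits" = "------" ] || echo "TOO-OPEN $(user_of "$key")'s id_rsa has mode bits $bits for group/other"
    done
    return 0
}

audit_keys "$SAMPLE_HOME"
```

On a real host the first finding is the one to chase: a key that lives in one account and is trusted by another turns any compromise of the first account into the second one for free, with no password to guess.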
Let’s see if she has sudo privileges.
I ran: sudo -l
She does, she can run this command with no password: /usr/bin/perl
Since my Privilege Escalation skills are lacking, I had to look up how to become root, and now I understand.
Given the info provided, that means that Lily can run the command “sudo perl” without needing a password, so all I need to do, is find a Sudo command that uses Perl that could make me root.
One such resource is GTFObins.
I ran the command: sudo perl -e 'exec "/bin/sh";'
The prompt changed, so I ran: id
That told me I was root.
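The root step comes down to one sudoers line: Lily was allowed to run an interpreter without a password, and an interpreter can start any other program. As an added example (not part of the original post), here is a shell function that scans a sudoers-format file and flags NOPASSWD rules that hand out ALL or a binary able to run arbitrary commands. The sudoers excerpt is constructed for the example; the “backup” rule in it shows the usual fix, which is to grant one specific script rather than a general-purpose binary. The list of risky binaries is deliberately short and is an assumption of the example, not a complete reference.

```shell
#!/bin/sh
# Added example (not from the original post): audit sudoers rules for the
# pattern behind the last step of the box. The excerpt below is constructed.

SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sudoers excerpt
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
lily    ALL=(ALL) NOPASSWD: /usr/bin/perl
backup  ALL=(root) NOPASSWD: /usr/local/bin/run-backup.sh
www     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, /bin/bash
EOF

# sudoers_audit FILE: print one RISK line per NOPASSWD command that is ALL or
# a binary able to execute arbitrary commands (short, assumed list below).
sudoers_audit() {
    awk '
        BEGIN {
            n = split("sh bash dash zsh perl python python3 ruby awk find vi vim less more", a, " ")
            for (i = 1; i <= n; i++) risky[a[i]] = 1
        }
        /^[[:space:]]*#/ { next }                     # comment lines
        NF == 0 { next }                              # blank lines
        /NOPASSWD:/ {
            user = $1
            sub(/.*NOPASSWD:[[:space:]]*/, "")       # keep only the command list
            m = split($0, cmds, /,[[:space:]]*/)
            for (j = 1; j <= m; j++) {
                split(cmds[j], parts, /[[:space:]]+/)
                cmd = parts[1]
                base = cmd; sub(/.*\//, "", base)
                if (cmd == "ALL" || (base in risky))
                    printf "RISK %s may run %s via sudo without a password\n", user, cmd
            }
        }' "$1"
}

sudoers_audit "$SAMPLE_SUDOERS"
```

The systemctl entry for “www” is not flagged by this short list even though a narrowly scoped rule is still the better design; the audit is a first pass to find the obvious shells and interpreters, and “sudo -l” on each account is the same information seen from the user’s side.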
I ran: ls -la
Saw the root.txt there and read it; it congratulated me and gave me the final flag.
There you go.
That was a fun box, and I learned a few new things from it.
First, that SSH trick. I now know that if I am user 1, and can go into the .ssh folder of user 2, which has no id_rsa file but has user 1’s key in its authorized_keys, then while I’m there I can run the ssh command to become user 2 without a password. (What actually makes this work is that the ssh client offers user 1’s own ~/.ssh/id_rsa by default, and user 2’s authorized_keys contains the matching public key; the directory you run it from does not matter.)
Second, I now understand how to interpret the results of “sudo -l”, which will help me get better with the privilege escalation side of things.
As you noticed, the Recon took most of the time, which is very typical, usually that and Privilege Escalation are the two that take up the most time, at least for me. But I do get to learn a lot of neat tricks, and I wanted to share them with you.
I hope that was helpful.
Go (ethically) Hack The Planet (or a CTF).