CTF Solution: MoneyBox

Wow, it's been a long time since we gave the solution of a practice vulnerable machine. Today, we'll provide the solution to the vulnerable machine in the MoneyBox from vulnhub.

The solution will be given in the following steps:

1. First we get the target machine up and running and from our attacking machine we use the netdiscover command to get the target's IP address.

The IP address here is 10.0.2.11.

2. We find open ports using nmap

The nmap scan shows ports 21/ftp, 22/ssh and 80/http are open. We can also see that ftp supports anonymous login.

3. Logging to ftp anonymously, we are successfull.

   

We then find an image in ftp server.

4. Next up, we download the image to our attacking machine and try to see if there's any hidden data in it using stegseek.

   

The stegseek command is this stegseek --seed trytofind.jpg

We notice that some data was extracted and saved to trytofind.jpg.out and we can display the contents.

The content tells that a user , renu, has a weak password. This is our hint to get remote access.

5. Since we have a username and we know ssh access is enabled on our target, let's try to brute force the ssh login using the username, renu and the popular rockyou as our wordlist - using hydra. hydra -l renu -P /usr/share/wordlists/rockyou.txt 10.0.2.11 ssh

   

Voila, we have renu's password. We can now login via ssh as renu.

6. While as renu, we go through all the files to see if we can get a hint to escalate to root. Going to the home directory, we see that there's another user, lily and surprisingly, renu has read and executable permissions on lily's directory.

   

7. Accessing lily's home directory, we see that there's a .ssh directory that contain an authorized_keys file.

   

8. Here, we will try to gain ssh to lily's account while as renu using the command ssh lily@10.0.2.11 and hope we don't get a password prompt or denied access.

   

We now have access as lily.

9. Let's run the command sudo -l to see if lily has sudo permissions as renu doesn't (Although, we skipped that step for renu).

   

We see that lily has sudo permissions with no password required executed using the /usr/bin/perl executable.

10. We are going to make some research on how we can exploit this (Make yours...Lol...). The result of our research is to run the command, sudo perl -e 'exec "/bin/bash";' , in order to gain root. This command is expected to spawn a shell using perl. Let's see if this works.

Now, we have rooted the machine.

Note that you have to have some basic understanding and be able to do researches to understand fully what was done to get root.

Pheewwwwwww.... That was an easy one. Until we meet again, feliz piratería.

Disclaimer: This solution is provided solely for educational and practical purposes. It is intended to demonstrate the techniques involved in solving cybersecurity challenges and to encourage ethical hacking practices. Any misuse of this information is strictly prohibited and may have legal consequences.