Proving Ground / Vulnhub Moneybox 1 walkthrough
The walkthrough
Please note: For all these machines, I have used Oracle VirtualBox to run the downloaded machine. I am using Kali Linux as an attacker machine for solving this CTF. The techniques used are solely for educational purposes, and I am not responsible if the listed techniques are used against any other targets.
I solved this machine for PG (Offensive Security Proving Grounds).
Let’s run the nmap scan
nmap -A 192.168.208.230
Nmap scan report for 192.168.208.230
Host is up (0.25s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.49.208
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
|_ 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
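To read the scan above as a hardening checklist, here is an added example (not part of the original walkthrough): a small Python parser that groups the NSE script lines under each open port and flags the anonymous FTP login, the plain-text FTP control channel and the Apache version banner. The rule list and the hardening hints are assumptions chosen for this scan; the sample input is an excerpt of the output above.

```python
import re

# Excerpt of the nmap -A output above (open ports plus the NSE lines used here).
SCAN = """\
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
| Control connection is plain text
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")
# Assumed rule set: (pattern in NSE script output, finding, hardening hint)
RULES = [
    (re.compile(r"Anonymous FTP login allowed"),
     "anonymous FTP login enabled", "set anonymous_enable=NO in vsftpd.conf"),
    (re.compile(r"Control connection is plain text"),
     "FTP control channel unencrypted", "set ssl_enable=YES or use SFTP instead"),
    (re.compile(r"http-server-header: \S+/\d"),
     "web server version disclosed", "set ServerTokens Prod in the Apache config"),
]

def parse_scan(text):
    """Group NSE script lines ('|' prefix) under the open port they follow."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "service": m.group(3), "version": m.group(4), "scripts": []}
            ports.append(current)
        elif line.startswith("|") and current is not None:
            current["scripts"].append(line.lstrip("|_ ").rstrip())
    return ports

def findings(ports):
    """Return (port, finding, hint) for every rule that matches a script line."""
    out = []
    for p in ports:
        for pattern, finding, hint in RULES:
            if any(pattern.search(s) for s in p["scripts"]):
                out.append((p["port"], finding, hint))
    return out

if __name__ == "__main__":
    for port, finding, hint in findings(parse_scan(SCAN)):
        print(f"{port}/tcp: {finding} -> {hint}")
```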
Let’s check the FTP service on port 21

Let’s download the trytofind.jpg file

Directory Brute-Forcing Port 80
ffuf -u http://192.168.208.230/FUZZ -w /usr/share/wordlists/dirb/common.txt -c -e .txt,.php,.zip,.bak
v1.3.1 Kali Exclusive ❤
________________________________________________
:: Method : GET
:: URL : http://192.168.208.230/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .txt .php .zip .bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
blogs [Status: 301, Size: 318, Words: 20, Lines: 10]
index.html [Status: 200, Size: 621, Words: 264, Lines: 18]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10]
Let’s open this URL: http://192.168.208.230/

Let’s check the /blogs directory
http://192.168.208.230/blogs/

Let’s check the page source

Let’s check this directory /S3cr3t-T3xt
http://192.168.208.230/S3cr3t-T3xt/

Let’s view the page source

Secret Key : 3xtr4ctd4t4
Run the steghide tool and use 3xtr4ctd4t4 as the secret key

Check the contents of the data.txt file

Let’s brute-force the password for SSH

UserName : renu
Password : 987654321
Let’s log in over SSH

Get the Flag

Let’s check the history

Let’s log in as the lily user

Privilege Escalation
Let’s check sudo rights

Check the GTFOBins site for a perl exploit

Let’s run perl

Get the Flag
