[VulnHub] MoneyBox Walkthrough

A walkthrough for the MoneyBox virtual machine, available from VulnHub.

[VulnHub] MoneyBox Walkthrough

Difficulty level: Easy
Aim: Get root access and capture x3 flags.
Author: Kirthik_T

VulnHub: http://www.vulnhub.com/entry/moneybox-1,653/

Information Gathering

The target IP is not provided, but can be easily discovered using arp-scan:

sudo arp-scan --interface=eth1




With the target identified we can run nmap to discover open ports/services:

nmap -sC -sV -vvv

From this we can see the following ports and services:

  • port 21/tcp - FTP - (vsftpd 3.0.3 - with anonymous login allowed)
  • port 22/tcp - SSH - OpenSSH 7.9p1
  • port 80/tcp - HTTP - Apache httpd 2.4.38


The anonymous FTP sounds interesting and you may have noticed that nmap also identified a file named 'trytofind.jpg' during it's scan. We'll connect to the FTP service and download this:

ls -la
get trytofind.jpg

It's not much use at the moment, but going off past experience there is likely to be some steganography involved here.

Let's move on to the HTTP service and check that in our browser:

Again, not much here, but let's throw gobuster at it to brute-force some directories:

gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt```

We've found a blogs directory to explore:

Viewing the source code for this page reveals another hidden directory:

The source code for this page gives us a secret key:

We can use this key with steghide to extract hidden information from the JPG image we found earlier - the result is a file named data.txt:

steghide extract -sf trytofind.jpg
cat data.txt

Gaining Access

OK, we have discovered a user named renu and been told that this account has a weak password, so let's throw hydra at this and attempt to brute-force the SSH service:

hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://

Success! We have a password for renu and can now login via SSH:

ssh [email protected]

The first flag can be found within the home directory of renu:

ls -la
cat user1.txt

Further enumeration finds a user named lily, and that it is possible to access this users home directory, where we can find the second flag:

cd ..
ls -la
cd lily
ls -la

cat user2.txt

Privilege Escalation

The current user renu has no sudo privileges, so it is likely we need to escalate to lily before we can go further.

The home directory for lily contains a .ssh folder with an authorized_keys file. The contents of this file shows that renu can login via SSH as lily without requiring a password:

ssh [email protected]

Great! We have escalated our privileges to lily.

Checking the sudo rights for lily, we can see that this user can run the /usr/bin/perl binary as root.

sudo -l

We can take advantage of this to elevate our privileges and spawn a root shell:

sudo perl -e 'exec "/bin/sh";'

Finally, we can switch into the /root directory and obtain the final flag:

cd /root
ls -la
cat .root.txt

Please feel free to contact me via Twitter and thanks for reading.