Hey there! Today I'm going to solve another boot2root challenge, MoneyBox:1, created by Kirthik_T. This is an easy box with 3 flags in it. Without any further ado, let's jump right in.
1.) Target Discovery
For target discovery I use the netdiscover command.
└─$ netdiscover -i wlan0
From the above results I got the IP address of our target machine, which is 192.168.1.4.
2.) Port Scanning and Service Detection
The nmap result shows that three ports are open: FTP, SSH and HTTP. The nmap output also shows that anonymous login is allowed on FTP.
3.) FTP Enumeration
Anonymous access granted. After connecting to FTP I found an image file, which I transferred to my local machine.
I ran exiftool and strings on this image but got nothing useful, so I set it aside for later and started enumerating the other port, port 80.
4.) Web Enumeration
First I opened the IP address in the web browser and got a welcome message from the author. Nothing interesting here.
To enumerate directories on the server I fired up dirb. dirb showed that there is a '/blogs/' directory on the web server.
I opened that directory in the browser and got another message. I pressed 'ctrl+u' to view the page source, and there was a hint about another secret directory.
The author mentioned that there is a 'S3cr3t-T3xt' directory on the server.
Again I viewed the source of the secret directory page, and there was a secret key. What can I do with this secret key? The key is '3xtr4ctd4t4', which reads as 'extractdata'.
That brought to mind running steghide on the image I had found while enumerating FTP.
So I ran steghide with the secret key as the passphrase, which extracted a 'data.txt' file. This data.txt mentions a user 'renu' and says that renu uses simple or bad passwords which are easy to brute-force.
5.) Initial Footholds
I used hydra to brute-force the password of user 'renu' and got it within 30 seconds. The password for user 'renu' is '987654321'.
I connected over SSH with renu's credentials and got the first user flag.
After that I learned that another user, 'lily', also exists on the server, so I moved to lily's home directory and saw a .ssh directory there.
While enumerating that directory I found an 'authorized_keys' file in which renu's key was listed, which means renu can connect over SSH as lily without a password.
That's great! I got an SSH session as lily without supplying lily's password.
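The authorized_keys check above can be done mechanically for every account on the box instead of reading one file by hand. The script below is an added example and is not part of the original write-up: it matches every user's public key files under /home/*/.ssh against every other user's authorized_keys and prints who can SSH into whom without a password, listing keys that belong to no local user separately for manual review. The root directory argument is an assumed parameter (an empty string means the live system), and the renu/lily layout that make_sample_home builds under a temporary directory is constructed for the demonstration with placeholder key blobs rather than real key material.

```shell
#!/usr/bin/env bash
# Added example (not part of the original write-up): find SSH lateral-movement
# paths by matching every user's public key files against every other user's
# authorized_keys. $root is an assumed argument: "" means the live system,
# a temp dir means the constructed sample built by make_sample_home below.

# Print "type blob" for an authorized_keys or .pub line, skipping any leading
# options such as from="..." or command="...". Returns 1 if no key is present.
key_material() {
    set -f; set -- $1; set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp*|sk-*@openssh.com)
                [ $# -ge 2 ] || return 1
                printf '%s %s\n' "$1" "$2"
                return 0 ;;
        esac
        shift
    done
    return 1
}

# Print "owner<TAB>type blob" for every *.pub under $root/home/*/.ssh;
# a user's own .pub files tell us which keys are theirs.
public_keys() {
    local root=$1 f owner mat
    for f in "$root"/home/*/.ssh/*.pub; do
        [ -f "$f" ] || continue
        owner=${f#"$root"/home/}; owner=${owner%%/*}
        mat=$(key_material "$(head -n 1 "$f")") || continue
        printf '%s\t%s\n' "$owner" "$mat"
    done
}

# Print "src -> dst" for every key in dst's authorized_keys that belongs to
# local user src, i.e. src can ssh into dst with no password. Keys that match
# no local .pub are reported as "unknown(<comment>) -> dst" for manual review.
ssh_access_paths() {
    local root=$1 pubs f dst line mat blob owner comment
    pubs=$(public_keys "$root")
    for f in "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        dst=${f#"$root"/home/}; dst=${dst%%/*}
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            mat=$(key_material "$line") || continue
            owner=$(printf '%s\n' "$pubs" | awk -F'\t' -v m="$mat" '$2 == m { print $1; exit }')
            if [ -n "$owner" ]; then
                printf '%s -> %s\n' "$owner" "$dst"
            else
                blob=${mat#* }
                comment=${line##*"$blob"}      # whatever follows the key blob
                comment=${comment# }
                printf 'unknown(%s) -> %s\n' "${comment:--}" "$dst"
            fi
        done < "$f"
    done
}

# Build a constructed /home layout mirroring the write-up: renu's public key
# sits in lily's authorized_keys. The key blobs are placeholders, not real keys.
make_sample_home() {
    local d renu_key
    d=$(mktemp -d)
    mkdir -p "$d/home/renu/.ssh" "$d/home/lily/.ssh"
    renu_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERkeyForRenu renu@moneybox'
    printf '%s\n' "$renu_key" > "$d/home/renu/.ssh/id_ed25519.pub"
    printf '%s\n' "$renu_key" > "$d/home/lily/.ssh/authorized_keys"
    printf 'command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERnotOnBox admin@elsewhere\n' \
        >> "$d/home/lily/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

# Demo on the constructed layout; on a live box run: ssh_access_paths ""
demo_root=$(make_sample_home)
ssh_access_paths "$demo_root"
rm -rf "$demo_root"
```

Matching on the key blob rather than on the comment matters: the comment in authorized_keys is free text and proves nothing, whereas a blob that also appears in renu's own .pub file is the actual trust relationship sshd will honour. Keys that match no local .pub (the "unknown" lines) are often the more interesting finding, since they point at an external party with standing access.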
6.) Privilege Escalation
The first thing to check after getting a user shell is sudo -l, and lily has a sudo rule that lets her run perl as root without a password.
A simple perl one-liner gives a root shell:
└─$ sudo perl -e 'exec "/bin/bash";'
Easy privilege escalation, right? I got the root.txt flag and the boot2root challenge is complete. I personally enjoyed this VM.