🐧MoneyBox

192.168.84.230

Enumeration

nmap 192.168.84.230 -p- -sV

Results:

Port 21 Enum

ftp [email protected]

Found that FTP does allow anonymous login. One file listed.

trytofind.jpg

Port 22 Enum

Banner grab.

Banner

Port 80 Enum

Landing page.

Dirbuster results.

Dirbuster Scan

Found at /blogs/index.html source code.

Found at /S3cr3t-T3xt/index.html source code.

Steganography

HAD TO GET HINT HERE

Got a hint that there may be information hidden in trytofind.jpg. Used the steganography decoder at https://futureboy.us/stegano along with the secret key.

Hello.....  renu

      I tell you something Important.Your Password is too Week So Change Your Password
Don't Underestimate it.......

Shell

Started brute forcing SSH with Hydra.

hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://192.168.84.230

Found that there is another user named lily.

After a while had to get another hint, but did notice port 22 open internally. After going back and reviewing a video: if I had checked lily's authorized keys I would have found that renu's key was authorized to be used by lily.


Tried connecting with lily and the id_rsa found in renu's file but it did not work.

Was able to use SSH to get from renu to lily with id_rsa in renu/.ssh/

ssh lily@localhost -i id_rsa
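Seen from the defender's side, the renu-to-lily hop above is one account's key sitting in another account's authorized_keys. The following is an added example, not part of the original writeup, that audits a host for that kind of cross-account trust; the `/home` layout, the function names and the sample key blobs are assumptions.

```python
import os, re
from pathlib import Path

# Key type, then base64 blob; leading authorized_keys options are skipped.
KEY_RE = re.compile(
    r"\b(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)\s+([A-Za-z0-9+/=]+)")

def key_blobs(text):
    """Set of base64 key blobs found in .pub or authorized_keys text."""
    blobs = set()
    for line in text.splitlines():
        m = None if line.lstrip().startswith("#") else KEY_RE.search(line)
        if m:
            blobs.add(m.group(1))
    return blobs

def cross_user_trust(accounts):
    """accounts: {user: {"pub": str, "auth": str}} -> [(key_owner, trusted_as)]."""
    owners = {}
    for user, files in accounts.items():
        for blob in key_blobs(files["pub"]):
            owners.setdefault(blob, set()).add(user)
    findings = set()
    for user, files in accounts.items():
        for blob in key_blobs(files["auth"]):
            findings.update((o, user) for o in owners.get(blob, ()) if o != user)
    return sorted(findings)

def read_all(paths):
    """Concatenate the files in paths that exist and are readable."""
    return "\n".join(Path(p).read_text() for p in paths if os.access(p, os.R_OK))

def collect(home_root="/home"):
    """Gather each account's public keys and authorized_keys (run as root)."""
    accounts = {}
    for home in Path(home_root).iterdir():
        ssh = home / ".ssh"
        accounts[home.name] = {"pub": read_all(ssh.glob("*.pub")),
                               "auth": read_all([ssh / "authorized_keys"])}
    return accounts

# Constructed sample mirroring the finding above (key blobs are made up).
SAMPLE = {
    "renu": {"pub": "ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedRENU renu@example", "auth": ""},
    "lily": {"pub": "", "auth": "# keys\nno-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAAconstructedRENU renu@example"},
}
if __name__ == "__main__":
    for owner, target in cross_user_trust(collect()):
        print(f"{owner}'s key is authorized to log in as {target}")
```

A key pair that has no `.pub` file beside it is not attributed to an owner by this check, so an empty result does not rule out shared keys.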

Checked the user's sudo permissions

sudo permissions

Root

Using a privilege escalation from GTFOBins.

sudo perl -e 'exec "/bin/sh";'
Root

Source: https://gtfobins.github.io/gtfobins/perl/
