Moneybox Walkthrough
Platform: Offsec | PG Play
Difficulty: Easy
OS: Linux
Author: Pawan Kumar (Vulntricks)
Date: [04/07/2025]
🛰️ 1. Reconnaissance
Quick Scan using RustScan
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 1093656 Feb 26 2021 trytofind.jpg
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.45.181
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 1e:30:ce:72:81:e0:a2:3d:5c:28:88:8b:12:ac:fa:ac (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWBZjFZOMKU5jDBL6SwW+89IV0wojGRFPnrSIyxVOp/N7sNSln6NttNOQu1gsC4Sp7WziJ+hL5Map7t7YWJ9Rj9lvcaQU48aTtTzEsL5T991Wm3ZNvZjS0yhSL9Scf6VGxoO0EGqV+z3Z1OMKU609bm8PLoNaxfNXl2zDRdyrAN3VBT4jp8zlgfaT0W4kKQJ9u77IiHXBOU+6JrBg1b4F9x/wYT6zXxtGjH3tJTF8g4E6Da2eHOWsq3ERd40M+Oi1v4Du3+bQRd3Z4KVDOQ1utmdyFI+HcrGxjIPqqRAP0h2PLLm4qh/QZBvPO8cAPUdduLLeqmFGn/qg/FP08nBgZ
| 256 01:9d:fa:fb:f2:06:37:c0:12:fc:01:8b:24:8f:53:ae (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC8xP+l2BvuK5pg2bEpcDV1GAoAI3kIpMznpUyfOJS29SF9N2XyYV1eEcvf0O8exXyxCs+RjVbk+8cxBs8K36CU=
| 256 2f:34:b3:d0:74:b4:7f:8d:17:d2:37:b1:2e:32:f7:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ92TDnimudy2EtcS6I1ja1fGn+OBm3z2/8rxwcZknEH
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-title: MoneyBox
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Enumerating port 21 (FTP)
From the Nmap scan we already know that anonymous login is allowed. After logging in, we see a JPG file.
This is just a cat image...
Ignoring what just happened and moving ahead with further enumeration...
Enumerating port 80
As the website says, no overthinking, so I viewed the source code and found nothing.
A quick directory enumeration on this...
└─$ feroxbuster --url $URL --wordlist /usr/share/seclists/Discovery/Web-Content/quickhits.txt -k
Quick hits fail. Moving further.
Gobuster is the key: trying the gobuster command and peeking into the directories.
└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -x txt,pdf,conf,php,aspx,html
Got a hit on blogs.
Looking at the source code I found this text
Using the directory name `S3cr3t-T3xt` got this page.
Looked into the source code again and found the secret key `3xtr4ctd4t4`
Initial Access
I remembered the image file from the FTP
Analyzing the file with the steghide tool showed that a data file is embedded in it, and the secret key is the passphrase to extract it.
Extracting the file.
└─$ steghide --extract -sf trytofind.jpg
Enter passphrase:
wrote extracted data to "data.txt".
Reading data from file
So we found a username, renu,
and a hint that the password is weak, so potentially we can brute-force it. Let's try it then.
Used hydra to brute-force the SSH login
└─$ hydra -l renu -P /usr/share/wordlists/rockyou.txt ssh://$IP
Login using user and password...
Privilege Escalation
After some enumeration, found the user's bash history
and it looks like we can access the lily user without a password, so let's go for it.
And it worked. We have lily's privileges. Checking whether we can execute any command as the root user.
So we can execute perl as the root user from lily. A quick check on GTFOBins
So we can just escalate privileges.
We have root access now.
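A defender-side check for the sudo misconfiguration behind this last step, as an added example that is not part of the original walkthrough: it parses `sudo -l` style output and flags rules that hand a shell-capable binary such as perl to a user. The function name, the binary list and the sample output are assumptions constructed for illustration.

```python
import re

# Binaries that can run arbitrary code or spawn a shell, so a sudo rule for
# them is equivalent to a root shell (illustrative list, not exhaustive).
SHELL_CAPABLE = {"perl", "python", "python3", "ruby", "bash", "sh", "vi",
                 "vim", "find", "awk", "less", "env"}

# One rule line of `sudo -l` output, e.g. "(ALL : ALL) NOPASSWD: /usr/bin/perl"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def audit_sudo_rules(sudo_l_output):
    """Return [(command, [reasons])] for risky rules found in `sudo -l` text."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # header and Defaults lines carry no "(runas)" prefix
        as_root = m.group("runas").split(":")[0].strip() in ("ALL", "root")
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                reasons = ["unrestricted command set"]
            elif binary in SHELL_CAPABLE:
                reasons = [f"{binary} can execute arbitrary code"]
            else:
                continue  # fixed, non-interpreter command: not flagged here
            if as_root:
                reasons.append("runs as root")
            if nopasswd:
                reasons.append("no password required")
            findings.append((cmd, reasons))
    return findings


# Constructed sample input (not copied from the page).
SAMPLE = """\
User lily may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for cmd, reasons in audit_sudo_rules(SAMPLE):
        print(f"[!] {cmd}: {'; '.join(reasons)}")
```

The fix for a flagged rule is to remove it or replace the interpreter with the one fixed command the user actually needs.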