Money Heist Vulnhub Walkthrough

Today we are going to solve another Vulnhub boot2root machine called Money Heist. The difficulty of the VM is Medium level. You can download this machine here.

Network Scanning

Let's discover the target machine's IP address using the netdiscover tool. Another option for finding the machine IP is to run an Nmap ping scan.

sudo netdiscover

Now we have our target IP address; mine is 192.168.43.155. Our next step is discovering the target machine's open ports and running services.

sudo nmap -sV -sC 192.168.43.155

Enumeration

As we saw in the Nmap scan output, port 80 on the target machine is open. Let's open the machine's IP address in the browser.

Here we see the web page; at this point we don't have any password information for the machine. Click the registration button and fill in the registration form.

http://192.168.43.155

Our new user is successfully created; let's log in with the new user's credentials. After checking the page source and our current user's cookie, we found a JWT (JSON Web Token) vulnerability.

We had already downloaded the JWT debugger add-on, so we run the JWT debugger plugin and paste the token into its form.


We copy the token into a file named jwt_token.txt and try to crack the HMAC-SHA256 signing secret using the john tool.

john jwt_token.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256

After a minute the secret is cracked and we have a valid signature. We enter the recovered secret in the debugger's verify-signature field, change the email in our payload from [email protected] to admin, and save the new cookie.
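To make the flaw concrete, here is an added Python example (not code from the original post) of a minimal HS256 sign/verify pair: editing the cookie's payload alone is rejected by the signature check, so the attack only works because the signing secret was recoverable from a wordlist. `WEAK_SECRET`, `STRONG_SECRET` and the wordlist are constructed values, not the secret on this machine; `secret_is_weak` is the audit a developer would run against their own configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for the demo; the real secret on the target is not known here.
WEAK_SECRET = b"password123"                         # the kind of secret a wordlist recovers
STRONG_SECRET = b"0123456789abcdef0123456789abcdef"  # 32 bytes, the HS256 minimum (RFC 7518)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 over header.payload."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, secret: bytes):
    """Return the payload if the token carries a valid HS256 signature, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(b64url_decode(header)).get("alg") != "HS256":  # pin the algorithm
            return None
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # bad base64 or JSON
        return None


def swap_payload(token: str, new_payload: dict) -> str:
    """Replace the payload but keep the old signature: what editing the cookie alone gives."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url(json.dumps(new_payload, separators=(',', ':')).encode())}.{sig}"


def secret_is_weak(secret: bytes, wordlist) -> bool:
    """Server-side audit: too short for HS256, or present in a password wordlist."""
    return len(secret) < 32 or secret.decode("utf-8", "ignore") in wordlist
```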


We go back to the main page, refresh it, and find a set of credentials.


We try to log in as the berlin user and successfully connect to the SSH console. We find our first flag in the berlin user's home directory; let's read the flag with the cat command.

sudo [email protected]
ls
cat flag_1.txt
cd /home
ls
cd professor
ls

Privilege Escalation

After checking all the user directories we find the password of another user, professor. Let's switch from berlin to professor with the su (switch user) command. We check the professor user's permissions and find that professor has sudo permission.

Then we switch from the professor user to root.

cat passwd.txt
su professor
sudo su
cd /root

Other user flags: nairobi and tokyo

cd /home
cd nairobi
ls
cat flag2.txt
cat message.txt
cd ../
cd tokyo
ls
cat flag_3.txt
cat message.txt


About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
