Money Heist Vulnhub Walkthrough

Today we are going to solve another Vulnhub boot2root machine called Money Heist. The difficulty of the VM Medium Level. you can download here this machine.

Network Scanning

Let’s discovered the target machine IP using the netdiscover tool. there is another option to find the machine IP run the Nmap ping scan.

Now we have our target IP address, my target IP address is ( 192.168.43.155 ) and our next step is discovering target machine open ports and running services.

Enumeration

Since we saw the Nmap scanning output target machine port 80 is open. Let’s explore the machine IP address in the browser.

here, we see the web page currently we haven’t any password information on the machine. Click the registration button and fill the registration form.

our new user is successfully created, let’s login with our new user credentials. After checking the page source and check our current user cooking we found a JWT ( JSON Web Token ) vulnerability.

We already download the JWT debugger add-on and we run the JWT debugger plugin and open the JWT form token.

We copy the toke and create a jwt_toke.txt file and try to crack the HMAC-SHA256 hash password using the john tool.

After a minute our hash is cracked and we found a valid signature, let’s change the verified signature and change our current email payload [email protected] to admin and save the cookies.

We back the main page and refresh the page we found a credentials.

and we try to login with the berlin user and we successfully connect with SSH console. we found our first flag in the berlin user home directory let’s read the flag using the cat command.

Privilege Escalation

After checking the all user directory we found another user professor password let’s change the berlin to the professor run the su ( switch user ) command. we check the professor user permission and the professor user have sudo permission.

again change the user professor to root user.

Another user Flags nairobi and tokyo

C0lddBox Vulnhub Walkthrough Link