Money Heist Vulnhub Walkthrough

Today we are going to solve another Vulnhub boot2root machine called Money Heist. The difficulty of the VM is Medium level. You can download this machine here.

Network Scanning

Let’s discover the target machine’s IP address using the netdiscover tool. Another option for finding the machine’s IP is to run an Nmap ping scan.

sudo netdiscover

Now we have our target IP address; my target IP address is ( ). Our next step is discovering the target machine’s open ports and running services.

sudo nmap -sV -sC


The Nmap scan output shows that port 80 is open on the target machine. Let’s open the machine’s IP address in the browser.

Here we see the web page. We don’t have any password information for the machine yet, so click the registration button and fill in the registration form.

Our new user is successfully created, so let’s log in with the new user’s credentials. After checking the page source and our current user’s cookie, we found a JWT (JSON Web Token) vulnerability.

We have already downloaded the JWT debugger add-on, so we run the plugin and open the token in it.

We copy the token into a jwt_token.txt file and try to crack the HMAC-SHA256 signing secret using the john tool.

john jwt_token.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=HMAC-SHA256

After a minute the hash is cracked and we have the secret that produces a valid signature. Let’s update the signature with the cracked secret, change the email value in our current payload to admin, and save the cookies.
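Why a dictionary-word HS256 secret is the root problem here, shown as an added example that is not part of the original walkthrough: a pinned-algorithm verifier plus an audit check you can run against tokens from your own service. The keys, wordlist and claim values are constructed samples, and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature is valid under key, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the header's choice
        expected = hmac.new(key, f"{header}.{body}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None  # constant-time comparison failed
        return json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token

def key_is_guessable(token: str, candidates) -> bool:
    """Audit check: is the token's signing key in a list of known-weak values?"""
    return any(verify_hs256(token, c.encode()) is not None for c in candidates)

# Constructed sample data: a dictionary-word key versus a 256-bit random key.
WEAK_WORDS = ["123456", "password", "secret", "letmein"]
weak_key = b"secret"
strong_key = secrets.token_bytes(32)
weak_token = sign_hs256({"email": "user@example.com"}, weak_key)
strong_token = sign_hs256({"email": "user@example.com"}, strong_key)

# Once the key is known, a token carrying any email claim verifies under it;
# the same token is rejected by a service that signs with the random key.
resigned = sign_hs256({"email": "admin"}, weak_key)

if __name__ == "__main__":
    print("weak key guessable:  ", key_is_guessable(weak_token, WEAK_WORDS))
    print("strong key guessable:", key_is_guessable(strong_token, WEAK_WORDS))
    print("re-signed vs strong key:", verify_hs256(resigned, strong_key))
```

The fix on the server side is the `secrets.token_bytes(32)` line: a random 256-bit key is out of reach of any wordlist, so the signature actually protects the email claim.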

We go back to the main page, refresh it, and find credentials.

We try to log in with the berlin user and successfully connect over SSH. Our first flag is in the berlin user’s home directory; let’s read it using the cat command.

ssh berlin@
cat flag_1.txt
cd /home
cd professor

Privilege Escalation

After checking all the user directories we found the password of another user, professor. Let’s switch from berlin to professor with the su (switch user) command. We check the professor user’s permissions, and the professor user has sudo permission.

Then we switch again, from the professor user to the root user.

cat passwd.txt
su professor
sudo su
cd /root

Flags of the other users, nairobi and tokyo:

cd /home
cd nairobi
cat flag2.txt
cat message.txt
cd ../
cd tokyo
cat flag_3.txt
cat message.txt

By Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.
