Money Heist – [Walkthrough]

Hello friends, in this post I will show you guys how I solved the Money Heist (catch us if you can) box from VulnHub by Anant Chauhan.

The difficulty of this CTF is somewhere between medium and hard, depending on who is solving it. I will add my review of this CTF at the end of the post.

I am assuming that you all have the VM's IP; if not, use the command “arp-scan -l” on Linux.

Enumerating the open ports with Nmap, I found that only three ports are open.

We can see that FTP allows anonymous login. After logging in that way I found a note.txt file and downloaded it, but after opening note.txt I didn't find anything worth it related to this CTF, so I moved on to the next step.

After visiting the website on port 80 I didn't find anything suspicious, so I used dirb to brute-force the web pages and found these three entries: “/robots”, “/robots.txt” and “/gate”. Visiting robots.txt shows the /robots directory, and in the robots directory I found an image named tokyo.jpeg. I downloaded it to my own system, but when I tried to open it, it did not show any image. Analyzing the file showed that it is reported as plain “data” rather than a JPEG, so I had to change the file signature of the image using “hexeditor”; you can find the “list of file signatures” here.

After opening the file with hexeditor, replace the first 4 hex bytes with “FF D8 FF EE”, save it with ctrl+x, and open the image. Sadly, you will find something like this.
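As an added example (not code from the original post), here is the same file-signature check and header repair done in Python: identify a file by its magic bytes, notice when the header is damaged but a JPEG end-of-image marker is still at the tail, and overwrite the first four bytes with FF D8 FF EE as described above. The sample bytes are constructed, not the real tokyo.jpeg.

```python
SIGNATURES = {                    # header magic bytes for a few common types
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker at the tail


def identify(data):
    """Return the type whose header signature matches, else None."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def headerless_jpeg(data):
    """No known header, but a JPEG end-of-image marker near the end
    (trailing zero padding tolerated): the situation from the post."""
    return identify(data) is None and data.rstrip(b"\x00").endswith(JPEG_EOI)


def repair_jpeg_header(data):
    """Overwrite the first four bytes with FF D8 FF EE, as done in hexeditor."""
    if len(data) < 4:
        raise ValueError("file too short to carry a JPEG header")
    return b"\xff\xd8\xff\xee" + data[4:]


# Constructed sample: a zeroed header, then APP-segment-like bytes, then EOI.
SAMPLE = b"\x00\x00\x00\x00" + b"\x00\x10JFIF\x00" + b"\x11" * 32 + JPEG_EOI

if __name__ == "__main__":
    print(identify(SAMPLE), headerless_jpeg(SAMPLE))      # None True
    print(identify(repair_jpeg_header(SAMPLE)))           # jpeg
```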

Fine, let's enumerate more. I also have the /gate directory; on that page I found a gate.exe file, which I downloaded to my own system. Using the strings command I found that there is a /BankOfSp41n directory, so let's go there. On that page I saw only an image, so I ran dirb again and found an indax.html page. That page had nothing suspicious either, but viewing the page source revealed a comment in which Arturo Roman is saying something.

So I figured that Arturo may be an SSH username. I tried to brute-force SSH with hydra using rockyou.txt, but it didn't work and I stopped after about 1500 password tries. Then I looked again at Arturo's comment, which says “old thing won’t work they are updated”, so I looked for newer wordlists in the SecLists GitHub repo under Passwords (Common-Credentials). I tried all the small ones but none worked; after that I tried the “10-million-password-list-top-1000000.txt” wordlist and it worked. The password really is new and updated; you all will surely laugh.

root@prokunal# hydra -l arturo -P 10-million-password-list-top-1000000.txt -s 55001 ssh://<IP> -vV

After logging into SSH as Arturo, I found that Arturo can run the find command. Looking up find on GTFOBins, I found that SUID is available for privilege escalation to denver.

arturo@Money-Heist:~$ find / -type f -user denver 2>/dev/null

In Denver's directory I found two files, note.txt and secret_diary. In note.txt I found nothing suspicious, but reading secret_diary revealed that there is a secret directory, and that anything that happens now will be Nairobi's fault.

In that directory I found Morse code. I decoded it and got some weird code like dot dot dot. It took me many hours to figure out what exactly it is: it's TAP-CODE. I decoded it on the cryptii website and got some strings, then tried rot13, and after that the affine cipher, and that's it. Trust me, it took me many hours to find the plaintext. I am summarizing below how I decoded it.

MorseCode -> Tap-Code -> rot-13 -> affine-cipher
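As an added example (not code from the original post), the four-stage chain above in Python, run on a constructed sample: Morse is decoded to dot groups, the dot groups are read as tap code on the 5x5 grid, then ROT13 and affine decryption are applied. The affine key a=5, b=8 is an assumption; the post does not give the box's real key.

```python
from string import ascii_uppercase as ALPHA

MORSE = dict(zip(ALPHA, [
    ".-", "-...", "-.-.", "-..", ".", "..-.", "--.", "....", "..", ".---",
    "-.-", ".-..", "--", "-.", "---", ".--.", "--.-", ".-.", "...", "-",
    "..-", "...-", ".--", "-..-", "-.--", "--.."]))
MORSE_REV = {v: k for k, v in MORSE.items()}
MORSE_REV[".-.-.-"] = "."          # Morse "period" = one tap, as the post found


def morse_decode(text):
    """Symbols separated by one space, words by ' / '."""
    return " ".join("".join(MORSE_REV[s] for s in word.split())
                    for word in text.split(" / "))


TAP_GRID = "ABCDEFGHIJLMNOPQRSTUVWXYZ"   # 5x5 Polybius square, K shares C's cell


def tap_decode(taps):
    """Consecutive dot groups pair up as (row, column) into the grid."""
    counts = [len(g) for g in taps.split()]
    if len(counts) % 2:
        raise ValueError("odd number of tap groups")
    return "".join(TAP_GRID[(r - 1) * 5 + (c - 1)]
                   for r, c in zip(counts[::2], counts[1::2]))


def rot13(s):
    return "".join(ALPHA[(ALPHA.index(ch) + 13) % 26] for ch in s)


def affine_decrypt(s, a, b):
    """D(y) = a^-1 (y - b) mod 26; a must be coprime with 26."""
    a_inv = pow(a, -1, 26)        # ValueError if a has no inverse mod 26
    return "".join(ALPHA[(a_inv * (ALPHA.index(ch) - b)) % 26] for ch in s)


def decode_chain(morse, a=5, b=8):   # assumed key, see lead-in
    return affine_decrypt(rot13(tap_decode(morse_decode(morse))), a, b)


# Constructed sample: 'HELLO' encoded forward through the same four stages,
# i.e. ten tap groups of these sizes, each tap sent as a Morse period.
SAMPLE_MORSE = " / ".join(" ".join([".-.-.-"] * n)
                          for n in (1, 5, 3, 5, 5, 4, 5, 4, 3, 3))

if __name__ == "__main__":
    print(morse_decode(SAMPLE_MORSE))   # . ..... ... ..... ..... .... ..... .... ... ...
    print(decode_chain(SAMPLE_MORSE))   # HELLO
```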

Now I have the password, and I had read in secret_diary that whatever happens will be Nairobi's fault, so I tried it for Nairobi and it worked. After that I again searched for SUID files and found that Nairobi can run the gdb command. Again I looked up gdb on GTFOBins, found the command, and successfully got the Tokyo account.

nairobi@Money-Heist:~$ find / -type f -user tokyo 2>/dev/null

In the Tokyo directory I found a .sudo_as_admin_successful file; opening it showed some strange paragraph. I left it and moved on to more enumeration. Also in the Tokyo directory there is a “.nano” directory containing nano.save; opening “nano.save” shows that it says “He used some wrong spelling and alphabets”. Opening the .bash_history file, there is only one entry, which is “su root”, so I figured that I have to switch to the root user, but I did not have the password. So I opened .sudo_as_admin_successful again, made a wordlist from that paragraph and brute-forced it with hydra, but it didn't work. After that I was randomly typing passwords while looking at the paragraph in .sudo_as_admin_successful, and by luck one worked: the password was “india1947”.

Review: It was fun doing this CTF. It was different from the rest of the CTFs, with something like real-world password cracking rather than only using rockyou.txt, plus some guessing, and the cryptography part was the best. I also learned two new types of cryptography: affine and tap-code (which is very old).

If you face any problem, let me know in the comment section.
