Where Notes Work
Money Heist – [Walkthrough]
Hello friends, in this post I will show you how I solved the Money Heist (catch us if you can) box from VulnHub by Anant Chauhan.
This CTF is rated both medium and hard, depending on who is solving it; I will add my review of this CTF at the end of the post.
I am assuming that you all have your VM IP; if not, use this command on Linux: “arp-scan -l”.
Enumerating the open ports with Nmap, I found that only three ports are open.
We can see that FTP allows anonymous login. After logging in, I found a note.txt file and downloaded it; on opening note.txt I didn’t find anything worthwhile related to this CTF, so I moved on to the next step.
After visiting the website on port 80, I didn’t find anything suspicious, so I used dirb to brute-force the web pages and found these three entries: “/robots, /robots.txt, /gate”. robots.txt lists the /robots directory, and inside /robots I found an image named tokyo.jpeg. I downloaded it to my own system, but when I tried to open it, no image was shown. After analyzing the file I found that it is reported as “data” format, so I had to fix the file signature of the image using “hexeditor”; you can find the “list of file signatures” here.
After opening the file with hexeditor, replace the first 4 hex bytes with “FF D8 FF EE”, then save with ctrl+x and open the image; sadly, you find something like this.
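As an added example (not code from the original post), the signature check and the header repair from the hexeditor step above, done in Python: the file type is identified from its leading bytes, a JPEG whose magic was wiped is recognised from the JFIF/Exif tag or the trailing EOI marker, and the first four bytes are rewritten to FF D8 FF EE as the walkthrough does. SIGNATURES is a short excerpt of a file-signature table and the sample file is constructed inline.

```python
# Added example, not from the original post. SIGNATURES is an excerpt of a
# file-signature table; the sample bytes below are constructed, not tokyo.jpeg.
SIGNATURES = {                       # leading bytes -> file type
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"GIF87a": "GIF", b"GIF89a": "GIF",
    b"PK\x03\x04": "ZIP",
    b"\x7fELF": "ELF",
    b"MZ": "PE",
}
JPEG_FIX = b"\xff\xd8\xff\xee"       # the four bytes the walkthrough writes at offset 0

def identify(data: bytes) -> str:
    """Return the file type whose magic bytes start `data`, or 'unknown'."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"

def looks_like_stripped_jpeg(data: bytes) -> bool:
    """Heuristic for a JPEG with a damaged header: the JFIF/Exif tag that
    normally sits at offset 6 is still there, or the EOI marker FF D9 ends the file."""
    return data[6:10] in (b"JFIF", b"Exif") or data.endswith(b"\xff\xd9")

def repair_jpeg(data: bytes) -> bytes:
    """Overwrite the first four bytes with FF D8 FF EE and keep the rest intact."""
    return JPEG_FIX + data[4:]

# Constructed sample: a minimal JFIF header, filler, and the EOI marker,
# then the first four bytes zeroed to mimic a wiped signature.
GOOD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 16 + b"\xff\xd9"
BROKEN = b"\x00" * 4 + GOOD[4:]

if __name__ == "__main__":
    print(identify(BROKEN), looks_like_stripped_jpeg(BROKEN))   # unknown True
    print(identify(repair_jpeg(BROKEN)))                         # JPEG
```

On a real file, read it with `open(path, "rb")`, run the same three functions on the bytes, and write the repaired bytes back only when the heuristic agrees.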
Fine, let’s enumerate more. I also have a /gate directory; on that page I found a gate.exe file and downloaded it to my own system. Using the strings command, I found that there is a /BankOfSp41n directory, so let’s go. On that page I saw only an image, so I used dirb again and found an indax.html page. There was nothing suspicious on that page either, but in the page source there is a comment in which Arturo Roman is saying something,
so I figured that Arturo might be the SSH username. I tried to brute-force SSH using hydra with rockyou.txt, but it didn’t work and I stopped after about 1500 password attempts. Then I looked again at Arturo’s comment, which says “old thing won’t work they are updated”, so I looked for some newer wordlists in the SecLists GitHub repo (Passwords, Common-Credentials). I tried all the small ones but none worked; then I tried “10-million-password-list-top-1000000.txt” and it worked. The password really is new and updated; you will surely laugh.
root@prokunal# hydra -l arturo -P 10-million-password-list-top-1000000.txt -s 55001 ssh://<IP> -vV
After logging into SSH as Arturo, I found that Arturo can run the find command; searching for find on GTFOBins, I found that a SUID entry is available for privilege escalation to denver.
arturo@Money-Heist:~$ find / -type f -user denver 2>/dev/null
Going into Denver’s directory, I found two files, note.txt and secret_diary. In note.txt I found nothing suspicious, but reading secret_diary I found that there is a secret directory, and that anything that happens now will be Nairobi’s fault.
In that directory I found Morse code. I decoded it and got some weird code like dot dot dot; it took me many hours to figure out what exactly it is: TAP code. I decoded it on the cryptii website and got some strings, then I tried rot13 and after that an affine cipher, and that’s it. Trust me, it took me many hours to find the plaintext. I am summarizing below how I decoded it.
MorseCode -> Tap-Code -> rot-13 -> affine-cipher
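As an added example (not the post’s own code or the box’s real ciphertext), the four-stage chain above run end to end in Python on a constructed sample. Assumptions: Morse letters are space-separated and words “/”-separated; each decoded Morse period (“.-.-.-”) is one tap and each Morse word is one run of taps, which matches the “dot dot dot” text the walkthrough describes; the tap code uses the usual 5x5 square with K folded into C; the affine key is unknown, so all 312 valid (a, b) keys are tried and only decryptions containing a word from a small wordlist are kept.

```python
# Added example, not from the original post. Morse -> tap code -> ROT13 -> affine.
# Assumed formats: Morse words split on "/", letters on spaces; a Morse period is
# one tap; tap runs come in (row, column) pairs over a 5x5 square without K.
import codecs
import math
from string import ascii_uppercase as ALPHA

MORSE = {".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
         "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
         "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
         "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
         "-.--": "Y", "--..": "Z", ".-.-.-": "."}
TAP_SQUARE = "ABCDEFGHIJLMNOPQRSTUVWXYZ"   # row-major 5x5, K merged into C

def morse_decode(text):
    """Each Morse word becomes one run of characters; runs stay space-separated."""
    return " ".join("".join(MORSE[s] for s in w.split()) for w in text.split("/"))

def tap_decode(dots):
    """Consecutive (row, column) tap counts index the 5x5 square."""
    runs = [len(r) for r in dots.split()]
    return "".join(TAP_SQUARE[(r - 1) * 5 + (c - 1)] for r, c in zip(runs[::2], runs[1::2]))

def affine_decrypt(text, a, b):
    """D(y) = a^-1 * (y - b) mod 26 for uppercase text; a must be coprime with 26."""
    inv = next(i for i in range(1, 26) if (a * i) % 26 == 1)
    return "".join(ALPHA[(inv * (ALPHA.index(ch) - b)) % 26] for ch in text)

def affine_bruteforce(text, wordlist):
    """Try all 312 valid keys and keep decryptions that contain a known word."""
    hits = {}
    for a in [a for a in range(1, 26) if math.gcd(a, 26) == 1]:
        for b in range(26):
            plain = affine_decrypt(text, a, b)
            if any(w in plain for w in wordlist):
                hits[(a, b)] = plain
    return hits

def decode_chain(morse, wordlist):
    letters = tap_decode(morse_decode(morse))
    return affine_bruteforce(codecs.decode(letters, "rot_13"), wordlist)

# Constructed sample: "HEIST" encrypted with affine key (5, 8), then ROT13,
# tap code and Morse. It is not the ciphertext from the box.
SAMPLE = (".-.-.- / .-.-.- .-.-.- .-.-.- .-.-.- .-.-.- / "                 # tap 1,5
          ".-.-.- .-.-.- .-.-.- / .-.-.- .-.-.- .-.-.- .-.-.- .-.-.- / "   # tap 3,5
          ".-.-.- .-.-.- / .-.-.- .-.-.- .-.-.- .-.-.- .-.-.- / "          # tap 2,5
          ".-.-.- .-.-.- / .-.-.- .-.-.- .-.-.- / "                        # tap 2,3
          ".-.-.- .-.-.- .-.-.- / .-.-.- .-.-.-")                          # tap 3,2

print(decode_chain(SAMPLE, ["HEIST"]))   # {(5, 8): 'HEIST'}
```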
Now I have the password, and I read in secret_diary that anything that happens will be Nairobi’s fault, so I tried it with Nairobi and it works. After that I again searched for SUID files and found that Nairobi can run the gdb command; again I searched for gdb on GTFOBins, found the command, and successfully got the Tokyo account.
nairobi@Money-Heist:~$ find / -type f -user tokyo 2>/dev/null
Going into the Tokyo directory, I found that there is a .sudo_as_admin_successful file; opening it I found some strange paragraph, which I left for the moment and moved on to more enumeration. Also in the Tokyo directory there is a “.nano” directory containing nano.save; opening “nano.save” I found it says “He used some wrong spelling and alphabets”. Opening the .bash_history file, there is only one entry, “su root”, so I figured that I have to switch user to root, but I don’t have the password. So I opened .sudo_as_admin_successful again, made a wordlist from that paragraph and brute-forced it using hydra, but it didn’t work. Then I was randomly typing passwords while looking at the paragraph in .sudo_as_admin_successful, and luckily one worked: the password was “india1947”.
Review: It was fun doing this CTF. It was different from the rest of the CTFs, something like real-world password cracking, not only using rockyou.txt, plus some guessing, and the cryptography part was the best. I also learned two new types of cryptography: affine and tap code (which is very old).
If you face any problem, let me know in the comment section.
Well explained!!
Yeah, Thank you for your appreciation!
Just wondering how you found the “indax.html” inside /BankOfSp41n .. Hehe.
See the source code of index.html.
This is my first time visiting here and I am in fact happy to read everything in a single place. Aron Jude