Money Heist: 1 (VulnHub) Write-up

Money Heist: 1 is a vulnerable machine from VulnHub. The machine is rated as medium difficulty.

As always we are going to start with an nmap scan to discover the open ports.

Command: nmap -sC -sV $IP

Open ports:

  • port 22 SSH
  • port 53 DNS
  • port 80 HTTP
  • port 3000 NODE.JS
  • port 3001 ????

Accessing the website on port 80 we don't have much, except a login and a register form.
On port 3000 there is a JSON response; as you can see from the image below we can't do much with it, so we'll move on to the last HTTP port.
On port 3001 is an automation tool that makes web development faster, called Browsersync. Now you might think that this would be the way to get a reverse shell. Well...... it's not (at least I have not found one :D).
Now that I didn't have anything on my hands, I went back to port 80 (La Casa de Papel themed page) to create an account (I tried some SQLi on the login page but it didn't work).
After I created the account I logged in to it and I was welcomed by a beautiful message: WE NEED TO BE AN ADMIN to get the flag.
I tried other things but I couldn't find a way to move on. After some time I wanted to check the cookie and there was something interesting: a JWT.
I wanted to decode the JWT, and to do that I used jwt.io. As you can see from the image below, the email (a fake one) that I used to create my account on port 80 is encoded in the JWT's payload.
The next thing to do was to forge a JWT to get admin access on the website. Check this link to get an idea of how to forge a JWT signed with a weak secret: https://blog.pentesteracademy.com/hacking-jwt-tokens-bruteforcing-weak-signing-key-hashcat-7dba165e905e

The first thing I had to do was to crack the JWT to recover the secret used to sign it, and to do that I used hashcat (mode 16500 is the JWT mode, so the whole token is the "hash").
Command: hashcat -m 16500 hash rockyou.txt
As you can see the secret is professor.

Now on jwt.io I entered the secret in the "verify signature" tab and changed the email to admin, so the site re-signed the edited payload with the right key. Check the image below.
After that I replaced the actual cookie with the forged cookie (forged JWT).
After I refreshed the page I was able to read the "flag".
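To show why the forged cookie was accepted, here is an added Python example of my own (not code from the write-up and not the box's Node.js application) that implements HS256 JWT signing and verification from the standard library. The secret professor is the one the write-up recovered; the email claim name, the 32-byte random key and the helper names are assumptions. It shows that the only thing protecting the token was the secret: once it is known any identity verifies, while a tampered payload, a token signed with a guessed key, or a header claiming alg none is rejected by a verifier that pins the algorithm and uses a strong key.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: bytes):
    """Return the payload if `token` is a valid HS256 JWT under `secret`, else None.

    The algorithm is pinned server-side: a header claiming anything other than
    HS256 (for example "none") is rejected before any signature check, and the
    comparison is constant-time.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # bad segment count, bad base64, bad JSON
        return None


WEAK_SECRET = b"professor"               # the guessable secret the write-up recovered
STRONG_SECRET = secrets.token_bytes(32)  # what the app should have used (constructed here)


def forge_with_weak_secret():
    """Once the secret is known, a token for any identity verifies."""
    forged = sign_hs256({"email": "admin"}, WEAK_SECRET)
    return verify_hs256(forged, WEAK_SECRET)


def guessed_secret_fails_under_strong_key():
    """A token signed with a guessed secret does not verify against the real key."""
    guessed = sign_hs256({"email": "admin"}, WEAK_SECRET)
    return verify_hs256(guessed, STRONG_SECRET) is None


def tampered_payload_fails():
    """Editing the payload without re-signing breaks the signature."""
    h, _p, s = sign_hs256({"email": "user@example.com"}, STRONG_SECRET).split(".")
    tampered = b64url(json.dumps({"email": "admin"}, separators=(",", ":")).encode())
    return verify_hs256(f"{h}.{tampered}.{s}", STRONG_SECRET) is None


def alg_none_fails():
    """A token claiming alg=none is rejected regardless of its (empty) signature."""
    h = b64url(b'{"alg":"none","typ":"JWT"}')
    p = b64url(b'{"email":"admin"}')
    return verify_hs256(f"{h}.{p}.", STRONG_SECRET) is None


if __name__ == "__main__":
    print("weak secret, forged admin accepted:", forge_with_weak_secret())
    print("guessed secret vs strong key rejected:", guessed_secret_fails_under_strong_key())
    print("tampered payload rejected:", tampered_payload_fails())
    print("alg=none rejected:", alg_none_fails())
```

The fix on the application side is not in the verifier logic, which was presumably already checking the signature, but in key management: a secret drawn from a wordlist is equivalent to no signature at all, so the key should be generated with a CSPRNG (as STRONG_SECRET is here) and kept out of the code base.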
Shell as berlin
In berlin's home directory there is a .pcapng file. You might think that this could have some interesting stuff, but it is a rabbit hole.
After I've spent 5 minutes on the .pcapng file I used linpeas to do an automated scan. If we go to professor's home directory (as berlin we are able to do so) we can find his password.
Shell as professor
If we check his privileges we can see that we are able to execute any command as root.
Shell as root
Note: In /opt/python/flag.py we can find nairobi's password, which is base64 encoded.
Note 2: I haven't tried to get to the secure_bank. If I do, I will post it here.
