MoneyHeist: Catch Us If You Can (VulnHub) - Write-up

MoneyHeist: Catch Us If You Can is a vulnerable machine from VulnHub that leans more toward the CTF side.

As always, we'll start with an nmap scan to discover all open ports.

Note: First you have to do a full port scan.

Command: nmap -p- -T4 $IP

Now you can scan only the open ports:

Command: nmap -p21,80,55001 -sC -sV $IP

First I'll check the FTP service, since it allows anonymous login. For this I used FileZilla.
The note.txt says:
Nothing in there that can help us, so FTP is a dead end. Next I checked port 80.
Let's start a gobuster scan to discover the directories.
Command: gobuster dir -u http://$IP -w /path/to/wordlist -x php,txt
If we check robots.txt, we'll be pointed to the /robots directory.
Ok, let's start with the /robots directory.
If we try to view the image in the browser, it tells us that there is something wrong with the image.
Let's download the image. Indeed there is something wrong with it: the header of the image is wrong, and to fix it we'll use a tool named hexedit.
Check this link for the correct header of a JPEG image: https://www.file-recovery.com/jpg-signature-format.htm
Now open the image with hexedit and change the header as shown in the image below.
Here is the correct image:
Meh, a waste of time, we got nothing. Next let's check the /gate directory.
Now if we run the file command against gate.exe, we'll see that this file is actually a zip archive.
Just by changing the extension from .exe to .zip we can open it. As you can see below, there is a note inside the zip file.
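Both of the last two findings come down to the first few bytes of a file: the broken JPEG fails because its signature was overwritten, and gate.exe is really a zip because it starts with the zip signature. The script below is an added example (not part of the original write-up or the box) that does what the `file` command and the hexedit fix did by hand: it identifies a file by its magic bytes and repairs a JPEG whose signature is damaged. The JFIF layout it assumes (SOI FF D8, APP0 FF E0, then "JFIF\0" at offset 6) follows the page linked above; the damaged sample and the zip sample are constructed bytes.

```python
# Added example: identify a file by its leading bytes and repair a JPEG whose
# signature was overwritten. Assumes the JFIF layout from the linked page:
# FF D8 (SOI), FF E0 (APP0), 2-byte length, then the "JFIF\0" identifier.
import sys
from typing import Optional

# Signature table for the formats seen in this box plus a few common ones.
MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "zip": b"PK\x03\x04",   # also docx/jar/apk, or a renamed "exe" like gate.exe
    "elf": b"\x7fELF",
    "pe": b"MZ",
}


def identify_by_magic(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data (like `file`)."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def looks_like_damaged_jfif(data: bytes) -> bool:
    """True when the JFIF identifier is in place but the SOI/APP0 bytes are not."""
    return (len(data) >= 11
            and data[6:11] == b"JFIF\x00"
            and not data.startswith(b"\xff\xd8\xff\xe0"))


def repair_jfif_header(data: bytes) -> bytes:
    """Rewrite the first four bytes to FF D8 FF E0 and leave the rest untouched."""
    if not looks_like_damaged_jfif(data):
        return data
    return b"\xff\xd8\xff\xe0" + data[4:]


def hexdump_head(data: bytes, n: int = 16) -> str:
    """First n bytes as hex, the view hexedit shows at offset 0."""
    return " ".join(f"{b:02x}" for b in data[:n])


# Constructed samples: a JPEG with its first four bytes zeroed, and a zip prefix.
DAMAGED_JPEG = (b"\x00\x00\x00\x00"            # should be FF D8 FF E0
                + b"\x00\x10JFIF\x00\x01\x01\x00"
                + b"\x00" * 8 + b"\xff\xd9")    # padding and EOI marker
RENAMED_ZIP = b"PK\x03\x04\x14\x00" + b"\x00" * 24


if __name__ == "__main__":
    # Usage: python magic_check.py <file>  -> prints the type; writes <file>.fixed if repaired
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        print(f"{sys.argv[1]}: {identify_by_magic(blob)}  head={hexdump_head(blob)}")
        if looks_like_damaged_jfif(blob):
            with open(sys.argv[1] + ".fixed", "wb") as out:
                out.write(repair_jfif_header(blob))
            print("damaged JFIF header repaired -> " + sys.argv[1] + ".fixed")
    else:
        print("damaged sample:", identify_by_magic(DAMAGED_JPEG), hexdump_head(DAMAGED_JPEG, 12))
        print("after repair:  ", identify_by_magic(repair_jfif_header(DAMAGED_JPEG)))
        print("renamed zip:   ", identify_by_magic(RENAMED_ZIP))
```

The repair only touches the four signature bytes and only when the "JFIF" identifier is still at offset 6, so a file that is not a JPEG at all (such as the zip above) is returned unchanged rather than being turned into a bogus image.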
Let's see what the note says.
This looks like a directory that we can access from the browser, and that is what I did.
Now we need to start another gobuster scan.
That's all that we've found, a login page, so let's see what's with it.
I tried some SQL injection but had no luck. Next let's look at the page source.
The name is unusual, so let's see what this JavaScript does.
NICE, the credentials are hardcoded. Now we can log in as user anonymous.
If we scroll to the bottom of the page we can see some kind of function that sends messages.
But there is a problem with this contact form (the one that sends messages): if we send a message, it redirects us to a nonexistent directory, /action_page.php.
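Credentials hardcoded in client-side JavaScript are readable by anyone who opens the page source, which is exactly how the login above was bypassed. The script below is an added example (not from the write-up or the box) of the kind of check a pre-commit hook or CI job runs to catch this before it ships: it scans JavaScript source for string literals assigned to password-like identifiers. The identifier list, the regex and the sample login.js are all constructed for this example.

```python
# Added example: flag string literals assigned to credential-like identifiers
# in JavaScript source. The name list and the sample source are constructed.
import re
from typing import List, Tuple

# Identifiers that commonly hold secrets; extend as needed for your code base.
CRED_NAMES = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token|user(?:name)?)"

# Matches  var password = "x" ,  const apiKey: 'x' ,  "token": "x"
# (identifier, optional closing quote, ':' or '=', then a quoted literal).
CRED_RE = re.compile(
    rf"""\b(?P<ident>{CRED_NAMES}\w*)["']?\s*[:=]\s*(?P<quote>["'])(?P<value>.*?)(?P=quote)""",
    re.IGNORECASE,
)


def find_hardcoded_credentials(js_source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, identifier, literal value) for every suspicious assignment."""
    hits = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        if line.strip().startswith("//"):      # skip line comments
            continue
        for m in CRED_RE.finditer(line):
            if m.group("value"):               # ignore empty placeholders: password = ""
                hits.append((lineno, m.group("ident"), m.group("value")))
    return hits


# Constructed sample of the defect: a login check done entirely in the browser.
SAMPLE_JS = """\
// login.js (constructed sample, not the box's script)
function checkLogin(form) {
  var userName = "demo_user";
  var password = "S3cret!";
  var sessionTimeout = 300;
  if (form.user.value === userName && form.pass.value === password) {
    window.location = "dashboard.html";
  }
}
"""

if __name__ == "__main__":
    for lineno, ident, value in find_hardcoded_credentials(SAMPLE_JS):
        print(f"line {lineno}: {ident} = {value!r}")
```

A regex scanner like this produces false positives (a variable named `tokenizer`, for instance), so it belongs in review tooling that a human confirms, but anything it flags in a file served to browsers is a secret that has already been published.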
Next let's check the page source.
I was a bit confused by this hint, so I asked the box creator for a hint and he told me that the next step would be "hydra".
Let's start a password brute-force attack against user arturo on the SSH service.
Command: hydra -l arturo -P /usr/share/wordlists/rockyou.txt $IP -s 55001 -t 64
Now we can access the machine as user arturo.
Command: ssh arturo@$IP -p 55001
Inside the home directory there is a file named secret.txt.
Let's run linpeas.sh to see what we can find; here is the most important thing that it found.
Looks like we can run 3 commands that are SUID as other users. The first command I used was find, so I could get a shell as user denver.
Command: /usr/bin/find . -exec /bin/bash -p \; -quit
As you can see, our egid and euid are set to user denver. You can create a .ssh directory and add an authorized_keys file inside so you can log in as user denver and get a better shell, but the one we have should work as well.
Inside user denver's /home directory there are 2 files:
note.txt
secret_diary
It looks like there is a directory inside /var/www/html/BankOfSp41n named /0x987654. Inside that directory there is a file, key.txt.
Note: You can access the /0x987654 from the browser.
Let's start decoding this "text". This is Morse code.

I used CyberChef to decode the Morse code. Here you have to set the word delimiter to forward slash.
The next cipher is called tap code. The website I used to decode the tap code is called cryptii.
Let's keep going. The next cipher is ROT13. To decode this I used CyberChef again.
And the last cipher used is called the Affine Cipher. For this cipher I used dcode.fr.
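The four stages above (Morse, tap code, ROT13, affine) are all classical ciphers that can be decoded offline without the web tools. The block below is an added example, not from the write-up or the box, with a decoder for each stage; the ciphertexts it is tested on are constructed, not the box's key.txt. Two things are assumptions of this example: the written form of tap code (dots, one space between the row taps and the column taps, two spaces between letters; cryptii may print it differently) and the affine key a=5, b=8 used in the demo. Since dcode.fr finds the affine key by trying them all, `affine_candidates` does the same: it lists every valid (a, b) decryption so you can pick the readable one.

```python
# Added example: decoders for Morse, tap code, ROT13 and the affine cipher.
# Tap-code notation and the affine key in the demo are assumptions of this example.
import math
import re
from typing import Dict, Tuple

MORSE: Dict[str, str] = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z",
    "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
    ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
}


def decode_morse(text: str, word_delim: str = "/") -> str:
    """Letters separated by spaces, words by word_delim (the CyberChef setting above)."""
    words = []
    for word in text.split(word_delim):
        words.append("".join(MORSE.get(sym, "?") for sym in word.split()))
    return " ".join(words)


# Tap code: a 5x5 Polybius square with K folded into C; a letter is
# (number of row taps, number of column taps).
TAP_SQUARE = "ABCDEFGHIJLMNOPQRSTUVWXYZ"


def decode_tap(text: str) -> str:
    """Assumed notation: '.. ...' = row 2, column 3; letters separated by 2+ spaces."""
    out = []
    for letter in re.split(r"\s{2,}", text.strip()):
        row, col = letter.split()
        out.append(TAP_SQUARE[(len(row) - 1) * 5 + (len(col) - 1)])
    return "".join(out)


def caesar_shift(text: str, shift: int) -> str:
    """Shift letters by a fixed amount, preserving case and non-letters."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT13 is its own inverse: a Caesar shift of 13."""
    return caesar_shift(text, 13)


def affine_decrypt(text: str, a: int, b: int) -> str:
    """Inverse of E(x) = (a*x + b) mod 26, i.e. D(y) = a^-1 * (y - b) mod 26."""
    a_inv = pow(a, -1, 26)          # ValueError if gcd(a, 26) != 1 (no such key)
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((a_inv * (ord(ch) - base - b)) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def affine_candidates(text: str) -> Dict[Tuple[int, int], str]:
    """All 12 * 26 = 312 decryptions, for when the key is unknown."""
    return {(a, b): affine_decrypt(text, a, b)
            for a in range(1, 26) if math.gcd(a, 26) == 1
            for b in range(26)}


if __name__ == "__main__":
    # Constructed ciphertexts; each line exercises one stage of the chain.
    print(decode_morse("- .... .. ... / .. ... / .- / - . ... -"))   # THIS IS A TEST
    print(decode_tap(".. ...  . .....  ... .  ... .  ... ...."))     # HELLO
    print(rot13("EPYYN"))                                          # RCLLA
    print(affine_decrypt("RCLLA", 5, 8))                           # HELLO
    readable = [k for k, v in affine_candidates("RCLLA").items() if v == "HELLO"]
    print("keys giving HELLO:", readable)                          # [(5, 8)]
```

When the affine key is unknown, scan the 312 candidates for English-looking output; only a=1 with b=0 is the identity, and the 12 valid values of a are the ones coprime to 26.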
Now we can login as user nairobi, using the password that we decoded.
As user nairobi, we can execute the same 3 SUID commands, but this time I had to use the gdb SUID to get a shell as user tokyo.
Command: /usr/bin/gdb -nx -ex 'python import os; os.execl("/bin/sh", "bash", "-p")' -ex quit
As you can see from the above image, our euid is set to user tokyo.
From here we just have to get a shell as user root, and this is easy. Inside user tokyo's /home directory there are 2 files that will help us.
The first file is .nano
And the second file is .sudo_as_admin_successful
The last file contains some military alphabet words that translate to:
ROOTSASSWORD: INDIAONFS
But there is something wrong with the last 4 letters: ONFS. These last 4 letters actually translate to numbers: 1947.
And the password for root user is india1947.

This was a nice box to solve, and I hope that you will try it too. Thanks to the box creator for the help and for creating this box!!!
