Home Vulnhub Momentum 1 Writeup
Post
Cancel

Vulnhub Momentum 1 Writeup

Momentum 1


First i started off with a network scan to obtain the IP and services of the box

1
2
nmap $IP/24
nmap -sC -sV -oN nmap/initial $IP

once done i see that their is an ssh port and an http port open on the box

seeing that it is a webserver i decided to start my enumeration to see if their are any extra pages i might miss.

1
gobuster dir -u http://$IP/ -w ~/path/to/wordlist.txt

looking through the output i see nothing useful so i go digging in the webpage with inspect element. while looking through the files and what happens when reloaded i look at the source code of the site. along with the js files and css.

in the js file i notice this

1
2
3
4
5
6
7
8
9
10
function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

having just recently started looking at Javascript i see that their is another webpage that my enumeration couldnt find. i emediatly take the bit of url their and past it into the url of the site. in doing so i see that whatever i put down in the id= field will be displayed on the webpage. again having just recently started messing with XSS i go and try to exicute an alert and it worked.( pretty simple )

i tried multiple different things such as: a remote shell (didnt work), LFI (didnt work), even some DB scripts, and nothing. then while doing some research i saw that most people when given a cookie try stuff with that. so i went and looked at the cookie in inspect-element -> application -> cookie or by causing the page to execute

<script> alert(document.cookie)</script>

it looked to be encrypted and with the info the js file gave me i figured it was using crypto-js with AES to encrypt it. so i looked online for a decoder and found one here that was able to decrypt it for me. it needed the password in order to decrypt which i saw in the js file that it was ” SecretPassphraseMomentum “ which in turn gave me this as the text ” auxerre-alienum## “

now with this i figured with the ssh port open it might be a password but what would i use as the username and password? given the decrypted passphrase i figured it had to be some permutation of it so i made a [[passphrase.txt|wordlist]] to bruteforce it with hydra.

1
hydra -L wordlist.txt -P wordlist.txt <IP of target> ssh

and bam i got the username and password

1
[22][ssh] host: <ip>   login: auxerre   password: auxerre-alienum##

so i ssh’d in with the credentials

1
2
ssh auxerre@<ip>
auxerree@<ip> password: auxerre-alienum##

once in i see a user.txt i cat it out and

1
2
3
4
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------

First flag!!!

now to get root.

i imported [[linpeas.sh|linpeas]] to autoenumerate and found that their was an open port on 6379 listening on localhost. after a little research i see that it is a [[6379-pentesting-redis|redis]] instance and that it potentialy could be used as a privesc vector. looking at the documentation on what commands to do to log in i found out i can just use

1
redis-cli

and then similar to a ftp connection i can find info in the instance. using the command

keys *

i see that their is a key called rootpass and so i

get rootpass

and i recieved this string m0mentum-al1enum##

i then logged in as root with the password

1
2
su root 
Password: m0mentum-al1enum##

once logged in i cat root.txt in /root and get

1
2
3
4
5
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3

i now have the final flag!!

This post is licensed under CC BY 4.0 by the author.