rootđź’€muzec-sec:~#

Hack. Sleep. Repeat

View on GitHub

image

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/Momentum]
└─$ nmap -sC -sV -oA nmap 172.16.139.165                                                                 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-24 07:05 EDT
Nmap scan report for 172.16.139.165
Host is up (0.00017s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
|_  256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum | Index 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.08 seconds

Not wasting to much of time hitting port 80 to burst directory but we got nothing.

image

So let try checking it manually to see what we are missing checking the page source for some clue or hidden hint.

image

So we have http://172.16.139.165/js/main.js let go through it to see what we have.

function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

Interesting the window.location seems to be pointing to another directory let confirm it http://172.16.139.165/opus-details.php?id= and yes it a directory checking for LFI/RFI vulnerability but no luck i keep gettinf the same input back.

image

Spend time here so we have a cookie how can i miss that when i delete the cookie and refreshing the page we get the same cookie back cool not changing probably it our way in let try decrypting it.

AES Decrypt and yes i think we have the secret key already AES.decrypt(encrypted, "SecretPassphraseMomentum") we be using online tools to decrypt it https://www.browserling.com/tools/aes-decrypt .

image

Decryting and we have the password.

image

Now we have a password but no username i know the author name of the box is alienum and seems the password look like a 2 usernames let try to confirm it so i save both username in a file now let using hydra to brute force it.

image

We have the right credentials let log in SSH now .

image

And we are in also we have the user.txt moving to root now.

Privilege Escalation

image

Checking sudo -l ahhh not installed on the target so i try checking for ruuning port and cool we have the redis port 6379 we should be able to log in without details.

image

We are in and we have just one database active let try reading what we have in the database maybe way to root .

image

Boom password to login as root.

image

We are root box rooted.

Greeting From Muzec



Back To Home