Vulnhub-Walkthrough: Momentum1

Nitunga Baptiste Billy
4 min read · Oct 22, 2024


Hello, everyone! Today, I’m back with a new challenge from VulnHub. As promised, I decided to try something a bit different this time. This machine is part of the Momentum series and is called “Momentum.” Up until now, I’ve been focusing on machines labeled as easy, but this one is rated as easy/medium, which has me feeling a bit unsure. But enough chatter… let’s dive in! 🔥🔥

Designer: AL1ENUM

Download Link: https://download.vulnhub.com/momentum/Momentum.ova

Difficulty: Easy/medium

Author: Nitunga Baptiste Billy

Step 1: Enumeration

. We start off with a quick nmap scan with the command:

nmap -sC -sV 192.168.4.34

As usual, ports 22 and 80 are open.

. How about a visit to port 80?

Cool webpage, but nothing for us here, even after inspecting it.

. Let’s dive deeper with directory enumeration using gobuster:

gobuster dir -u http://192.168.4.34 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,html,php

Normal stuff at first sight, but I thought I might have a look at the /js directory.

Click on main.js, and we get an interesting file.

The commented-out JS code looks like it is attempting an AES decryption using “SecretPassphraseMomentum” as the passphrase. There is also a PHP page referenced in the viewDetails function.

It is vulnerable to neither LFI nor RFI, but I knew this was hiding something. So I used the developer tools (CTRL+SHIFT+I), in the Network tab, to see how the web page behaves. A cookie is apparently being set.

Step 2: Foothold

. Using the passphrase we got earlier, we are going to try and decode the cookie using Node.js in VS Code.

. Basically, I put the ciphertext into a variable called encrypted and copy-pasted every line into the command line. Not the best way to do it, but hey, we got some credentials: auxerre-alienum##

. This can only mean one thing… SSH credentials.

Step 3: Gaining Access

. I first tried auxerre as the username and the other one as the password, but it didn’t work. Then I tried auxerre as the username and auxerre-alienum## as the password, and it worked.

. I went ahead and cat’d out the user flag.

. Let’s try to get higher privileges.

Step 4: Privilege Escalation

. I tried several methods at this step. I looked for SUIDs, capabilities, sudo privileges and kernel exploits, and tried to use linpeas, but all of that was fruitless. I decided to look for unusual processes using the command:

ps aux

I noticed a process I normally don’t see when doing CTFs: redis. Upon further research, I realized we can connect to it and see its contents.

Connection:

redis-cli

View Content:

KEYS *

We get new credentials for the root user.

. We can switch the user to root using the command:

su root

. And pass in the password we just got.

Conclusion

This machine presented a significant challenge for me. Gaining access to the auxerre user was particularly tough, as I don’t often work with cookies in VulnHub challenges. Escalating privileges to the root user was equally difficult. However, I learned a great deal from this experience and plan to explore the vulnerabilities I encountered here in future labs. Thank you for following along with this walkthrough! Ciao!
