Momentum 2 Walkthrough – Vulnhub – Writeup
Momentum 2 is an easy machine from VulnHub. It is the second machine in the series by AL1ENUM.
Link to the machine: https://www.vulnhub.com/entry/momentum-2,702/
Identify the target
As usual, I started the challenge by identifying the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24

Scan open ports
Next, I scanned the target machine for open ports so that I could identify the exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.0.2.251

Enumerate web server
Then, I enumerated paths on the web server.
gobuster dir -u http://10.0.2.251/ -x html,txt,php,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

So, I opened the dashboard page.

The page lets us upload files; the upload is sent as a POST request to the /ajax.php path.

This is where I got stuck. Eventually, I found that I could upload a .txt file but not a PHP file. The uploaded files are stored under /owls.

However, it turned out that a backup copy of ajax.php was present.
curl http://10.0.2.251/ajax.php.bak

From the backup, it looks like the admin can upload pdf, txt and PHP files. So, if we set the admin's cookie, we can upload a shell to the target. However, the cookie in the backup was missing one character at the end. We also needed to send an extra POST parameter, "secure", with the value "val1d", in the request.
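To make the defect the backup file reveals concrete, here is an added example that is not the machine's ajax.php (the page does not reproduce its code). The weak check mirrors the shape described above: the admin role is decided by comparing a client-supplied cookie against a fixed value plus a static "secure" token, and admins are allowed to store .php. The hardened check beside it takes the role from the server-side session, never allows server-executable types for any role, and stores files under a random name outside the web root. ADMIN_COOKIE and UPLOAD_DIR are constructed placeholders.

```python
import os
import secrets

# Constructed placeholders: the real cookie value is not on this page.
ADMIN_COOKIE = "ADMIN-COOKIE-PLACEHOLDER"
SECURE_TOKEN = "val1d"          # static POST parameter revealed by ajax.php.bak

WEAK_ALLOWED = {"pdf", "txt"}
WEAK_ADMIN_ALLOWED = {"pdf", "txt", "php"}


def weak_upload_check(filename: str, cookie: str, secure: str) -> bool:
    """Weak check: role comes from a guessable cookie value and a static
    token, and the admin allowlist includes a server-executable type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    is_admin = (cookie == ADMIN_COOKIE and secure == SECURE_TOKEN)
    allowed = WEAK_ADMIN_ALLOWED if is_admin else WEAK_ALLOWED
    return ext in allowed


SAFE_EXTENSIONS = {"pdf", "txt"}   # no role may store .php or similar
UPLOAD_DIR = "/var/uploads"        # assumption: a directory outside the web root
KNOWN_ROLES = {"user", "admin"}


def hardened_upload_check(filename: str, session_role: str):
    """Hardened check: the role is whatever the server-side session says
    (the client cannot pick it), executable types are refused for everyone,
    and the stored name is chosen by the server.  Returns the storage path
    on success, or None when the upload is refused."""
    if session_role not in KNOWN_ROLES:
        return None
    base = os.path.basename(filename)
    if base != filename or base in ("", ".", ".."):
        return None                       # path components in the name
    _, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if ext not in SAFE_EXTENSIONS:
        return None                       # .php is refused even for admins
    stored = f"{secrets.token_hex(16)}.{ext}"   # original name is discarded
    return os.path.join(UPLOAD_DIR, stored)


if __name__ == "__main__":
    print(weak_upload_check("shell.php", ADMIN_COOKIE, SECURE_TOKEN))   # True
    print(hardened_upload_check("shell.php", "admin"))                  # None
    print(hardened_upload_check("notes.txt", "user"))                   # /var/uploads/<random>.txt
```

The point of the hardened version is that the role decision and the storage name are both made from server-side state; a brute-forced cookie character or a known static token buys nothing when the allowlist never contains an executable type and the file never lands under a served path with its original name.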
Hence, I opened Burp Suite for this purpose and uploaded the shell once again. Then, I sent the request to Intruder and cleared the default payload positions.

To generate the upper-case letters, I simply wrote a short Python script.

After running the script, I had the letters one per line. I copied them and pasted them into Intruder's Simple list payload set.

Lastly, I ran the attack.

The response for the letter R was 1, which means the reverse shell was uploaded successfully. So, I started a listener on the port.

nc -nlvp 4444
Then, I opened shell.php in the browser and finally got the shell.

Getting user shell
I upgraded the shell and continued enumerating. In one user's home directory, I found that user's password.
cd /home/athena
ls -al
cat password-reminder.txt

The password was myvulnerableapp*. So, I logged in over SSH.
ssh athena@10.0.2.251
id
cat user.txt

Getting root shell
Then, I checked the user's sudo permissions.

As we can see above, the user can execute a Python script as root. So, I looked at the code of the script.
cat /home/team-tasks/cookie-gen.py

The Python script asks for an input and echoes it back. To echo it, the script runs a bash command with the input embedded in it. So, if I enter shell commands as the input, they run as root.
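The bug class here is shell command injection: user input spliced into a command string that is handed to a shell. The following is an added example, not the machine's cookie-gen.py (which the page does not reproduce); it shows the vulnerable pattern beside two safe forms, using a constructed input whose only "injected" command prints a marker.

```python
import shlex
import subprocess


def echo_via_shell(value: str) -> str:
    """Vulnerable pattern: the input becomes part of a shell command line,
    so ';', '|', '$(...)' and friends in the input are interpreted by sh."""
    result = subprocess.run(f"echo {value}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_via_quoted_shell(value: str) -> str:
    """If a shell is genuinely needed, quote the input so it is one word."""
    result = subprocess.run(f"echo {shlex.quote(value)}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def echo_without_shell(value: str) -> str:
    """Preferred fix: pass an argv list and no shell; the input is a single
    literal argument and is never parsed for metacharacters."""
    result = subprocess.run(["echo", value], capture_output=True, text=True)
    return result.stdout


def echo_in_python(value: str) -> str:
    """Best of all for this task: echoing needs no subprocess at all."""
    return value + "\n"


# Constructed input: a harmless marker command appended after a ';'.
TEST_INPUT = "hello; echo INJECTED"

if __name__ == "__main__":
    print(repr(echo_via_shell(TEST_INPUT)))          # 'hello\nINJECTED\n'
    print(repr(echo_via_quoted_shell(TEST_INPUT)))   # 'hello; echo INJECTED\n'
    print(repr(echo_without_shell(TEST_INPUT)))      # 'hello; echo INJECTED\n'
```

When such a script is reachable through a sudo rule, the fix has two halves: remove the shell from the script as above, and avoid granting sudo on scripts that take free-form input at all, since any remaining shell-out (or a writable script file) turns the rule into a root shell.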
First, I copied a reverse shell command and base64-encoded it with an online tool.

nc -nlvp 5555 # I listened on the port
I supplied the encoded string as the input, using pipes to decode and run it, and got access.


cd /root
ls -al
cat root.txt

In this way, we can root the machine.