Momentum 2 Walkthrough – Vulnhub – Writeup
Momentum 2 is an easy machine from Vulnhub. It is the second machine in the series by AL1ENUM.
Link to the machine: https://www.vulnhub.com/entry/momentum-2,702/
Identify the target
As usual, I started the challenge by identifying the IP address of the target machine.
sudo netdiscover -i eth0 -r 10.0.2.0/24
Scan open ports
Next, I scanned for open ports on the target machine to identify the exposed services.
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.0.2.251
Enumerate web server
Then, I enumerated paths on the web server.
gobuster dir -u http://10.0.2.251/ -x html,txt,php,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
So, I opened the dashboard page.
The page allows file uploads, which are sent as a POST request to the /ajax.php path.
This is where I got stuck. Somehow, I found out that I could upload .txt files, but not PHP files. Furthermore, the /owls directory contains the uploaded files.
However, a backup file of ajax.php is present (gobuster found it via the .bak extension), and it reveals the upload logic.
It looks like the admin can upload pdf, txt and PHP files. So, if we set the admin's cookie, we can upload a shell to the target. However, the cookie value in the backup is missing its last character, so that character has to be brute-forced. Likewise, we also have to send an extra POST parameter “secure” with the value “val1d” in the request.
Hence, I opened Burp Suite for this purpose and uploaded the shell once again. Then, I sent the request to Intruder, cleared the placeholders and set the payload position at the end of the cookie value.
Also, to generate the upper case letters, I simply wrote a short Python script.
After I ran the script, I got the letters one per line. I copied the letters and pasted them into Intruder's simple list.
Lastly, I ran the attack.
We got the response 1 with the letter R, which means the reverse shell was uploaded successfully. Hence, I listened on a port.
nc -nlvp 4444
Then, I opened shell.php in the browser and finally got the shell.
Getting user shell
I upgraded the shell and did further enumeration. In a user's home directory, I found that user's password.
cd /home/athena
ls -al
cat password-reminder.txt
The password was myvulnerableapp*. So, I logged in using SSH.
ssh email@example.com
id
cat user.txt
Getting root shell
Then, I looked at the user's sudo permissions.
As we can see above, the user can execute a Python script as root. So, I looked at the code of the script.
The Python script asks for an input and echoes it back. To echo it, the script runs an echo command through bash, with the input placed unsanitized on that command line. Since the script runs as root, any shell syntax injected into the input is executed as root, which is what gets us root access.
Firstly, I copied a reverse shell command and base64-encoded it online.
nc -nlvp 5555 # listen on the port for the reverse shell
I pasted the encoded string as the script's input, followed by pipes that decode it and feed it to bash, and got root access.
cd /root
ls -al
cat root.txt
In this way, we can root the machine.