
Momentum 2 Walkthrough – Vulnhub – Writeup

Momentum 2 is an easy machine from Vulnhub. It is the second machine in the series by AL1ENUM.

Link to the machine:,702/

Walkthrough of Momentum 1

Identify the target

As usual, I started the challenge by identifying the IP address of the target machine.

sudo netdiscover -i eth0 -r

Scan open ports

Next, I scanned the open ports on the target machine so that I could identify the exposed services.

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log

Enumerate web server

Then, I enumerated the paths exposed by the web server.

gobuster dir -u -x html,txt,php,bak --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log

So, I opened the dashboard page.

The page lets us upload files; the upload form sends a POST request to the /ajax.php path.

This is where I got stuck. Eventually, I found out that I could upload a .txt file but not PHP files. Furthermore, the uploaded files are stored under /owls.

However, it seems that a backup file of ajax.php is present.

It looks like the admin can upload pdf, txt and PHP files. So, if we set the admin's cookie, we can upload a shell to the target. However, the cookie value in the backup is missing one character at the end. Likewise, we might have to send an additional POST parameter “secure” with the value “val1d” in the request.

Hence, I opened Burp Suite for this purpose and uploaded the shell once again. Then, I sent the request to Intruder and cleared the default payload positions.

Also, to generate the upper case letters for the payload list, I simply wrote a small Python script.

After I ran the script, I got one letter per line. I copied the letters and pasted them into Intruder's simple list.

Lastly, I ran the attack.

The request with the letter R returned the response 1, which means the reverse shell was uploaded successfully. Hence, I started a listener on the port.

nc -nlvp 4444

Then, I opened shell.php in the browser and finally got a shell.

Getting user shell

I upgraded the shell and continued enumerating. In a user's home directory, I found that user's password.

cd /home/athena
ls -al
cat password-reminder.txt

The password was myvulnerableapp*. So, I logged in via SSH.

ssh athena@
cat user.txt

Getting root shell

Then, I looked at the sudo permissions of the user.

As we can see above, the user can execute a Python script as root. So, I looked at the code of the script.

cat /home/team-tasks/

The Python script asks for an input and echoes it back. To echo the output, the script executes a bash command, so if I can inject commands into the input, I can get root access.
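The weakness described above, as an added illustration that is not the machine's actual script (which is not shown on this page): a function that hands user input to a shell for echoing, beside the fix that passes the input as a literal argument so that shell metacharacters are never interpreted. The sample input is constructed.

```python
import subprocess

# Constructed sample input for the demonstration: a benign second command
# appended after a ';' separator.
SAMPLE_INPUT = "hello; echo injected"


def echo_via_shell(user_input: str) -> str:
    """Vulnerable pattern (hypothetical reconstruction of the page's script).

    The input is interpolated into a command string that the shell parses,
    so ';', '|', '$(...)' and similar are interpreted as shell syntax.
    When such a script is allowed via sudo, the injected command runs as root.
    """
    completed = subprocess.run(
        f"echo {user_input}", shell=True, capture_output=True, text=True
    )
    return completed.stdout


def echo_as_argument(user_input: str) -> str:
    """Hardened form: no shell is involved at all.

    The input is a single argv element of printf, and '%s' prints it
    verbatim, so separators and substitutions stay plain text.
    """
    completed = subprocess.run(
        ["printf", "%s\n", user_input], capture_output=True, text=True
    )
    return completed.stdout


if __name__ == "__main__":
    # The shell version runs the appended command; the hardened version
    # prints the whole input unchanged.
    print("shell   :", repr(echo_via_shell(SAMPLE_INPUT)))
    print("argument:", repr(echo_as_argument(SAMPLE_INPUT)))
```

Even the hardened form should not be granted via sudo with unrestricted input; the fix removes the injection, not the need for least privilege.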

First, I copied a reverse shell command and base64-encoded it using an online tool.

nc -nlvp 5555 # I listened on the port

I pasted the encoded string into the script's input, using pipes, and got root access.

cd /root
ls -al
cat root.txt

In this way, we can root the machine.
