This is MOMENTUM: 1 from Vulnhub. It says that it is ‘easy/medium’; ok.
SSH and HTTP only.
The basic dirsearch:
python3 /opt/dirsearch/dirsearch.py -u http://192.168.1.211
Okay, we have a crypto function and a passphrase. I visit the opus-details.php and try a quick LFI with the id parameter; nothing. The box has set a cookie for us:
And that looks suspicious to me. Over to JSFiddle, where I have this in the HTML:
And this in the JS:
And in the console log, I get this:
The maker of our box is alienum:
A few goes with SSH reveal we have a login with:
What happens when we get there?
No sudo? I am disappoint.
I run linpeas and see this:
redis 469 0.1 0.4 51672 9548 ? Ssl 06:30 0:06 /usr/bin/redis-server 127.0.0.1:6379
Let’s try that: