Momentum: 1 Walkthrough


Introduction

  • Vulnhub address: Momentum: 1 ~ VulnHub
  • Release date: 22 Apr 2021
  • Difficulty: Easy/Medium
  • Lab environment:

    Machine          IP
    kali             10.4.7.135
    target machine   10.4.7.142

Information collection

Host discovery


Port Scan


Website detection

No useful information was found on the site itself.

Directory Scan

Found a JS file and an Apache-related file.

dirb http://10.4.7.142

Open the JS file: it contains the decryption routine. It loads the CryptoJS library, passes the ciphertext and the key to AES decrypt, and converts the result to a UTF-8 string.

This gives us the encryption key:

SecretPassphraseMomentum


Web Penetration

Click on an image and try injecting data through the URL parameter.

The write was successful.

Try XSS; the page is vulnerable.

<script>alert(1);</script>


XSS vulnerability

Use XSS to read the cookie.

<script>alert(document.cookie);</script>

cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

The cookie is encrypted. Recalling the JS file found earlier, decrypt the cookie with the key obtained there to get a password.

Decryption site: online AES encryption/decryption tool (jsons.cn)

Ciphertext: U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

Key: SecretPassphraseMomentum

Result: auxerre-alienum##


SSH login

ssh auxerre@10.4.7.142
# password: auxerre-alienum##

Check the files in the home directory and read the first flag.

flag: 84157165c30ad34d18945b647ec7f647

Check for kernel vulnerabilities.


There is no sudo command.


Check the users; there is a redis user.

Check the listening sockets: port 6379 is open, indicating that Redis is running.

ss -anotu

Redis

REmote DIctionary Server (Redis) is a key-value storage system written by Salvatore Sanfilippo. It is a cross-platform non-relational database.

Connect to Redis.

Open a terminal and run redis-cli, which connects to the local Redis service. It accepts the connection without a password; list the keys and read the value to get the root password.

m0mentum-al1enum##

# Start the Redis client
auxerre@Momentum:~$ redis-cli
# Get the total number of keys
127.0.0.1:6379> dbsize
(integer) 1
# Get all keys
127.0.0.1:6379> keys *
1) "rootpass"
# Get key value
127.0.0.1:6379> get rootpass
"m0mentum-al1enum##"
127.0.0.1:6379>


Local privilege escalation

Get the second flag.


Summary

This box covered:

  • XSS vulnerability
  • AES encryption and decryption
  • Redis query
