Article directory

- Introduction
- Information collection
  - Host discovery
  - Port scan
  - Website detection
  - Directory scan
- Web penetration
  - XSS vulnerability
- SSH login
  - Redis
  - Local privilege escalation
- Summary
- Reference article
Introduction
- Vulnhub address: Momentum: 1 ~ VulnHub
- Release date: 22 Apr 2021
- Difficulty: Easy/Medium
- Lab environment:

Machine | IP
---|---
kali | 10.4.7.135
target machine | 10.4.7.142
Information collection
Host discovery
Port Scan
Website detection
No information available.
Directory Scan
Found a js file and an Apache file.
dirb http://10.4.7.142
Open the js file: it is a decryption routine. It loads the CryptoJS library, calls AES decrypt on the ciphertext with a key, and converts the result to UTF-8.
The key used for the encryption is hard-coded in the file:
SecretPassphraseMomentum
Web Penetration
Click on the image: the detail page takes a parameter in the URL, so try writing data into it.
The data is reflected back into the page.
Try XSS: the parameter is not escaped, so the page has an XSS vulnerability.
<script>alert(1);</script>
XSS vulnerability
Use xss to get cookies.
<script>alert(document.cookie);</script>
cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt
The cookie is encrypted. Recalling the js file found earlier, the cookie can be AES-decrypted with the key obtained from that file to recover a password.
Decryption website: AES encryption / AES decryption online tool (jsons.cn)
Ciphertext: U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt
Key: SecretPassphraseMomentum
Result: auxerre-alienum##
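The online tool hides what the decryption actually involves. The following added example (not code from the original post or from the Momentum box itself) reproduces the CryptoJS/OpenSSL "Salted__" format step by step: base64-decode, read the 8-byte salt, derive key and IV with the legacy EVP_BytesToKey (MD5, one iteration), AES-256-CBC decrypt, and strip PKCS#7 padding. The cookie value and passphrase are the ones from the walkthrough; the AES primitive is taken from whichever of `cryptography`, `pycryptodome` or the `openssl` CLI is available, which is an assumption about the host running it.

```python
import base64
import hashlib
import subprocess

# Values from the walkthrough: the cookie obtained via XSS and the passphrase from the js file.
COOKIE_CIPHERTEXT = "U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt"
PASSPHRASE = "SecretPassphraseMomentum"


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int = 32, iv_len: int = 16):
    """OpenSSL's legacy EVP_BytesToKey with MD5 and a single iteration.

    This is the KDF CryptoJS.AES.decrypt(ciphertext, passphrase) uses when handed a
    string passphrase: D_i = MD5(D_{i-1} || passphrase || salt); key and IV are read
    off the concatenated digests. It is fast and unsalted per-guess, which is why a
    leaked ciphertext plus a guessable passphrase is not much of a secret.
    """
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.md5(block + passphrase + salt).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def _aes256_cbc_decrypt_raw(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Raw AES-256-CBC decryption with no padding handling.

    Assumption: at least one of the cryptography package, pycryptodome or the
    openssl command line tool is present on the machine running this.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        decryptor = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return decryptor.update(data) + decryptor.finalize()
    except ImportError:
        pass
    try:
        from Crypto.Cipher import AES
        return AES.new(key, AES.MODE_CBC, iv).decrypt(data)
    except ImportError:
        pass
    return subprocess.run(
        ["openssl", "enc", "-d", "-aes-256-cbc", "-nopad", "-K", key.hex(), "-iv", iv.hex()],
        input=data, capture_output=True, check=True,
    ).stdout


def pkcs7_unpad(data: bytes) -> bytes:
    """Remove PKCS#7 padding; a bad pad usually means a wrong passphrase."""
    pad = data[-1]
    if not 1 <= pad <= 16 or data[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding (wrong passphrase or corrupted ciphertext)")
    return data[:-pad]


def cryptojs_aes_decrypt(b64_ciphertext: str, passphrase: str) -> str:
    """Decrypt a CryptoJS/OpenSSL 'Salted__' blob produced with a string passphrase."""
    blob = base64.b64decode(b64_ciphertext)
    if blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL/CryptoJS salted blob")
    salt, body = blob[8:16], blob[16:]
    key, iv = evp_bytes_to_key(passphrase.encode(), salt)
    return pkcs7_unpad(_aes256_cbc_decrypt_raw(key, iv, body)).decode("utf-8")


if __name__ == "__main__":
    print(cryptojs_aes_decrypt(COOKIE_CIPHERTEXT, PASSPHRASE))
```

The decoded blob is 48 bytes: the 8-byte "Salted__" marker, the 8-byte salt, and two AES blocks of ciphertext, which is exactly what a 17-character password padded to 32 bytes produces. Shipping the passphrase in client-side JavaScript means the cookie offers no confidentiality at all; a server-side session identifier, marked HttpOnly so the XSS above cannot read it, is the fix.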
SSH login
ssh auxerre@10.4.7.142  # password: auxerre-alienum##
Check the file and get the first flag.
flag: 84157165c30ad34d18945b647ec7f647
Check for kernel vulnerabilities: nothing usable.
There is no sudo command.
Check the users: there is a redis user.
Check the listening sockets: port 6379 is open, which indicates that redis is running.
ss -anotu
Redis
REmote DIctionary Server (Redis) is a key-value storage system written by Salvatore Sanfilippo. It is a cross-platform non-relational database.
Connect to redis.
Open a terminal and run redis-cli. This connects to the local redis service. It accepts the connection without a password, so list the keys and read the value: it is the root password.
m0mentum-al1enum##

```
# Start redis-cli
auxerre@Momentum:~$ redis-cli
# Get the total number of keys
127.0.0.1:6379> dbsize
(integer) 1
# Get all keys
127.0.0.1:6379> keys *
1) "rootpass"
# Get the key value
127.0.0.1:6379> get rootpass
"m0mentum-al1enum##"
127.0.0.1:6379>
```
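The root password was readable because the redis instance required no authentication. The following added example (not code from the original post) audits a redis.conf text for the settings that allow this: a missing requirepass, a bind on all interfaces, and protected-mode turned off. Both configuration samples are constructed for the example, and the strong password value is a placeholder.

```python
# Constructed sample: a redis.conf that lets any client that reaches the port run `keys *`.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
"""

# Constructed sample: the same instance with the three settings corrected.
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass <placeholder-strong-secret>
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> dict:
    """Collect active directives (comments and blank lines skipped); the last
    occurrence of a directive wins, as it does when Redis loads the file."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives[name.lower()] = value.strip()
    return directives


def audit_redis_conf(text: str) -> list:
    """Return one finding per weakness checked; an empty list means none was found."""
    d = parse_redis_conf(text)
    findings = []
    if not d.get("requirepass"):
        findings.append("no requirepass: any client that can reach the port may read and write every key")
    bind = d.get("bind", "")
    if not bind or any(addr in ("0.0.0.0", "*", "::") for addr in bind.split()):
        findings.append("bind is unset or includes a wildcard address: the service listens on all interfaces")
    if d.get("protected-mode", "yes").lower() == "no":
        findings.append("protected-mode no: the built-in guard against unauthenticated remote access is off")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
```

On this box the attacker was already a local user, so binding to loopback alone would not have helped; requirepass (or an ACL user with a password) is the control that matters, and a root password should not live in a key-value store at all.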
Local privilege escalation
Get the second flag.
Summary
This box covered:
- XSS vulnerability
- AES encryption and decryption
- Redis query
Reference article
- Target Penetration Exercise 80 - Momentum: 1 (hirak0's blog, CSDN)
- After reading this article you will know how to play the penetration testing target machine VulnHub Momentum: 1 (CSDN Blog)
- Redis Tutorial (runoob.com)
- Redis common operation commands, very detailed! (zhihu.com)