Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Momentum Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Momentum


It's a slightly tricky machine; thanks to the author for the hints.

Scan all ports with Nmap first.

nmap -sV -sC -p- -oN ports.log 192.168.56.100

[screenshot]


Enumerate port 80 with gobuster; nothing special so far.

gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.bak,.zip,.js -b 401,403,404,500 --wildcard  -o 80.log

[screenshot]


Open index.html and click on an image; we get redirected to opus-details.php. After some enumeration, opus-details.php turned out to have no LFI or RCE vulnerabilities.

[screenshot]


Check the source of index.html and find js/main.js.

[screenshot]


Check main.js: besides the redirect handler it contains a commented-out decryption snippet.

function viewDetails(str) {
  window.location.href = "opus-details.php?id="+str;
}
/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/


Now we need an encrypted string to feed it. Notice the strange cookie value that is set when visiting opus-details.php.

[screenshot]


Save the commented-out snippet from main.js to a new file, set "encrypted" to the cookie value, and run it with node to get the decrypted string.

(If you don't have node, install Node.js and the crypto-js package first. Note that the Debian/Ubuntu package is "nodejs", not "node", and run npm install in the directory that holds the script so that require("crypto-js") can find it.)

sudo apt install nodejs npm
npm install crypto-js

[screenshot]


Now we have a string that looks like an SSH password. Next we need to guess the username.

After some failed attempts, we succeed with the username "auxerre".

[screenshot]


Check the locally listening ports (for example with ss -tlnp); notice port 6379.

[screenshot]


That is the Redis service port. It did not show up in the external nmap scan, so it only listens locally, and we can connect to it from the box with redis-cli.

[screenshot]


After learning a few Redis commands (KEYS or SCAN to list keys, TYPE, and then GET or the reader for that type), we can retrieve the root password from it.

[screenshot]


Finally, we get root.

[screenshot]





