https://hackmyvm.eu/machines/machine.php?vm=Momentum
It's a slightly tricky machine; thanks to the author for the hints.
Scan the ports with nmap first.
nmap -sV -sC -p- -oN ports.log 192.168.56.100
Enumerate port 80; nothing special so far.
gobuster dir -u http://192.168.56.100 -t 50 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt,.bak,.zip,.js -b 401,403,404,500 --wildcard -o 80.log
Open index.html and click on the image; we are redirected to opus-details.php. After some enumeration we found that opus-details.php has no LFI or RCE vulns.
Check the source of index.html and find js/main.js.
Check main.js and find some decryption code.
function viewDetails(str) {
    window.location.href = "opus-details.php?id="+str;
}

/*
var CryptoJS = require("crypto-js");
var decrypted = CryptoJS.AES.decrypt(encrypted, "SecretPassphraseMomentum");
console.log(decrypted.toString(CryptoJS.enc.Utf8));
*/
Now we need to find the encrypted string. Notice the strange cookie value that is set when visiting opus-details.php.
We save the JS code from main.js to a new file, with the cookie value as the encrypted string, and run it with node; that gives us the decrypted cookie string.
(If you don't have node, install node and the crypto-js package first.)
sudo apt install npm
sudo apt install node
npm install crypto-js
Now we get a string that looks like an SSH password. Next we need to guess the username.
After some failed attempts, we succeed with the username "auxerre".
Check the local ports and notice port 6379.
That is the Redis service port. We can use redis-cli to log in.
After learning some Redis commands, we can get the root password from it.
Finally we get root.