Last updated: 15 Apr 24 09:28:16 (UTC)

Write-Up Momentum: 2

Momentum: 2

By Lawcky 18/01/24

Introduction


Difficulty: Medium

Additional info:

Name: Momentum: 2
Release date: 28 Jun 2021
Author: AL1ENUM
Series: Momentum

|NOTE| the full scan output is not copied here, as it would be far too voluminous; see the linked scan results if you want all of it.


In this write-up

  • ffuf
  • file upload (packet forging)
  • python3 privesc

Write-Up

FUZZING

ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://192.168.1.59/FUZZ -fc 403 -e .txt,.html,.php


dashboard.html allows file uploads.

ajax.php is not readable (its source is not exposed directly).

/js/main.js

the upload function was found in there.

after using a larger wordlist, the following was also found:


/owls/



File Upload

dashboard.html only allows files that end with .txt,

which are then stored in /owls/.

we were able to download the backup of ajax.php with the browser:

http://192.168.1.59/ajax.php.bak

We can upload PHP files if we are the admin. For that we need the cookie &G6u@B6uDXMq&Ms with one additional uppercase letter at the end, plus specific parameters in the request. We can forge this request and send it while fuzzing the last uppercase letter over the alphabet with a tool like Burp, for example.


Forging a packet

here is the default request sent to the server when uploading a file:

we need to add the POST parameter secure with the value val1d,

and the admin cookie, whose last character will be fuzzed over the 26 uppercase letters of the alphabet.

note: §F§ marks the character that is changed for each POST request (Burp's payload marker).

it worked, and the last uppercase letter was R.

we have now successfully uploaded a PHP file.
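The three server-side traces left by the steps above (the wordlist fuzzing, the retrieval of ajax.php.bak, and the 26-request cookie brute force against ajax.php) are all visible in an ordinary access log. The following detection sketch is an added example, not code from the write-up or from the box; it assumes the Apache/nginx "combined" log format, and the log lines, IPs and thresholds are constructed for illustration.

```python
"""Added detection sketch: flags the enumeration patterns used above
(directory/extension fuzzing, backup-file retrieval, and the 26-request
cookie brute force) in web-server access logs. The log lines are
constructed for this example; they are not from the Momentum: 2 box."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Leftover artefacts that should never be reachable in a webroot.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyse(lines, window=timedelta(seconds=10), fuzz_threshold=20, post_threshold=10):
    """Map client IP -> sorted list of findings. Thresholds are assumptions."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = defaultdict(set)
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev["ip"]].append(ev)
        if ev["path"].lower().endswith(BACKUP_SUFFIXES):
            findings[ev["ip"]].add("backup-file-request")
    for ip, evs in per_ip.items():
        start = 0
        for end in range(len(evs)):                 # sliding time window per client
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if sum(1 for e in win if e["status"] == 404) >= fuzz_threshold:
                findings[ip].add("path-fuzzing")
            posts = defaultdict(int)
            for e in win:
                if e["method"] == "POST":
                    posts[e["path"]] += 1
            if any(n >= post_threshold for n in posts.values()):
                findings[ip].add("post-burst")
    return {ip: sorted(f) for ip, f in findings.items()}


# --- constructed sample log (not real traffic) -------------------------------
BASE = datetime(2021, 6, 28, 12, 0, 0, tzinfo=timezone.utc)


def make_line(ip, offset_s, method, path, status):
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "ua"'


SAMPLE_LOG = (
    # wordlist fuzzing: 30 misses in six seconds, then the exposed backup
    [make_line("10.0.0.7", i * 0.2, "GET", f"/word{i}.php", 404) for i in range(30)]
    + [make_line("10.0.0.7", 7, "GET", "/ajax.php.bak", 200)]
    # cookie brute force: 26 POSTs to the upload endpoint in under three seconds
    + [make_line("10.0.0.7", 20 + i * 0.1, "POST", "/ajax.php", 200) for i in range(26)]
    # an ordinary visitor
    + [make_line("10.0.0.9", 3 + i, "GET", "/dashboard.html", 200) for i in range(3)]
)

if __name__ == "__main__":
    for ip, hits in analyse(SAMPLE_LOG).items():
        print(ip, ", ".join(hits))
```

The window and thresholds are deliberately low so the constructed sample trips them; on real traffic they would be tuned per site. The "backup-file-request" rule is the cheapest of the three and is also the easiest to fix at the root: backup copies such as ajax.php.bak should never sit in the webroot in the first place.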



Privilege Escalation

from www-data to user


4WpJT9qXoQwFGeoRoFBEJZiM2j2Ad33gWipzZkStMLHw

first flag found.

athena:myvulnerableapp*

we now have access as athena.


Privilege Escalation

from athena to root

sudo -l

the script in question:

After reviewing the code I understood that the seed is echoed to the log.txt file before the end of the script. Since that echo goes through the shell, the echo command's argument can be used to execute a command via command substitution:

echo $()

which means we can execute one command as root

before the shell crashes, taking the SSH connection down with it. Just entering $(/bin/bash) does give root, but it instantly crashes, so we need something else, like a reverse shell, or changing the root password in a single command.
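The root cause here is a script that builds a shell command out of user-controlled input, so whatever the shell expands (including $( ... )) runs with the script's privileges, in this case root via sudo. The example below is an added illustration of that bug class next to its fix; it is this editor's reconstruction of the pattern, not the actual script from the box, and the function names and the seed allow-list are assumptions.

```python
"""Added illustration of the bug class behind the privesc step: a script that
passes user input to `echo` through a shell, so $(...) inside the input is
executed with the script's privileges. Both functions are this editor's
reconstruction of the pattern, not the script from the box."""
import os
import re
import subprocess
import tempfile

SEED_RE = re.compile(r"[A-Za-z0-9]{1,64}")   # assumed allow-list for a seed


def vulnerable_log_seed(seed, log_path):
    """String-built command run by /bin/sh: command substitution in `seed`
    is expanded by the shell before echo ever sees the value."""
    subprocess.run(f"echo {seed} >> {log_path}", shell=True, check=True)


def hardened_log_seed(seed, log_path):
    """Validate against an allow-list and write the file directly; no shell."""
    if not SEED_RE.fullmatch(seed):
        raise ValueError("seed must be 1-64 alphanumeric characters")
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(seed + "\n")


def compare(seed):
    """Feed the same seed to both variants and return what each logged."""
    with tempfile.TemporaryDirectory() as tmp:
        vuln_log = os.path.join(tmp, "vuln.txt")
        safe_log = os.path.join(tmp, "safe.txt")
        vulnerable_log_seed(seed, vuln_log)
        with open(vuln_log, encoding="utf-8") as fh:
            vuln_out = fh.read().strip()
        try:
            hardened_log_seed(seed, safe_log)
            with open(safe_log, encoding="utf-8") as fh:
                safe_out = fh.read().strip()
        except ValueError as exc:
            safe_out = f"rejected: {exc}"
    return vuln_out, safe_out


if __name__ == "__main__":
    print(compare("abc123"))              # both variants log the literal seed
    print(compare("$(echo injected)"))    # the shell runs the substitution; the hardened path rejects it
```

Run stand-alone, the first call logs "abc123" on both sides, while the second shows the vulnerable variant writing "injected" (the output of the substituted command) and the hardened variant refusing the input. The fix is two-fold: an allow-list on the value, and never routing it through a shell at all. The sudo rule that lets athena run the script as root is what turns this from a local bug into a root shell, so restricting that rule is the other half of the mitigation.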

option 1:

changing root password in a single command

echo -e "1234\n1234" | passwd

option 2:

getting a reverse shell


4bRQL7jaiFqK45dVjC2XP4TzfKizgGHTMYJfSrPEkezG

got the second flag.