Last updated: 15 Apr 24 09:28:10 (UTC)

Write-Up Momentum: 1

Momentum: 1

By Lawcky 17/01/24

Introduction

Momentum: 1

Difficulty: easy+

Additional info:

Name: Momentum: 1
Release date: 22 Apr 2021
Author: AL1ENUM
Series: Momentum

|NOTE| The full scan output is not reproduced here, as it would be far too voluminous; click here to see it.


In this write-up

  • ffuf
  • sqlmap
  • AES encryption
  • redis

Write-Up

FUZZING

ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://192.168.1.61/FUZZ -fc 403 -e .txt,.html,.php



Found the Apache default documentation at http://192.168.1.61/manual/

Found what appears to be a database query (the id parameter of opus-details.php) when clicking on the index images.



SQLmap

sqlmap -u http://192.168.1.61/opus-details.php\?id\=demon --batch --dbs --level 3 --risk 3



AES Encryption

In /js/ we found a script (see screenshot) that encrypts a value and stores it in the website's cookie.

After getting the cookie:

U2FsdGVkX193yTOKOucUbHeDp1Wxd5r7YkoM8daRtj0rjABqGuQ6Mx28N1VbBSZt

and the passphrase:

SecretPassphraseMomentum

Using an online tool (Browserling here) to decrypt it gives:

auxerre-alienum##

This wasn't a web page credential, it was an SSH user's password:

auxerre:auxerre-alienum##

First flag found.


Privilege Escalation

We found a Redis service running on localhost without authentication. Using this reference to understand Redis' commands, we were able to retrieve the root password of the machine, which was stored in one of the service's databases.

Second flag found.