Friday, 8 July 2016

SecOS challenge

The SecOS challenge has been prepared by PaulSec, so thanks Paul for that.

nmap -sV -A -p- [IP]

22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 9b:d9:32:f5:1d:19:88:d3:e7:af:f0:4e:21:76:7a:c8 (DSA)
|   2048 90:b0:3d:99:ed:5b:1b:e1:d4:e6:b5:dd:e9:70:89:f5 (RSA)
|_  256 78:2a:d9:e3:63:83:24:dc:2a:d4:f6:4a:ac:2c:70:5a (ECDSA)
8081/tcp open  http    Node.js (Express middleware)
|_http-title: Secure Web App
Good, only two open ports: 22 SSH and 8081 HTTP. Let's begin from HTTP.

OK, we see several links, but for us the most interesting are Sign up and Login. I prefer start from Login.
I was trying SQL Injection - without success as well as default credentials. So I decided to create our own user admin:admin using Sign up.

Very good information for us. We know that we have to attack spiderman. I have run DirBuster and it found /hint file.

Now, we know that we have to conduct CSRF attack against spiderman. Let;s do that!
I thought that the best idea would be write script which will change spiderman password  for known by us.

This script is located on http://my_ip/pics.html and I wrote message to spiderman that I have great pictures from vacations and I would like to from him to see it.
I waited several minutes and let's try log in as spiderman

Wow! Great! We know that our target has 22 SSH open port, so let's try to use CrazyPassword as password.

Excellent! I examined version of target OS and it is Ubuntu 14.04, so I found effective exploit.

Game over!