The SecOS challenge was prepared by PaulSec, so thanks, Paul, for that.
Scanning
nmap -sV -A -p- [IP]

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 9b:d9:32:f5:1d:19:88:d3:e7:af:f0:4e:21:76:7a:c8 (DSA)
|   2048 90:b0:3d:99:ed:5b:1b:e1:d4:e6:b5:dd:e9:70:89:f5 (RSA)
|_  256 78:2a:d9:e3:63:83:24:dc:2a:d4:f6:4a:ac:2c:70:5a (ECDSA)
8081/tcp open  http    Node.js (Express middleware)
|_http-title: Secure Web App

Good, only two open ports: 22 (SSH) and 8081 (HTTP). Let's begin with HTTP.
OK, we see several links, but the most interesting for us are Sign up and Login. I prefer to start with Login.
I tried SQL injection and default credentials, both without success. So I decided to create our own user, admin:admin, using Sign up.
Very good information for us: we know that we have to attack spiderman. I ran DirBuster and it found a /hint file.
Now we know that the way in is a CSRF attack against spiderman. Let's do that!
I thought the best idea would be to write a page that changes spiderman's password to one known to us: the browser attaches spiderman's session cookie to the forged request, and the password-change form does not require anything that proves the request came from the application itself.
This page is hosted at http://my_ip/pics.html, and I sent spiderman a message saying I had great vacation pictures that I would like him to see.
I waited several minutes, then tried to log in as spiderman.
Wow! Great! The target also has SSH open on port 22, so let's try CrazyPassword as the password there too (password reuse between the web application and the host is always worth a test).
Excellent! I checked the target's OS version, which is Ubuntu 14.04, and found an effective exploit for it (when choosing a local privilege-escalation exploit, match it against the exact kernel from uname -r as well, since the release name alone does not tell you which kernel bugs are still unpatched).
Game over!