SecOS: 1 Walkthrough

Hi guys, I found another awesome CTF on VulnHub, so let's walk through SecOS.

  • Nmap:

The nmap result shows two ports are open. Let's try to access port 8081.


Looks cool! Let's explore the website, but before that, open Burp Suite and spider this host so that Burp can capture some directories.


So Burp caught a page called hint. Let's visit this page.


As always, it shows nothing on the front end, so let's check the source code.


We got three hints. After looking at the third hint I quickly went to the signup option, created an account and logged in with it. Digging around, I noticed three important points.

  1. Administrator: Spiderman
  2. Change password option:
  3. Message option:

Now we can understand the hints; they are simply saying that we have to conduct a CSRF attack against the administrator, i.e. spiderman.

Let's create a form for the CSRF attack. The form should auto-submit, so as soon as spiderman visits the page his password will be changed.


Save this form to the /var/www directory and start the Apache server. We can also check the Apache access log, located at /var/log/apache2/access.log, to see who submitted our form.

Now everything is set, so let's send a message to spiderman.


After a few minutes the Apache access log shows that someone viewed our page.
So hopefully spiderman's password has been reset to spiderman. It's time to log in with spiderman's account.
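The reason the auto-submitted form works is that the password-change handler trusts any POST that arrives with the victim's session cookie. As an added example (not code from the VulnHub machine or from this write-up), here is a minimal handler with that weak behaviour beside a hardened version that requires a per-session anti-CSRF token and checks the Origin header; the session object, user table and site origin are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory stand-ins for the app's session store and user table
# (assumptions for this example, not the SecOS source).
@dataclass
class Session:
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))

USERS = {"spiderman": "original-secret"}  # constructed sample data
SITE_ORIGIN = "http://secos:8081"           # constructed; port from the write-up

def change_password_vulnerable(session, form):
    """Weak handler: any POST carrying a valid session cookie is honoured.
    A form auto-submitted from a third-party page rides on the victim's
    cookie, so whoever wrote that page chooses the new password."""
    USERS[session.user] = form["password"]
    return True

def change_password_hardened(session, form, headers, site_origin=SITE_ORIGIN):
    """Hardened handler: require the per-session anti-CSRF token in the body
    and, as defence in depth, reject a foreign Origin header. A cross-site
    form cannot read the token and cannot forge Origin."""
    token = form.get("csrf_token", "")
    # Constant-time compare so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token, session.csrf_token):
        return False
    # Browsers add Origin to cross-site POSTs; a present-but-foreign value is
    # rejected, a missing one is tolerated because the token already protects us.
    origin = headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False
    USERS[session.user] = form["password"]
    return True

def demo():
    """Run a forged and a legitimate password change through both handlers."""
    admin = Session(user="spiderman")
    forged = {"password": "spiderman"}                      # no token available
    forged_headers = {"Origin": "http://attacker.example"}  # constructed
    legit = {"password": "n3w-secret", "csrf_token": admin.csrf_token}
    legit_headers = {"Origin": SITE_ORIGIN}
    results = {}
    USERS["spiderman"] = "original-secret"
    results["vulnerable_forged"] = change_password_vulnerable(admin, forged)
    results["vulnerable_pw"] = USERS["spiderman"]
    USERS["spiderman"] = "original-secret"
    results["hardened_forged"] = change_password_hardened(admin, forged, forged_headers)
    results["hardened_legit"] = change_password_hardened(admin, legit, legit_headers)
    results["hardened_pw"] = USERS["spiderman"]
    return results
```

Running demo() shows the weak handler accepting the forged request and setting the password to "spiderman", while the hardened one rejects it and only honours the request that carries the session's own token.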


Here we have two messages from the user pirate, which look interesting. After digging around I found nothing important to move further, but finally I cracked this hint :p

We know that the SSH port is open, and the hint indicates that the password might be CrazyPassword! So let's give it a try ;)


Logged in successfully ;)

Privilege Escalation

  • OS release

  • Kernel version



Since the target machine is running Ubuntu 14.04 with kernel version 3.13.0-24, the first thing we can try is the very popular exploit called overlayfs, which is supposed to work on it.

Let's download and run the exploit.


Thanks for reading :)
