SecOS: 1 Walkthrough

-
Hi guys i found another awesome CTF on vulnhub so let's walkthrough the Secos

  • Nmap :

Result of nmap shows two ports are open. Let's try to access port 8081.


Looks cool ! let's explore website but before open burpsuite and spider this host so that burp can capture some directories. 


So burp caught a page called hint. Let's visit this page.

 
As always it shows nothing at the front so let's check source code 


We got three hints, after looking at third hint i quickly goto signup option and created a account and logged in with the same account. Digging around i noticed three important points .

  1. Administrator: Spiderman 
  2. Change password option:
  3. Message option:
Now we can understand hints simply saying that : We have you conduct a CSRF attack against the administrator i.e spiderman

Let's create a form for CSRF attack and the form should auto-submit so as soon as spiderman visits the page his password will be changed.


Save this form to /var/www directory and start apache server. we can also check the apache access logs which located at /var/log/apache2/access.log to see who submitted our form. 

Now everything is set so let's send a message to spiderman.


After few minutes apache access logs shows someone viewed our page.
So hopefully spiderman's password reset to spiderman. Its time to login with spiderman's account.


Here we have two messages from pirate user which looks interesting so after digging around i found nothing important to move further but finally i cracked this hint :p 

We know that ssh port is open and the hint is indicating that password might be CrazyPassword! so let's give it a try ;)


logged in successfully ;)

Privilege Escalation 

  • Os release 

  • Kernel version 



Since the target machine is running on ubuntu 14.04 with kernel version 3.13.0-24, the first thing we can try very popular exploit called overlayfs
which suppose to work for it.

Let's download and run the exploit.


 Thanks for reading :)





Comments

Post a Comment

Popular posts from this blog

How I bypassed 2-Factor Authentication in a bug bounty program

-
Image
Hello readers, This post is about one of my recent finding in a private bug bounty program on hackerone. For the sake of privacy, let’s call the site as bountyplease.com According to Bountyplease.com scope, they are more interested in Authentication related issues. So I decided to test their 2-Factor Authentication mechanism. As normal 2-Factor Authentication flow the process works in the following steps. 1. User login to account by providing valid email and password 2. A valid OTP send to users register number 3. User fill OTP 4. Login successful But in case if any user lose their phone or SIM card the process works in the following steps. 1. User login to account by providing valid email and password 2. User select other options 3. User provide backup codes 4. Login successful In both above described cases there is also a code flow as following. 1. User login to account by providing valid email and password 2. At this stage bountyplease.com display a pa...
Read more

Story of a JSON XSS

-
Image
Hi folks, This post is about of one of my recent my finding in a bug bounty program. I started checking the application for common vulnerabilities but got nothing after spending an hour I came across an endpoint which looks as follows. If you look at request and response you will see the value of status parameter is reflecting back in the response. So I tried replacing the value of status parameter and same reflected back in the response as shown in below. What next? Let’s check for XSS with a simple payload as shown in below. But angle brackets getting filtered, after I tried some encodings but nothing worked. So I was about to give up but suddenly i decided to try array tricks. So you can see whatever we write inside the round brackets is reflecting back in response as it becomes associated array as follows Status    Equals JSON object <haha> Equals Key of JSON o...
Read more