Hack the SecOS:1 (CTF Challenge)

Hello readers, and welcome to another CTF challenge. This VM was developed by PaulWebSec. The aim of this lab is to get root on the VM and read the congratulatory message. The virtual machine can be downloaded here. I quickly loaded up the machine and it was primed and ready!

Steps involved:

  • IP discovery and port scanning
  • Running the web app
  • Running a CSRF attack on the administrator
  • Tricking the admin into visiting a fake page by sending him a message
  • Waiting a few minutes to let the admin visit that page
  • Getting credentials and logging in over SSH with them
  • Running the overlayfs exploit on the system
  • Getting root access!

So, let’s start.

I need not say this after so many articles, but the first and foremost step is running netdiscover to find the IP address of the VM.

The IP address in my case was 192.168.1.128

I ran an aggressive nmap scan on this IP address to find which ports were open and to get a first clue on where to start.

We found a web app working on port 8081. Without any delay we opened it.

The first hint was the message shown: “Secure Web App is a part of the vulnerable VM called secOS-2”

Hence, we inferred that this VM has web-based vulnerabilities. The next step was to run a nikto scan, which didn’t yield much info either.

So, we ran dirb in the hope of finding something good here.

Of course there is a login page! And a login page in a web vulnerable app means a route to shell!

We moved forward to the login page directly.

Inspecting the page gave no satisfactory results, but there was still a user registration page available to us. We headed over there.

Since we got redirected to the home page, it was fair to assume we had been registered. Let’s try to log in to the web app using that testuser.

There wasn’t much information on the page, except that we saw a “My Messages” tab on the homepage.

It is worth noting, though, that Burp Spider showed us a page called “hint”, and upon inspecting that page we found the following details:

First: The admin visits the site very frequently.

Second: He runs it locally on 127.0.0.1

Third: CSRF is applicable!

After some looking around, we found under the “users” tab that Spiderman was the administrator. Could it be possible to make the admin change his password to one of our choosing?

Hence, we wrote a quick CSRF HTML page in a text file and saved it as csrf.html inside /var/www/html.

What this page does is cause the administrator’s password to be changed to “passw0rd” when the administrator visits it.

We saved the page to the /var/www/html directory, started Apache, ran the HTML code and waited for 2-3 minutes, and we got logged into the administrator account!
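A CSRF like this succeeds when the password-change request needs nothing beyond the admin’s session cookie. The following is an added example, not part of the original write-up or of the SecOS code: hypothetical Node.js handlers contrasting that weak form with one that checks the Origin header and a per-session token. The handler names, the request shape and the `http://127.0.0.1:8081` origin (combined from the hint page and the port found earlier) are assumptions.

```javascript
// Added example: hypothetical password-change handlers, not SecOS source code.
const crypto = require("crypto");

const APP_ORIGIN = "http://127.0.0.1:8081"; // assumed origin the admin browses

// Issue a random per-session token; the server embeds it in its own forms only.
function newSession(user) {
  return { user, csrfToken: crypto.randomBytes(32).toString("hex"), password: "old-secret" };
}

// Constant-time comparison that tolerates a missing or wrong-length token.
function tokensMatch(expected, supplied) {
  const a = Buffer.from(String(expected));
  const b = Buffer.from(String(supplied ?? ""));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Weak form: the session cookie alone authorizes the change.
function changePasswordWeak(session, req) {
  session.password = req.body.password;
  return { status: 200, reason: "changed" };
}

// Hardened form: reject cross-origin posts and require the session's token.
function changePasswordHardened(session, req) {
  if (req.method !== "POST") return { status: 405, reason: "method" };
  if (req.headers.origin !== APP_ORIGIN) return { status: 403, reason: "origin" };
  if (!tokensMatch(session.csrfToken, req.body.csrf)) return { status: 403, reason: "token" };
  session.password = req.body.password;
  return { status: 200, reason: "changed" };
}

// Constructed requests: one sent by a foreign page, one from the app's own form.
function demo() {
  const admin = newSession("spiderman");
  const forged = { method: "POST", headers: { origin: "http://attacker.example" },
                   body: { password: "passw0rd" } };
  const genuine = { method: "POST", headers: { origin: APP_ORIGIN },
                    body: { password: "n3w-long-passphrase", csrf: admin.csrfToken } };
  return {
    weakForged: changePasswordWeak(newSession("spiderman"), forged).status,
    hardForged: changePasswordHardened(admin, forged).reason,
    hardGenuine: changePasswordHardened(admin, genuine).status,
    finalPassword: admin.password,
  };
}
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer on top of these server-side checks.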

We found 2 messages from the pirate user. One had a password for an unidentified service. Could it be possible that this is a password for SSH?

We tried it out!

It worked!!

Next up, we looked for the kernel version of the machine.

After a couple of minutes of searching for exploits for the given kernel version, we found something useful for our cause.

It is exploitable with an exploit called “overlayfs.”

We downloaded it and ran it.

After it got compiled using gcc, we ran it using:

Voila! It gave us a root shell.

And just like that, it was over. Hope you enjoyed.

Author: Harshit Rajpal is an InfoSec researcher and a left and right brain thinker. contact here
