My First Hacking Blog: A Journey into Hacking College Servers and Uncovering Security Vulnerabilities
Hello guys. My name is Smukx, and this is my first blog write-up. In this article we are going to see how I hacked my college cloud server and found some interesting vulnerabilities… Trust me, it's going to be fun to read, and you'll pick up some knowledge you didn't have before! Let's get into the series.
Vulnerabilities found: Bypassing Google authentication + DoS attack + Account takeover + Privilege escalation!!
Current scenario ;)
My college set up some training sessions on advanced Linux and C programming for 1st-year students. For that they assigned a cloud machine to each and every student to learn on. I am one of them! But with a different mindset, you know: we are hackers/pentesters, we think from a different perspective…
Information gathering…
This is my default cloud. You can see that they are using Ubuntu 20.04 LTS (Focal Fossa). No browser, no additional software installed, and I don't know the superuser password. That's a disadvantage ;(
To access the cloud, we have to sign in through Google accounts ;)
So I started enumerating things: found the IP address, kernel version and network config settings, but nothing interesting so far. In ifconfig I can see its address is 172.20.1.53. If you have experience with Docker then you know that's a default bridge config for Docker containers. So they use Docker?! But for a GUI? I thought they used some open-source service like VNC.
So I listed the processes running as user and root! Look what I got:
Using my roll no as a token.. hmm, that's sus..
My guess was right. In ps 1, we can see that it is running vnc_startup.sh through kasm_startup.sh from the dockerstartup file path. We found it, guys: they use Kasm Workspaces. So I wrote a small bash script to re-run vnc_startup.sh for 60 seconds. When I ran it, my VNC display was gone, giving me an error! Actually they are using JavaScript to disable the settings function, but when I crashed my session for a minute, the JS got disabled and I got the popup on the left side.
One good thing is that we found the version of Kasm Workspaces ;) After a minute, I got my machine back. When I searched for the version, I got goosebumps. I took a list of released versions for your reference:
OMG WTF..! They use the oldest, beta version of this application. We know that older versions always have vulnerable pieces of code. So I started some web recon, since it's a web server. I am currently learning web security, so yes, it's time to learn new things.
Before that, when I tried to read the source in the dockerstartup file, I found this help function in a bash script!
Found a GitHub site, read the whole repo.
So they are using headless VNC sessions to create 500+ Docker containers 😮. I think that's a huge process. Using these scripts they have made the process easier.
So I shut my laptop and booted my PC at home, opened Burp Suite and started intercepting each request. Opened nmap and scanned all the ports, and intercepted each and every file that Kasm has. Found the public IP address through `curl ifconfig.me` and pinged it from my local PC. It works! So the machine is reachable on the same network, good. Okay, now what.. It's time to get into the main work.
Bypassing Google Authentication
So when I inspected some parameters and requests in the browser, I saw a weird but interesting request through its public IP.
When I opened that URL in a new tab, I got access to my cloud!
The default credentials // username: cloud // password: student roll no
So we can bypass Google authentication! In fact that's not a cookie 😑, it's a token assigned to each container. I think it could lead to ATO? Hmm… Let's see. For now:
Successfully Bypassed Google Authentication ✅
DoS (Denial-of-Service)
So far we have gathered some basic information about the target. After all, if you analyse it well, you get an idea! The container was configured with the defaults, so to DoS the system we can drive up memory and CPU usage to test!
Target specs:
CPU: Intel(R) Xeon(R) CPU E7-8870 v3 @ 2.10GHz, RAM: 503 GB
For that I wrote some C and Python code. First time coding for a server processor; I was so happy while coding! When I executed the C program (rabbit virus algorithm) Link, my cloud started lagging and crashed!
And a few minutes later!… WAIT WHAT!! WTF IS GOING ON HERE!?!?
The whole server, including the login portal, had crashed permanently ;(
Wait, wait? If my guess was correct, did they host the web page on the same container?? Oh my God. At least they could set a limit on each container. With the default configuration in that script, every process gets loaded onto the host PC. The only solution for that is to restart the server. I did it 2 to 3 times after that, same results :)
Successfully Found DOS Vulnerability ✅
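Added example, not code from the original post or from Kasm: the check an admin would want after this finding. It reads `docker inspect` output and reports which containers were started without the `--memory`, `--pids-limit` and `--cpus` caps that would have kept one runaway process inside its own container. The container names and HostConfig values below are constructed.

```python
"""Audit Docker containers for missing cgroup limits. Added example, not from the
original post or from Kasm: the finding above is that each student container ran
with Docker's defaults (no memory, CPU or PID cap), so one runaway process took
down the whole host. Reads `docker inspect` output and lists the missing limits."""
import json
import subprocess

# HostConfig fields to check and the `docker run` flag that sets each one.
# Docker reports 0 or null when a limit is unset; -1 on PidsLimit means "unlimited".
CHECKS = {
    "Memory": "--memory",         # bytes; 0 = no cap
    "PidsLimit": "--pids-limit",  # unset = a fork bomb in one container hits the host
    "NanoCpus": "--cpus",         # 0 = no CPU limit
}

# Constructed sample in the shape of `docker inspect <id> <id>` output.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/kasm_student_001",
     "HostConfig": {"Memory": 0, "PidsLimit": None, "NanoCpus": 0}},
    {"Name": "/kasm_student_002",
     "HostConfig": {"Memory": 2147483648, "PidsLimit": 512, "NanoCpus": 1000000000}},
])

def missing_limits(container: dict) -> list:
    """Return the `docker run` flags this container should have been started with."""
    host = container.get("HostConfig") or {}
    return [flag for field, flag in CHECKS.items()
            if host.get(field) is None or host[field] <= 0]

def audit(inspect_json: str) -> dict:
    """Map container name -> missing limit flags (empty list means all are set)."""
    return {c["Name"].lstrip("/"): missing_limits(c) for c in json.loads(inspect_json)}

def audit_live_host() -> dict:
    """Run the same audit against the local daemon (needs docker CLI access)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit(out)

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_INSPECT).items():
        print(f"{name}: missing {' '.join(flags) or 'nothing'}")
```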
(ATO) Account Takeover
This was not what I expected, but when I was looking at a request, I saw a POST request to /api/signin.. hmm, that looks sus.. When I looked at the content, it uses JSON to query the API using my email. hmm ;)
I tried a different email, one of my classmates'..
Gotcha.. we did it, boys. So when we modify the request with the other ID, we get in, guys!
Note: I can legally see all students' names, emails and roll numbers through the student portal.
To make the process easier I wrote a simple Python script ;)
So the API fetched the record from the database (MongoDB) using our email, via Flask. It fetches the data from the database to authenticate, and if we give wrong input through the JSON it leads to a Flask error. Can we pentest the MongoDB? ;))
Successfully Found Account Takeover ✅
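Added example, not the college's code (whose source the post never shows): the sign-in logic described above, written framework-free beside a hardened version. The `verify_google_token` callback, the user records and the token strings are assumptions; in production that callback would wrap google-auth's `id_token.verify_oauth2_token`. The same rule closes the bypass section above: a session token is issued only after the identity is verified, never derived from a roll number or accepted from a URL.

```python
"""The /api/signin pattern behind the account takeover, beside a fixed version.
Added example, not the college's code: the post says the endpoint took a JSON
body with an email, looked it up in MongoDB and logged the caller in, and that
bad JSON produced a Flask error. Written framework-free (each handler returns
(status, body)) so it runs anywhere; the Google check is a hypothetical callback
you would back with google-auth's id_token.verify_oauth2_token."""
import secrets
from typing import Callable, Optional

# Constructed stand-in for the MongoDB users collection, keyed by email.
USERS = {
    "alice@college.example": {"roll_no": "21CS001", "container": "kasm_student_001"},
    "bob@college.example": {"roll_no": "21CS002", "container": "kasm_student_002"},
}
SESSIONS = {}  # session token -> email

def signin_vulnerable(body):
    """Trusts whatever email the client sends: knowing a classmate's email is
    enough to be handed their container. Malformed input raises -> HTTP 500."""
    user = USERS[body["email"]]  # KeyError / TypeError surface as a Flask error page
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = body["email"]
    return 200, {"token": token, "container": user["container"]}

def signin_hardened(body, verify_google_token: Callable[[str], Optional[str]]):
    """Identity comes from a server-verified Google ID token, never from a
    client-supplied email; bad input gets 400/401 instead of a stack trace."""
    if not isinstance(body, dict) or not isinstance(body.get("id_token"), str):
        return 400, {"error": "id_token (string) required"}
    email = verify_google_token(body["id_token"])  # None if sig/aud/exp checks fail
    if email is None or email not in USERS:
        return 401, {"error": "authentication failed"}  # same reply for both cases
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = email
    return 200, {"token": token, "container": USERS[email]["container"]}

def fake_verifier(valid_tokens: dict) -> Callable[[str], Optional[str]]:
    """Constructed verifier for offline runs: maps known ID tokens to emails."""
    return lambda tok: valid_tokens.get(tok)

if __name__ == "__main__":
    print(signin_vulnerable({"email": "bob@college.example"})[0])     # 200: anyone gets Bob's box
    verify = fake_verifier({"tok-alice": "alice@college.example"})
    print(signin_hardened({"email": "bob@college.example"}, verify)[0])  # 400
    print(signin_hardened({"id_token": "tok-alice"}, verify)[0])      # 200, Alice only
```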
Privilege Escalation.
So we have reached the main part, the most awaited twist. So, getting started with recon again.
Used linpeas to find whether any leaked files exist, and used my shell script to discover the active containers in the specific domain. In that I found a silly but interesting thing. What can we do with that? The pic given below explains it well, and I might cover it in part 2 ;)
So let's get into the topic…
No CVEs on the containers, that's for sure. So when I searched the internet for critical CVEs, nothing found ;( But I didn't lose hope. While I was surfing college stuff, I got recommended an interesting video.
DEF CON 30 conference. In it, Samuel Erb and Justin Gardner gave a talk exploring Kasm vulnerabilities: CSRF and RCE. What luck! So I took a bowl of popcorn 🍿 and started watching it. It was fun, and the roughest path ever.
Since the Kasm version is so old, I executed it, and guess what… it works. Since the privilege escalation is not my credit, I won't say much on this topic.
Successfully Executed Privilege Escalation Technique ✅
Did I report?! Not yet.
As I said earlier, there is 1 thing remaining that I need to find, but it can take quite some time. If I succeed, I will write about that topic in the second part.
If you like my article, give me a clap for appreciation so it helps me publish more content like this. Do follow my media accounts, guys.
Happy Hacking :(){ :|:& };:
Bye bye guys, see you around…