Vulnhub_Sedna_WriteUp

Sedna Vulnhub writeup

Sedna was pretty straightforward, with few twists and turns. Cheers to Simon for building the VM: https://www.vulnhub.com/entry/hackfest2016-sedna,181/

Once the VM booted, it displayed the IP address which saved us from a pointless discovery scan.

Anyhow, running nikto on all HTTP services and running around with nmap can be quite cumbersome. Hence, as usual practice, I fired up the DeepScan script to do all the basic enumeration for me. The beauty of the script is that it enumerates all common ports and services automatically while you go for a coffee. You can find the DeepScan script here: https://github.com/tahmed11/DeepScan

At this stage the scan came back with quite a few open services and a lot of information. I wasted quite a bit of time going after port 8080, as it seemed to be the vulnerable service. After jiggling with the PUT method to upload a shell and trying default Tomcat credentials, it became quite apparent that port 8080 was the wrong service. So I moved on to the next service.

DeepScan showed a Unix user, crackmeforpoints. It was not useful at this point, so I took a note of it and moved on.

Nothing seemed out of the ordinary in the nikto scan.

But close inspection of license.txt revealed that the BuilderEngine application was installed.

Searching the Exploit-DB database revealed that BuilderEngine has an arbitrary file upload vulnerability.

To confirm that the vulnerable PHP file exists, I visited the following link: http://192.168.117.132/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

Now to put the exploit into action. If the exploit works, the shell will be uploaded under the files directory.

[Screenshot: the files directory before the exploit]

I uploaded a reverse shell through the exploit.

The files directory after exploitation: the shell was uploaded, which means the exploit worked.

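For defenders, the upload-then-execute sequence above leaves a recognizable trail in web server access logs. The following is an added example, not part of the original write-up: it scans combined-format log lines for successful requests to script files under the upload directory and notes whether the same client earlier POSTed to the upload handler. The `/files/` prefix, the extension list and the sample log lines are assumptions constructed for illustration.

```python
import re

# Upload handler path as shown in the write-up.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
FILES_PREFIX = "/files/"  # assumption: web path of the upload directory
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

# Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_then_execute(lines):
    """Flag successful requests for script files under the upload directory and
    record when the same client first POSTed to the upload handler (if seen)."""
    uploaders = {}  # client IP -> timestamp of first successful POST to the handler
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if method == "POST" and path.startswith(UPLOAD_ENDPOINT) and status < 400:
            uploaders.setdefault(ip, m["ts"])
        elif path.startswith(FILES_PREFIX) and SCRIPT_EXT.search(path) and status == 200:
            findings.append({
                "ip": ip,
                "path": path,
                "requested_at": m["ts"],
                "uploaded_at": uploaders.get(ip),  # None: no upload seen from this IP
            })
    return findings

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2017:10:01:02 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 37 "-" "curl/7.50"',
    '203.0.113.7 - - [10/Mar/2017:10:02:10 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 412 "-" "curl/7.50"',
    '198.51.100.4 - - [10/Mar/2017:10:02:30 +0000] "GET /files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2017:10:03:00 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "curl/7.50"',
]

if __name__ == "__main__":
    for finding in find_upload_then_execute(SAMPLE_LOG):
        print(finding)
```

A hit with `uploaded_at` set is the strongest signal; a hit without it still deserves a look, since any script served from an upload directory is unexpected.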

Now all that is left is to get the initial shell.

Finally, a shell.

Time to get the first flag.

Privilege Escalation:

Looking at the kernel version, 3.13.0, it was quite apparent that it is vulnerable to the new kernel exploits like Dirty COW. But I tried to look for any vector through common misconfigurations, hence I ran the usual Linux enumeration scripts. I ran out of patience soon and went straight for kernel exploits. As expected, Dirty COW worked like a charm and I got the second flag.

Overall a fun VM. Good weekend challenge.

Didn't get the last two flags.