Sedna Vulnhub writeup
Sedna was pretty straightforward, with a few twists and turns. Cheers to Simon for building the VM. https://www.vulnhub.com/entry/hackfest2016-sedna,181/
Once the VM booted, it displayed its IP address, which saved us from a pointless discovery scan.
Anyhow, running nikto against every HTTP service and juggling nmap by hand can be quite cumbersome. Hence, as usual, I fired up the DeepScan script to do all the basic enumeration for me. The beauty of the script is that it enumerates all common ports and services automatically while you go for a coffee. You can find the DeepScan script here: https://github.com/tahmed11/DeepScan
At this stage the scan came back with quite a few open services and a fair amount of information. I wasted quite a bit of time going after port 8080, as it seemed to be the vulnerable service. After fiddling with the PUT method to upload a shell and trying default Tomcat credentials, it became quite apparent that port 8080 was the wrong service, so I moved on to the next one.
DeepScan showed a Unix user, crackmeforpoints. Not useful at this point, so I took a note of it and moved on.
Nothing seemed out of the ordinary in the nikto scan:
But close inspection of license.txt revealed that the BuilderEngine application was installed.
Searching the Exploit-DB database revealed that BuilderEngine has an arbitrary file upload vulnerability.
To confirm that the vulnerable PHP file exists, I visited the following link: http://192.168.117.132/themes/dashboard/assets/plugins/jquery-file-upload/server/php/
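The root cause on Sedna is an upload handler that writes whatever name and content the client sends into a directory the web server also executes scripts from. As an added illustration (my own code, not BuilderEngine's or jquery-file-upload's), the Python below shows the checks such a handler should perform before anything touches disk: an allowlist of extensions (the image types here are an assumed site requirement), a single-extension rule, a content check against the file's leading bytes, and a server-chosen stored name.

```python
"""Allowlist-based upload validation, added here as an illustration.
This is not BuilderEngine's or jquery-file-upload's code; it shows the
checks the handler on Sedna was missing, which is why a .php file could be
dropped into a web-served directory and executed.
"""
import os
import re
import secrets

# Assumption: the site only needs to accept these image types. Each
# extension maps to the leading bytes a genuine file of that type starts with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}

# Conservative character set for names; anything else is rejected outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,100}$")


def validate_upload(filename, data):
    """Return (ok, reason). ok is True only when every check passes."""
    base = os.path.basename(filename)
    if base != filename or not _SAFE_NAME.match(base):
        return False, "unsafe file name"
    # Exactly one extension: names such as shell.php.jpg or .htaccess are
    # refused, because some server configurations act on any extension.
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "name must be of the form stem.ext"
    ext = "." + parts[1]
    if ext not in ALLOWED:
        return False, "extension not allowed"
    # The extension alone proves nothing; the content must look like that type.
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename):
    """Name the server will use on disk: a random stem plus the validated
    extension, so the client never chooses the stored file name. Call only
    after validate_upload() returned ok."""
    ext = filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    # Constructed inputs for a quick run; the PHP content is a harmless stub.
    print(validate_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
    print(validate_upload("rev.php", b"<?php echo 1; ?>"))
    print(validate_upload("rev.php.jpg", b"<?php echo 1; ?>"))
```

Two further measures close the gap even if a check is bypassed: write uploads to a directory outside the document root and serve them back through a handler that sets the Content-Type itself, and never trust the Content-Type header the client sent with the upload.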
Now to put the exploit into action. If the exploit works, the shell will be uploaded under the files directory. The files directory before the exploit:
Uploaded a reverse shell through the exploit.
The files directory after exploitation. The shell was uploaded, so the exploit worked.
Now all that is left is to get the initial shell.
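From the defender's side, the sequence above leaves a distinctive trail in the web server's access log: a probe of the upload handler, a POST to it, then a request for a .php file under its files directory. The Python below is an added example (not from the VM or this writeup) that runs those three rules over constructed Apache combined-format log lines; the handler path is the one confirmed above, the IP addresses, timestamps and user agents are made up.

```python
"""Access-log detection for the jquery-file-upload handler pattern.
Added example; the sample log lines are constructed, not captured from Sedna.
"""
import re

# The handler path confirmed earlier in the writeup.
UPLOAD_HANDLER = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
# Extensions the web server would hand to the PHP interpreter.
EXEC_EXT = (".php", ".phtml", ".phar")

# Apache combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Constructed sample, mirroring the steps of the writeup.
SAMPLE_LOG = """\
192.168.117.1 - - [10/Dec/2016:14:02:11 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.117.1 - - [10/Dec/2016:14:02:40 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 97 "-" "python-requests/2.12"
192.168.117.1 - - [10/Dec/2016:14:02:45 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/files/rev.php HTTP/1.1" 200 0 "-" "python-requests/2.12"
192.168.117.1 - - [10/Dec/2016:14:03:01 +0000] "GET /index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""


def classify(method, path):
    """Return a reason string for suspicious requests, or None."""
    p = path.split("?", 1)[0].lower()
    handler = UPLOAD_HANDLER.lower()
    # Highest severity: something in the upload directory is being executed.
    if p.startswith(handler + "files/") and p.endswith(EXEC_EXT):
        return "server-side script requested from upload directory"
    # The bundled handler should not be reachable at all on a production site.
    if p.startswith(handler):
        if method == "POST":
            return "file upload to unauthenticated handler"
        return "probe of upload handler"
    return None


def detect(log_text):
    """Parse combined-format lines and return a list of alert dicts."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status, _size = m.groups()
        reason = classify(method, path)
        if reason:
            alerts.append({"ip": ip, "time": ts, "method": method,
                           "path": path, "status": int(status), "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["time"], a["ip"], a["method"], a["reason"])
```

The first rule fires on any contact with the handler, because a site that does not use the dashboard uploader has no reason to serve that path; the third rule is the one worth paging on, since a 200 for a .php under files/ means the uploaded code already ran.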
Time to get the first flag.
Looking at the kernel version, 3.13.0, it was quite apparent that it is vulnerable to the newer kernel exploits like Dirty COW. But I first tried to look for a vector through common misconfigurations, so I ran the usual Linux enumeration scripts. I soon ran out of patience and went straight for kernel exploits. As expected, Dirty COW worked like a charm and got the second flag.
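The patch-management counterpart to that observation is an inventory check that flags hosts running a kernel older than the fixed release. The Python below is an added example (not from the VM or this writeup) that parses uname -r style release strings, including the distribution build number after the dash, and compares them only within the same kernel series. The inventory and the fixed release in the demo are placeholder assumptions; take the real fixed release from your distribution's advisory, because distributions backport fixes without changing the upstream version number, so a cross-series comparison proves nothing.

```python
"""Kernel release audit, added example with constructed inventory data."""
import re

# major.minor.patch followed by an optional -build (e.g. 3.13.0-32-generic).
_REL = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_release(release):
    """Turn a `uname -r` string such as '3.13.0-32-generic' into a
    comparable tuple (major, minor, patch, build). 'build' is the distro
    build number after the dash, or 0 when there is none."""
    m = _REL.match(release.strip())
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def same_series(a, b):
    """True when two releases share major.minor, e.g. both 3.13.x."""
    return parse_release(a)[:2] == parse_release(b)[:2]


def audit(hosts, fixed_release):
    """Return (outdated, other_series): hosts in the same series as
    fixed_release but older than it, and hosts on a different series that
    need checking against their own advisory instead."""
    outdated, other_series = [], []
    for host, release in sorted(hosts.items()):
        if not same_series(release, fixed_release):
            other_series.append(host)
        elif parse_release(release) < parse_release(fixed_release):
            outdated.append(host)
    return outdated, other_series


if __name__ == "__main__":
    # Constructed inventory; the fixed release is a placeholder assumption,
    # not the real fixed version for any particular issue.
    inventory = {
        "sedna": "3.13.0-32-generic",
        "web02": "3.13.0-105-generic",
        "db01": "4.4.0-45-generic",
    }
    print(audit(inventory, "3.13.0-100-generic"))
```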
Overall a fun VM. Good weekend challenge.
Didn't get the last two flags.