Sedna

We are on a roll this week!  With this slew of new VMs up on Vulnhub, there is plenty to keep me busy.  Today’s episode: Sedna.

Sedna is the “Intermediate” difficulty VM in a progressively more difficult three-part series. Let’s see if it lives up to the difficulty rating.

 

As per the norm, I start off by scanning the target machine to see what services we’re working with:

 

 

Ok, 80 and 8080 stick out as potential first targets, so let’s take a look at what’s on 80:

 

Similar to Quaoar, we’ve got a picture of a rendered planet and it takes you to a “Hack the planet” picture when it’s clicked on:

 

As for 8080, it just gives us a Tomcat7 landing page.  Nothing too interesting, so let’s run wfuzz to see if we can find some interesting dirs:

 

For the Tomcat7 port, we find the manager dir.  When navigating to the manager dir, we’re presented with a login prompt:

 

Some initial attempts lead nowhere, so I tried a Tomcat NSE script that could brute the form easily/quickly:

 

No dice.  Ok, let’s figure out what’s running on port 80.  After some digging through each directory from the wfuzz scan, I find what I’m looking for at http://192.168.110.132/themes/default_theme_2015/description.txt:

 

A quick search in searchsploit turns up a single lonely exploit:

 

Next we modify the script to point to our target (after verifying the path exists on the target), place it in /var/www/html, start Apache, and navigate to 127.0.0.1.  We’re presented with a form upload page.  Upload a basic PHP command shell:

 

Once it’s sent we’re able to run commands:

 

I tried a few basic reverse shells to no avail and decided to move to an msfvenom payload:

 

 

I upload the payload, use curl to make the file executable, prepare Metasploit, and execute the shell:

 

Navigating to /var/www/ gets us the first flag:

 

Next up is figuring out the best way to root.  I load up Metasploit’s exploit suggester module:

 

None of these end up working, so I give dirtycow a shot:

 

It worked!  I guess I should start testing dirtycow on everything from now on.  That’s a quick win if it’s vuln.  I quickly grab the flag, and it’s game over.  There are apparently 2 more post-exploitation flags, but the one I’m immediately aware of is a cracking challenge, so I didn’t bother with it.
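From the defender's side, the upload-then-execute sequence above (a PHP command shell pushed through an upload form, then driven with requests that carry commands) leaves a clear trail in the web server's access log. The following is an added example, not part of the original write-up: it assumes Apache common log format and hypothetical upload directory names (`/files/`, `/uploads/`), and the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed layout: directories the web app lets users write to (hypothetical names).
UPLOAD_DIRS = ("/files/", "/uploads/")
SCRIPT_EXTS = (".php", ".phtml", ".php5")
# Tokens that suggest a query parameter carries an OS command.
CMD_TOKENS = re.compile(r"\b(id|whoami|uname|chmod|wget|curl|nc|bash|sh)\b")
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def find_webshell_activity(lines):
    """Flag successful script requests inside upload directories; severity is
    high when the client POSTed earlier and a parameter looks like a command."""
    posted = set()      # clients that have sent a POST so far
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue    # skip malformed lines rather than crash
        ip, parts = m["ip"], urlsplit(m["url"])
        path = parts.path.lower()
        if (m["status"] == "200" and path.endswith(SCRIPT_EXTS)
                and any(d in path for d in UPLOAD_DIRS)):
            cmds = [v for _, v in parse_qsl(parts.query) if CMD_TOKENS.search(v)]
            findings.append({
                "ip": ip, "ts": m["ts"], "path": parts.path,
                "after_post": ip in posted, "commands": cmds,
                "severity": "high" if (ip in posted and cmds) else "medium",
            })
        if m["method"] == "POST":
            posted.add(ip)
    return findings

# Constructed sample log (addresses and paths are made up for illustration).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:02:10 +0000] "POST /upload_form.php HTTP/1.1" 200 120',
    '10.0.0.9 - - [01/Jan/2024:10:02:15 +0000] "GET /files/shell.php?cmd=id HTTP/1.1" 200 54',
    '10.0.0.9 - - [01/Jan/2024:10:03:40 +0000] "GET /files/shell.php?cmd=chmod%20%2Bx%20%2Ftmp%2Fp HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:05:00 +0000] "GET /files/logo.png HTTP/1.1" 200 2048',
    'garbage line',
]

if __name__ == "__main__":
    for finding in find_webshell_activity(SAMPLE_LOG):
        print(finding)
```

The underlying fix is to stop the web server from executing scripts in user-writable directories at all; the log check only catches what got through.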

 

Happy hacking!