We are on a roll this week! With this slew of new VMs up on Vulnhub, there is plenty to keep me busy. Today’s episode: Sedna.

Sedna is the “Intermediate” difficulty VM in a progressively more difficult 3-part series. Let’s see if it lives up to the difficulty rating.


As per the norm, I start off by scanning the target machine to see what services we’re working with:



Ok, 80 and 8080 stick out as potential first targets, so let’s take a look at what’s on 80:


Similar to Quaoar, we’ve got a picture of a rendered planet and it takes you to a “Hack the planet” picture when it’s clicked on:


As for 8080, it just gives us a Tomcat7 landing page.  Nothing too interesting, so let’s run wfuzz to see if we can find some interesting dirs:


For the Tomcat7 port, we find the manager dir.  When navigating to the manager dir, we’re presented with a login prompt:


Some initial attempts led nowhere, so I tried a Tomcat NSE script that could brute the form easily/quickly:
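From the defender's side, a burst of guesses against the manager login like the one described above shows up clearly in Tomcat's access log. The following is an added example, not part of the original write-up: the log lines, IP addresses, threshold and window are constructed, and it assumes the access log uses the common pattern and that failed manager logins are answered with 401.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (documentation IP ranges, made-up timestamps), laid out
# in the "common" access log pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = "\n".join(
    [f'192.0.2.10 - - [12/Mar/2017:10:00:{s:02d} +0000] '
     f'"GET /manager/html HTTP/1.1" 401 2474' for s in range(1, 7)]
    + ['198.51.100.7 - - [12/Mar/2017:10:05:00 +0000] "GET /manager/html HTTP/1.1" 401 2474',
       '198.51.100.7 - admin [12/Mar/2017:10:05:09 +0000] "GET /manager/html HTTP/1.1" 200 17532',
       '192.0.2.10 - - [12/Mar/2017:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1895']
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)

def detect_manager_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold 401s on /manager within the window.

    Returns {ip: {"failures": peak 401 count in one window,
                  "success_after": True if a 200 on /manager followed}}.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 401s still inside the window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["path"].startswith("/manager"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], m["status"]
        if status == "401":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(q))
        elif status == "200" and ip in findings:
            # A 200 on /manager from an already-flagged source: treat as a likely guessed login.
            findings[ip]["success_after"] = True
    return findings

if __name__ == "__main__":
    for ip, info in detect_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

A single mistyped password followed by a successful login (the second source in the sample) stays below the threshold and is not flagged.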


No dice.  Ok, let’s figure out what’s running on port 80.  After some digging through each directory from the wfuzz scan, I find what I’m looking for at


A quick search in searchsploit turns up a single lonely exploit:


Next we modify the script to point to our target (after verifying the path exists on the target), place it in /var/www/html, start Apache, and navigate to  We’re presented with a form upload page. Upload a basic PHP command shell:


Once it’s sent we’re able to run commands:


I tried a few basic reverse shells to no avail and decided to move to an msfvenom payload:



I upload the payload, use curl to make the file executable, prepare Metasploit, and execute the shell:


Navigating to /var/www/ gets us the first flag:


Next up is figuring out the best way to root. I load up Metasploit’s exploit suggester module:


None of these end up working, so I give dirtycow a shot:


It worked!  I guess I should start testing dirtycow on everything from now on.  That’s a quick win if it’s vuln.  I quickly grab the flag, and it’s game over.  There are apparently 2 more post-exploitation flags, but the one I’m immediately aware of is a cracking challenge, so I didn’t bother with it.


Happy hacking!