Sedna

We are on a roll this week! With this slew of new VMs up on Vulnhub, there is plenty to keep me busy. Today’s episode: Sedna.

Sedna is the “Intermediate” difficulty VM in a progressively more difficult 3 part series. Let’s see if it lives up to the difficulty rating.

As per the norm, I start off by scanning the target machine to see what services we’re working with:

Ok, 80 and 8080 stick out as potential first targets, so let’s take a look at what’s on 80:

Similar to Quaoar, we’ve got a picture of a rendered planet and it takes you to a “Hack the planet” picture when it’s clicked on:

As for 8080, it just gives us a Tomcat7 landing page.  Nothing too interesting, so let’s run wfuzz to see if we can find some interesting dirs:

For the Tomcat7 port, we find the manager dir.  When navigating to the manager dir, we’re presented with a login prompt:

Some initial attempts led nowhere, so I tried a Tomcat NSE script that can brute-force the login form quickly:

No dice.  Ok, let’s figure out what’s running on port 80.  After some digging through each directory from the wfuzz scan, I find what I’m looking for at http://192.168.110.132/themes/default_theme_2015/description.txt:

A quick search in searchsploit turns up a single lonely exploit:

Next we modify the script to point to our target (after verifying the path exists on the target), place it in /var/www/html, start Apache, and navigate to 127.0.0.1. We’re presented with a form upload page. Upload a basic PHP command shell:

Once it’s sent we’re able to run commands:

I tried a few basic reverse shells to no avail and decided to move to an msfvenom payload:

I upload the payload, use curl to make the file executable, prepare metasploit, and execute the shell:
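Everything in this chain leaves a trace in the web server's access log: the directory brute force shows up as a burst of 404s from one client, the Tomcat manager guessing as repeated 401s against /manager/, and the web shell as a POST (the upload) followed by requests to a freshly dropped .php file carrying a command-style query parameter. The following detector is an added example written for this post, not the author's code or any tool from the walkthrough; the log lines, client addresses, upload path and shell filename are all constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Tomcat "combined" access log format (trailing referer and
# user-agent fields are ignored by the pattern, so either format parses).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Query parameter names typically used by simple PHP command shells.
SUSPICIOUS_PARAMS = {"cmd", "command", "exec", "c"}

# Constructed sample log modelled on the walkthrough: wfuzz hitting port 80,
# password guessing against the Tomcat manager, then a multipart upload and
# a request to the dropped shell. Paths and addresses are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.5 - - [01/Jan/2017:10:00:01 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.5 - - [01/Jan/2017:10:00:02 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.5 - - [01/Jan/2017:10:00:02 +0000] "GET /dev/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.5 - - [01/Jan/2017:10:00:02 +0000] "GET /tmp/ HTTP/1.1" 404 209 "-" "Wfuzz/2.1"
10.0.0.9 - - [01/Jan/2017:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:01:00 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:01:01 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:01:02 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:05:00 +0000] "POST /upload.php HTTP/1.1" 200 88 "http://127.0.0.1/" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2017:10:05:03 +0000] "GET /files/cmd.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def detect(lines, notfound_threshold=5, authfail_threshold=3):
    """Return a list of (kind, client_ip, detail) findings for the given log lines.

    Thresholds are assumed defaults; tune them to normal traffic levels.
    """
    not_found = Counter()   # 404s per client: directory brute force
    auth_fail = Counter()   # 401/403 on /manager/ per client: credential guessing
    posted = set()          # clients that completed a POST (possible upload)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if status == 404:
            not_found[ip] += 1
        if path.startswith("/manager/") and status in (401, 403):
            auth_fail[ip] += 1
        if rec["method"] == "POST" and status in (200, 201, 302):
            posted.add(ip)
        # Heuristic: a .php resource requested with a command-style parameter
        # by a client that uploaded something earlier in the same log.
        if path.endswith(".php") and ip in posted and SUSPICIOUS_PARAMS & set(rec["query"]):
            findings.append(("webshell_request", ip, rec["target"]))
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            findings.append(("dir_bruteforce", ip, n))
    for ip, n in auth_fail.items():
        if n >= authfail_threshold:
            findings.append(("manager_bruteforce", ip, n))
    return findings


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, ip, detail in analyze_sample():
        print(f"{kind:20} {ip:15} {detail}")
```

The web shell rule deliberately keys on the client having POSTed earlier rather than on a known upload URL, so it still fires when the CMS upload endpoint differs from the placeholder used here; the cost is that a legitimate user who submits a form and then browses a .php page with a parameter named `c` will trip it, which is why the parameter list and thresholds should be adjusted per site.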

Navigating to /var/www/ gets us the first flag:

Next up is figuring out the best way to root. I load up Metasploit's exploit suggester module:

None of these end up working, so I give dirtycow a shot:

It worked! I guess I should start testing dirtycow on everything from now on. That’s a quick win if the target is vulnerable. I quickly grab the flag, and it’s game over. There are apparently 2 more post-exploitation flags, but the one I’m immediately aware of is a cracking challenge, so I didn’t bother with it.

Happy hacking!