Hackfest2016 Sedna VM
for the hackfest2016: Sedna VM hosted on Vulnhub from Viper.
nmap scan:
Nikto tells us there’s directory listings in the file directory:
but for now this isn’t very useful. Further down in Nikto’s readings there’s a message that a license.txt file is present and may help enumerate software. I missed this for a while after going through a few other red herrings, but eventually gave it a look:
This exploit looks promising for builderengine, So I used the PoC code to upload my favourite reverse webshell:
Here we can use the directory listing issue earlier to verify that the file has been uploaded:
and netcat connects with the reverse webshell when we click on our reverse file:
I tried a few different means of privilege escalation; there was supposedly one for Tomcat which was installed on the server but I couldn’t get that to work, there were also a few present for the kernel version but no luck there either. In the end I went for the nuclear option and executed the dirtycow exploit. This is a very effective but pretty unstable solution; it can freeze the OS in a few seconds but for the purposes of this VM that was enough to grab a flag: