Hackfest2016 Sedna VM

for the hackfest2016: Sedna VM hosted on Vulnhub from Viper.

nmap scan:

Nikto tells us there are directory listings in the file directory:

but for now this isn’t very useful. Further down in Nikto’s readings there’s a message that a license.txt file is present and may help enumerate software. I missed this for a while after going through a few other red herrings, but eventually gave it a look:

This exploit looks promising for builderengine, so I used the PoC code to upload my favourite reverse webshell:

Here we can use the directory listing issue from earlier to verify that the file has been uploaded:

and netcat connects with the reverse webshell when we click on our reverse file:

I tried a few different means of privilege escalation; there was supposedly one for Tomcat, which was installed on the server, but I couldn’t get that to work, and there were also a few present for the kernel version but no luck there either. In the end I went for the nuclear option and executed the dirtycow exploit. This is a very effective but pretty unstable solution; it can freeze the OS in a few seconds, but for the purposes of this VM that was enough to grab a flag:

Written on March 31, 2017