Thursday, March 16, 2017

[VulnHub] hackfest2016: Sedna

An nmap scan shows a port list very similar to that of the first hackfest VM I did. However, this time port 8080 is open.


I find a Tomcat 7 installation...


...however I couldn't log in as the manager, so I gave up on this and moved on to enumerating port 80. Uniscan found a few interesting directories.


I couldn't do much with these on their own, however. That is, until nikto brought up a great point.


I checked license.txt and found a useful piece of information.


I see a "BuilderEngine" installation. I went to the /builderengine/ directory and confirmed it was present. An exploit exists that allowed me to upload an arbitrary file and place it in the /files/ directory on the web server. First I went to the directory used in the exploit to confirm it exists.


Then I copied the exploit code, pasted it in a file called "uploader.html" on my attacking machine and swapped out the link to match the one above.


Then I opened the file in Firefox and uploaded a php reverse shell.


Then I navigated to the /files/ directory on the server, clicked on my shell.php file and got a beautiful reverse shell.


Then I dirty COW my way to root. The exploit kills my shell, however I can just ssh to the "firefart" user it created.
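From the defender's side, a root-equivalent account such as the "firefart" user above is visible in the passwd file itself. The following audit is an added example, not code from the original post; the sample entries and the hash placeholder are constructed, and it assumes the added account carries UID 0, as root access through it implies.

```python
# Added example (not from the original post): audit passwd-format text.
# SAMPLE_PASSWD and CLEAN_PASSWD are constructed; the hash is a placeholder.
SAMPLE_PASSWD = """\
firefart:CONSTRUCTEDHASH:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:/bin/bash
"""

CLEAN_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""


def audit_passwd(text):
    """Return (line_number, finding, account) tuples for suspicious entries."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((lineno, "malformed-entry", fields[0]))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        seen.add(name)
        # Any UID 0 account other than root is root-equivalent.
        if uid == "0" and name != "root":
            findings.append((lineno, "uid0-not-root", name))
        # "x" means the hash lives in /etc/shadow; "*" or "!" means locked.
        if password == "":
            findings.append((lineno, "empty-password", name))
        elif password != "x" and password[0] not in "*!":
            findings.append((lineno, "unshadowed-hash", name))
    # A passwd file with no root entry has been rewritten or truncated.
    if "root" not in seen:
        findings.append((0, "root-missing", "root"))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

On a live host, pass the contents of /etc/passwd to `audit_passwd` and alert on any non-empty result.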


According to the VM details on VulnHub there are two post exploitation flags. I'm fairly certain one of them is the Tomcat7 password found at /etc/tomcat7/tomcat-users.xml.


These credentials allowed me to log in to the Tomcat manager interface.


The other flag I'm pretty sure is the password for the "crackmeforpoints" user...


...but I'm going to go ahead and let someone else crack that due to my hardware limitations. Overall I really enjoyed this VM; I don't get to use exploit-db enough for web apps in VulnHub VMs so this was a pleasant surprise!

11 comments:

  1. Hey,

    I'm really sure that the www-data user has one more flag ;-).
    Try harder!

    /dhn

    Spoiler: https://raw.githubusercontent.com/dhn/write_ups/master/boot2root/2017_hackfest2016-sedna.txt

  2. dirty cow crashes my vm. Did you not have this issue?

    1. Use this instead; modify the source code, as by default it is for 64 bit. Instructions inside the file.

      curl -k https://gist.githubusercontent.com/joshuaskorich/86c90e12436c873e4a06bd64b461cc43/raw/71db45f5b97c8e4ed00f1193e578a77f90dabbdd/cowroot.c > cowroot.c

    2. I had trouble getting my go-to dirty cow exploit to work (https://www.exploit-db.com/exploits/40616/). I had to use the "firefart" one that modifies /etc/passwd (https://www.exploit-db.com/exploits/40839/). Also I ran the "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" command which, in my experience, has made the dirty cow exploits more stable.

    3. Firefart with the echo command worked like a champ! Thanks! I'll give the other exploit a shot too, it's always good to have options.

  3. I have done that and I get the option of creating a new password, then I get the Nmap message at the end and it just crashed... I have to reset the box and the account firefart is not created. I do not know what else to do. I can't use the dirtycow make as gcc is not installed. Any help will be appreciated greatly.

    1. I had to kill the shell after I ran the exploit. Immediately after you see the mmap message, try SSHing into the firefart user you created and then run the "echo 0 > /proc/sys/vm/dirty_writeback_centisecs" command, which should prevent the VM from crashing.

    2. Thank you so much! I was doing it all correctly but not SSHing in to the box quickly enough! I managed to get in, and before running the echo 0 command it crashed. I need to speed it up! Thanks again and keep up the good work. I am also learning other Linux exploits! :)

  4. I'm stuck at the dirtycow exploit, help needed bro. I already tried all possibilities; it is crashing the VM but no progress.

    1. Use this repo : https://github.com/exrienz/DirtyCow
