Thursday, March 16, 2017

[VulnHub] hackfest2016: Sedna

An nmap scan shows a very similar port list as the first hackfest VM I did. However, this time port 8080 is open.

I find a Tomcat 7 installation...

...however I couldn't login as the manager, so I gave up on this and moved on to enumerating port 80. Uniscan found a few interesting directories.

I couldn't do much with these on their own however. That is until nikto brought up a great point.

I checked license.txt and found a useful piece of information.

I see a "BuilderEngine" installation. I went to the /builderengine/ directory and confirmed it was present. There is an exploit that exists that allowed me to upload an arbitrary file and place it in the /files/ directory on the web server. First I went to the directory used in the exploit to confirm it exists.

Then I copied the exploit code, pasted it in a file called "uploader.html" on my attacking machine and swapped out the link to match the one above.

Then I opened the file in Firefox and uploaded a php reverse shell.

Then I navigated to the /files/ directory on the server and clicked on my shell.php file and get a beautiful reverse shell.

Then I dirty COW my way to root. The exploit kills my shell, however I can just ssh to the "firefart" user it created.

According to the VM details on VulnHub there are two post exploitation flags. I'm fairly certain one of them is the Tomcat7 password found at /etc/tomcat7/tomcat-users.xml.

These credentials allowed me to login to the tomcat manager interface.

The other flag I'm pretty sure is the password for the "crackmeforpoints" user...

...but I'm going to go ahead and let someone else crack that due to my hardware limitations. Overall I really enjoyed this VM; I don't get to use exploit-db enough for web apps in VulnHub VMs so this was a pleasant surprise!