Tue. Oct 20th, 2020

Pentesting Fun Stuff

following the cyber security path…

hackfest2016: Sedna

Location

https://download.vulnhub.com/hackfest2016/Sedna.ova

Description

This is a vulnerable machine I created for the Hackfest 2016 CTF http://hackfest.ca/
Difficulty: Medium
According to the description there are multiple ways to root this box. This machine should be doable for someone who has some experience.
There are 4 flags on this machine: 1 for a shell, 1 for root access and 2 for doing post exploitation on Sedna.

Getting started

Starting with nmap to see what ports are open and what services run behind them.

A lot of open ports and services running. I’ll start with port 80 and work my way through the list of open ports.

Webserver

First stop is the main page. Nothing much in the source code, so it’s time to start up dirsearch.

Because there is a proxy server running, I run the dirsearch scan again, but this time via the proxy server.

This time I get an HTTP basic authentication prompt. Before continuing down this lead, I run a nikto scan on port 80 first.

Nikto finds a license file that may reveal the site software, which is worth a look. First I run nikto again, but this time via the proxy server.

Looking at all the information gathered, I decide to check out the license file first.

After a quick search on exploit-db it seems there is an exploit for this software that leads to an arbitrary file upload, placing the uploaded file in the /files/ folder.
The exploit includes a piece of HTML that, injected into the page, creates a form for uploading files.

For the upload I use the PHP reverse shell from pentestmonkey. Once the upload finishes I request the file, which gives me a reverse shell.

Now to look around the system.

First flag.

Ubuntu 14.04 with kernel 3.13.0. Maybe an overlayfs exploit will work to get root.
I download the code from exploit-db and paste it into a file on my local system. With SimpleHTTPServer I wget it onto the remote system, where I compile and run it.

The start looked promising, but unfortunately no root. With the kernel version number in hand I tried several exploits. After a while I tried the ‘Dirty Cow’ exploit. It’s a race condition found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. In other words, an unprivileged local user could gain write access to a read-only memory mapping and escalate privileges. There is a very good explanation of ‘Dirty Cow’, which you can find here. To be fair, I must warn you that if you try different ‘Dirty Cow’ exploits it’s wise to make a snapshot of your Sedna box, because the exploit can crash the box and you need a fresh one to try again. In real life this would mean admins will probably notice something is wrong with their server when it crashes, which normally isn’t a good thing, LoL.
After a few tries I found that the ‘Dirty Cow’ exploit from Firefart did the trick. After downloading the source code to the remote machine, I compiled and ran it. Unfortunately this exploit requires acting fast: shortly after it runs, the box freezes up and I need to reboot it.
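The Firefart variant mentioned above gets root by rewriting /etc/passwd with a new UID-0 account whose password hash sits directly in the file. As a defender-side check, here is an added example (not code from this write-up or from the exploit) that audits passwd-format text for exactly those traces; the sample entries and the placeholder hash are constructed.

```python
"""Audit /etc/passwd text for the edits a passwd-overwriting root exploit leaves behind:
a foreign UID-0 account, a hash written into the passwd field, or the root entry gone.
Added example, not from the original write-up; the sample data is constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int  # 0 means the finding concerns the whole file
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return suspicious entries found in passwd-format text."""
    findings: list[Finding] = []
    saw_root = False
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(Finding(n, line[:32], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], int(fields[2])
        saw_root = saw_root or user == "root"
        if uid == 0 and user != "root":
            findings.append(Finding(n, user, "uid 0 account that is not root"))
        # With shadow passwords this field is 'x', '*' or '!'; anything else
        # means a hash was written directly into /etc/passwd.
        if pw not in ("x", "*", "!", "!!", ""):
            findings.append(Finding(n, user, "password hash stored in passwd field"))
    if not saw_root:
        findings.append(Finding(0, "root", "no 'root' entry present"))
    return findings


# Constructed sample: the root line has been replaced by a UID-0 account
# whose (placeholder) hash sits in the passwd field, as the exploit above does.
TAMPERED_PASSWD = """\
firefart:$6$CONSTRUCTED$PLACEHOLDERHASH:0:0:pwned:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
crackmeforpoints:x:1000:1000::/home/crackmeforpoints:/bin/bash
"""

if __name__ == "__main__":
    for f in audit_passwd(TAMPERED_PASSWD):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Running the same function over a copy of /etc/passwd taken before the exploit and one taken after makes the tampering obvious; on a clean file it returns an empty list.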

Now to move fast.

I got root, I got the flag, game over.
There are some more flags to gain, for example by cracking the password hashes of ‘crackmeforpoints’ or ‘root’ with hashcat or John the Ripper, but for time reasons I’ll leave that to someone else.

Conclusion

The challenge was a bit frustrating. There are not many hints or leads to get further, and when you finally get a working exploit, the system becomes unstable and you need to hurry to get the job done. Too slow and you have to reboot and try again. I think the challenge would be more fun if the system were more stable after the exploit. If someone else has a better solution, please do tell.