I picked up Sedna and these were the steps:
As with any machine, I started with arp-scan to find the machine's IP:
arp-scan -l
The machine was detected at 192.168.137.152
The next step was to run an nmap scan:
From here, I decided to concentrate on port 80.
First, checking the webpage:
I decided to have a peek at robots.txt as well:
Going to /Hackers gave a 404 Not Found! Damn! :D
Meanwhile, in the background, I was running gobuster.
Web enumeration and checking the page sources didn't reveal much!
I decided to check my gobuster results:
Manually enumerating the folders dirbuster pointed to, it quickly became clear that BuilderEngine was running.
Next, searchsploit revealed an exploit for arbitrary file upload in BuilderEngine.
BuilderEngine is vulnerable to arbitrary file uploads in the directory:
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/
I uploaded a simple PHP reverse shell and received a reverse shell on my listener on port 443.
And I got the limited shell:
And the first flag :D
/var/html
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
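A detection check for the upload path used above, added here as an example and not code from the original walkthrough. It parses constructed Apache access-log lines (the client addresses and the file name shell.php are assumptions, not values from the post) and flags POSTs to the jquery-file-upload PHP handler, plus any later request for a server-side script under its files/ directory.

```python
import re

# Constructed Apache combined-log lines; the client addresses and the file
# name shell.php are assumptions for this example, not values from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2017:11:20:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2017:11:21:10 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 210 "-" "python-requests/2.18"
10.0.0.9 - - [16/Mar/2017:11:21:14 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/files/shell.php?cmd=id HTTP/1.1" 200 0 "-" "python-requests/2.18"
10.0.0.5 - - [16/Mar/2017:11:22:00 +0000] "GET /themes/dashboard/assets/css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Common/combined log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_HANDLER = "/jquery-file-upload/server/php/"
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect_upload_abuse(log_text):
    """Return (ip, kind, path) findings for the jquery-file-upload handler.

    'upload_post' is a POST to the arbitrary-upload handler; 'uploaded_script_requested'
    is the same client later fetching a script under files/; 'script_in_upload_dir'
    is any other client fetching such a script.
    """
    findings = []
    uploaders = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or UPLOAD_HANDLER not in rec["path"]:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before the extension check
        if rec["method"] == "POST":
            uploaders.add(rec["ip"])
            findings.append((rec["ip"], "upload_post", path))
        elif rec["method"] == "GET" and "/files/" in path and path.lower().endswith(SCRIPT_EXTS):
            kind = "uploaded_script_requested" if rec["ip"] in uploaders else "script_in_upload_dir"
            findings.append((rec["ip"], kind, path))
    return findings

if __name__ == "__main__":
    for ip, kind, path in detect_upload_abuse(SAMPLE_LOG):
        print(f"{kind:28} {ip:10} {path}")
```

The same two signals map directly onto a web-server rule: deny PHP execution under the handler's files/ directory, and alert on POSTs to the handler from clients that never authenticated.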
Privilege Escalation:
Enumerating world-writable files, one thing became very clear:
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/systemd/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/hugetlb/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/perf_event/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/blkio/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/freezer/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/devices/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuacct/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpu/cgroup.event_control
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuset/cgroup.event_control
-rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access
AppArmor was writable.
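An audit that triages a world-writable listing like the one above, added here as an example and not code from the original post. The listing is constructed and its on-disk paths (a cron job and a script) are hypothetical; the point is that entries under /sys, /proc and /dev are kernel-provided interface files whose modes the kernel sets (cgroup.event_control and apparmor/.access are world-writable by design), so a hardening review should concentrate on the on-disk entries.

```python
import re

# Constructed `ls -l`-style listing: kernel pseudo-filesystem entries like those in
# the walkthrough plus hypothetical on-disk paths (cron job, script) added for this example.
SAMPLE_LISTING = """\
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 312 Mar 16 11:09 /etc/cron.d/backup
-rwxrwxrwx 1 root root 1024 Mar 16 11:09 /usr/local/bin/cleanup.sh
-rw-r--r-- 1 root root 42 Mar 16 11:09 /etc/hostname
drwxrwxrwt 2 root root 4096 Mar 16 11:09 /tmp
"""

# Fields: mode string, link count, owner, group, size, month, day, time, path.
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"
)
PSEUDO_FS = ("/sys/", "/proc/", "/dev/")  # kernel-backed, modes are not a config error

def parse_entry(line):
    """Return mode/owner/group/path for one listing line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_world_writable(mode):
    return mode[8] == "w"  # the 'other' write bit is the 9th permission character

def triage(listing):
    """Sort world-writable entries into kernel interfaces, sticky dirs, and real risks."""
    out = {"kernel_interface": [], "sticky_dir": [], "risky": []}
    for line in listing.splitlines():
        e = parse_entry(line)
        if e is None or not is_world_writable(e["mode"]):
            continue
        if e["path"].startswith(PSEUDO_FS):
            out["kernel_interface"].append(e["path"])
        elif e["mode"][0] == "d" and e["mode"][9] in "tT":
            out["sticky_dir"].append(e["path"])  # /tmp-style: world-writable but sticky
        else:
            out["risky"].append(e["path"])  # on-disk, root-owned, writable by anyone
    return out

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_LISTING).items():
        print(bucket, paths)
```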
So, taking that as a clue, I first tried the overlayfs local exploit, as it involves the AppArmor directory.
https://www.exploit-db.com/exploits/37292/
The exploit matched the kernel version and the release exactly.
Running the exploit, it printed the output of all its fprintf statements, but it failed.
Checking the C code, it seems there is no "su" file in /bin by default!
At this stage, I enumerated further on the misconfiguration side but could not find much, so...
So, I went back to check for more exploits for the kernel and the OS release.
The OS being 14.04, there was another matching exploit:
https://www.exploit-db.com/exploits/36746/
For 14.04, the apport exploit worked just fine and a root shell was achieved.
And the next flag!
/root
cat flag.txt
a10828bee17db751de4b936614558305
There are two more flags; I am lazy, so I am going to skip those in this walkthrough...
(Maybe I will do that later...) :D
Bro, write it in a bit more detail .. I'm not getting the shell :)
Got it bro .. thanks, keep it up!!!