I picked up Sedna and these were the steps:

Like any machine, starting with arp-scan to first know the machine IP:

arp-scan -l



The machine got detected at 192.168.137.152

The next step was to run an nmap scan:



From here, I decided that I shall be concentrating on port 80.

First checking the webpage:


I decided I shall have a peek at the robots.txt as well:


Going to /Hackers gave a 404 - Not found! Damn! :D

Meanwhile in background, I was running gobuster.

Doing web enumeration and checking web page sources didn't reveal much!
I decided to check my gobuster results:


Manually enumerating the folders dirbuster pointed to, it quickly became clear that BuilderEngine was running.

Next, a searchsploit revealed an exploit for arbitrary upload in BuilderEngine.


Seems BuilderEngine is vulnerable to arbitrary file uploads on the directory:
http://IP_Addr/themes/dashboard/assets/plugins/jquery-file-upload/server/php/

I uploaded a simple PHP reverse shell to receive a reverse shell on listening port 443.
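From the defender's side, the upload-then-execute pattern described above leaves a recognisable trace in the web server access log: a POST to the jquery-file-upload handler path followed by a GET of a script under its files/ directory from the same client. The following is an added detection example, not code from the original post or from BuilderEngine; the log lines are constructed in Apache combined format, and the handler path fragment and the set of executable extensions are my assumptions:

```python
import re

# Constructed Apache combined-format access log lines (not captured from the Sedna VM).
SAMPLE_LOG = """\
192.168.137.1 - - [16/Mar/2017:11:20:01 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.137.1 - - [16/Mar/2017:11:20:05 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 133 "-" "Mozilla/5.0"
192.168.137.1 - - [16/Mar/2017:11:20:09 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2017:11:20:30 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 140 "-" "Mozilla/5.0"
10.0.0.9 - - [16/Mar/2017:11:20:35 +0000] "GET /themes/dashboard/assets/plugins/jquery-file-upload/server/php/files/avatar.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - - [16/Mar/2017:11:21:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumed path fragment of the upload handler and the extensions the web server would execute.
UPLOAD_HANDLER = "/jquery-file-upload/server/php/"
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_execute(log_text):
    """Return (client_ip, path) alerts for clients that POSTed to the upload handler
    and later fetched a script-typed file from the handler's files/ directory."""
    uploaders = set()   # clients seen POSTing to the handler
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Normalise: strip query string, compare case-insensitively.
        path = rec["path"].split("?", 1)[0].lower()
        if rec["method"] == "POST" and UPLOAD_HANDLER in path:
            uploaders.add(rec["ip"])
        elif (rec["method"] == "GET"
              and rec["ip"] in uploaders
              and UPLOAD_HANDLER + "files/" in path
              and path.endswith(EXEC_EXT)
              and rec["status"] == 200):
            alerts.append((rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for ip, path in find_upload_then_execute(SAMPLE_LOG):
        print(f"ALERT upload-then-execute from {ip}: {path}")
```

The second client in the sample uploads an image and is not flagged, which is the point of correlating the POST with a later fetch of a script-typed file rather than alerting on every upload. The corresponding mitigation is an extension allowlist in the upload handler's configuration and an upload directory in which the web server does not execute scripts.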



And I got the limited shell:



And the first flag :D

/var/html
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289

Privilege Escalation:

It became very clear from the world-writeable files:

    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/systemd/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/hugetlb/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/perf_event/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/blkio/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/freezer/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/devices/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuacct/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpu/cgroup.event_control
    --w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/cpuset/cgroup.event_control
    -rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access

AppArmor was writeable.
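When auditing a host, a world-writable file listing like the one above needs triage: entries under /sys, /proc and /dev are kernel-provided interfaces whose mode is set by the kernel (a chmod there does not persist and it is not a filesystem misconfiguration), whereas a world-writable file under /etc or an executable under /usr/local/bin is a genuine escalation risk to fix. The following is an added triage helper, not code from the original post; the listing is constructed in `find -ls` format, and the path prefixes used for classification are my assumptions:

```python
import re
from collections import defaultdict

# Constructed `find / -perm -o+w -type f -ls`-style listing (not the real Sedna output).
SAMPLE_LISTING = """\
--w--w--w- 1 root root 0 Mar 16 11:09 /sys/fs/cgroup/memory/cgroup.event_control
-rw-rw-rw- 1 root root 0 Mar 16 11:09 /sys/kernel/security/apparmor/.access
-rw-rw-rw- 1 root root 1234 Mar 16 10:00 /etc/cron.d/backup
-rwxrwxrwx 1 root root 8192 Mar 16 10:00 /usr/local/bin/healthcheck
-rw-rw-rw- 1 www-data www-data 0 Mar 16 10:30 /var/www/html/uploads/notes.txt
-rw-r--r-- 1 root root 42 Mar 16 10:30 /etc/hostname
"""

# Assumed classification prefixes.
PSEUDO_FS = ("/sys/", "/proc/", "/dev/")
HIGH_RISK = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib/", "/root/", "/var/spool/cron/")

# mode, links, owner, group, size, month, day, time-or-year, path
LINE_RE = re.compile(
    r'^(?P<mode>[-a-z][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+'
    r'\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)$'
)


def classify(line):
    """Return (path, category) for one listing line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mode, path = m.group("mode"), m.group("path")
    # Index 8 is the 'others' write bit; 3/6/9 are the execute positions (x, s or t).
    others_write = mode[8] == "w"
    executable = any(mode[i] in "xst" for i in (3, 6, 9))
    if not others_write:
        return (path, "not-world-writable")
    if path.startswith(PSEUDO_FS):
        return (path, "kernel-interface")
    if path.startswith(HIGH_RISK) or executable:
        return (path, "high")
    return (path, "review")


def triage(listing):
    """Group the listing's paths by category."""
    groups = defaultdict(list)
    for line in listing.splitlines():
        result = classify(line)
        if result is not None:
            path, category = result
            groups[category].append(path)
    return dict(groups)


if __name__ == "__main__":
    for category, paths in triage(SAMPLE_LISTING).items():
        print(category)
        for p in paths:
            print("   ", p)
```

The "high" bucket is what to chase first: a world-writable cron fragment or executable owned by root means any local user can run code as root on the next invocation. The "review" bucket (here a web-writable upload directory) is where the file upload issue from earlier on this page would typically surface.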

So, taking a clue from that, I first tried the overlayfs local exploit as it involves using the AppArmor directory.

https://www.exploit-db.com/exploits/37292/

The exploit matched exactly with the kernel version and the release.

Running the exploit, it printed the output of all its fprintf statements but it failed.
Checking the C code, it seems there is no "su" file in /bin by default!

At this stage, I enumerated further on the misconfigurations side, but I could not find much so ...

So, I went back again to check more exploits for the kernel and the OS release.

The OS being 14.04 has another matching exploit:

https://www.exploit-db.com/exploits/36746/

For 14.04, the apport exploit worked just fine and a root shell was achieved.


And the next flag!

/root
cat flag.txt
a10828bee17db751de4b936614558305

There are two more flags, but I am lazy so I am going to skip those in this walkthrough...
(Maybe I will do that later...) :D

Comments

  1. Bro, write it in a bit more detail... I'm not getting a shell :)

  2. Got it bro .. thanks keep it up!!!
