Hackfest.ca CTF – Sedna

Written by  on March 21, 2017 

Hi folks! Sorry for being a little bit idle these last months, now I’m back with more stuff.

I found this box: https://www.vulnhub.com/entry/hackfest2016-sedna,181/ SEDNA, presented in the last edition of hackfest.ca

The box is configured to get its IP address from a DHCP server.

After booting the box and my Kali one, I used netdiscover to look for its IP address.

[screenshot: netdiscover output]

Then I ran a quick nmap scan against it to get a starting point:

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp   open  domain      ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp  open  pop3        Dovecot pop3d
|_pop3-capabilities: RESP-CODES SASL STLS CAPA AUTH-RESP-CODE TOP UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44460/udp  status
|_  100024  1          49828/tcp  status
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp  open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE OK capabilities have post-login Pre-login more listed LITERAL+ LOGIN-REFERRALS LOGINDISABLEDA0001 IMAP4rev1 ID SASL-IR STARTTLS ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
445/tcp  open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp  open  ssl/imap    Dovecot imapd (Ubuntu)
|_imap-capabilities: IDLE OK post-login SASL-IR Pre-login more listed LITERAL+ LOGIN-REFERRALS capabilities AUTH=PLAINA0001 ID IMAP4rev1 have ENABLE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp  open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES USER SASL(PLAIN) CAPA AUTH-RESP-CODE TOP UIDL PIPELINING
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after:  2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 08:00:27:D2:FB:71 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m59s, deviation: 0s, median: 59m59s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   NetBIOS computer name: SEDNA\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2017-03-21T06:57:26-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

Found a robots.txt and, as it sometimes holds sensitive information in this kind of game, I tried it:

[screenshot: robots.txt contents]

But then I browsed to the directory and found nothing. Then I tried something more specific, using DirBuster on both ports 80 and 8080.

[screenshot: DirBuster results]

I found interesting stuff on 8080, and nmap told me that I might be able to use PUT to upload some files.

[screenshot: PUT attempt against port 8080]

Well, PUT failed, and nothing really interesting was found (at first sight...) on 8080. I tried dirb on 8080:
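nmap's http-methods script only reports what the server advertises in response to OPTIONS, which is frequently wider than what it enforces, so "PUT failed" is the expected outcome on a default Tomcat. The reliable check is to PUT a unique marker file and then GET it back. The following is an added example, not code from the original write-up: a small Python probe that does exactly that, run against a local mock server standing in for Tomcat so it works offline. The mock's behaviour (advertising PUT/DELETE, answering 403 when read-only and 201 when writable) and all class and function names are assumptions for the demo, not observations from the Sedna box. Against a real target you would call probe_put with its host and port, or do the same by hand with curl -X PUT followed by a GET.

```python
"""Check whether HTTP PUT uploads actually work, not just whether they are
advertised. Added example for this write-up; not the author's code.
The mock server's status codes (403 read-only, 201 writable) are assumed
typical DefaultServlet behaviour, not something observed on Sedna.
"""
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class MockTomcat(BaseHTTPRequestHandler):
    """Advertises PUT/DELETE in OPTIONS regardless; honours them only when
    the server object was created with writable=True (assumed behaviour)."""

    def log_message(self, *args):      # silence per-request logging
        pass

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, PUT, DELETE, OPTIONS")
        self.end_headers()

    def do_PUT(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if not self.server.writable:
            self.send_response(403)    # read-only: refuse the upload
        else:
            self.server.store[self.path] = body
            self.send_response(201)    # created
        self.end_headers()

    def do_GET(self):
        body = self.server.store.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_DELETE(self):
        gone = self.server.store.pop(self.path, None)
        self.send_response(204 if gone is not None else 404)
        self.end_headers()


def _request(host, port, method, path, body=None):
    """One request on a fresh connection; returns (status, Allow header, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, body=body)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Allow", ""), resp.read()
    finally:
        conn.close()


def probe_put(host, port, directory="/"):
    """Return what OPTIONS advertises, the PUT status code, and whether the
    uploaded marker could actually be read back (the only reliable signal)."""
    marker = uuid.uuid4().hex.encode()
    path = f"{directory.rstrip('/')}/{marker.decode()}.txt"
    _, allow, _ = _request(host, port, "OPTIONS", directory)
    advertised = [m.strip() for m in allow.split(",") if m.strip()]
    put_status, _, _ = _request(host, port, "PUT", path, body=marker)
    get_status, _, got = _request(host, port, "GET", path)
    confirmed = get_status == 200 and got == marker
    if confirmed:                      # clean up the marker file we left behind
        _request(host, port, "DELETE", path)
    return {"advertised": advertised, "put_status": put_status,
            "confirmed": confirmed}


def _start_mock(writable):
    """Bind a mock on a free loopback port and serve it in a daemon thread."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), MockTomcat)
    srv.writable, srv.store = writable, {}
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe a read-only and a writable mock; both advertise PUT, one accepts it."""
    results = {}
    for label, writable in (("readonly", False), ("writable", True)):
        srv = _start_mock(writable)
        try:
            results[label] = probe_put("127.0.0.1", srv.server_address[1])
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for label, r in run_demo().items():
        print(f"{label:9s} advertises {r['advertised']} PUT->{r['put_status']} "
              f"upload confirmed: {r['confirmed']}")
```

The read-back step matters because a PUT can come back 200/201/204 while the body is silently discarded, or 403/405 on one path while another context on the same server is writable; the advertised method list is only a hint about where to try, never proof.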

[screenshot: dirb output on port 8080]

After reviewing the dirb output and browsing some directories I found a CMS environment, and after doing some basic research on the exploit database I found this:

[screenshot: exploit database search result]

So it looked like a remote file upload vuln. As the server allows PHP, I got my php-reverse-shell.php from pentestmonkey ready.

[screenshot: php-reverse-shell.php]

The backdoor was uploaded without any problem.

[screenshot: file upload]

And then, after launching it via the web browser, I got my shell.

[screenshot: reverse shell]

Then, after doing a little bit of research about local exploits, I gave Dirty COW a try. Don't forget to use -pthread and -lcrypt when compiling!

[screenshot: compiling Dirty COW]

Dirty COW succeeded when I ran it.

[screenshot: Dirty COW output]

game over sedna P-)
