Sedna VM – Walkthrough

Hi Friends,

Today we will solve the Vulnhub VM Sedna

Firstly, I need to detect the VM ip address, I will be using netdiscover command from Linux

netdiscover -r 192.168.174.1/24

Now we got Target IP address

192.168.174.133 – Sedna VM (Target Machine)
192.168.174.128 – Kali Linux (Attacker Machine)

First I will do the Port scan by using nmap to find the open ports, by using port 8080 we confirmed tomcat is running on target machine

To gather more information about the target I will be using nikto,

and we got some juicy info like /files, /system and /licence.txt, if we read carefully licence.txt we came to know that it is running “BuilderEngine”

I searched in exploitdb by using searchsploit tool for builderengine and found Arbitrary File Upload exploit exists

I used exploit and uploaded PHP reverse shell on target machine

To see the uploaded file, go to target machine/files/ you will be seeing rshell.php

Start netcat in kali Linux terminal, and click on the rshell.php

nc -lvp 4444

now shell is open, to get the bash use command “python -c ‘import pty;pty.spawn(“/bin/bash”)'”

and found first flag in flag.txt

Then next part is local privilege escalation

For this I used popular Linux dirtycow exploit from https://www.exploit-db.com/exploits/40839/

I compiled the exploit as per instructions and run the exploit with password as password

SSHed the target machine by using firefart user with password as password

to make shell stable run “echo 0 > /proc/sys/vm/dirty_writeback_centisecs”

now I become root of the target machine and can see the next flag