Hi Friends,
Today we will solve the Vulnhub VM Sedna.
First, I need to find the VM's IP address. I will use the netdiscover command on Linux:
netdiscover -r 192.168.174.1/24
Now we have the target IP address:
192.168.174.133 – Sedna VM (Target Machine)
192.168.174.128 – Kali Linux (Attacker Machine)
Next, I run a port scan with nmap to find the open ports. Port 8080 confirms that Tomcat is running on the target machine.
To gather more information about the target I used nikto, and we got some juicy info such as /files, /system and /licence.txt. Reading licence.txt carefully, we learn that the target is running "BuilderEngine".
I searched Exploit-DB with the searchsploit tool for builderengine and found that an Arbitrary File Upload exploit exists.
I used the exploit and uploaded a PHP reverse shell to the target machine.
To see the uploaded file, go to /files/ on the target machine; you will see rshell.php.
Start netcat in a Kali Linux terminal, then click on rshell.php:
nc -lvp 4444
Now the shell is open. To get bash, use the command:
python -c 'import pty;pty.spawn("/bin/bash")'
I found the first flag in flag.txt.
The next part is local privilege escalation.
For this I used the popular Linux Dirty COW exploit from https://www.exploit-db.com/exploits/40839/
I compiled the exploit as per the instructions and ran it with "password" as the password.
I then SSHed into the target machine as the firefart user with the password "password".
To make the shell stable, run:
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
Now I am root on the target machine and can see the next flag.
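
This chain leaves two artifacts a defender can check for: a script served out of the /files/ upload directory, and a non-root account that holds root privileges. The sketch below is an added example, not part of the original walkthrough; the function names are hypothetical, the log lines and passwd content are constructed, and it assumes a common-format web access log and that the firefart account carries UID 0.

```python
import re

# Upload directory from the walkthrough; the extension list is an assumption.
UPLOAD_DIR = "/files/"
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Common/combined log format: ip - - [ts] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def scripts_served_from_uploads(log_lines):
    """Return (client, timestamp, path) for successful script requests under UPLOAD_DIR."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, _method, target, status = m.groups()
        path = target.split("?", 1)[0].lower()  # drop query string, normalise case
        if (path.startswith(UPLOAD_DIR) and path.endswith(SCRIPT_EXT)
                and status.startswith("2")):
            hits.append((client, ts, path))
    return hits

def unexpected_uid0(passwd_text):
    """Return account names other than root that have UID 0 in /etc/passwd content."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

# Constructed sample data (not taken from the target VM).
SAMPLE_LOG = [
    '192.168.174.128 - - [01/Jan/2017:10:00:01 +0000] "GET /licence.txt HTTP/1.1" 200 1024',
    '192.168.174.128 - - [01/Jan/2017:10:05:12 +0000] "GET /files/rshell.php HTTP/1.1" 200 0',
    '192.168.174.128 - - [01/Jan/2017:10:05:40 +0000] "GET /files/logo.png HTTP/1.1" 200 5120',
]
SAMPLE_PASSWD = (
    "firefart:HASH_PLACEHOLDER:0:0:constructed:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
)

if __name__ == "__main__":
    for hit in scripts_served_from_uploads(SAMPLE_LOG):
        print("script served from upload dir:", hit)
    for name in unexpected_uid0(SAMPLE_PASSWD):
        print("unexpected UID 0 account:", name)
```

Serving the upload directory with script execution disabled would stop the first finding from turning into a shell at all.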