Hack the Sedna VM (CTF Challenge)

Today we found a Vulnerable Lab based on the 90377 Sedna. Sedna is a dwarf planet in our solar system. This vulnerable machine was created for the Hackfest 2016. We are going to download the VM Machine from here.
The credit for developing this VM machine goes to Viper.

Penetrating Methodologies
1.      Scanning Network
·        TCP and UDP ports scanning using nmap
2.      Testing Port 80
·        Surfing HTTP service on Web Browser
3.      Directory Scanning
·        Scanning using nikto
4.      Exploiting BuilderEngine
·        Using the Metasploit module to get meterpreter session
6.      Exploiting chkrootkit
·        Using the Metasploit module to get the root shell
7.      Retrieving Flag 2
Let’s Breach!!!
As always, Let’s start from doing a port enumeration on the IP Address using the nmap tool. (Here, we have it at 192.168.1.110 but you will have to find your own).
nmap -sV 192.168.1.110


From the NMAP Version Scan we enumerated the following details:

Port No.
Service
Port 22
SSH
Port 53
ISC Bind
Port 80
HTTP
Port 110
POP3
Port 111
RPC Bind
Port 139
NetBIOS
Port 143
Imap
Port 445
NetBIOS
Port 993
SSL/IMAPS
Port 995
SSL/POP3S
Port 8080
HTTP


As the HTTP service is running on the target server, let’s open the IP Address on the Web Browser.


Here we decided to scan the target directory using nikto scan. Now open the terminal in Kali Linux and type the following command:


From the scanning result, we chose the highlighted file link for further enumeration. That is the license.txt.


Opening the license.txt in our browser gave us our way in. This is what we looking for in the first place. If we take a closer look than we can find that we have the BuilderEngine 2015 version installed on the target system. A little bit of research here and there and we learned that we have a module in Metasploit that we can use to get a meterpreter session on the target machine.
So, let’s work on it. Firstly, we will open a terminal in out Kali Linux and then we will type msfconsole on it. This will open Metasploit Framework. After this we will proceed by using the module and providing it with RHOST. RHOST is the remote host IP address, which in our case is 192.168.1.110.

use exploit/multi/http/builderengine_upload_exec
set rhosts 192.168.1.110
exploit

After exploiting, we get a meterpreter session as shown in the given image. We used the sysinfo command to get the information about the target machine and we can observer that it is Sedna. Now we use the pwd command to retrieve the working directory we have the shell in. It is /var/www/html/files.


Now, that we are inside the target machine all that we need is to retrieve the flags and complete the challenge completely. After doing a bit enumeration here and there, we found a flag inside the /var/www directory. So, we traversed to that directory using the cd command. Now to read the flag we need to get a bash shell over the machine. Now, we will use the shell command to get a bash shell but what we got was an improper shell. So, we will use the python one liner to get a proper shell.
python -c 'import pty; pty.spawn("/bin/bash")'
Since we have the proper shell now, let’s read the flag using the cat command.
Now, let’s work out our way to another flag. We traversed to the /etc directory and here we found the directory named chkrootkit. On traversing inside it, we get a README. Upon reading the README we get the version of chkrootkit. The version is found out to be 0.49.



Let’s get back to our beloved Metasploit and search for an exploit for the chkrootkit. We learned that we have a module in Metasploit that we can use to get a root shell on the target machine.
So, let’s work on it. On the Metasploit terminal. After this we will proceed by using the module and providing it with the session id.
use exploit/unix/local/chkrootkit
set session 1
exploit

This gives us a shell whose privilege we checked using the id command. We checked the contents of the directory using the ls command. We can see the flag.txt inside this directory. Now for the final step, we will use the cat command to read the root flag

0 comments:

Post a Comment