Today we found a Vulnerable Lab based on the 90377 Sedna. Sedna is a
dwarf planet in our solar system. This vulnerable machine was created for the
Hackfest 2016. We are going to download the VM Machine from here.
The credit for developing this VM machine goes to Viper.
Penetrating Methodologies
1.
Scanning Network
·
TCP and UDP ports scanning using nmap
2.
Testing Port 80
·
Surfing HTTP service on Web Browser
3.
Directory Scanning
·
Scanning using nikto
4.
Exploiting BuilderEngine
·
Using the Metasploit module to get meterpreter
session
6.
Exploiting chkrootkit
·
Using the Metasploit module to get the root
shell
7.
Retrieving Flag 2
Let’s Breach!!!
As always, Let’s start from doing a port enumeration on the
IP Address using the nmap tool. (Here, we have it at 192.168.1.110 but you will
have to find your own).
nmap -sV
192.168.1.110
From the NMAP Version Scan we enumerated the following
details:
Port No.
|
Service
|
SSH
|
|
Port 53
|
ISC Bind
|
Port 80
|
HTTP
|
Port 110
|
POP3
|
Port 111
|
RPC Bind
|
Port 139
|
NetBIOS
|
Port 143
|
Imap
|
Port 445
|
NetBIOS
|
Port 993
|
SSL/IMAPS
|
Port 995
|
SSL/POP3S
|
Port 8080
|
HTTP
|
As the HTTP service is running on the target server, let’s
open the IP Address on the Web Browser.
Here we decided to scan the target directory using nikto
scan. Now open the terminal in Kali Linux and type the following command:
nikto -h http://192.168.1.110/
From the scanning result, we chose the highlighted file link
for further enumeration. That is the license.txt.
Opening the license.txt in our browser gave us our way in.
This is what we looking for in the first place. If we take a closer look than
we can find that we have the BuilderEngine 2015 version installed on the
target system. A little bit of research here and there and we learned that we have a
module in Metasploit that we can use to get a meterpreter session on the target
machine.
So, let’s work on it. Firstly, we will open a terminal in out Kali
Linux and then we will type msfconsole on
it. This will open Metasploit Framework. After this we will proceed by using
the module and providing it with RHOST. RHOST is the remote host IP address,
which in our case is 192.168.1.110.
use
exploit/multi/http/builderengine_upload_exec
set rhosts
192.168.1.110
exploit
After exploiting, we get a meterpreter session as shown in
the given image. We used the sysinfo command
to get the information about the target machine and we can observer that it is
Sedna. Now we use the pwd command to
retrieve the working directory we have the shell in. It is /var/www/html/files.
Now, that we are inside the target machine all that we need
is to retrieve the flags and complete the challenge completely. After doing a
bit enumeration here and there, we found a flag inside the /var/www directory.
So, we traversed to that directory using the cd command. Now to read the flag we need to get a bash shell over
the machine. Now, we will use the shell command
to get a bash shell but what we got was an improper shell. So, we will use the python
one liner to get a proper shell.
python -c 'import
pty; pty.spawn("/bin/bash")'
Since we have the proper shell now, let’s read the flag
using the cat command.
Now, let’s work out our way to another flag. We traversed to
the /etc directory and here we found the directory named chkrootkit. On
traversing inside it, we get a README. Upon reading the README we get the
version of chkrootkit. The version is found out
to be 0.49.
Let’s get back to our beloved Metasploit and search for an
exploit for the chkrootkit. We learned that we have a module in Metasploit that
we can use to get a root shell on the target machine.
So, let’s work on it. On the Metasploit terminal. After this
we will proceed by using the module and providing it with the session id.
use
exploit/unix/local/chkrootkit
set session 1
exploit
This gives us a shell whose privilege we checked using the id command. We checked the contents of
the directory using the ls command.
We can see the flag.txt inside this directory. Now for the final step, we will
use the cat command to read the root
flag
0 comments:
Post a Comment