hackfest2016: Sedna Walkthrough

VMs are coming in like crazy! Christmas all over again 🙂

This VM is called Sedna and was a pretty fun and interesting one.

Quick run-down:

  1. Enumeration
  2. Exploitation
  3. Read flag

Exploits used:

  1. Chkrootkit 0.49

Just like our last one, the author graced us with giving us the IP of the machine. Let’s see what we are going up against…

As you can see, there are quite a few open ports and, as always, port 80 was something to look at. I had run Nikto against the machine and a couple of interesting things came to mind to check out.

“/system” was forbidden to us and “/files” just showed us a directory with files in it. There were a few directories in there, but I will wait on that. I checked out the license to see if there was anything interesting and if it gave me any type of name to start working with.

So we know we are working with BuilderEngine. What is that? What do we know about it? Are there any known haxx for it??? Let’s take a look…

According to Exploit-DB, we have a potential candidate for Arbitrary File Upload for BuilderEngine 3.5.0. I don’t know the exact version, but we can always try. After copying the exploit to our machine, I uploaded a test file by the name of “flag.txt” from my local machine. Guess what? It worked!

Shell shall commence in 3. 2. 1…

Very nice.

Now we have to escalate our privileges! I gathered some quick details to see what is going on here.

After going through the machine, I found that it has an install of chkrootkit in /etc.

So you thinking what I am thinking?? Let’s get root on this bad boy…

I created a leet haxx shell with some simple C, compiled it, and executed it to make sure it works.

Great.

So the next thing to do is create a script called “update” and put it in /tmp. According to the exploit, if we place an executable file named update in /tmp, chkrootkit will pick it up and run it as root!
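As an added defender-side example (not from the walkthrough or the chkrootkit project), here is a POSIX shell audit for the weakness described above: it parses `chkrootkit -V` output (the version check mentioned in the comments), flags releases up to 0.49 as affected by the /tmp/update issue, and alerts when an executable `update` already sits in the checked directory. The script name `chkrootkit_audit.sh`, the directory parameter and the sample version strings are assumptions.

```shell
#!/bin/sh
# Added defensive audit, not part of the original post. Checks whether a host is
# exposed to the chkrootkit 0.49 behaviour the walkthrough abuses: an executable
# named "update" in /tmp gets executed as root. Sample inputs are constructed.

# Pull "X.YY" out of `chkrootkit -V` output such as "chkrootkit version 0.49".
# Prints nothing when no version-looking token is present.
parse_chkrootkit_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+$/) { print $i; exit } }'
}

# Return 0 (true) when the version is 0.49 or older; the /tmp/update issue the
# walkthrough's exploit targets was fixed in chkrootkit 0.50.
chkrootkit_version_affected() {
    case "$1" in *.*) ;; *) return 2 ;; esac   # refuse strings without a dot
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -eq 0 ] && [ "$minor" -le 49 ]
}

# Return 0 when an executable regular file named "update" exists in the
# directory (normally /tmp; parameterised so the check can be exercised safely).
tmp_update_present() {
    [ -f "$1/update" ] && [ -x "$1/update" ]
}

# Combine both checks. Prints findings; returns 0 if the host looks exposed.
audit_host() {
    ver_output="$1"   # text of `chkrootkit -V`
    tmpdir="$2"       # directory chkrootkit would scan, usually /tmp
    exposed=1
    ver=$(parse_chkrootkit_version "$ver_output")
    if [ -n "$ver" ] && chkrootkit_version_affected "$ver"; then
        echo "WARN: chkrootkit $ver is affected by the /tmp/update issue; upgrade to 0.50 or later"
        exposed=0
    fi
    if tmp_update_present "$tmpdir"; then
        echo "ALERT: executable $tmpdir/update present; remove it and find out who created it"
        exposed=0
    fi
    return $exposed
}

# When run directly as chkrootkit_audit.sh (assumed name), audit the live host.
case "$0" in
    *chkrootkit_audit.sh)
        audit_host "$(chkrootkit -V 2>/dev/null || echo 'chkrootkit not installed')" /tmp
        exit $? ;;
esac
```

The script exits 0 when something needs attention, so it can be wired into a cron job or a monitoring check that alerts on that status.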

So, let’s take advantage of that!

So after a few minutes or so, we see something a little different when running the “ls -al rootme” command 😉

Very nice.

He mentioned other flags, so there’s this:

5 thoughts on “hackfest2016: Sedna Walkthrough”

    1. I had taken advantage of chkrootkit’s vulnerability. Since it runs any file in /tmp named “update” as root, you can do anything you want. Run any command you want, etc, all as root.

      In this case, I just used that simple C proggie and simply changed the permissions in a bash script called update. “rootme” is the result of that.

  1. Hi, I just did not understand how you found out that chkrootkit was going to be run by root in a few minutes. I mean, there is no such cron job as far as I searched. There is nothing like that in the running processes either. How did you reach the conclusion of firing the update binary?

    1. Howdy!

      Easy, I didn’t know. I didn’t see any crazy cron jobs and I hadn’t thought about looking at running processes either. The only thing I knew is that we had a vulnerable version of chkrootkit and I found that by checking the version (chkrootkit -V) and googling to see if it has any publicly available exploits.

      The other thing I didn’t know was how long it would take. What I did was just use the watch command to see if any permissions changed. While that was going on, I made another shell, connected, and kept exploring the file system to see if there were any other ways to escalate my privs. Permissions changed 😉
