Monday, 27 March 2017

Sedna challenge


Today I want to show you a Sedna hackfest walkthrough.


There are a lot of open ports. I tried playing with Samba, but there was nothing interesting except the version, 4.6.1 (I didn't find a valid exploit for this version of Samba).
I tried browsing port 8080, but to reach the manager's panel I needed valid web-based authentication credentials. Default credentials such as admin:admin and tomcat:tomcat don't work.

So, I decided to browse port 80.

OK, let's run DirBuster to find the web application's directory structure.

Hmmm, unfortunately I didn't find an entry point to hack the target.
So, because I didn't have any interesting ideas, I decided to run the nikto vulnerability scanner, and it found a license.txt file, which may be interesting...

Opening /license.txt, I found something juicy.

This page told us that the web application uses BuilderEngine. I looked for a valid exploit and BINGO!
We are able to use "BuilderEngine 3.5.0 - Arbitrary File Upload".
I executed the URL from the exploit.

I created a new file named exploit.html which contains part of the content of our exploit.

I ran an Apache server and executed our exploit. So I uploaded a PHP reverse shell file named shell.php.
Now, we have to find our backdoor.

Excellent! Our shell is uploaded, now let's execute it.

Great! We have got a limited shell!
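
From the defender's side, the sequence above (a file upload followed by a request for the uploaded shell.php) leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original post: a Python check over Apache combined-format log lines. The paths /upload-handler/ and /files/, the upload directory list, the 10-minute window and the IP addresses are assumptions or constructed sample values.

```python
import re
from datetime import datetime, timedelta

# Assumption: directories that should only ever serve static user uploads.
UPLOAD_DIRS = ("/files/", "/uploads/")
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
WINDOW = timedelta(minutes=10)  # assumed correlation window

def find_upload_then_execute(lines):
    """Return (ip, post_path, script_path) where a client POSTed and then,
    within WINDOW, got a 2xx for a script inside an upload directory."""
    last_post = {}  # ip -> (time, path) of the most recent successful POST
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        ok = m["status"].startswith("2")
        if m["method"] == "POST" and ok:
            last_post[m["ip"]] = (ts, path)
        in_upload_dir = any(d in path for d in UPLOAD_DIRS)
        if ok and in_upload_dir and SCRIPT_EXT.search(path):
            prev = last_post.get(m["ip"])
            if prev and prev[1] != path and ts - prev[0] <= WINDOW:
                hits.append((m["ip"], prev[1], path))
    return hits

# Constructed sample log lines (addresses and paths are placeholders).
SAMPLE = [
    '192.0.2.10 - - [27/Mar/2017:10:00:01 +0000] "GET /license.txt HTTP/1.1" 200 1024 "-" "-"',
    '192.0.2.10 - - [27/Mar/2017:10:05:12 +0000] "POST /upload-handler/ HTTP/1.1" 200 310 "-" "-"',
    '192.0.2.10 - - [27/Mar/2017:10:05:40 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [27/Mar/2017:10:06:00 +0000] "GET /files/photo.jpg HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.7 - - [27/Mar/2017:10:07:00 +0000] "GET /files/old.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE):
        print("upload followed by script execution:", hit)
```

Any hit means a script ran from a directory meant for static content, which is also the configuration to fix: upload directories should not be allowed to execute PHP at all.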