Monday 27 March 2017

Sedna challenge

Hello,

Today I want to show you a Sedna hackfest walkthrough.

Scanning















There are a lot of open ports. I tried playing with Samba, but there was nothing interesting except the version, 4.6.1 (I didn't find a valid exploit for this version of Samba).
I tried browsing port 8080, but to get to the manager's panel I need to know valid web-based authentication credentials. Default credentials such as admin:admin and tomcat:tomcat don't work.

So, I decided to browse port 80.





















OK, let's run DirBuster to find the web application's directory structure.









Hmmm, unfortunately I didn't find an entry point to hack the target.
So, because I didn't have any interesting ideas, I decided to run the nikto vulnerability scanner, and it found a license.txt file, which may be interesting...













Browsing to /license.txt, I found something juicy.
















This page told us that the web application utilizes BuilderEngine. I looked for a valid exploit and BINGO!
We are able to use "BuilderEngine 3.5.0 - Arbitrary File Upload".
I executed the URL from the exploit.






I created a new file named exploit.html, which contains part of the content of our exploit.







I started the Apache server and executed our exploit. So I uploaded a PHP reverse shell file named shell.php.
Now, we have to find our backdoor.




















Excellent! Our shell is uploaded, now let's execute it.











Great! We have got a limited shell!
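
From the defender's side, the upload followed by a request for the uploaded script leaves a recognizable trail in the web server's access log. The sketch below is an added example, not part of the original walkthrough: it flags a script that is requested for the first time only after the same client made a successful POST. The log lines, IP addresses and the paths /upload-handler and /files/ are constructed placeholders; only the file name shell.php comes from the post.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" log lines; IPs and paths are illustrative placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [27/Mar/2017:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2017:10:05:11 +0000] "GET /license.txt HTTP/1.1" 200 800 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2017:10:09:40 +0000] "POST /upload-handler HTTP/1.1" 200 95 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2017:10:10:03 +0000] "GET /files/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Mar/2017:10:12:00 +0000] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.10 - - [27/Mar/2017:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# client, timestamp, method, URL, status from a combined-format line
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# extensions a PHP-enabled server commonly executes
SCRIPT = re.compile(r'\.(php\d?|phtml|phar)$', re.I)

def upload_then_execute(log_text):
    """Flag scripts first requested only after the same client made a 2xx POST."""
    seen_paths = set()          # every path requested so far, by any client
    posted = defaultdict(list)  # client -> paths of its successful POSTs
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        client, ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        first_time = path not in seen_paths
        seen_paths.add(path)
        ok = status.startswith("2")
        if method == "POST" and ok:
            posted[client].append(path)
        elif ok and first_time and SCRIPT.search(path) and posted[client]:
            # A never-before-seen script served right after this client's upload
            findings.append({"client": client, "upload": posted[client][-1],
                             "script": path, "at": ts})
    return findings

if __name__ == "__main__":
    for finding in upload_then_execute(SAMPLE_LOG):
        print(finding)
```

Long-standing scripts such as /index.php are not flagged because they appear in the log before any POST; in production the "seen" set would be seeded from a baseline of known application files.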

TBU