Vulnhub - Symfonos-2


Today, we are going to pwn Symfonos 2 from Vulnhub.

Nmap

Starting off with Nmap, using nmap -sV -sC -A -p- -T5 192.168.43.85 shows that we have FTP, SSH, HTTP and SMB port.

HTTP and FTP Enumeration

Going to the HTTP port shows a similar image that we encountered in previous symfonos machine. Nothing is there, running gobuster, dirb and other web crawlers gave nothing. So moving over to SMB, sice it has Backup folder which is publicly accessible, we can see a log.txt. It has following data:

SAO, we get know thatthere is user aeolus and the directory where backup is being stored.
So, as we knew FTP service is available which is ProFTP 1.3.5, searching for the exploit on ExploitDB. It has a exloit of mod_copy which allows you to copy files from one folder to another. @mzfr discovered it.
We tried it and we were almost close to making it work but alas, we couldn’t. It was just a silly mistake and from this point we accidentaly did the machine in a very unintended way.


site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php

Note

I will explain the other method at last which @zayotic told @mzfr after completion of machine.

FTP Bruteforce and SSH Login

Well, from this point using THC-Hydra and rockyou.txt we got the password of user aeolus. hydra -l aeolus -P rockyou.txt 192.168.43.85 ftp -t 40 reveals that the password is sergioteamo. Now, we tried it to SSH into the machine with the same creentials.

SSH Login

Privilge Escalation

With some enumeration, I foud that there are 2 users aeolus and cronus. I tried it enumerate everything I can but at the it was a wild goose chase. So @mzfr told to me check /etc/apache2 folder and checking some files from that I cme to know that there is a local web server running on the machine, to confirm this I used curl which confirms it. So using socat TCP-LISTEN:5000;fork,reuseaddr 127.0.0.1:8080 we just forked te actual port i.e. 8080 to 5000 of the actual web server, now visiting to http://192.168.43.85:5000 shows that it is a LibreNMS based web application. I checked ExploitDB and it has exploit for adding a hostname that will give reverse shell, using metasploit I added the module to the ~/.ms4/exploits directory.

As the exploit will start working it will give a reverse shell as the user cronus. Using sudo -L we can see that mysql can be run as root. GTFOBins to the rescue.

That has shown that using sudo mysql '\! /bin/sh we can spawn root shell.

The Flag

Intended Way

As much as I was happy for pwning this machine but it was temporry the main learning part is missed in it by using hydra.
So as I mentioned eariler we were supposed to use that ProFTP 1.3.5 vulnerbaility which can be found here to copy files from one folder to another. From that exploit we can copy the files from any folder and copy it to /home/aeolus/share/ that will make that file publicly accessible to us via SMB. So, copying the file /var/backups/shadow.bak to /home/aeolus/share/shadow.txt. After that it will be available to SMB service which can be used to dump the users password and then cracked with john to crack the hash of the user aeolus.

Resources

ProFTP 1.3.5 - File Copy: https://www.exploit-db.com/exploits/36742
GTFOBins: https://gtfobins.github.io
LibreNMS Exploit: https://www.exploit-db.com/exploits/46970

Thanks to

@mzfr
@DCAU7

Detailed version og intended way.

The very detail version of the intended way is covered by @mzfr in his writeup.


Author: D4mianwayne
Reprint policy: All articles in this blog are used except for special statements CC BY 4.0 reprint polocy. If reproduced, please indicate source D4mianwayne !
  TOC