Thu. Oct 22nd, 2020

Pentesting Fun Stuff

following the cyber security path…

Symfonos 2

This is the second machine of the Symfonos series by @zayotic. It is described as an OSCP-like, intermediate, real-life-based machine designed to teach the importance of understanding a vulnerability, and it can be found here.

Enumeration

As always, I start with a port scan to find out which ports are open and which services are running behind them.

The following ports are open:

  • 21 – runs FTP (ProFTP version 1.3.5)
  • 22 – runs SSH (OpenSSH version 7.4p1)
  • 80 – runs HTTP (WebFS version 1.21)
  • 139 – SMB (smbd version 3.X-4.X)
  • 445 – SMB (smbd version 4.5.16 – Debian)

FTP

Let's start with FTP, as this version has a known vulnerability that lets you execute certain commands without authentication.

These are the commands available. I can copy files on the remote machine, change a group and change the permissions on a file. It looks like this is a setup for a later stage: these commands will give me some options once I have access. For now I'm going to check out the other options.

Webserver

This website consists of a single image. DirSearch can't find any folder other than the main landing page, and the source of the page holds no useful information. Next is the Samba server.

Samba

It looks like there is a share with some information I can read.

The file is a log file with information about the Samba config and the FTP config, and it contains some interesting things.

I try to find more information, but at this point I really cannot find any opening to get access to the machine. My last resort is brute-forcing the password of the username I found against the SSH server, but I really don't like this option. It is very loud, and in real life you really don't want to try this, as it can easily crash the server. But for now I think I don't have a choice.

SSH

There are a lot of tools to brute-force SSH, like patator, medusa, hydra, Metasploit and many others. I'm going to use ncrack and tweak the number of threads so I don't crash the server.

It took a really long time to crack this password because I'm running on a VM. This is why I really don't like brute-forcing SSH; the long wait for this password is a bit disappointing.

With the password found I can finally access the remote machine.
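The brute-force attempt above is loud precisely because every guess lands in the target's auth log. As an added, defender-side example (not code from the original post), here is a small Python detector that replays constructed sshd log lines, flags a source with five or more failed passwords inside sixty seconds, and marks whether an accepted login followed the burst. The host name, user names, addresses and timestamps in the sample are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(  # "Failed password" / "Accepted password" lines sshd writes to auth.log
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(lines, threshold=5, window_seconds=60, year=2020):
    """Return {ip: {"failures": n, "users": [...], "success_after": bool}} for sources
    with >= threshold failed logins in a sliding window; success_after marks a guessed password."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) of failures inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "Accepted":
            if ip in alerts:
                alerts[ip]["success_after"] = True
            continue
        q = recent[ip]
        q.append((ts, m["user"]))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
            a["failures"] = max(a["failures"], len(q))
            a["users"].update(u for _, u in q)
    for a in alerts.values():
        a["users"] = sorted(a["users"])
    return alerts

SAMPLE_LOG = [  # constructed sample lines, not taken from the machine
    "Oct 22 10:00:01 vm sshd[1201]: Failed password for alice from 10.0.0.5 port 50001 ssh2",
    "Oct 22 10:00:03 vm sshd[1202]: Failed password for alice from 10.0.0.5 port 50002 ssh2",
    "Oct 22 10:00:05 vm sshd[1203]: Failed password for alice from 10.0.0.5 port 50003 ssh2",
    "Oct 22 10:00:07 vm sshd[1204]: Failed password for alice from 10.0.0.5 port 50004 ssh2",
    "Oct 22 10:00:09 vm sshd[1205]: Failed password for alice from 10.0.0.5 port 50005 ssh2",
    "Oct 22 10:00:12 vm sshd[1206]: Accepted password for alice from 10.0.0.5 port 50006 ssh2",
    "Oct 22 10:02:00 vm sshd[1300]: Failed password for invalid user bob from 10.0.0.9 port 40001 ssh2",
    "Oct 22 10:12:00 vm sshd[1301]: Failed password for invalid user bob from 10.0.0.9 port 40002 ssh2",
]
```

Running `detect_bruteforce(SAMPLE_LOG)` reports only 10.0.0.5, with five failures for alice followed by a successful login; the two spaced-out guesses from 10.0.0.9 fall outside the window and stay quiet.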

Escalation of Privileges (EoP)

Running ss shows the current sockets. From this I can see that some services are listening only on localhost.

For this I create an SSH tunnel from my machine to the remote machine so that it forwards the traffic. This way I can point my browser at localhost, port 8080, and the request will be forwarded to the remote machine.

There is a known vulnerability for LibreNMS, and I choose the Metasploit module for it. For this exploit I need valid credentials, and as I only have one set….

I can use sudo to access MySQL as root. From within MySQL I can drop to a shell that runs with the permissions MySQL has at that moment; in this case, root.

Time to finish this up.

Conclusion

I really enjoyed this challenge. In my opinion I would skip the brute-forcing part and put in a better way for people to retrieve the password. I was also surprised there was nothing left to do with the exploit on the FTP server.

But in the end, the challenge was pretty nice and I would like to thank the creator for some outstanding work. For now I'm done, but the next machine will certainly be the third and final part of this series.
