Inside this Article:
- Settings Up
- Enumeration
- Identify the IP address
- Mapping the Network
- Web Enumeration
- Directory Enumeration
- Bypass Login using LDAP injection
- Enumerate Dashboard for Potential Vulnerability
- Exploitation
- Leveraging FFUF to Identify LFI File Paths
- Investigating the Web file source code
- Enumerate LDAP service to retrieve sensitive information
-
Foothold
- Privilege Escalation
Hello, everyone! Welcome back to our VulnHub Walkthrough series. In today’s video, we’ll continue exploring the exciting VulnHub collection with SymfonOS. Specifically, we’re diving into the 5th virtual machine in the series, SymfonOS 5. This intermediate, OSCP-like, real-world scenario machine is designed to highlight the importance of understanding vulnerabilities and how to exploit them effectively. Let’s get started!
To begin, head over to the VulnHub website and download the machine's image file. If you're new to VulnHub, check out our playlist for helpful guides on how to use the platform.
Vulhub - Vulnerable by Design
Discover Vulhub, a collection of pre-built Docker environments for security testing. This platform offers a wide range of vulnerable systems to help enhance penetration testing and security assessment skills.
Now, let’s get started with exploiting this machine!
Settings Up
Previously, we downloaded all the 6 image files.
So, our next step is, to set up the Virtual image in VirtualBox. The
downloaded image file is in the form of 7Z format, so start by extracting the
archive to access the files within. You’ll find several files, including the
essential VMDK files, in the extracted folder.
Now, our next step involves “ creating a new virtual machine ”.
Creating a New VM
In VirtualBox, click "New" to create a new VM.
Name it "
SymfonOS 5,"
set the OS type to Linux, and choose "Other Linux 64-bit" for the
version since the specific distribution is unknown.
Now, allocate the desired amount of RAM.
Next, select " Use an existing virtual hard disk file " locate the VMDK file, and click on " Finish " to complete the setup.
Once the setup is finished, you'll see the "
SymfonOS 5
" vulnerable machine in
the
VirtualBox manager. For better
organization, let me regroup it into the VulnHub group.
Network Configuration
To ensure that both your Kali Linux machine (used for attacks) and the vulnerable machine are connected to the same network, do we have to make sure they're both connected via a host-only Adapter?
So, go to “ settings ” and change the Network adapter to " Host-Only ."
Since everything is ready, let’s
attempt to start the VM to check if it works.
Start the VMs
Once it's ready, you should see a
login
prompt, indicating that everything is set up and we can begin our exploration!
Finally, notice that our vulnerable machine is ready and awaiting a login prompt. Let's dive into the fun!
Enumeration
Identify the IP address.
The first step in our attack is
enumeration, where we identify the IP address of our target machine using the
netdiscover
tool. This step helps map the network and locate devices that are
up and accessible.
To execute this, open a terminal and enter: netdiscover –i <specify the network interface> to use for scanning, which in this case is eth1 .
The command output displays a list of devices detected on the network, showing their IP and MAC addresses, as well as the associated vendor.
From these results, we can see several IP
addresses along with their corresponding MAC addresses. Our target machine’s IP
address is identified as “
192.168.103.17”.
Mapping the Network
Next, we'll perform a network scan to
identify open ports on the target, which is a critical part of the enumeration
process. Identifying open ports provides insights into the network’s attack
surface, helping us pinpoint services that may be vulnerable to exploitation.
For this task, we’ll use the popular network scanning tool,
Nmap.
To execute the scan, open a terminal and
run the command:
nmap -sC <
the
target IP address>
In this command:
- -sC: Performs a script scan using Nmap's default scripts to gather additional information about services and identify potential vulnerabilities.
- -sV: Enables version detection to determine the versions of services running on open ports.
After the scan is completed, the results reveal four open ports with their respective services:
- Port 22 (TCP) : Running SSH (Secure Shell) allows remote access with valid credentials. Although generally secure, weak or default passwords could make it vulnerable.
- Port 80 (TCP) : Running HTTP on a web server. The scan shows a basic website with no title hosted on Apache HTTPD, which may contain web-based vulnerabilities.
- Port 389 (TCP) : Running OpenLDAP, a directory service protocol. The specific version may indicate potential security weaknesses.
- Port 636 (TCP) : Running LDAP over SSL, but the exact protocol couldn't be confirmed.
These open ports present potential entry
points into the target system. The next step is to conduct a deeper enumeration
of each service to uncover vulnerabilities or clues that could facilitate
initial access or shell exploitation. This analysis will guide the development
of a strategic approach to compromise the target.
Web Enumeration
Our next steps involve identifying vulnerabilities to gain shell access or another foothold on the target system. Since the HTTP web server is running on Port 80, we’ll start by analyzing it, as web services often serve as primary access points and can reveal additional attack vectors.
Access the web service by entering the target's IP address directly into a web browser.
The webpage displays an image resembling Zeus, suggesting a possible exploration or reference to Greek mythology.
Examining the page source by pressing CTRL + U does not reveal any hidden details.
Directory Enumeration
To locate hidden resources, we will perform directory enumeration using tools like dirb or Gobuster. These tools systematically probe for common directory and file names that are not directly visible on the website. This process can uncover sensitive files or directories that facilitate further exploitation.
Execute the following command in the terminal:
The scan reveals three accessible pages.
Among them,
/admin.php
appears particularly interesting. This indicates a potential
administrative or control panel for the website. Accessing it could provide
significant control over the site.
Upon inspection, we discovered a login
portal that could serve as a potential entry point. Initial attempts to log in
using default credentials like
admin:admin
and
admin:password
were unsuccessful.
Bypass Login using LDAP injection
However, based on the behavior and structure of the login form, it appeared the website might be vulnerable. To confirm and exploit this vulnerability, various payloads were tested while observing the server's responses.
From the previous Nmap scan, we noted that the LDAP service was running on port 389.
This suggested that the web service could use LDAP for authentication. Testing for LDAP injection required crafting payloads to manipulate the LDAP query and bypass authentication.
A
wildcard (
*
)
was used as a test payload for both the username and password
fields, which is commonly employed for wildcard login testing.
The payload was successful, allowing access and confirming that this page served as an administrative or control panel.
Enumerate Dashboard for Potential Vulnerability
The header displayed navigation links labeled, "Home," "Portraits," and "Logout." The main content area showed a single message: "Under Development," indicating that the website was still in the development phase and likely not fully functional.
Clicking on "Portraits" revealed an interesting functionality.
The URL suggested that the
home.php
script was using the
url
parameter to fetch a resource (
http://127.0.0.1/portraits.php
).
This behavior indicated a possible Server-Side Request Forgery (SSRF) or Local File Inclusion (LFI) vulnerability.
Exploitation
To determine the specific vulnerability, we
will modify the
url
parameter which will help us
to access local files. Let’s start with
/etc/passwd
.
Upon execution, the server successfully displayed the contents of the
passwd
file.
While applications interacting with LDAP often exhibit SSRF vulnerabilities, the observed behavior strongly pointed to an LFI vulnerability in this case.
Leveraging FFUF to Identify LFI File Paths
To further explore accessible file paths
and potentially gain a foothold on the target system,
ffuf
was used for brute-forcing.
Before proceeding, we need a cookie and also need a wordlist.
Since the LFI vulnerability is being tested within a
logged-in session, a valid session cookie is required. Without the cookie,
ffuf
will treat the page as inaccessible due to the lack of authentication.
Open the browser's developer tools (usually by pressing F12 ), navigate to the Storage or Network tab, and copy the session cookie.
For brute-forcing, we used the Seclist LFI wordlist. But, it is not available in Kali Linux, so we will have to download it from GitHub.
SecLists - LFI Fuzzing Payloads
Explore LFI (Local File Inclusion) payloads curated for penetration testing. These payloads are part of the SecLists project, offering a comprehensive collection of security testing resources.
We executed the following command,
where:
- -u is used to specify the target URL with FUZZ as the placeholder for brute-forcing.
- -b is used to provide the session cookie for authentication.
- -w is used to point to the wordlist used for testing file paths.
- -c is used to enable colored output for easier result interpretation.
-
-fw
is used to refine false positives to filter responsive words, which is in our case 117 words . (Watch the video to know.)
However, none of the files contained valuable information. This required further analysis and strategizing to decide the next steps.
Investigating the Web file source code
Attempts were then made to access the source code of PHP files, as they often contain sensitive information like database usernames and passwords.
Directly accessing PHP files only displayed their rendered content rather than the source code. So, we have to use the PHP wrapper method to bypass this.
The PHP wrapper encodes the content of the file in Base64, allowing access to its raw content without triggering execution on the server.
This approach was used to load the source code of the PHP files.
Upon execution, the server returned the Base64-encoded content of the file. However, manually copying the Base64 text was cumbersome.
Instead, the the
curl
command line tool was used to directly retrieve and save the
Base64-encoded content to a local file for easier processing.
The following considerations were
necessary during this step:
The cookie was required for authentication. Without it, access to the file was denied.
- The -o flag in the curl command saved the output to a file for subsequent decoding.
After saving the file locally, we need to open the file in a text editor.
Next, copy the Base64-encoded content. For decoding, I am going to use an online Base64 decoder.
Base64 Decode Online Tool
Use this online Base64 decode tool to quickly decode Base64-encoded data. This resource is helpful for developers and penetration testers needing to process encoded strings.
Now, let’s decode it.
Here, the content of home.php has been decoded.
Upon inspecting the decoded content of home.php, no sensitive information was found.
We then repeated the same process with admin.php.
Upon
inspection, it revealed hardcoded
LDAP credentials
in its source code.
The authLdap function contained the following credentials:
- Username: cn=admin,dc=symfonos,dc=local
- Password: qMDdyZh3cT6eeAWD
These credentials allowed direct binding to the LDAP server, enabling unauthorized
operations or enumeration.
Enumerate LDAP service to retrieve sensitive information
To enumerate LDAP, the retrieved credentials will be used to perform queries and identify critical information within the directory structure. This process can uncover valuable details such as user accounts, groups, or configurations that could aid in further exploitation.
The tool used for this task is
ldapsearch
, a command-line utility for querying and retrieving data from an
LDAP (Lightweight Directory Access Protocol) server. Its flexible syntax
supports parameters for authentication, base DN, filters, and attributes.
To begin, run the following command:
-
ldapsearch
-x
-
–H
which is used to specify the LDAP URI. -
-D
which is used for providing the Bind DN (Distinguished Name). It is typically an administrative account. -
–w which is used
for supplying the bind password, and -
–b which is used
for defining the base DN, which serves as the starting point for the search.
The search results include
the domain entry (that is
dc=symfonos,dc=local
)
, the
admin
entry with an encrypted password in the
userPassword
field, and the
zeus
entry representing a user account.
Attributes for the
zeus
entry include:
-
UID
(User ID): zeus -
CN
(Common Name): admin -
loginShell
(Shell environment):/bin/bash
(indicating a Unix/Linux user) -
homeDirectory
(User's home directory): /home/zeus -
userPassword
(encrypted password, Base64-encoded): Y2V0a0tmNHdDdUhDOUZFVA==
The
userPassword
attribute
zeus
is in the form of
Base64-encoded. To decode the password, run the following
command.
Now, we have a valid username and password,
so, our next step involves, using these credentials, we will try to establish an
SSH login attempt on
target machine
to gain a foothold
on the target system.
Foothold
Establish Connection via SSH
To gain an SSH connection, on the terminal, use ssh followed by the username, zero, at the rate, then specify the target IP address.
Now, specify the password.
The SSH login using the credentials was
successful, providing access to the remote system. Upon connecting, the system
fingerprint was verified and added to the
known_hosts
file.
After gaining access, the user’s home
directory was inspected for the
user flag,
but it was not present. With no user flag available, the next logical step is
Privilege Escalation
to obtain
higher-level access and locate the
root flag.
Privilege Escalation
In the privilege escalation process, the
primary objective is to further enumerate the system to identify
misconfigurations, exploitable vulnerabilities, or overlooked permissions that
could enable escalation to root or another privileged user. This includes
investigating
file permissions
,
SUID files
,
running services
, and
scheduled
tasks
for potential exploitation opportunities.
Enumerating System Information
However, as we currently operate with limited user privileges through the reverse shell, we face restrictions on accessing certain files or commands for a comprehensive assessment.
To move forward, we run the sudo -l command to determine if the user Zeus had any special sudo privileges.
The
sudo -l
output
revealed that
Zeus
could execute the
/usr/bin/dpkg
command as root without requiring a password. This
opens a path to escalate privileges and gain root access.
Local Privilege Escalation via Missing passwd in dpkg File Path
To exploit this, the dpkg command is used to run a binary that retains elevated privileges. This binary allows access to the file system, escalates to root, or maintains privileged access.
The process involves:
Visiting the GTFOBins website, a repository of Unix binaries that can bypass standard security restrictions, to identify a suitable command for privilege escalation using dpkg.
GTFOBins - GTFO Binaries
Explore GTFOBins, a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. A valuable resource for penetration testers and security professionals.
Searching for dpkg on GTFOBins, which confirmed its ability to execute commands with elevated privileges.
Running sudo dpkg -l followed by injecting !/bin/sh to open a root shell .
This successfully escalated privileges, switching the user to the root account.
Navigating to the
/root
directory, the contents revealed a file named
proof.txt, a common marker in
CTF challenges and penetration tests to confirm successful exploitation.
To view the root flag, the
cat
command was executed on the
proof.txt
file, verifying ownership of root privileges and completing the escalation
process.