Symfonos2 VulnHub Walkthrough

The CTF or Check the Flag problem is posted on vulunhub.com. VulunHub is a platform that provides vulnerable applications/machines to gain practical hands-on experience in the field of information security. Symfonos 2 is a machine on vulunhub. To Download visit: https://www.vulnhub.com/entry/symfonos-2,331/    

Below are the steps for the Vulunhub Symfonos 2 Walk-through:

The first step that we need to do is to carry out some Intelligence Gathering. That includes Footprinting hosts, servers, etc. 

Discovery Phase:

Let’s start off by scanning the network and identifying the host IP address within the same network.

Enter the following command for the same:

netdiscover -i eth0 -r 10.0.2.0/16 
scanning and identifying hosts

Enumerating the host inside the network

So it looks like 10.0.2.25 is our target IP. The next step is to scan the target with the Nmap tool to check for any open ports and probe for running services on the VM.



Scanning Phase:

’ll start with a quick Nmap scan to look for open ports

Enter the following command for the same:

nmap -sV -sC -p- target_IP_address
nmap scan for open ports

Enumerating ports 

Visit Nmap cheat-sheet to learn more about nmap.

Reconnaissance Phase

1. Web Reconnaissance 

 Nice mix of interesting services found during the Nmap scan! Let’s first visit port 80 the default page of the victim machine.

 Enter the following command for the same:

curl  [website address]

curl a url

As you can see nothing suspicious is found here other than an image file. I investigate the image through the STRINGS command but again failed.

2. SMB Reconnaissance 



Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems. It is basically a wrapper around the tools in the Samba package and makes it easy to quickly extract information from the target pertaining to SMB.

Enter the following command for the same:

enum4linux -a [target_IP_address]

enu4linux to enumerate SMB

Feels like Deja Vu! There’s an anonymous share that has read-only access. Time to see what’s in it.

But first, if you want to learn more about enum4linux switches visit https://www.hackingarticles.in/a-little-guide-to-smb-enumeration/

Enter the following command for the same:

smbclient  //[target_IP_address]/anonymous

smbclient listing

We got a backups directory to let’s explore it.  ( Initially, we will see only backups file)

smbclient listing

We got a .txt file let’s copy it to our working directory through get [file_name].



Note: – ‘get‘ command is used to fetch data from the remote hosts to our current working directory.

Also, during SMB Reconnaissance we also got two Local user

smb reconnaissance

Local User enumerated

Exploring the log.txt file reveals, a few interesting points that I can ascertain from this file:

  • There is a backup of the /etc/shadow file in /var/backups/shadow.bak, so this may be a future targe
  • The anonymous SMB share points to /home/aeolus/share, so aeolus is a valid username

FTP Reconnaissance 

Note:- There are two ways of finding the password for user aeolus. We are going to see both.

By SAMBA Share

1. First access the FTP service through

FTP [target_IP_address] 

2. Then just copy the /etc/shadow and /var/backups/shadow.bak file to aeolus sharepoint.

ftp on an ip

FTP Exploitation  

3. Now, again connect to anonymous smbclient to see if we got the files or not.

smbclient and sambashare

Here, you will get the password as “sergioteamo”.

By HYDRA 

1. We Can retrieve the password through hydra also an inbuilt tool of kali for extracting the passwords on different ports.



Enter the following command for the same:

hydra -f -l [user_name] -P [password_file_path] [service_name]://[target_IP_address] -o [output_file]
hydra

Discovered Password

Learn more about hydra switches here!

SSH Reconnaissance 

Now, we have a user aeolus and password sergioteamo. Let’s try to ssh login through user aeolus.

SSH recon

SSH Login

Now I tried various commands to see if the user aeolus have any permission or not but got nothing. The user aeolus can’t run Sudo command and there are no files having SUID bit. So, we have to try something else to escalate our privileges.

Note: Upon searching on the web I found a .sh script file used to enumerate OS info. Copy the code from here! in [file_name.sh]. Now, execute the file with permission chmod +x [file_name.sh] to avoid any issue on the remote hosts.

We’ll admit, there’s a lot of output here. But there are a few things that are interesting:

  • The Kernel Version(4.9.0-9)
  • The other users on the system (Cronos)

But the biggest thing that stood out for me is the other ports that are listening. I can see that MySQL is running on port 3306 and that there is something running on port 8080. There is an apache config as well that was in the output of LinEnum.sh, so I’m going to check that out first.

Visit the path cd /etc/apache2/sites-enabled, and we found another site which is enabled as librenms.conf on port 8080.

Exit from the current ssh login session and try to connect through the VNC connection over SSH. You will need to run this command in the terminal on your Linux or UNIX machine:

ssh  -L  8080:localhost:8080 aeolus@10.0.2.25.

Learn more about VNC login over SSH here!.

sh login over vnc

SSH Login Over VNC 

Now, access the port 8080 on firefox through http://localhost:8080 and we found the LibreNMS login page. Let’s try to login through username aeolus and password sergioteamo.



         

Exploitation With Metasploit

1. The first thing which comes to my mind is to search Google if an exploit is available for LibreNMS and I got two of them. We can also do the same in Metasploit which shows the same result. 

enumeratin gexploit

Enumerating Exploit

Truly, speaking I have used both the exploit but somehow collected_cmd_inject doesn’t work.  So, I continued with addhost. 

2. Set the options as shown in the image file below and run exploit command to get the desired session.

run exploit

3. Now to interact with current session

session -i [session_id]

sudo mysql -e ‘\! /bin/sh’ 

running exploit

Running Exploit

       

Finding the Flag

1. To get the interactive shell use python script

python -c 'import pty; pty.spawn ("/bin/bash")' .

One thing to be noted that we got connected to the remote hosts through Cronus user which is the add-host user. Now, check the permission that the Cronus user can do as Sudo. 

finding the flag

2. As stated user can run /usr/bin/mysql as being sudo but as we are escalating out privileges. So, we have to use shell script which can be used to break out from restricted environments by spawning an interactive system shell.

Enter the following command in the terminal

sudo mysql -e '\! /bin/sh' 
getting access

Getting access

3.  Move to the root directory and use ls and there is the proof of hack.

getting access




My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.


Article Tags :

Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.