Try โ€‚โ€‰HackMD

Symfonos: 2 - Walkthrough

Machine Details

Name: Symfonos 2

OS: Linux

Platform: Vulnhub

Getting started

I booted up the machine and got assigned an IP addres of 192.168.50.130. Similar to symfonos1, I added symfonos2.local to my hosts file.

192.168.50.130 symfonos2.local

I proceeded to run a quick nmap scan on the target and obtained the result below.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Paying a visit to Port 80

I opened the target on the browser and I was presented with the following page:

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

I ran directory enumeration on the target using dirb, but I did not obtain much result.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

The Good Old SMB

SMB service is also running on the target and it allows anonymous share. I connected to it and downloaded a log.txt file in the backups folder.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

The log.txt file has a whole bunch of text, but what I was able to extract from it is a username: aeolus.

Force them all

Checking back on my brute force running in the background. I obtained a password.

aeolus:sergioteamo

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Using these creds, I was able to login via SSH. Now that I am in, first thing I did was to check if I can execute commands using sudo.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Well, that was painful xD.

More Enumeration

Enumerating further, I checked the listening connections on the box and observed a service running locally on 127.0.0.1:8080

ss -lntp

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Using my current SSH connection, I tunneled the port to my local machine.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Visting the forwarded port on my local machine in the browser, I was presented with a new page running LibreNMS and I was able to login using aeolus credentials.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Searching on Google about LibreNMS exploit shows it is vulnerable to an Authenticated Remote Code Execution as seen here.

Way to ROOT!

Following the exploit code and supplying the required parameters, I obtained a reverse shell as the root user. To stabilize my shell, I added my public SSH key to the box and logged in as root.

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More โ†’

Hope you enjoyed reading! See you in the next one.

tags: symfonos vulnhub proftpd smb librenms
Last changed by 
โ€‰
rudefish
I'm into cyber security and all its madness, whenever I participate in CTFs the write ups goes here
0
672

Read more

Symfonos: 3 - Walkthrough

Machine Details Name: Symfonos: 3 OS: Linux Platform: Vulnhub Download Link: Symfonos 3 Getting started After obtaining an IP address for the machine, 192.168.50.137 in my case. I addeed it to mu hosts file. 192.168.50.137 symfonos3.local

Mar 8, 2022
Symfonos: 1 - Walkthrough

Machine Details Name: Symfonos 1 OS: Linux Platform: Vulnhub Machine Link: Download Symfonos 1 Obtaining the assigned machine IP address After setting up the machine on VMWare, the first step is to find the IP address assigned to the machine. To do this, we can use several methods. The two I use often is shown below: sudo netdiscover -r 192.168.50.0/24

Mar 8, 2022
HTB Writeup - Search

Machine Details Name: Search OS: Windows IP address: 10.10.11.129 Difficulty: Hard Points: 40 Initial Enumeration As always, I started with an nmap scan to find out what services are running on the box.

Feb 17, 2022
Offsec Proving Grounds - SunsetDecoy Walkthrough

Machine Details Name: SunsetDecoy IP address: 192.168.66.85 Difficulty: Easy Points: 5 In the beginning As always, I started with an nmap scan and the result is shown below: There seems to be two services running; SSH on port 22 and HTTP on port 80. From the script enumeration, the HTTP service is serving a file save.zip. So I proceeded to visit the IP address in the browser and downloaded the save.zip file.

Jan 30, 2022
Read more from rudefish
Published on HackMD