Symfonos: 2 - Walkthrough

Machine Details

Name: Symfonos 2

OS: Linux

Platform: Vulnhub


Getting started

I booted up the machine and got assigned an IP address of 192.168.50.130. Similar to symfonos1, I added symfonos2.local to my hosts file.

192.168.50.130 symfonos2.local

I proceeded to run a quick nmap scan on the target and obtained the result below.

Paying a visit to Port 80

I opened the target on the browser and I was presented with the following page:

I ran directory enumeration on the target using dirb, but I did not obtain many results.

The Good Old SMB

An SMB service is also running on the target, and it allows anonymous access to a share. I connected to it and downloaded a log.txt file in the backups folder.

The log.txt file has a whole bunch of text, but what I was able to extract from it is a username: aeolus.

Force them all

Checking back on my brute force running in the background, I obtained a password.

aeolus:sergioteamo

Using these creds, I was able to log in via SSH. Now that I was in, the first thing I did was check whether I could execute commands using sudo.

Well, that was painful xD.

More Enumeration

Enumerating further, I checked the listening connections on the box and observed a service running locally on 127.0.0.1:8080.

ss -lntp

Using my current SSH connection, I tunneled the port to my local machine.
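From the defender's side, the two steps above show that a loopback-only service is not isolated from anyone who holds an SSH account. The following audit script is an added example, not part of the original walkthrough: it parses `ss -lntp` output and an sshd_config to list loopback listeners that SSH users can forward to themselves. The sample output, process names and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ss -lntp` output; process names and PIDs are invented for the example.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=612,fd=3))
LISTEN 0      128        127.0.0.1:8080      0.0.0.0:*     users:(("apache2",pid=701,fd=4))
LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=655,fd=21))
LISTEN 0      50                 *:445             *:*     users:(("smbd",pid=590,fd=32))
LISTEN 0      128            [::1]:631          [::]:*
"""

def loopback_listeners(ss_output):
    """Return sorted (address, port, process) for sockets bound to loopback only."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        try:
            if not ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            continue  # "*" wildcard: bound to every interface
        proc = re.search(r'\(\("([^"]+)"', line)  # absent without privileges
        found.append((host, int(port), proc.group(1) if proc else "?"))
    return sorted(found)

def local_forwarding_allowed(sshd_config):
    """True if sshd permits local port forwarding under its global settings.
    Simplification: parsing stops at the first Match block."""
    for line in sshd_config.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0].lower() == "match":
            break
        if len(parts) >= 2 and parts[0].lower() == "allowtcpforwarding":
            return parts[1].lower() in ("yes", "all", "local")  # first value wins
    return True  # sshd default is "yes"

def reachable_by_ssh_users(ss_output, sshd_config):
    """Loopback services any SSH-capable account can forward to itself."""
    return loopback_listeners(ss_output) if local_forwarding_allowed(sshd_config) else []

if __name__ == "__main__":
    for host, port, proc in reachable_by_ssh_users(SAMPLE_SS, "PermitRootLogin no\n"):
        print(f"{host}:{port} ({proc}) is reachable through SSH local forwarding")
```

Every service the script reports should either require its own strong authentication or sit behind an `AllowTcpForwarding` / `PermitOpen` restriction for accounts that do not need forwarding.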

Visiting the forwarded port on my local machine in the browser, I was presented with a new page running LibreNMS and I was able to log in using aeolus's credentials.

Searching Google for LibreNMS exploits shows it is vulnerable to an authenticated remote code execution, as seen here.

Way to ROOT!

Following the exploit code and supplying the required parameters, I obtained a reverse shell as the root user. To stabilize my shell, I added my public SSH key to the box and logged in as root.

Hope you enjoyed reading! See you in the next one.

tags: symfonos vulnhub proftpd smb librenms