SYMFONOS : 2 Vuln Hub Machine Walkthrough

symfonos 2 Vuln Hub machine walkthrough

OSCP-like Intermediate real life based machine designed to teach the importance of understanding a vulnerability.

Penetrating Methodology:

 

1.    Network Scanning

  • ARP-SCAN

2.    Scanning

  • NmapAutomator

3.    Enumeration

  • Enum4Linux

4.    Exploitation

  • Smbclient
  • Hydra
  • Msfconsole

5.    Privilege Escalation

  • Exploiting Sudo rights

 

Network Scanning:

We downloaded, imported and ran the virtual machine (.ova file) on the virtualbox, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network.

Commands: sudo arp-scan –1

Symfonos 2 vuln hub

Scanning:

We found the target’s IP Address 192.168.1.159. The next step is to scan the target machine by using the NmapAutomator tool. This is to find the open ports and services.

Symfonos 2 vuln hub

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

Symfonos 2 vuln hub

 

SMB Reconnaissance

We found a shared directory named anonymous.

Symfonos 2 vuln hub

To confirm our finding we took the help of smbclient with an empty password to list the shared resources of the target machine and got the same result.

Inside the anonymous directory, there is another directory named backups. Inside the backups directory, we got a log.txt file. So we downloaded the same file with the get command.

Commands: smbclient //192.168.1.102/anonymous

 

ls

cd backups get log.txt

Symfonos 2 vuln hub

After opening the log.txt file in our local machine we got a username aeolus.

Symfonos 2 vuln hub

Exploitation:

So far we have got a username aeolus, so we tried to

bruteforce it with hydra and after a long wait we successfully got a password sergiotaemo.

Command: hydra –l aeolus –P /usr/share/wordlists/rockyou.txt ftp://192.168.1.159

Symfonos 2 vuln hub

Now, we have a user aeolus and password sergioteamo. Let’s try to ssh login through user aeolus.

Symfonos 2 vuln hub

I can see that MySQL is running and that there is something running on port 8080. There is an apache config as well that was in the output of LinEnum.sh, so I’m going to check that out first.

Visit the path cd /etc/apache2/sites-enabled, and we found another site which is enabled as librenms.conf on port 8080.

Exit from the current ssh login session and try to connect through the VNC connection over SSH.

Command: ssh  -L  8080:localhost:8080 [email protected]

Symfonos 2 vuln hub

Now, access the port 8080 on firefox through http://localhost:8080 and we found the LibreNMS login page. Let’s try to login through username aeolus and password sergioteamo.

Symfonos 2 vuln hub

Symfonos 2 vuln hub

I have used both the exploits but somehow collected_cmd_inject doesn’t work. So, I continued with addhost.

Set the options as shown in the image file below and run exploit command to get the desired session.

Now to interact with current sessions. Command: sessions -i

Symfonos 2 vuln hub

Symfonos 2 vuln hub

Privilege Escalation:

To get to the root shell we checked for the sudoer permissions for the librenms user and found that this user can run mysql command with no password. So we

leveraged this to our advantage and run /bin/sh to get the root shell.

To get the interactive shell use python script

Command: python -c ‘import pty; pty.spawn(“/bin/bash”)’ sudo -l

 

cd /usr/bin

sudo mysql -e ‘\! /bin/sh’ whoami

cd /root ls

cat proof.txt

Symfonos 2 vuln hub

 

Written By

Name : Akash Kumar

https://www.linkedin.com/in/aakash-kumar-5798a3235

 

Leave a Reply

Your email address will not be published. Required fields are marked *