SYMFONOS: 5.2 Vuln Hub Machine Walkthrough

Symfono5.2 vulun hub

Beginner real life based machine designed to teach people the importance of understanding from the interior.

 

Level: Intermediate

Penetrating Methodology:

Network Scanning

  • ARP-SCAN

 

Scanning

 

  • nmap

 

 

Enumeration

  • Browsing HTTP Service
  • Dirsearch

 

Exploitation

  • Abusing http
  • Nmap nse script

 

Privilege Escalation

  • Exploiting Dpkg

Network Scanning:

We downloaded, imported and ran the virtual machine (.ova file) on the virtualbox, the machine will automatically be assigned an IP address from the network DHCP. To begin we will find the IP address of our target machine, for that use the following command as it helps to see all the IP’s in an internal network.

Commands: sudo arp-scan –l

Symfono5.2 vulun hub

Scanning:

We used Nmap for port enumeration. We found that port 22 for SSH, 80 for HTTP,389 and 636 for ldap are open.

Symfono5.2 vulun hub

Enumeration:

As port 80 is open, we tried to open the IP address in our browser but we didn’t find anything useful on the webpage.

Symfono5.2 vulun hub

Further, we use dirsearch for directory brute-forcing and found /admin.php page with status code 200 OK on executing following command.

Command: dirsearch –url http://192.168.1.17 -r -R 3

Symfono5.2 vulun hub

Exploitation:

When we searched the above-listed web page, i.e./admin.php; we got a login page, but we don’t know the login credential, so we try to bypass the login page by using the SQL injection.

Using for bypass use * for both username & password.

Symfono5.2 vulun hub

After the login click on portraits, so we get a result in the url section there is a ?url= parameter so maybe here LFI vulnerability.

Let’s exploit it as a result we successfully got the content of the “admin.php” file by exploiting LFI by fuzzing the same parameter. When check the page source we found credential “username: admin” and “password: qMDdyZh3cT6eeAWD” which is actually used to connect with LDAP

Symfono5.2 vulun hub

Further, we used nmap for LDAP enumeration and run following command, and as a result we found user information including password.

Command:

nmap 192.168.1.17 -p 389 –script ldap-search –script-args ‘ldap.username=”cn=admin,dc=symfonos,dc=local”, ldap.password=”qMDdyZh3cT6eeAWD”‘

Symfono5.2 vulun hub

For ssh credential user=zeus and password=cetkKf4wCuHC9FET

Privilege Escalation:

We used the user zeus credential as enumerated above to access the ssh shell of the host machine and check sudo rights for him. We found zeus has sudo permission to run dpkg as root thus we abuse zeus sudo rights for privilege escalation by exploiting dpkg functionality.

Commands: ssh [email protected]

sudo -l

Symfono5.2 vulun hub

Now check the dpkg binary exploiting sudo rights search the https://gtfobins.github.io/ use the exploit commands.

Symfono5.2 vulun hub

To perform privilege escalation run the following command and you get privilege where you found the proof.txt as shown in the given image.

Commands: sudo dpkg -l

!/bin/sh

whoami cd /root

cat proof.txt

Symfono5.2 vulun hub

Symfono5.2 vulun hub

 

Written By

Name : Akash Kumar

https://www.linkedin.com/in/aakash-kumar-5798a3235

Kindly read another articles :

SYMFONOS: 4 Vuln Hub Machine Walkthrough

SYMFONOS: 3.1 Vuln Hub Machine Walkthrough

Leave a Reply

Your email address will not be published. Required fields are marked *