Writeup symfonos 5 (VulnHub)

Beginner real life based machine designed to teach people the importance of understanding from the interior.

Start by running nmap against the target:

nmap -sV -p0-65535 192.168.78.134

reveals the following ports:

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?

So we have SSH, HTTP and LDAP. No usernames to brute-force yet, so let’s start with HTTP.

Screenshots: “King of the Gods”, “God of the sky, lightning, thunder, law, order, justice”, and a login form.

Start brute-forcing files and directories with dirsearch:

python3 dirsearch.py -u http://192.168.78.134 -e php -w /usr/share/seclists/Discovery/Web-Content/big.txt -f

Nothing special in portraits.php. You can check the images for EXIF data, but you’ll find nothing interesting:

The admin.php login sends the username and password in a GET request, so this might be a good place to start. You may try SQL injection on the username and password with sqlmap, but neither seems to be vulnerable:

There is something more interesting in home.php though. Have a look at this:

Requesting this in the browser redirects to admin.php.

Could this be a Local File Inclusion? Ironhackers has a good cheat sheet: https://ironhackers.es/herramientas/lfi-cheat-sheet/ After checking a whole bunch of them, I found that the injection works with file:///

/etc/passwd

Nice userlist!
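From the defender’s side, the request pattern above (a page parameter carrying a `file://` wrapper or `../` traversal) is easy to spot in the web server logs. The following is an added example, not part of the original writeup: it parses Apache combined-format access log lines and flags query parameters that look like inclusion payloads. The log lines are constructed, the IP addresses are hypothetical, and the parameter name `page` is a placeholder because the writeup does not show the real one.

```python
"""Flag LFI-style payloads (URL schemes, path traversal, absolute paths)
in the query string of Apache access log entries. Added example; the
sample log and the 'page' parameter name are constructed placeholders."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (hypothetical client IP and parameter name).
SAMPLE_LOG = """\
192.168.78.1 - - [10/Jan/2020:10:01:02 +0000] "GET /home.php?page=portraits.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.78.1 - - [10/Jan/2020:10:01:09 +0000] "GET /home.php?page=file:///etc/passwd HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
192.168.78.1 - - [10/Jan/2020:10:01:15 +0000] "GET /home.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.78.1 - - [10/Jan/2020:10:01:21 +0000] "GET /home.php?page=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.78.1 - - [10/Jan/2020:10:02:00 +0000] "GET /admin.php?username=admin&password=admin HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Any URL scheme in a parameter value (file://, php://, http://, ...).
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


def classify_value(value):
    """Return a short reason if the value looks like an inclusion payload, else None."""
    v = unquote(value)  # parse_qsl already decoded once; this catches double encoding
    if SCHEME_RE.match(v):
        return "stream wrapper / URL scheme"
    if ".." in v.replace("\\", "/").split("/"):
        return "path traversal"
    if v.startswith("/"):
        return "absolute path"
    return None


def scan_log(text):
    """Return one finding dict per suspicious (request, parameter) pair."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than crash on junk
        parts = urlsplit(m["target"])
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            reason = classify_value(value)
            if reason:
                findings.append({
                    "ip": m["ip"],
                    "time": m["ts"],
                    "path": parts.path,
                    "param": key,
                    "value": unquote(value),
                    "reason": reason,
                    "status": int(m["status"]),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['path']}?{f['param']}={f['value']!r} "
              f"-> {f['reason']} (HTTP {f['status']})")
```

The status code is kept in each finding because, as the writeup notes, a failed inclusion on this box redirects to admin.php (302) while a successful one returns 200 with a larger body, which is useful context when triaging hits.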

One of two new things I learned from this machine: always enumerate LDAP if you have a username:

Screenshot: admin.php gives you a hint to check LDAP.

nmap -sV -p389,636 --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local",ldap.password="qMDdyZh3cT6eeAWD"' 192.168.78.134

Screenshot: another user.

Now you can log in via SSH as the god of thunder. Standard enumeration shows that zeus can execute dpkg with sudo:

I found a tutorial on privilege escalation with dpkg. You may not speak Indonesian, but it’s easy to understand. You build a Debian package using fpm and put a backdoor script inside the .deb. Get it onto the machine and “install” it using your sudo privilege.

Screenshots: creating the deb package; installing the backdoor; catching the shell; pwning the machine.
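The root cause here is the sudoers rule, not dpkg itself: letting a user run a package manager as root is the same as giving them root, because every .deb carries maintainer scripts that run during installation. The following is an added example, not part of the original writeup, of a small audit script that parses sudoers-style rules and flags both unrestricted `ALL` grants and grants for dpkg. The sudoers fragment is constructed, modelled on the rule the writeup finds for zeus; the other users and paths in it are hypothetical.

```python
"""Audit sudoers rules for grants that are equivalent to root.
Added example; the sudoers fragment below is constructed."""
import os
import re

# Constructed sudoers fragment (hypothetical users/paths apart from the zeus rule in the writeup).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
zeus    ALL=(ALL) NOPASSWD: /usr/bin/dpkg        # the rule found on symfonos 5
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(ALL) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Programs whose normal operation executes attacker-supplied code as the run-as user.
# dpkg installs run the package's maintainer scripts as root, the vector in this writeup.
# Extend this set from your own baseline of shell-capable binaries.
ROOT_EQUIVALENT = {"dpkg"}

# user host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # NOPASSWD:, SETENV:, ...


def parse_rule(line):
    """Parse one sudoers user-specification line; return None for comments/Defaults/blank."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    spec = m["spec"]
    tags = []
    t = TAG_RE.match(spec)
    if t:
        tags = re.findall(r"[A-Z]+(?=:)", t.group(0))
        spec = spec[t.end():]
    commands = [c.strip() for c in spec.split(",") if c.strip()]
    return {
        "user": m["user"],
        "host": m["host"],
        "runas": m["runas"] or "root",  # sudoers default when no (runas) is given
        "tags": tags,
        "commands": commands,
    }


def audit(text):
    """Return (user, command, reason) for every rule that is effectively a root grant."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if not rule or rule["user"] == "root":
            continue  # root having ALL is the normal baseline, not a finding
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append((rule["user"], cmd, "unrestricted sudo"))
                continue
            prog = os.path.basename(cmd.split()[0])
            if prog in ROOT_EQUIVALENT:
                findings.append((rule["user"], cmd,
                                 f"{prog} runs package maintainer scripts as {rule['runas']}"))
    return findings


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user:10} {cmd:40} {reason}")
```

Run it against `/etc/sudoers` and the files under `/etc/sudoers.d/` as part of a host baseline check; the `%sudo` hit is expected on most Debian systems, the `dpkg` hit is the one that should not be there.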