Hi all, let’s start this awesome series!
You can find the machine here: Symfonos1
Enumeration/Reconnaissance
Let’s always start with nmap.
Lots of things to enumerate, but first let’s add symfonos.local to our hosts file, as the box description says:
192.168.1.12 symfonos.local
Let’s start with SMB and list the shares. I’ll show you two ways to do that:
Let’s connect to the anonymous share, since we have READ ONLY permission on it.
Great, we have 3 possible passwords -> epidioko:qwerty:baseball. We can also see a helios share, and that’s a username. After some tries I found the right password:
Let’s connect to it and download the files. todo.txt mentions an interesting directory:
It’s a WordPress site:
SMTP log poisoning - shell as helios
Let’s run wpscan on it.
The mail-masta plugin seems interesting. Let’s search for possible exploits.
Let’s check the LFI one, and we do have LFI:
Now we need to find a way to get a shell; I was stuck here for a bit. But then I noticed that SMTP is open.
SMTP (Simple Mail Transfer Protocol) is what mail servers use to send and receive email.
We can do SMTP log poisoning: we will send an email to the user helios with our payload, so that it lands in a file on disk which the LFI can then include:
The local mailbox is stored under /var/mail/$USER, so including it through the LFI gives us RCE:
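As an added example (not part of the original write-up), here is a small check a defender could run over a mail spool such as /var/mail/helios to spot messages seeded with PHP before an LFI ever includes them. It assumes an mbox-format spool; the sample spool and the sender addresses are constructed.

```python
import re

# A PHP open tag or a code-execution call has no business inside a mail
# spool; its presence means a message was crafted to be included through an
# LFI later (the SMTP log poisoning step above).
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
EXEC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(",
    re.IGNORECASE)


def scan_spool(spool_text):
    """Scan an mbox-format spool; return one dict per suspicious line with
    the 1-based line number, the envelope sender, a reason and the text."""
    hits = []
    sender = None
    for lineno, line in enumerate(spool_text.splitlines(), 1):
        # mbox separates messages with an envelope line "From <addr> <date>"
        if line.startswith("From "):
            parts = line.split()
            sender = parts[1] if len(parts) > 1 else "<unknown>"
            continue
        if PHP_TAG.search(line):
            reason = "php-tag"
        elif EXEC_CALL.search(line):
            reason = "exec-call"
        else:
            continue
        hits.append({"line": lineno, "sender": sender,
                     "reason": reason, "text": line.strip()})
    return hits


# Constructed sample spool (not captured from the box): a benign message
# followed by one whose subject and body carry PHP.
SAMPLE_SPOOL = "\n".join([
    "From alice@symfonos.local Mon Jul  1 10:00:00 2019",
    "Subject: team meeting",
    "",
    "See you at noon.",
    "",
    "From mallory@example.invalid Mon Jul  1 10:05:00 2019",
    "Subject: <?php phpinfo(); ?>",
    "",
    "please run system('uptime') on the box and send me the output",
    "",
])

if __name__ == "__main__":
    for hit in scan_spool(SAMPLE_SPOOL):
        print(f"line {hit['line']} [{hit['reason']}] from {hit['sender']}: {hit['text']}")
```

Run it against the real spool with `scan_spool(open("/var/mail/helios").read())`; any hit is worth investigating, and an empty result for a spool you know the web server can read is what you want to see.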
Let’s spawn a shell now. I’ll show you a good trick to URL encode/decode from the terminal (the gridsite-clients package provides the urlencode command):
$ apt-get install gridsite-clients
We have a shell:
helios -> root
Privesc is simple; let’s check for SUID binaries.
/opt/statuscheck seems interesting; if we run strings on it, we can see that it executes curl by its bare name rather than by an absolute path:
We can exploit this by making the binary execute our own curl instead of the real one. We will modify the PATH environment variable; first let’s create the file:
You may notice the -p argument: it tells bash not to drop the elevated effective UID it inherits from the SUID binary, so the shell keeps the SUID privileges.
Now let’s modify the PATH and run the binary.
That was an awesome box! :D