Mon. Jul 13th, 2020

Pentesting Fun Stuff

following the cyber security path…

Symfonos 1

This VM was recently added to VulnHub and is advertised as a real-life based machine designed to teach an interesting way of obtaining a low-privilege shell. The level is beginner, but as it is the first part of a series, I would like to do every part.

Enumeration

Starting with a port scan to get a view of which ports are open on the system and what services are running behind them.

These ports are open:

  • port 22, which runs a recent version of OpenSSH
  • port 25, which runs a Postfix SMTP server (the scan shows no version number)
  • port 80, which runs an Apache2 webserver, version 2.4.25
  • port 139, NetBIOS session service, Samba version 3.x – 4.x
  • port 445, Samba version 4.5.16-Debian

Webserver

Let’s start with the webserver first. The website itself is nothing more than a picture. There is nothing in the source, and the picture itself seems to hold no hidden features.

Neither DirSearch nor Nikto shows anything interesting. For now, I turn my focus to another port.

Samba

To enumerate an SMB server I use smbmap.

It looks like there is a document that I can download.

That’s a nice hint about certain passwords. Also, the name Zeus could mean the usernames are Greek gods. Let’s put these so-called passwords into a file. One of the shares is called helios. Let’s see if helios also uses a weak password.

Looks like the user ‘helios’ uses one of the weak passwords.

Looks like he is working on a folder called /h3l105. Let’s check if this folder exists on the webserver.

WordPress

Looks like a WordPress site. When running wpscan I get several vulnerabilities and a username (admin).

Here the information about the possible exploits is available. The LFI can be easily tested.

Looks like this works. But for this vulnerability to be useful, I need either files containing credentials or a way to upload a payload that I can trigger through it.
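The server-side counterpart of the LFI just tested, as an added example that is not code from this write-up or from WordPress: a file parameter is decoded, joined to a fixed base directory, resolved, and accepted only if the result still lies under that directory and names a regular file. The base directory, the template file and the request values in demo() are constructed for the demonstration.

```python
"""Confine a user-supplied include name to one directory.

Added example, not code from the write-up or from WordPress. The
base directory, template file and request values in demo() are
constructed.
"""
import tempfile
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_include(base_dir: str, requested: str, max_decode: int = 3) -> Optional[Path]:
    """Return the resolved path if it stays under base_dir, else None."""
    decoded = requested
    for _ in range(max_decode):           # unwind double/triple encoding first
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                 # NUL truncates C strings; reject outright
        return None
    base = Path(base_dir).resolve()
    # Joining an absolute request replaces base entirely; resolve() also
    # follows symlinks, so a link pointing outside base fails the check below.
    candidate = (base / decoded).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> Dict[str, bool]:
    """Run constructed requests against a throwaway template directory."""
    requests = [
        "header.php",                         # legitimate
        "../../../../etc/passwd",             # plain traversal
        "..%2F..%2F..%2F..%2Fetc%2Fpasswd",   # encoded once
        "%252e%252e/%252e%252e/etc/passwd",   # encoded twice
        "/etc/passwd",                        # absolute path
        "header.php%00.txt",                  # NUL-byte truncation attempt
        "missing.php",                        # valid shape, no such file
    ]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "templates"
        base.mkdir()
        (base / "header.php").write_text("<!-- constructed template -->\n")
        return {r: resolve_include(str(base), r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("allow " if allowed else "reject", repr(request))
```

The decoding loop matters: if the containment check runs before percent-decoding, a double-encoded `%252e%252e` passes the check and is decoded later by the include itself.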

SMTP

Because of the /etc/passwd file, I know there is a user named helios. I can try to send this user a message through the mail server. The content of this message will be a web shell, which hopefully gives me the opportunity to execute commands via the LFI. Information about web shells is plentiful on the internet. Here is an example.

Starting up a listener.

And now to activate the payload.
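From the defender's side, the chain above (read /etc/passwd through the LFI, then include the mail spool) leaves a recognisable shape in the Apache access log. The following added example, not code from this write-up, scans combined-format log lines for a request target that, after percent-decoding, carries traversal sequences, /etc/passwd or a mail spool path. The log lines, client addresses and plugin path are constructed; `example-plugin` is a placeholder, not the plugin that is on the VM.

```python
"""Flag local-file-inclusion attempts in Apache access logs.

Added example, not code from the write-up. The log lines, IPs and the
plugin path are constructed; "example-plugin" is a placeholder.
"""
import re
from typing import Dict, List
from urllib.parse import unquote

# Combined log format: host ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Indicators checked against the decoded request target.
INDICATORS = {
    "traversal": re.compile(r"\.\.[/\\]"),
    "passwd": re.compile(r"/etc/passwd"),
    "mail_spool": re.compile(r"/var/(?:mail|spool/mail)/"),
}


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads normalise too."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per line whose decoded target matches an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip
        target = decode(m.group("target"))
        matched = [name for name, rx in INDICATORS.items() if rx.search(target)]
        if matched:
            findings.append({
                "ip": m.group("ip"),
                "status": int(m.group("status")),
                "target": target,
                "indicators": matched,
            })
    return findings


def by_client(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per client address, the first pivot an analyst wants."""
    counts: Dict[str, int] = {}
    for f in findings:
        ip = str(f["ip"])
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: two ordinary requests, then three LFI probes from one client.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jul/2020:10:01:02 +0000] "GET /h3l105/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [13/Jul/2020:10:01:09 +0000] "GET /h3l105/wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.77 - - [13/Jul/2020:10:02:31 +0000] "GET /h3l105/wp-content/plugins/example-plugin/?file=../../../../etc/passwd HTTP/1.1" 200 1804 "-" "curl/7.64.0"
192.0.2.77 - - [13/Jul/2020:10:03:05 +0000] "GET /h3l105/wp-content/plugins/example-plugin/?file=..%2F..%2F..%2F..%2Fvar%2Fmail%2Fhelios HTTP/1.1" 200 944 "-" "curl/7.64.0"
192.0.2.77 - - [13/Jul/2020:10:03:40 +0000] "GET /h3l105/wp-content/plugins/example-plugin/?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 321 "-" "curl/7.64.0"
"""

if __name__ == "__main__":
    hits = scan_lines(SAMPLE_LOG.splitlines())
    for f in hits:
        print(f["ip"], f["status"], f["indicators"], f["target"])
    print(by_client(hits))
```

A 404 on a traversal request is still worth keeping: it shows the probing even when the include failed, and it is the same client that later gets a 200.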

Escalation of Privileges

To do a fast enumeration of the system, I use a shell script called “LinEnum”. To run it on the remote system, I start a Python SimpleHTTPServer on my local system and curl the script from the remote system. Because I pipe it straight into bash, I don’t have to save the file on the target, which would leave traces.

There is a lot of information, but the most interesting part is a file with the SUID bit set.

The file of interest is /opt/statuscheck. This is not a well-known SUID file and should be investigated more.

Looks like the return of a curl command.

Now to use this to my advantage. For this I will use the PATH variable. First I create a file called curl, because I know that the program statuscheck calls curl by name, and set all the permission bits on it.

Then I prepend /tmp to PATH. statuscheck will search the folders in PATH in order and run the first file called curl it finds. Because /tmp comes first, it will treat my file as the curl it needs to execute.

Then run the program and get root.
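The root cause here is a privileged program that runs `curl` by bare name and so trusts whatever PATH its caller provides. As an added example (not code from this write-up or from the Symfonos VM), the script below does the triage a defender would do after LinEnum: it walks a tree for regular files with the set-user-ID bit and, for each one, pulls out the printable strings in which a common command appears without an absolute path. The directory and the three binaries in demo() are constructed stand-ins; the list of commands in KNOWN_CMDS is a starting set, not an exhaustive one.

```python
"""Audit SUID binaries for commands invoked by bare name.

Added example, not code from the write-up or the Symfonos VM. The
directory and binaries in demo() are constructed stand-ins.
"""
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Printable ASCII runs of 4+ bytes, the same thing `strings` reports.
STRINGS_RE = re.compile(rb"[\x20-\x7e]{4,}")
# A command token at the start of a string or after a shell operator.
CMD_TOKEN_RE = re.compile(r"(?:^|[;&|`(]\s*)([A-Za-z][\w.-]*)(?=\s|$)")
# Constructed starting set of commands worth flagging; extend as needed.
KNOWN_CMDS = {"curl", "wget", "cat", "ls", "ps", "cp", "mv", "rm", "id",
              "sh", "bash", "grep", "find", "tar", "service", "systemctl"}


def find_suid(root: str) -> List[str]:
    """Return regular files under root whose mode has the set-user-ID bit."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


def bare_commands(data: bytes) -> List[Tuple[str, str]]:
    """Return (command, full string) pairs for known commands used by bare name.

    "/usr/bin/curl -I ..." never matches because the token before the
    first whitespace starts with a slash; "curl -I ..." does.
    """
    hits = []
    for m in STRINGS_RE.finditer(data):
        text = m.group().decode("ascii")
        for tok in CMD_TOKEN_RE.findall(text):
            if tok in KNOWN_CMDS:
                hits.append((tok, text))
    return hits


def audit(root: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each SUID file under root to its bare-command findings."""
    report = {}
    for path in find_suid(root):
        with open(path, "rb") as fh:
            report[path] = bare_commands(fh.read())
    return report


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Build three constructed files, audit them, and key the result by basename."""
    samples = {
        # SUID and calls curl by bare name: the /opt/statuscheck pattern
        "statuscheck": (0o4755, b"\x7fELF\x00\x00curl -I http://localhost\x00done\x00"),
        # SUID but uses an absolute path: listed, nothing flagged
        "statuscheck-fixed": (0o4755, b"\x7fELF\x00\x00/usr/bin/curl -I http://localhost\x00"),
        # Same string but no SUID bit: not a privilege boundary, not listed
        "helper": (0o755, b"curl -I http://localhost\x00"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, data) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return {os.path.basename(p): v for p, v in audit(tmp).items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

Run against `/` on a real host the same two conditions apply: the file must carry the SUID bit, and a hit only means a command name appears by itself in a string, so each finding still needs a look at what the binary actually executes. The fix for statuscheck is the mirror image of the hijack: call the absolute path and reset PATH to a fixed value before any exec.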

Now to finish this challenge.

This was a nice challenge to start with. Because there are two more, Symfonos 2 will be next. Thanks to @zayotic for a fun challenge.
