Friday, February 11, 2022

Symfonos_3

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_3, from the VulnHub pentesting platform.

Symfonos_3 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-31,332/

- Once the virtual machine has been downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Scanning with Nmap:

- Browsing the web server:

- Viewing the page source, there is a note about "underworld":

- Dirbusting the web server, we find /cgi-bin/underworld:

- Going to /cgi-bin/underworld:

- The output is similar to that of the command uptime:

3 - EXPLOITATION

- Metasploit has some exploits related to CGI scripts, for instance this one for the Shellshock vulnerability:

https://www.rapid7.com/db/modules/exploit/multi/http/apache_mod_cgi_bash_env_exec/
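
On the detection side, as an added example that is not part of the original post, the following Python flags Shellshock attempts in Apache access logs: mod_cgi hands request headers to the script as environment variables, so the bash function-definition prefix in a Referer or User-Agent header is the signature to look for. The log lines are constructed for the example, not taken from the machine, and a hit against a /cgi-bin/ path is rated higher than one against a static page.

```python
import re

# Shellshock payloads begin with a bash function definition such as
# "() { :;};"; mod_cgi copies request headers into environment variables,
# so that prefix in any header value is the signature to look for.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format; the quoted fields (request line, Referer,
# User-Agent) are attacker-controlled and any of them can carry the payload.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_combined(line):
    """Return the fields of one combined-format line as a dict, or None."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def is_cgi_request(request):
    """True when the request line targets a /cgi-bin/ path (bash via mod_cgi)."""
    parts = request.split(" ")
    return len(parts) >= 2 and parts[1].startswith("/cgi-bin/")

def detect_shellshock(lines):
    """Return (ip, header, severity, request) for each line whose Referer or
    User-Agent carries the function-definition prefix.  A hit against a CGI
    path is rated high; elsewhere it is still a probe worth recording."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparsable line; a real pipeline should count these
        for header in ("referer", "agent"):
            if SHELLSHOCK_RE.search(rec[header]):
                severity = "high" if is_cgi_request(rec["request"]) else "medium"
                hits.append((rec["ip"], header, severity, rec["request"]))
                break
    return hits

# Constructed sample lines (not from the machine): a normal visit to the CGI
# script found above, two probes against it, and one probe against a static page.
SAMPLE_LOG = [
    '192.168.1.10 - - [11/Feb/2022:10:00:01 +0000] "GET /cgi-bin/underworld HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [11/Feb/2022:10:00:02 +0000] "GET /cgi-bin/underworld HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '192.168.1.30 - - [11/Feb/2022:10:00:03 +0000] "GET /cgi-bin/underworld HTTP/1.1" 500 0 "() {:;}; echo probe" "curl/7.74.0"',
    '192.168.1.40 - - [11/Feb/2022:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :;}; echo probe"',
]

if __name__ == "__main__":
    for hit in detect_shellshock(SAMPLE_LOG):
        print("shellshock attempt from %s in %s header (%s): %s" % hit)
```

A matching line only records an attempt; whether the CGI script actually ran the payload has to be confirmed from the host side, for example from process accounting or the cerberus user's shell history.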

- A Meterpreter session is triggered:

- Getting a shell:

- One interesting thing about the user cerberus is that it belongs to the group pcap, as the previous image shows.

- So the right tools here are tcpdump, to capture traffic, and Wireshark, to read the resulting .pcap file.

- First, running tcpdump on the local interface and saving the capture to file.pcap:

- Now we have a file.pcap that can be transferred to Kali to be analyzed with Wireshark:

- Opening file.pcap in Wireshark, applying a filter for FTP traffic and following the TCP stream, we discover credentials for the user hades:

- Now we can try SSH with these credentials: hades:PTpZTfU4vxgzvRBE

4 - PRIVILEGE ESCALATION

- The new user hades belongs to the group gods:

- Let's find files owned by the group gods; for instance sitecustomize.py, which runs with root privileges:

- sitecustomize.py is a Python script that can be adapted to our needs:

- We just add these 3 lines at the beginning of the file:

- Setting up a Netcat listener:

- Running sitecustomize.py, we get a root shell:

5 - CAPTURING THE FLAG

- Reading proof.txt:

Thursday, February 10, 2022

Symfonos_1

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Symfonos_1, from the VulnHub pentesting platform.

Symfonos_1 can be downloaded from here:

https://www.vulnhub.com/entry/symfonos-1,322/

- Once the virtual machine has been downloaded and extracted with VirtualBox:

2 - ENUMERATION

- Discovering the IP 192.168.1.35 with netdiscover:

- Scanning ports with Nmap:

- Enumerating with enum4linux:

- So there is one user named helios and two shared folders named helios and anonymous.

- Accessing anonymous and getting the file attention.txt:

- Reading attention.txt, we discover 3 potential passwords:

- The 2nd password, qwerty, gives the user helios access to the shared folder helios, where there are two files, research.txt and todo.txt:

- Reading research.txt and todo.txt, we will focus our attention on the folder /h3l105:

- Browsing the web server:

- Going to /h3l105, we find a WordPress site:

- Scanning the site with WPScan, we find a folder /uploads:

- Going to /uploads, there is siteeditor:

3 - EXPLOITATION

- Site Editor 1.1.1 is a WordPress plugin vulnerable to LFI (Local File Inclusion):

- Pasting the Proof of Concept as a URL, we check that Symfonos_1 is vulnerable to LFI:

- Now, let's try to include a PHP command through the SMTP server:

- Adapting the exploit's Proof of Concept to the command pwd:

- Same thing with the command id:

- Finally, let's try to execute a Netcat reverse shell:

- Setting up a listener:

- Passing the exploit to the URL and running it:

- As a consequence, a remote shell is triggered:

- Upgrading the shell and changing to the user helios' home folder:

4 - PRIVILEGE ESCALATION

- Looking for files with the setuid bit:

- Exploring /opt/statuscheck:

- Applying the command strings to /opt/statuscheck:

- So it turns out that /opt/statuscheck runs curl by name, without an absolute path.

- The idea for privilege escalation is to write a replacement curl as a bash script, store it in /tmp, and change the PATH variable so that curl is resolved from /tmp.

- The original path for curl:

- Going to /tmp and creating a new curl:

- Editing PATH to prepend /tmp:

- Now /opt/statuscheck calls the curl in /tmp, and a root shell is obtained:

5 - CAPTURING THE FLAG

- Reading proof.txt: